Interface to Network Security Functions (I2NSF)                    L. Xia
Internet-Draft                                                     Q. Lin
Intended status: Standards Track                                   Huawei
Expires: April 24, 2019                                  October 21, 2018


            I2NSF Security Policy Object YANG Data Model
                  draft-xia-i2nsf-sec-object-dm-01

Abstract

   This document describes a set of policy objects that are reusable and
   can be referenced by various I2NSF policy rules, and provides the
   YANG data models of these policy objects.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Tree Diagrams
   5.  Policy Object
     5.1.  Address Object and Address Group
     5.2.  Service Object and Service Group
     5.3.  Application Object and Application Group
     5.4.  User Object, User Group and Security Group
     5.5.  Time Range Object
     5.6.  Region Object and Region Group
     5.7.  Domain Object
   6.  I2NSF Security Policy Object YANG Module
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   As described in [RFC8329], provisioning to NSFs can be standardized
   by using policy rules, and I2NSF uses the Event-Condition-Action
   (ECA) model to represent policy rules.
   According to [I-D.ietf-i2nsf-terminology], an I2NSF condition is
   defined as a set of attributes, features, and/or values that are to
   be compared with a set of known attributes, features, and/or values
   in order to determine whether the set of actions in that I2NSF policy
   rule can be executed or not.  The Information Model of NSF
   Capabilities [I-D.ietf-i2nsf-capability] describes the attributes of
   the different condition subclasses.  When an I2NSF condition clause
   is configured by attributes or features, it is common for the same
   value of an attribute, or the same value set of several attributes,
   to be configured many times, and modifying the policy rules is
   tedious and time-consuming.

   To facilitate the provisioning of NSF instances, this document
   describes a set of reusable policy objects.  These policy objects can
   then be referenced in the condition clause of various I2NSF policy
   rules.  A policy object consists of a name attribute that identifies
   it and one or several attributes that are typically used together to
   represent a certain condition.  For example, protocol type and port
   number are usually used together to represent a certain service.
   Each policy object should be predefined and named in order to be used
   in I2NSF policy rules.  By defining policy objects, the creation and
   maintenance of policy rules are greatly simplified:

   o  A policy object can be referenced in different policy rules as
      required, which provides reusability, and a policy rule can
      reference several policy objects.

   o  A modification of a policy object is propagated to the I2NSF
      policy rules that reference this object; the referencing policy
      rules themselves need not be modified.

   According to [I-D.ietf-i2nsf-terminology], there are two kinds of
   I2NSF policy rules: the I2NSF Directly Consumable Policy Rule and the
   I2NSF Indirectly Consumable Policy Rule.
   The former can be executed by a network device without translating
   its content or structure, while the latter cannot be executed by a
   network device without first translating its content or structure.
   In this document, policy objects are defined for I2NSF directly
   consumable policy rules.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology]
   and [RFC7950].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the policy objects defined in this document.  The meaning of the
   symbols used in the tree diagrams of the following sections, and
   their syntax, are as follows:

   o  Groupings, offset by 2 spaces, are identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefixed with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only), and "-u"
      indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a "list" or "leaf-
      list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that a node depends on.

5.  Policy Object

   This document defines policy objects that are commonly used.
   Figure 1 shows all the defined policy objects and their
   relationships.
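The two properties stated in the Introduction (a rule references policy objects by name, and a change to an object reaches every rule that references it) can be seen in the following added Python example, which is not part of the draft. It models a reduced address object (prefix and start/end range elements, after the address object of Section 5.1) and a reduced service object (protocol plus destination port, ICMP type/code, or protocol number, after the service object of Section 5.2), keeps them in a name-keyed store, and evaluates a rule against a packet by resolving the referenced objects at evaluation time. The names PolicyObjectStore, AddressObject, ServiceObject, Rule and evaluate, and the sample objects and packet, are constructed for this example and are not identifiers from the YANG model.

```python
"""Added example, not from the draft: policy objects referenced by name.

AddressObject and ServiceObject are reduced forms of the draft's address
and service objects; the store, Rule and evaluate() are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AddressObject:
    # elements: prefixes (ipv4/ipv6 cases) and inclusive start..end ranges
    # (ipv4-range/ipv6-range cases); MAC elements are left out here
    name: str
    prefixes: list = field(default_factory=list)   # e.g. ["10.0.0.0/8"]
    ranges: list = field(default_factory=list)     # e.g. [("10.1.1.10", "10.1.1.20")]

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        for p in self.prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if ip.version == net.version and ip in net:
                return True
        for start, end in self.ranges:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo.version != ip.version:
                continue
            # the model carries only start and end leaves; an inverted
            # range is a configuration error, not an empty match
            if lo > hi:
                raise ValueError(f"{self.name}: range start {start} is after end {end}")
            if lo <= ip <= hi:
                return True
        return False


@dataclass
class ServiceObject:
    # items: {"kind": "port", "proto": 6, "ports": (lo, hi)} for tcp/udp/sctp
    # destination ports, {"kind": "icmp", "type": t, "code": c} for
    # ICMP/ICMPv6, {"kind": "proto-id", "proto": n} for a bare protocol id
    name: str
    items: list = field(default_factory=list)

    def matches(self, proto: int, dport: Optional[int] = None,
                icmp: Optional[Tuple[int, int]] = None) -> bool:
        for item in self.items:
            kind = item["kind"]
            if kind == "port" and proto == item["proto"]:
                lo, hi = item["ports"]
                if dport is not None and lo <= dport <= hi:
                    return True
            elif kind == "icmp" and proto in (1, 58):   # ICMP, ICMPv6
                if icmp == (item["type"], item["code"]):
                    return True
            elif kind == "proto-id" and proto == item["proto"]:
                return True
        return False


class PolicyObjectStore:
    """Objects are stored once and looked up by name when a rule is
    evaluated, so editing an object changes every rule referencing it."""

    def __init__(self):
        self.addresses = {}
        self.services = {}

    def add(self, obj) -> None:
        table = self.addresses if isinstance(obj, AddressObject) else self.services
        table[obj.name] = obj


@dataclass
class Rule:
    name: str
    src_object: str       # name of an address object
    service_object: str   # name of a service object
    action: str


def evaluate(store: PolicyObjectStore, rules: list, packet: dict) -> Optional[str]:
    """Action of the first rule whose condition matches the packet, else None."""
    for rule in rules:
        src = store.addresses[rule.src_object]        # KeyError: dangling reference
        svc = store.services[rule.service_object]
        if src.contains(packet["src"]) and svc.matches(
                packet["proto"], packet.get("dport"), packet.get("icmp")):
            return rule.action
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: extend the address object, leave the rule alone."""
    store = PolicyObjectStore()
    store.add(AddressObject("branch-office", prefixes=["10.1.0.0/16"]))
    store.add(ServiceObject("web", items=[
        {"kind": "port", "proto": 6, "ports": (80, 80)},
        {"kind": "port", "proto": 6, "ports": (443, 443)}]))
    rules = [Rule("allow-web", "branch-office", "web", "permit")]
    pkt = {"src": "10.2.0.5", "proto": 6, "dport": 443}
    before = evaluate(store, rules, pkt)               # None: source not in object
    store.addresses["branch-office"].prefixes.append("10.2.0.0/16")
    after = evaluate(store, rules, pkt)                # "permit": rule untouched
    return before, after
```

demo() returns None before the address object is extended and "permit" afterwards, with the rule itself unchanged. The inverted-range check is there because the range cases of the model carry only a start and an end leaf, so nothing stops a start address above the end address from being configured; an NSF should reject such an element rather than silently match nothing.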
   +----------------------------------------------------------------------+
   |                            Policy Object                             |
   +----------------------------------------------------------------------+
       |         |           |          |        |      |      |      |
       |         |           |          |        |      |      |      |
   +-------+ +-------+ +-----------+ +-----+ +--------+ |      |      |
   |Address| |Service| |Application| |User | |Security| |      |      |
   |Group  | |Group  | |Group      | |Group| |Group   | |   +------+  |
   +-------+ +-------+ +-----------+ +-----+ +--------+ |   |Domain|  |
       |         |           |          |        |      |   |Object|  |
       |         |           |          +--------+      |   +------+  |
       |         |           |          |               |             |
   +-------+ +-------+ +-----------+ +------+     +----------+    +------+
   |Address| |Service| |Application| |User  |     |Time Range|    |Region|
   |Object | |Object | |Object     | |Object|     |Object    |    |Object|
   +-------+ +-------+ +-----------+ +------+     +----------+    +------+

                    Figure 1: The Policy Objects Overview

5.1.  Address Object and Address Group

   An address object is identified by a unique name and contains a set
   of IPv4/IPv6 addresses or MAC addresses.  Several address objects can
   be organized into an address group object.

   This document defines groupings for address objects and address
   groups.

   The tree diagram of the address object is:

   grouping address-objects:
     +--rw address-object* [name]
        +--rw name              address-set-name
        +--rw desc?             string
        +--rw vpn-instance?     string
        +--rw elements* [elem-id]
           +--rw elem-id                 uint16
           +--rw (object-items)
              +--:(ipv4)
              |  +--rw address-ipv4      inet:ipv4-prefix
              +--:(ipv6)
              |  +--rw address-ipv6      inet:ipv6-prefix
              +--:(mac)
              |  +--rw mac-address       yang:mac-address
              |  +--rw mac-address-mask  yang:mac-address
              +--:(ipv4-range)
              |  +--rw start-ipv4        inet:ipv4-address
              |  +--rw end-ipv4          inet:ipv4-address
              +--:(ipv6-range)
                 +--rw start-ipv6        inet:ipv6-address
                 +--rw end-ipv6          inet:ipv6-address

   The tree diagram of the address group is:

   grouping address-groups:
     +--rw address-group* [name]
        +--rw name              address-set-name
        +--rw desc?             string
        +--rw vpn-instance      string
        +--rw elements* [elem-id]
           +--rw elem-id                 uint16
           +--rw addr-object-name        address-set-name

5.2.  Service Object and Service Group

   A service object is a kind of service based on IP, ICMP, UDP, TCP, or
   SCTP.  Several related service objects make up a service group.  To
   identify different kinds of services, different kinds of attributes
   should be specified.

   o  A UDP, TCP, or SCTP based service is recognized by port number.
      The source port number and destination port number are used to
      identify the sending and receiving service respectively.

   o  An ICMP or ICMPv6 based service is recognized by two header fields
      of the ICMP/ICMPv6 packets: the type field and the code field.

   o  An IP based service is recognized by the value of the protocol
      field in the IP packet header.

   Besides, a set of well-known services should be predefined by NSFs as
   service objects to support direct usage.

   The tree diagram of the service object is:

   grouping service-objects:
     +--ro pre-defined-service* [name]
     |  +--ro name                  string
     |  +--ro session-aging-time    uint16
     +--rw service-object* [name]
        +--rw name                  service-set-name
        +--rw session-aging-time    uint16
        +--rw desc?                 string
        +--rw items* [id]
           +--rw id                 uint16
           +--rw (item)
              +--:(tcp-item)
              |  +--rw tcp
              |     +---u port-items
              +--:(udp-item)
              |  +--rw udp
              |     +---u port-items
              +--:(sctp-item)
              |  +--rw sctp
              |     +---u port-items
              +--:(icmp-item)
              |  +--rw (icmp-type)
              |     +--:(name-type)
              |     |  +--rw icmp-name            icmp-name-type
              |     +--:(type-code)
              |        +--rw icmp-type-code
              |           +--rw icmp-type-number   uint8
              |           +--rw icmp-code-number   string
              +--:(icmp6-item)
              |  +--rw (icmp6)
              |     +--:(name-type)
              |     |  +--rw icmp6-name           icmp6-name-type
              |     +--:(type-code)
              |        +--rw icmp6-type-code
              |           +--rw icmp-type-number   uint8
              |           +--rw icmp-code-number   string
              +--:(protocol-id)
                 +--rw proto-id             proto-id-range

   The "port-items" grouping reuses the "port-range-or-operator"
   grouping defined in [I-D.ietf-netmod-acl-model].

   grouping port-items:
     +--rw source-port
     |  +---u pf:port-range-or-operator
     +--rw dest-port
        +---u pf:port-range-or-operator

   The tree diagram of the service group is:

   grouping service-groups:
     +--rw service-group* [name]
        +--rw name              service-set-name
        +--rw desc?             string
        +--rw items* [id]
           +--rw id                 uint16
           +--rw service-set-name   service-set-name

5.3.  Application Object and Application Group

   Due to the diversity and large number of applications, it is not
   possible to identify a certain application based on protocol type and
   port number alone.  For example, many web applications with different
   risk levels, such as web gaming and web chat applications, run on
   ports 80 and 443 using HTTP and HTTPS.  Protocol type and port number
   cannot distinguish applications that use the same application
   protocol.  In this document, category, subcategory, data transmission
   model, and risk level are used to describe an application.  A set of
   well-known application objects should be predefined in NSFs to
   support direct reference.
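The user-defined application rule of Section 5.3 identifies an application by a signature (mode, direction, pattern-type, pattern and field leaves, shown in the tree diagram of the application object) in addition to protocol and port. The following added Python example, which is not part of the draft, evaluates such signatures against reassembled traffic. Rule dicts use the leaf names of the application-objects tree; the field values are the identity names http-method, http-uri, http-host and general-payload from Section 6; the Flow-less packet representation, the functions signature_matches and identify_application, and the sample applications and traffic are constructed for this example.

```python
"""Added example, not from the draft: matching user-defined application
rule signatures (mode/direction/pattern-type/pattern/field) to traffic.

A packet is a dict {"direction": "request"|"response", "payload": str,
"http": {field-identity: value}} (constructed representation).
"""
import re
from typing import Dict, List, Optional

SAMPLE_APPS = [   # constructed, shaped like the application-objects tree
    {"name": "webchat", "category": "collaboration", "subcategory": "chat",
     "data-model": "client-server", "rule": [
         {"name": "host", "protocol": "tcp", "port": [80, 443],
          "signature": {"mode": "packet", "direction": "request",
                        "pattern-type": "plain", "field": "http-host",
                        "pattern": "chat.example.com"}}]},
    {"name": "webgame", "category": "games", "rule": [
         {"name": "token", "protocol": "tcp", "port": [80],
          "signature": {"mode": "flow", "direction": "response",
                        "pattern-type": "regular", "field": "general-payload",
                        "pattern": r"GAMETOKEN=[0-9a-f]{8}"}}]},
]


def _compile(sig: Dict) -> "re.Pattern":
    # pattern-type 'plain' is a fixed string, so escape it; 'regular' is
    # used as a regular expression as written
    pat = sig["pattern"]
    return re.compile(pat if sig.get("pattern-type", "plain") == "regular" else re.escape(pat))


def _texts(packets: List[Dict], direction: str, field: str) -> List[str]:
    """Text each packet contributes for the given direction and field."""
    out = []
    for pkt in packets:
        if direction != "both" and pkt["direction"] != direction:
            continue
        if field == "general-payload":
            out.append(pkt["payload"])
        else:                       # e.g. 'http-host': a parsed protocol field
            out.append(pkt.get("http", {}).get(field, ""))
    return out


def signature_matches(rule: Dict, packets: List[Dict]) -> bool:
    sig = rule["signature"]
    regex = _compile(sig)
    texts = _texts(packets, sig.get("direction", "both"), sig.get("field", "general-payload"))
    if sig.get("mode", "packet") == "packet":
        # packet mode: the keyword must sit inside one packet
        return any(regex.search(t) for t in texts)
    # flow mode: the keyword may span packet boundaries, so search the
    # reassembled stream rather than each packet on its own
    return regex.search("".join(texts)) is not None


def identify_application(apps: List[Dict], packets: List[Dict],
                         proto: str, dport: int) -> Optional[str]:
    """Name of the first user-defined application with a matching rule."""
    for app in apps:
        for rule in app["rule"]:
            if rule.get("protocol", "any") not in ("any", proto):
                continue
            if rule.get("port") and dport not in rule["port"]:
                continue
            if signature_matches(rule, packets):
                return app["name"]
    return None


def demo():
    """Constructed traffic: a chat request, and a game response whose
    keyword is split across two TCP segments."""
    chat = [{"direction": "request",
             "payload": "GET / HTTP/1.1\r\nHost: chat.example.com\r\n",
             "http": {"http-method": "GET", "http-uri": "/",
                      "http-host": "chat.example.com"}}]
    game = [{"direction": "request", "payload": "GET /play HTTP/1.1\r\n",
             "http": {"http-method": "GET", "http-uri": "/play"}},
            {"direction": "response", "payload": "HTTP/1.1 200 OK\r\n\r\nGAMETO"},
            {"direction": "response", "payload": "KEN=deadbeef;next"}]
    return (identify_application(SAMPLE_APPS, chat, "tcp", 443),
            identify_application(SAMPLE_APPS, game, "tcp", 80))
```

demo() returns ("webchat", "webgame"). The game token is only found because its rule uses mode "flow"; with mode "packet" the same two segments would not match, which is the distinction the mode typedef of Section 6 draws between a keyword in one packet and one spread over several. Both applications sit on ports 80/443, so without the signature the two rules would be indistinguishable by port.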
   The tree diagram of the application object is:

   grouping application-objects:
     +--rw user-defined-application {user-defined-application}?
     |  +--rw application* [name]
     |     +--rw name            string
     |     +--rw label*          string
     |     +--rw data-model?     string
     |     +--rw category?       string
     |     +--rw subcategory?    string
     |     +--ro risk-value?     uint32
     |     +--rw desc?           string
     |     +--rw rule* [name]
     |        +--rw name            string
     |        +--rw protocol?       protocol
     |        +--rw signature
     |        |  +--rw mode?           mode
     |        |  +--rw direction?      direction
     |        |  +--rw pattern-type?   pattern-type
     |        |  +--rw pattern?        string
     |        |  +--rw field?          identityref
     |        +--rw ip-address*     inet:ip-prefix
     |        +--rw port*           inet:port-number
     |        +--rw desc?           string
     +--ro predefined-application
        +--ro application* [name]
           +--ro name            string
           +--ro protocol*       string
           +--ro risk-value?     uint32
           +--ro label*          string
           +--ro abandon?        boolean
           +--ro multichannel?   boolean
           +--ro data-model?     string
           +--ro category?       string
           +--ro subcategory?    string
           +--ro desc?           string

   The tree diagram of the application group is:

   grouping application-groups:
     +--rw application-group* [name]
        +--rw name              string
        +--rw desc?             string
        +--rw items* [id]
           +--rw id                        uint16
           +--rw application-object-name   string

5.4.  User Object, User Group and Security Group

   A user object identifies a person who may access network resources.
   It is the basis for implementing user-based policy control.  User
   objects may be created locally on the NSFs or imported from third
   parties, such as authentication servers.  User objects that require
   the same policy enforcement are grouped into user group objects or
   security group objects.  User group objects are organized as a
   hierarchical structure.  A security group object consists of user
   objects from different user group objects that require the same
   policy enforcement.
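The user object below carries an ip-mac-binding subtree whose bind-mode takes the ip-mac-binding-type values defined in Section 6: under both modes a user must log in from the bound IP and MAC addresses, and under bidirectional binding the same IP/MAC pair cannot also be bound to other bidirectional users. The following added Python example, which is not part of the draft, applies those rules to a login attempt and detects conflicting bidirectional bindings. It treats a pair bound bidirectionally to one user as reserved against every other user, and combines the ip-binding and mac-binding leaf-lists as a cross product when the pairwise ip-mac-bindings list is absent; both are this example's interpretation. The functions check_login and binding_conflicts and the SAMPLE_USERS records are constructed for the example.

```python
"""Added example, not from the draft: login checks against the user
object's ip-mac-binding settings (bidirectional / unidirectional).

User records are dicts shaped like the user-object tree; keyed here by
"name@aaa-domain" since name and aaa-domain are the list keys.
"""
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]   # (ipv4 address, lower-cased MAC address)

SAMPLE_USERS = {   # constructed records
    "alice@corp": {"name": "alice", "aaa-domain": "corp",
                   "ip-mac-binding": {"bind-mode": "bidirectional",
                                      "ip-mac-bindings": [
                                          {"ip-binding": "10.0.0.10",
                                           "mac-binding": "00:11:22:33:44:55"}]}},
    "bob@corp": {"name": "bob", "aaa-domain": "corp",
                 "ip-mac-binding": {"bind-mode": "unidirectional",
                                    "ip-binding": ["10.0.0.20"],
                                    "mac-binding": ["00:11:22:33:44:66"]}},
    "guest@corp": {"name": "guest", "aaa-domain": "corp",
                   "ip-mac-binding": {"no-binding": True}},
}


def _mode(user: Dict) -> Optional[str]:
    return user.get("ip-mac-binding", {}).get("bind-mode")


def _pairs(user: Dict) -> List[Pair]:
    """Normalise the binding leaves into (ip, mac) pairs.  The pairwise
    ip-mac-bindings list wins when present; otherwise the ip-binding and
    mac-binding leaf-lists are combined as a cross product (example's
    interpretation).  No binding yields an empty list."""
    b = user.get("ip-mac-binding", {})
    if b.get("no-binding", False) or "bind-mode" not in b:
        return []
    if b.get("ip-mac-bindings"):
        return [(e["ip-binding"], e["mac-binding"].lower()) for e in b["ip-mac-bindings"]]
    return [(ip, mac.lower()) for ip in b.get("ip-binding", [])
            for mac in b.get("mac-binding", [])]


def bidirectional_owner(users: Dict[str, Dict], ip: str, mac: str) -> Optional[str]:
    """Name of the user holding (ip, mac) under bidirectional binding, if any."""
    for name, u in users.items():
        if _mode(u) == "bidirectional" and (ip, mac.lower()) in _pairs(u):
            return name
    return None


def check_login(users: Dict[str, Dict], name: str, ip: str, mac: str) -> Tuple[bool, str]:
    """Decide whether `name` may log in from (ip, mac)."""
    user = users[name]
    mac = mac.lower()
    pairs = _pairs(user)
    if pairs and (ip, mac) not in pairs:
        return False, "address pair is not bound to this user"
    owner = bidirectional_owner(users, ip, mac)
    if owner is not None and owner != name:
        return False, f"address pair is reserved by bidirectionally bound user {owner}"
    return True, "ok"


def binding_conflicts(users: Dict[str, Dict]) -> Dict[Pair, List[str]]:
    """(ip, mac) pairs bound bidirectionally to more than one user: a
    configuration error under the bidirectional semantics."""
    seen: Dict[Pair, List[str]] = {}
    for name, u in users.items():
        if _mode(u) == "bidirectional":
            for p in _pairs(u):
                seen.setdefault(p, []).append(name)
    return {p: names for p, names in seen.items() if len(names) > 1}
```

With the sample records, bob and guest may both log in from bob's unidirectionally bound pair, while guest is refused from alice's bidirectionally bound pair. binding_conflicts() is the check to run when user objects are imported from an authentication server, since the model itself does not prevent two bidirectional users from being configured with the same pair.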
          +---------------------------+
          |        UserGroup_3        |
          +---------------------------+
            |                    |
            |                    |
     +--------------+      +--------------+
     | UserGroup_1  |      | UserGroup_2  |
     +--------------+      +--------------+
       |          |          |          |
       |          |          |          |
   +--------+ +--------+ +--------+ +--------+
   | User_1 | | User_2 | | User_a | | User_b |
   +--------+ +--------+ +--------+ +--------+
                   \        /
                    \      /
              +-----------------+
              | SecurityGroup_1 |
              +-----------------+

     Figure 2: Example of User, User Group and Security Group Structure

   The tree diagram of the user object is:

   grouping user-objects:
     +--rw user-object* [name aaa-domain]
        +--rw name                     user-name
        +--rw aaa-domain               string
        +--rw desc?                    string
        +--rw password?                ianach:crypt-hash
        +--rw parent-user-group        user-group-name
        +--rw parent-security-group    user-security-group-name
        +--rw expiration-time
        |  +--rw (expiration-type)
        |     +--:(never-expire)
        |     |  +--rw never-expire
        |     +--:(expire-after-this-time)
        |        +--rw expiration-time      yang:date-and-time
        +--rw ip-mac-binding
           +--rw (bind-state)
              +--:(no-binding)
              |  +--rw no-binding
              +--:(binding)
                 +--rw bind-mode            ip-mac-binding-type
                 +--rw ip-binding*          inet:ipv4-address
                 +--rw mac-binding*         yang:mac-address
                 +--rw ip-mac-bindings* [ip-binding]
                    +--rw ip-binding        inet:ipv4-address
                    +--rw mac-binding       yang:mac-address

   The tree diagram of the user group is:

   grouping user-groups:
     +--rw user-group* [name]
        +--rw name                 user-group-name
        +--rw desc?                string
        +--rw parent-user-group    user-group-name

   The tree diagram of the security group is:

   grouping security-groups:
     +--rw security-group* [name]
        +--rw name                     user-security-group-name
        +--rw desc?                    string
        +--rw parent-security-group*   user-security-group-name
        +--rw filter-action
           +--rw (filter-type)
              +--:(static)
              |  +--rw static
              +--:(dynamic)
                 +--rw dynamic
                    +--rw filter-rule*   string

5.5.  Time Range Object

   There are two kinds of time ranges: the periodic time range and the
   absolute time range.  A periodic time range recurs every week.  An
   absolute time range occurs only once.

   The tree diagram of the time range object is:

   grouping time-range-objects:
     +--rw time-range-object* [name]
        +--rw name              time-range-name
        +--rw period-time* [start end]
        |  +--rw start          hour-minute-second
        |  +--rw end            hour-minute-second
        |  +--rw weekday        weekday
        +--rw absolute-time* [start end]
           +--rw start          yang:date-and-time
           +--rw end            yang:date-and-time

5.6.  Region Object and Region Group

   A region object is a set of public IP addresses that are assigned to
   a certain geographic location.  A region group consists of a set of
   region objects.

   The tree diagram of the region object is:

   grouping region-objects:
     +--ro pre-defined-region* [name]
     |  +--ro name                    region-name
     |  +--ro desc?                   string
     |  +--ro region-ipv4-address
     |  |  +--ro address-ipv4*        inet:ipv4-prefix
     |  |  +--ro address-ipv4-range* [start-ipv4 end-ipv4]
     |  |     +--ro start-ipv4        inet:ipv4-address
     |  |     +--ro end-ipv4          inet:ipv4-address
     |  +--ro region-ipv6-address {support-ipv6-address}?
     |     +--ro address-ipv6*        inet:ipv6-prefix
     |     +--ro address-ipv6-range* [start-ipv6 end-ipv6]
     |        +--ro start-ipv6        inet:ipv6-address
     |        +--ro end-ipv6          inet:ipv6-address
     +--rw user-defined-region* [name]
        +--rw name                    region-name
        +--rw desc?                   string
        +--rw coordinate
        |  +--rw longitude            region-longitude
        |  +--rw latitude             region-latitude
        +--rw region-ipv4-address
        |  +--rw address-ipv4*        inet:ipv4-prefix
        |  +--rw address-ipv4-range* [start-ipv4 end-ipv4]
        |     +--rw start-ipv4        inet:ipv4-address
        |     +--rw end-ipv4          inet:ipv4-address
        +--rw region-ipv6-address {support-ipv6-address}?
           +--rw address-ipv6*        inet:ipv6-prefix
           +--rw address-ipv6-range* [start-ipv6 end-ipv6]
              +--rw start-ipv6        inet:ipv6-address
              +--rw end-ipv6          inet:ipv6-address

   The tree diagram of the region group is:

   grouping region-groups:
     +--rw region-group* [name]
        +--rw name                region-name
        +--rw desc?               string
        +--rw region-name*        region-name
        +--rw region-group-name*  region-name

5.7.  Domain Object

   The tree diagram of the domain object is:

   grouping domain-objects:
     +--rw domain-object* [name]
        +--rw name       domain-name
        +--rw desc?      string
        +--rw domain*    string

6.  I2NSF Security Policy Object YANG Module

   file "ietf-policy-object@2018-10-12.yang"
   module ietf-policy-object {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-policy-object";
     prefix policy-object;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import iana-crypt-hash {
       prefix ianach;
       reference
         "RFC 7317 - A YANG Data Model for System Management.";
     }

     import ietf-packet-fields {
       prefix pf;
       reference
         "draft-ietf-netmod-acl-model - Network Access Control List
          (ACL) YANG Data Model.";
     }

     organization
       "IETF I2NSF (Interface To Network Security Functions) Working
        Group";

     contact
       "WG Web:  http://tools.ietf.org/wg/i2nsf/
        WG List: i2nsf@ietf.org

        Editor: Liang Xia
                frank.xialiang@huawei.com
        Editor: Qiushi Lin
                linqiushi@huawei.com";

     description
       "This YANG module defines groupings that are used by the
        ietf-policy-object YANG module.
        Their usage is not limited to ietf-policy-object and can be
        used anywhere as applicable.";

     revision 2018-10-12 {
       description "Initial version.";
       reference
         "draft-xia-i2nsf-sec-object-dm-01";
     }

     /*
      * Typedefs for address object and address group
      */
     typedef address-set-name {
       type string {
         length "1..63";
       }
       description
         "This type represents an address object or an address group
          name.";
     }

     /*
      * Typedefs for service object and service group
      */
     typedef service-set-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a service object or a service group
          name.";
     }

     typedef port-range {
       type uint16;
       description
         "This type represents a port number, which may be a start port
          of a port range or an end port of a port range.";
     }

     typedef proto-id-range {
       type uint8 {
         range "0..255";
       }
       description
         "This type represents the range of protocol id.";
     }

     typedef icmp-name-type {
       type enumeration {
         enum echo {
           description
             "ICMP type number 8, ICMP code number 0";
         }
         enum echo-reply {
           description
             "ICMP type number 0, ICMP code number 0";
         }
         enum fragmentneed-DFset {
           description
             "ICMP type number 3, ICMP code number 4";
         }
         enum host-redirect {
           description
             "ICMP type number 5, ICMP code number 1";
         }
         enum host-tos-redirect {
           description
             "ICMP type number 5, ICMP code number 3";
         }
         enum host-unreachable {
           description
             "ICMP type number 3, ICMP code number 1";
         }
         enum information-reply {
           description
             "ICMP type number 16, ICMP code number 0";
         }
         enum information-request {
           description
             "ICMP type number 15, ICMP code number 0";
         }
         enum net-redirect {
           description
             "ICMP type number 5, ICMP code number 0";
         }
         enum net-tos-redirect {
           description
             "ICMP type number 5, ICMP code number 2";
         }
         enum net-unreachable {
           description
             "ICMP type number 3, ICMP code number 0";
         }
         enum parameter-problem {
           description
             "ICMP type number 12, ICMP code number 0";
         }
         enum port-unreachable {
           description
             "ICMP type number 3, ICMP code number 3";
         }
         enum protocol-unreachable {
           description
             "ICMP type number 3, ICMP code number 2";
         }
         enum reassembly-timeout {
           description
             "ICMP type number 11, ICMP code number 1";
         }
         enum source-quench {
           description
             "ICMP type number 4, ICMP code number 0";
         }
         enum source-route-failed {
           description
             "ICMP type number 3, ICMP code number 5";
         }
         enum timestamp-reply {
           description
             "ICMP type number 14, ICMP code number 0";
         }
         enum timestamp-request {
           description
             "ICMP type number 13, ICMP code number 0";
         }
         enum ttl-exceeded {
           description
             "ICMP type number 11, ICMP code number 0";
         }
       }
       description
         "This type is an enumeration of ICMP type names.";
     }

     typedef icmp6-name-type {
       type enumeration {
         enum redirect {
           description
             "ICMPv6 type number 137, ICMPv6 code number 0";
         }
         enum echo {
           description
             "ICMPv6 type number 128, ICMPv6 code number 0";
         }
         enum echo-reply {
           description
             "ICMPv6 type number 129, ICMPv6 code number 0";
         }
         enum err-Header-field {
           description
             "ICMPv6 type number 4, ICMPv6 code number 0";
         }
         enum frag-time-exceeded {
           description
             "ICMPv6 type number 3, ICMPv6 code number 1";
         }
         enum hop-limit-exceeded {
           description
             "ICMPv6 type number 3, ICMPv6 code number 0";
         }
         enum host-admin-prohib {
           description
             "ICMPv6 type number 1, ICMPv6 code number 1";
         }
         enum host-unreachable {
           description
             "ICMPv6 type number 1, ICMPv6 code number 3";
         }
         enum neighbor-advertisement {
           description
             "ICMPv6 type number 136, ICMPv6 code number 0";
         }
         enum neighbor-solicitation {
           description
             "ICMPv6 type number 135, ICMPv6 code number 0";
         }
         enum network-unreachable {
           description
             "ICMPv6 type number 1, ICMPv6 code number 0";
         }
         enum packet-too-big {
           description
             "ICMPv6 type number 2, ICMPv6 code number 0";
         }
         enum port-unreachable {
           description
             "ICMPv6 type number 1, ICMPv6 code number 4";
         }
         enum router-advertisement {
           description
             "ICMPv6 type number 134, ICMPv6 code number 0";
         }
         enum router-solicitation {
           description
             "ICMPv6 type number 133, ICMPv6 code number 0";
         }
         enum unknown-ipv6-opt {
           description
             "ICMPv6 type number 4, ICMPv6 code number 2";
         }
         enum unknown-next-hdr {
           description
             "ICMPv6 type number 4, ICMPv6 code number 1";
         }
       }
       description
         "This type is an enumeration of ICMPv6 type names.";
     }

     /*
      * Typedefs for application object and application group
      */
     typedef protocol {
       type enumeration {
         enum tcp {
           description
             "tcp protocol";
         }
         enum udp {
           description
             "udp protocol";
         }
         enum any {
           description
             "any protocol";
         }
       }
       description
         "The protocol of a user-defined application rule: tcp/udp/any.";
     }

     typedef mode {
       type enumeration {
         enum flow {
           description
             "Keyword exists in multiple packets";
         }
         enum packet {
           description
             "Keyword exists in one packet";
         }
       }
       description
         "The mode of keyword identification used to identify
          user-defined applications.  If the keyword exists in one
          packet, the mode is Packet.  If the keyword exists in multiple
          packets, the mode is Flow.";
     }

     typedef direction {
       type enumeration {
         enum request {
           description
             "Request indicates that data to the server is monitored to
              detect applications.";
         }
         enum response {
           description
             "Response indicates that data from the server is monitored
              to detect applications.";
         }
         enum both {
           description
             "Both indicates that data from and to the server is
              monitored to detect applications.";
         }
       }
       description
         "The data flow direction that is monitored to identify
          user-defined applications: request/response/both.  Request
          indicates that data to the server is monitored to detect
          applications, Response indicates that data from the server is
          monitored to detect applications, and Both indicates that data
          from and to the server is monitored to detect applications.";
     }

     typedef pattern-type {
       type enumeration {
         enum regular {
           description
             "Regular indicates that the keyword of the match pattern is
              not a fixed string; it is represented by a regular
              expression.";
         }
         enum plain {
           description
             "Plain indicates that the keyword of the match pattern is a
              fixed string.";
         }
       }
       description
         "The match pattern type of the user-defined application rule.
          If the keyword is a fixed string, the pattern type is Plain.
          If the keyword is not a fixed string, the pattern type is
          Regular (a regular expression).";
     }

     /*
      * Typedefs for user object, user group, and security group
      */
     typedef user-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a user name.";
     }

     typedef user-group-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a user group name.";
     }

     typedef user-security-group-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a security group name.";
     }

     typedef ip-mac-binding-type {
       type enumeration {
         enum bidirectional {
           description
             "Bidirectional binding indicates that a user must use the
              specified IP and MAC addresses to log in.  The same IP and
              MAC addresses cannot be used by other bidirectional
              binding users.";
         }
         enum unidirectional {
           description
             "Unidirectional binding indicates that a user must use the
              specified IP and MAC addresses to log in.  The same IP and
              MAC addresses can also be used by other users.";
         }
       }
       description
         "The user and IP/MAC address binding mode: bidirectional or
          unidirectional.  In unidirectional binding, a user must use
          the specified IP and MAC addresses to log in; the same IP and
          MAC addresses can also be used by other users.  In
          bidirectional binding, a user must use the specified IP and
          MAC addresses to log in; the same IP and MAC addresses cannot
          be used by other bidirectional binding users.";
     }

     /*
      * Typedefs for time range object
      */
     typedef time-range-name {
       type string {
         length "1..32";
       }
       description
         "This type represents a time-range name.";
     }

     typedef hour-minute-second {
       type string {
         pattern '\d{1,2}:\d{1,2}:\d{1,2}';
       }
       description
         "The representation of Hour, Minute, Second - hh:mm:ss";
     }

     typedef weekday {
       type enumeration {
         enum sunday {
           description
             "Sunday of the week";
         }
         enum monday {
           description
             "Monday of the week";
         }
         enum tuesday {
           description
             "Tuesday of the week";
         }
         enum wednesday {
           description
             "Wednesday of the week";
         }
         enum thursday {
           description
             "Thursday of the week";
         }
         enum friday {
           description
             "Friday of the week";
         }
         enum saturday {
           description
             "Saturday of the week";
         }
       }
       description
         "A type modeling the weekdays in the Greco-Roman tradition.";
     }

     /*
      * Typedefs for region object and region group
      */
     typedef region-name {
       type string;
       description
         "This type represents a location or location set name.";
     }

     typedef region-longitude {
       type string;
       description
         "This type represents a region longitude number
          (-180.00 - 180.00).";
     }

     typedef region-latitude {
       type string;
       description
         "This type represents a region latitude number
          (-90.00 - 90.00).";
     }

     typedef domain-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a domain object name.";
     }

     /*
      * Identities for application object and application group
      */
     identity protocol-field {
       description
         "Base type of protocol field.";
     }

     identity general-payload {
       base protocol-field;
       description
         "The field of the signature is general-payload.";
     }

     identity http-method {
       base protocol-field;
       description
         "The field of the signature is http.method.";
     }

     identity http-uri {
       base protocol-field;
       description
         "The field of the signature is http.uri.";
     }

     identity http-user-agent {
       base protocol-field;
       description
         "The field of the signature is http.user-agent.";
     }

     identity http-host {
       base protocol-field;
       description
         "The field of the signature is http.host.";
     }

     identity http-content-type {
       base protocol-field;
       description
         "The field of the signature is http.content-type.";
     }

     identity http-cookie {
       base protocol-field;
       description
         "The field of the signature is http.cookie.";
     }

     identity http-body {
       base protocol-field;
       description
         "The field of the signature is http.body.";
     }

     /*
      * Features for application object
      */
     feature user-defined-application {
       description
         "This feature means the NSF supports the user-defined
          application function that can be used to define application
          rules.";
     }

     /*
      * Features for region object
      */
     feature support-ipv6-address {
       description
         "This feature means the NSF supports configuring IPv6 addresses
          for Region Objects.";
     }

     /*
      * Groupings for address object and address group
      */
     grouping address-objects {
       list address-object {
         key "name";
         leaf name {
           type address-set-name;
           description
             "The name of the address object.";
         }
         leaf desc {
           type string {
             length "1..127";
           }
           description
             "The description of the address object.";
         }
         leaf vpn-instance {
           type string;
           description
             "The name of the vpn-instance.";
         }
         list elements {
           key "elem-id";
           leaf elem-id {
             type uint16;
             description
               "The id of the element in the address object.";
           }
           choice object-items {
             case ipv4 {
               leaf address-ipv4 {
                 type inet:ipv4-prefix;
                 description
                   "A set of IPv4 addresses that are represented by an
                    IPv4 address prefix.";
               }
             }
             case ipv6 {
               leaf address-ipv6 {
                 type inet:ipv6-prefix;
                 description
                   "A set of IPv6 addresses that are represented by an
                    IPv6 address prefix.";
               }
             }
             case mac {
               leaf mac-address {
                 type yang:mac-address;
                 description
                   "MAC address.  This leaf is combined with the
                    mac-address-mask leaf to represent a single MAC
                    address or a set of MAC addresses.  If the
                    mac-address-mask leaf is not present, this leaf
                    represents a single MAC address.  If the
                    mac-address-mask leaf is set, this leaf represents
                    a range of contiguous MAC addresses.";
               }
               leaf mac-address-mask {
                 type yang:mac-address;
                 description
                   "If this leaf is not present, the mac-address leaf
                    represents a single MAC address.  If this leaf is
                    set, the mac-address leaf represents a range of
                    contiguous MAC addresses.";
               }
             }
             case ipv4-range {
               leaf start-ipv4 {
                 type inet:ipv4-address;
                 description
                   "The start IPv4 address of an IPv4 address range.";
               }
               leaf end-ipv4 {
                 type inet:ipv4-address;
                 description
                   "The end IPv4 address of an IPv4 address range.";
               }
             }
             case ipv6-range {
               leaf start-ipv6 {
                 type inet:ipv6-address;
                 description
                   "The start IPv6 address of an IPv6 address range.";
               }
               leaf end-ipv6 {
                 type inet:ipv6-address;
                 description
                   "The end IPv6 address of an IPv6 address range.";
               }
             }
             description
               "Different types of addresses: IPv4, IPv6, MAC.";
           }
           description
             "A list of addresses that belong to a specific address
              object.";
         }
         description
           "A list of address objects.";
       }
       description
         "This grouping represents a list of address objects.
An address object is identified by a unique name and contains a set of IPv4/IPv6 addresses or MAC addresses. This grouping reuse the predefined address-object-item grouping."; 1142 } 1143 grouping address-groups { 1144 list address-group { 1145 key "name"; 1146 leaf name { 1147 type address-set-name; 1148 description 1149 "The name of the address group."; 1150 } 1151 leaf desc { 1152 type string{ 1153 length "1..127"; 1154 } 1155 description 1156 "The description of the address group."; 1157 } 1158 leaf vpn-instance { 1159 type string; 1160 description 1161 "The name of the vpn-instrance."; 1162 } 1163 list elements { 1164 key "elem-id"; 1165 leaf elem-id { 1166 type uint16; 1167 description 1168 "The id of the element in address group."; 1169 } 1170 leaf addr-object-name { 1171 type address-set-name; 1172 mandatory true; 1173 description 1174 "The name of the address object that consists the address group."; 1175 } 1176 description 1177 "A list of address objects that consists the address group object."; 1178 } 1179 description 1180 "A list of address group objects."; 1181 } 1182 description 1183 "An address group object is comprised of several address objects that require the same policy enforcement. 
This grouping represents a list of address groups."; 1184 } 1186 /* 1187 * Groupings for service object and service group 1188 */ 1189 grouping port-items { 1190 container source-port { 1191 uses pf:port-range-or-operator; 1192 description 1193 "Source port definition from range or operator."; 1194 } 1195 container dest-port { 1196 uses pf:port-range-or-operator; 1197 description 1198 "Destination port definition from range or operator."; 1199 } 1200 description 1201 "This grouping consists of the source port numbers and destination port numbers that represent UDP, TCP or SCTP based services."; 1202 } 1204 grouping service-objects { 1205 list pre-defined-service { 1206 key "name"; 1207 config false; 1208 leaf name { 1209 type service-set-name; 1210 config false; 1211 description 1212 "The name of the predefined service object."; 1213 } 1214 leaf session-aging-time { 1215 type uint16; 1216 units second; 1217 config false; 1218 description 1219 "The aging time of the predefined service object."; 1220 } 1221 description 1222 "A list of the predefined service objects."; 1223 } 1224 list service-object { 1225 key "name"; 1226 leaf name { 1227 type service-set-name; 1228 description 1229 "The name of the service object."; 1230 } 1231 leaf session-aging-time { 1232 type uint16; 1233 units second; 1234 description 1235 "The aging time of the service object."; 1236 } 1237 leaf desc { 1238 type string{ 1239 length "1..127"; 1240 } 1241 description 1242 "The description of the service object."; 1243 } 1244 list items { 1245 key "id"; 1246 leaf id { 1247 type uint16; 1248 description 1249 "The id of the element in service object."; 1250 } 1251 choice item { 1252 case tcp-item { 1253 container tcp { 1254 uses port-items; 1255 description 1256 "TCP based service is recognized by source port number and destination port number. 
This container reuse the port-items grouping."; 1257 } 1258 } 1259 case udp-item { 1260 container udp { 1261 uses port-items; 1262 description 1263 "UDP based service is recognized by source port number and destination port number. This container reuse the port-items grouping."; 1264 } 1265 } 1266 case sctp-item { 1267 container sctp { 1268 uses port-items; 1269 description 1270 "SCTP based service is recognized by source port number and destination port number. This container reuse the port-items grouping."; 1271 } 1272 } 1273 case icmp-item { 1274 choice icmp-type { 1275 case name-type { 1276 leaf icmp-name { 1277 type icmp-name-type; 1278 mandatory true; 1279 description 1280 "The ICMP based service is identified by the predefined ICMP name type."; 1281 } 1282 } 1283 case type-code { 1284 container icmp-type-code { 1285 leaf icmp-type-number { 1286 type uint8; 1287 mandatory true; 1288 description 1289 "The ICMP type number."; 1290 } 1291 leaf icmp-code-number { 1292 type string; 1293 mandatory true; 1294 description 1295 "The ICMP code number."; 1296 } 1297 description 1298 "The ICMP based service is recognized by two header fields in the ICMP packets: type field and code field."; 1299 } 1300 } 1301 description 1302 "The ICMP based service object and its attributes."; 1303 } 1304 } 1305 case icmp6-item { 1306 choice icmp6-type { 1307 case name-type { 1308 leaf icmp6-name { 1309 type icmp6-name-type; 1310 mandatory true; 1311 description 1312 "The ICMPv6 based service is identified by the predefined ICMPv6 name type."; 1313 } 1314 } 1315 case type-code { 1316 container icmp6-type-code { 1317 leaf icmp6-type-number { 1318 type uint8; 1319 mandatory true; 1320 description 1321 "The ICMPv6 type number."; 1322 } 1323 leaf icmp6-code-number { 1324 type string; 1325 mandatory true; 1326 description 1327 "The ICMP code number."; 1328 } 1329 description 1330 "The ICMPv6 based service is recognized by two header fields in the ICMPv6 packets: type field and code field."; 
1331 } 1332 } 1333 description 1334 "The ICMPv6 based service object and its attributes."; 1335 } 1336 description 1337 "The ICMPv6 based service object and its attributes."; 1338 } 1339 case protocol-id { 1340 leaf proto-id { 1341 type proto-id-range; 1342 mandatory true; 1343 description 1344 "IP based service is identified by the value of the protocol field in IP packet header."; 1345 } 1346 } 1347 description 1348 "Diffrent types of protocols for service definition."; 1349 } 1350 description 1351 "A list of service items that consist an service object."; 1352 } 1353 description 1354 "A list of user defined service objects."; 1355 } 1356 description 1357 "A list of the predefined service objects and user defined service objects."; 1358 } 1360 grouping service-groups { 1361 list service-group { 1362 key "name"; 1363 leaf name { 1364 type service-set-name; 1365 description 1366 "The name of the service group."; 1367 } 1368 leaf desc { 1369 type string{ 1370 length "1..127"; 1371 } 1372 description 1373 "The description of the service group."; 1374 } 1375 list items { 1376 key "id"; 1377 leaf id { 1378 type uint16; 1379 description 1380 "The id of the element in service group."; 1382 } 1383 leaf service-object-name { 1384 type service-set-name; 1385 mandatory true; 1386 description 1387 "The name of the service object that consists the service group."; 1388 } 1389 description 1390 "A list of service objects that consists the service group object."; 1391 } 1392 description 1393 "A list of service group objects."; 1394 } 1395 description 1396 "A service group object is comprised of several service objects that require the same policy enforcement. 
This grouping represents a list of service groups."; 1397 } 1399 /* 1400 * Groupings for application object and application group 1401 */ 1402 grouping application-objects { 1403 container user-defined-application { 1404 if-feature user-defined-application; 1405 container applications { 1406 list application { 1407 key "name"; 1408 leaf name { 1409 type string; 1410 description 1411 "The name of user-defined application object."; 1412 } 1413 leaf-list label { 1414 type string; 1415 description 1416 "A list of labels for user-defined application."; 1417 } 1418 leaf data-model { 1419 type string; 1420 description 1421 "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF."; 1422 } 1423 leaf category { 1424 type string; 1425 description 1426 "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category."; 1427 } 1428 leaf subcategory { 1429 type string; 1430 description 1431 "The subcategory of user-defined application. "; 1432 } 1433 leaf risk-value { 1434 type uint32; 1435 config false; 1436 description 1437 "The risk value of predefined application."; 1438 } 1439 leaf desc { 1440 type string; 1441 description 1442 "The description information of user-defined application."; 1443 } 1444 list rule { 1445 key "name"; 1446 leaf name { 1447 type string; 1448 description 1449 "The name of the user-defined application rule."; 1450 } 1451 leaf protocol { 1452 type protocol; 1453 description 1454 "The protocol that user-defined application is based on."; 1455 } 1456 container signature { 1457 leaf mode { 1458 type string; 1459 description 1460 "The mode of keyword identification. If the keyword exists in one packet, the mode is Packet. 
If the keyword exists in multiple packets, the mode is Flow."; 1461 } 1462 leaf direction { 1463 type direction; 1464 description 1465 "The traffic direction for application identification. Request indicates that data to the server is detected, Response indicates that data from the server is detected, and Both indicates that data from and to the server is detected."; 1466 } 1467 leaf pattern-type{ 1468 type pattern-type; 1469 description 1470 "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression."; 1471 } 1472 leaf pattern { 1473 type string; 1474 description 1475 "The keyword of user-defined application rule."; 1476 } 1477 leaf field { 1478 type identityref { 1479 base protocol-field; 1480 } 1481 default general-payload; 1482 description 1483 "The protocol field to search for a signature. The default protocol field is General-payload."; 1484 } 1485 description 1486 "The signature/characteristics of user-defined application."; 1487 } 1488 description 1489 "The rule used to identify the user-defined application."; 1490 } 1491 leaf-list ip-address { 1492 type inet:ip-prefix; 1493 description 1494 "The destination IPv4/IPv6 address of user-defined application."; 1495 } 1496 leaf-list port { 1497 type inet:port-number; 1498 description 1499 "The destination port number of user-defined application."; 1500 } 1501 description 1502 "A list of user-defined application objects."; 1503 } 1504 description 1505 "When the NSF supports user-defined application function, these are a list of user-defined application objects."; 1506 } 1507 description 1508 "When the NSF supports user-defined application function, this container is used to configure application objects."; 1509 } 1510 container predefined-application { 1511 config false; 1512 list application { 1513 key "name"; 1514 leaf name { 1515 type string; 1516 config false; 1517 
description 1518 "The name of the predefined application."; 1519 } 1520 leaf-list protocol { 1521 type string; 1522 config false; 1523 description 1524 "The protocol information of application."; 1525 } 1526 leaf risk-value { 1527 type uint32; 1528 config false; 1529 description 1530 "The risk value of predefined application."; 1531 } 1532 leaf-list label { 1533 type string; 1534 config false; 1535 description 1536 "The label of predefined application,an application may have multiple labels."; 1537 } 1538 leaf abandon { 1539 type boolean; 1540 config false; 1541 description 1542 "The abandon flag of predefined application."; 1543 } 1544 leaf multichannel { 1545 type boolean; 1546 config false; 1547 description 1548 "The multi channel flag of predefined application."; 1549 } 1550 leaf data-model { 1551 type string; 1552 description 1553 "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF."; 1554 } 1555 leaf category { 1556 type string; 1557 config false; 1558 description 1559 "The category of user-defined application. 
The value of this leaf is selected from a predefined set of categories, e.g., general category, network category."; 1560 } 1561 leaf subcategory { 1562 type string; 1563 config false; 1564 description 1565 "The name of application subcategory."; 1566 } 1567 leaf desc { 1568 type string; 1569 config false; 1570 description 1571 "The description information of application."; 1572 } 1573 description 1574 "The attributes of a predefined application."; 1575 } 1576 description 1577 "The information of all predefined applications."; 1578 } 1579 description 1580 "A list of predefined application objects."; 1581 } 1583 grouping application-groups { 1584 list application-group { 1585 key "name"; 1586 leaf name { 1587 type string; 1588 description 1589 "The name of the application group."; 1590 } 1591 leaf desc { 1592 type string{ 1593 length "1..127"; 1594 } 1595 description 1596 "The description of the application group."; 1597 } 1598 list items { 1599 key "id"; 1600 leaf id { 1601 type uint16; 1602 description 1603 "The id of the element in application group."; 1604 } 1605 leaf application-object-name { 1606 type string; 1607 mandatory true; 1608 description 1609 "The name of the application object that consists the application group."; 1610 } 1611 description 1612 "A list of application objects that consist an application group object."; 1613 } 1614 description 1615 "A list of application group objects."; 1616 } 1617 description 1618 "An application group object is comprised of several application objects that require the same policy enforcement. 
This grouping represents a list of application groups."; 1619 } 1620 /* 1621 * Groupings for user object, user group and security group 1622 */ 1623 grouping user-objects { 1624 list user-object { 1625 key "name aaa-domain"; 1626 leaf name { 1627 type user-name; 1628 description 1629 "The name of the user."; 1630 } 1631 leaf aaa-domain { 1632 type string { 1633 length "1..64"; 1634 } 1635 description 1636 "The name of the domain to which the user belong."; 1637 } 1638 leaf desc { 1639 type string { 1640 length "1..127"; 1641 } 1642 description 1643 "The description of the user."; 1644 } 1645 leaf password { 1646 type ianach:crypt-hash; 1647 description 1648 "If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name."; 1649 } 1650 leaf parent-user-group { 1651 type user-group-name; 1652 description 1653 "The name of the parent group. User objects and user groups are in a hierarchical structure. A user object can only belong to one user group."; 1654 } 1655 leaf-list parent-security-group { 1656 type user-security-group-name; 1657 max-elements 40; 1658 description 1659 "The name of the parent security group. 
A user object can belong to several security groups."; 1660 } 1661 container expiration-time { 1662 choice expiration-type { 1663 case never-expire { 1664 leaf never-expire { 1665 type empty; 1666 description 1667 "This case indicates that the user never expire."; 1669 } 1670 } 1671 case expire-after-this-time { 1672 leaf expiration-time { 1673 type yang:date-and-time; 1674 description 1675 "User expired time."; 1676 } 1677 } 1678 description 1679 "Two types of user expiration configurations."; 1680 } 1681 description 1682 "User expiration time."; 1683 } 1684 container ip-mac-binding { 1685 choice bind-state { 1686 case no-binding { 1687 leaf no-binding{ 1688 type empty; 1689 mandatory true; 1690 description 1691 "No binding: Indicates that a user is not bound to any IP or MAC address."; 1692 } 1693 } 1694 case binding { 1695 leaf bind-mode{ 1696 type ip-mac-binding-type; 1697 description 1698 "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users. In bidirectional binding, a user must use the specified IP and MAC addresses to log in. 
The same IP and MAC addresses cannot be used by other bidirectional binding users."; 1699 } 1700 leaf-list ip-binding { 1701 type inet:ipv4-address; 1702 description 1703 "The IP address bound to the user."; 1704 } 1705 leaf-list mac-binding { 1706 type yang:mac-address; 1707 description 1708 "The MAC address bound to the user."; 1709 } 1710 list ip-mac-bindings { 1711 key "ip-binding"; 1712 unique "mac-binding"; 1713 leaf ip-binding { 1714 type inet:ipv4-address; 1715 description 1716 "The bound IPv4 address"; 1718 } 1719 leaf mac-binding { 1720 type yang:mac-address; 1721 description 1722 "The bound mac address"; 1723 } 1724 description 1725 "Configure the IP address and MAC address pairs bound to the user."; 1726 } 1727 } 1728 description 1729 "The binding state: no-binding, binding."; 1730 } 1731 description 1732 "Whether there are IP/MAC addresses bound to the user."; 1733 } 1734 description 1735 "User Object and its attributes."; 1736 } 1737 description 1738 "A list of user objects."; 1739 } 1741 grouping security-groups { 1742 list security-group { 1743 key "name"; 1744 leaf name { 1745 type user-security-group-name; 1746 description 1747 "The name of the security-group."; 1748 } 1749 leaf desc { 1750 type string { 1751 length "1..127"; 1752 } 1753 description 1754 "The description of the security-group."; 1755 } 1756 leaf-list parent-security-group { 1757 type user-security-group-name; 1758 max-elements 40; 1759 description 1760 "Configure the name of the parent-security-group."; 1761 } 1762 container filter-action { 1763 choice filter-type { 1764 case static { 1765 leaf static { 1766 type empty; 1767 mandatory true; 1768 description 1769 "Empty leaf indicates that this is a static security group."; 1770 } 1771 } 1772 case dynamic { 1773 leaf dynamic { 1774 type empty; 1775 mandatory true; 1776 description 1777 "Empty leaf indicates that this is a dynamic security group."; 1778 } 1779 leaf-list filter-rule { 1780 type string { 1781 length "1..256"; 1782 } 
1783 max-elements 5; 1784 description 1785 "Filter rules for dynamic security group."; 1786 } 1787 } 1788 description 1789 "The filter type: static, dynamic."; 1790 } 1791 description 1792 "The filter type of the security group, static and dynamic. For dynamic security group, an filter rule needs to be configured."; 1793 } 1794 description 1795 "Security group and its attributes."; 1796 } 1797 description 1798 "A list of security groups."; 1799 } 1801 grouping user-groups { 1802 list user-group { 1803 key "name"; 1804 leaf name { 1805 type user-group-name; 1806 description 1807 "The name of the user group."; 1808 } 1809 leaf desc { 1810 type string { 1811 length "1..63"; 1812 } 1813 description 1814 "The description of the user group."; 1815 } 1816 leaf parent-user-group { 1817 type user-group-name; 1818 description 1819 "The name of the user group. A user group can only belong to one parent user group."; 1820 } 1821 description 1822 "User group and its attributes."; 1823 } 1824 description 1825 "A list of user groups"; 1826 } 1828 /* 1829 * Groupings for time range object 1830 */ 1831 grouping time-range-objects { 1832 list time-range-object { 1833 key "name"; 1834 leaf name { 1835 type time-range-name; 1836 description 1837 "The name of the time range object."; 1838 } 1839 list period-time { 1840 key "start end"; 1841 leaf start { 1842 type hour-minute-second; 1843 mandatory true; 1844 description 1845 "Start time of the periodic time range."; 1846 } 1847 leaf end { 1848 type hour-minute-second; 1849 mandatory true; 1850 description 1851 "End time of the periodic time range."; 1852 } 1853 leaf-list weekday { 1854 type weekday; 1855 min-elements 1; 1856 max-elements 7; 1857 description 1858 "The weekday to which the periodic time range belongs."; 1859 } 1860 description 1861 "Periodic time that the associated function starts going into effect."; 1862 } 1863 list absolute-time { 1864 key "start end"; 1865 leaf start { 1866 type yang:date-and-time; 1867 description 
1868 "Absolute start time and date"; 1869 } 1870 leaf end { 1871 type yang:date-and-time; 1872 description 1873 "Absolute end time and date"; 1874 } 1875 description 1876 "Absolute time and date that the associated function starts going into effect."; 1877 } 1878 description 1879 "The time range object and its attributes."; 1880 } 1881 description 1882 "A list of time range objects"; 1883 } 1885 /* 1886 * Groupings for region object and region group 1887 */ 1888 grouping region-objects { 1889 list pre-defined-region { 1890 key "name"; 1891 config false; 1892 leaf name { 1893 type region-name; 1894 config false; 1895 description 1896 "The name of the predefined region."; 1897 } 1898 leaf desc { 1899 type string; 1900 config false; 1901 description 1902 "The description of the predefined region."; 1903 } 1904 container region-ipv4-address { 1905 leaf-list address-ipv4 { 1906 type inet:ipv4-prefix; 1907 config false; 1908 description 1909 "IPv4 address."; 1910 } 1911 list address-ipv4-range { 1912 key "start-ipv4 end-ipv4"; 1913 leaf start-ipv4 { 1914 type inet:ipv4-address; 1915 config false; 1916 description 1917 "Start ipv4 address."; 1918 } 1919 leaf end-ipv4 { 1920 type inet:ipv4-address; 1921 config false; 1922 description 1923 "End ipv4 address."; 1924 } 1925 description 1926 "A list of ipv4 address ranges"; 1927 } 1928 description 1929 "The IPv4 addresses of the predefined region."; 1930 } 1931 container region-ipv6-address { 1932 if-feature support-ipv6-address; 1933 leaf-list address-ipv6 { 1934 type inet:ipv6-prefix; 1935 config false; 1936 description 1937 "IPv6 address."; 1938 } 1939 list address-ipv6-range { 1940 key "start-ipv6 end-ipv6"; 1941 leaf start-ipv6 { 1942 type inet:ipv6-address; 1943 config false; 1944 description 1945 "Start ipv6 address."; 1946 } 1947 leaf end-ipv6 { 1948 type inet:ipv6-address; 1949 config false; 1950 description 1951 "End ipv6 address."; 1952 } 1953 description 1954 "A list of ipv6 address ranges"; 1955 } 1956 description 
1957 "The IPv6 addresses of the predefined region."; 1958 } 1959 description 1960 "A list of predefined region objects."; 1961 } 1962 list user-defined-region { 1963 key "name"; 1964 leaf name { 1965 type region-name; 1966 description 1967 "The name of the user-defined region."; 1968 } 1969 leaf desc { 1970 type string; 1971 description 1972 "The description of the user-defined region."; 1973 } 1974 container coordinate { 1975 leaf longitude { 1976 type region-longitude; 1977 description 1978 "The latitude of the user-defined region."; 1979 } 1980 leaf latitude { 1981 type region-latitude; 1982 description 1983 "The longitude of the user-defined region."; 1984 } 1985 description 1986 "The latitude and longitude of the user-defined region."; 1987 } 1988 container region-ipv4-address { 1989 leaf-list address-ipv4 { 1990 type inet:ipv4-prefix; 1991 description 1992 "IPv4 address."; 1993 } 1994 list address-ipv4-range { 1995 key "start-ipv4 end-ipv4"; 1996 leaf start-ipv4 { 1997 type inet:ipv4-address; 1998 description 1999 "Start ipv4 address."; 2000 } 2001 leaf end-ipv4 { 2002 type inet:ipv4-address; 2003 description 2004 "End ipv4 address."; 2005 } 2006 description 2007 "A list of ipv4 address ranges"; 2008 } 2009 description 2010 "The IPv4 addresses of the predefined region."; 2011 } 2012 container region-ipv6-address { 2013 if-feature support-ipv6-address; 2014 leaf-list address-ipv6 { 2015 type inet:ipv6-prefix; 2016 description 2017 "IPv6 address."; 2018 } 2019 list address-ipv6-range { 2020 key "start-ipv6 end-ipv6"; 2021 leaf start-ipv6 { 2022 type inet:ipv6-address; 2023 description 2024 "Start ipv6 address."; 2025 } 2026 leaf end-ipv6 { 2027 type inet:ipv6-address; 2028 description 2029 "End ipv6 address."; 2030 } 2031 description 2032 "A list of ipv6 address ranges"; 2033 } 2034 description 2035 "The IPv6 addresses of the user-defined region."; 2036 } 2037 description 2038 "A list of user-defined region objects."; 2039 } 2040 description 2041 "A list of 
predefined region objects and a list of user-defined region objects."; 2042 } 2044 grouping region-groups { 2045 list region-group { 2046 key "name"; 2047 leaf name { 2048 type region-name; 2049 description 2050 "The name of the region group."; 2051 } 2052 leaf desc { 2053 type string; 2054 description 2055 "The description of the region group."; 2056 } 2057 leaf-list region-name { 2058 type region-name; 2059 description 2060 "A list of region objects."; 2061 } 2062 leaf-list region-group-name { 2063 type region-name; 2064 description 2065 "A list of region groups."; 2066 } 2067 description 2068 "Region group consists of a set of region objects or region groups."; 2069 } 2070 description 2071 "A list of region group objects."; 2072 } 2074 /* 2075 * Groupings for domain object 2076 */ 2077 grouping domain-objects { 2078 list domain-object { 2079 key "name"; 2080 leaf name { 2081 type domain-name; 2082 description 2083 "The name of the domain object."; 2084 } 2085 leaf desc { 2086 type string; 2087 description 2088 "The description of the domain object."; 2089 } 2090 leaf-list domain { 2091 type string; 2092 description 2093 "A list of domains that consists the domain objects."; 2094 } 2095 description 2096 "Domain object and its attributes."; 2097 } 2098 description 2099 "A list of domain objects."; 2101 } 2102 } 2104 7. Acknowledgements 2106 8. IANA Considerations 2108 This document requires no IANA actions. 2110 9. Security Considerations 2112 Secure transport should be used to retrieve the current status of 2113 management plane security baseline. 2115 10. References 2117 10.1. Normative References 2119 [I-D.ietf-i2nsf-capability] 2120 Xia, L., Strassner, J., Basile, C., and D. Lopez, 2121 "Information Model of NSFs Capabilities", draft-ietf- 2122 i2nsf-capability-02 (work in progress), July 2018. 2124 [I-D.ietf-i2nsf-terminology] 2125 Hares, S., Strassner, J., Lopez, D., Xia, L., and H. 
2126 Birkholz, "Interface to Network Security Functions (I2NSF) 2127 Terminology", draft-ietf-i2nsf-terminology-06 (work in 2128 progress), July 2018. 2130 [I-D.ietf-netmod-acl-model] 2131 Jethanandani, M., Agarwal, S., Huang, L., and D. Blair, 2132 "Network Access Control List (ACL) YANG Data Model", 2133 draft-ietf-netmod-acl-model-20 (work in progress), October 2134 2018. 2136 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 2137 Kumar, "Framework for Interface to Network Security 2138 Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, 2139 . 2141 10.2. Informative References 2143 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2144 Requirement Levels", BCP 14, RFC 2119, 2145 DOI 10.17487/RFC2119, March 1997, 2146 . 2148 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2149 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2150 . 2152 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2153 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2154 . 2156 Authors' Addresses 2158 Liang Xia 2159 Huawei 2160 101 Software Avenue, Yuhuatai District 2161 Nanjing, Jiangsu 210012 2162 China 2164 Email: Frank.xialiang@huawei.com 2166 Qiushi Lin 2167 Huawei 2168 Huawei Industrial Base 2169 Shenzhen, Guangdong 518129 2170 China 2172 Email: linqiushi@huawei.com
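Added example, not part of the draft or any I2NSF implementation: a Python validator that applies the ip-mac-binding semantics of the user-objects grouping (addresses are exclusive among bidirectional binding users, unidirectional users may share them, the bind-state choice admits one case, the list key and `unique "mac-binding"` constraints, and the max-elements 40 limit on parent-security-group) to a constructed JSON instance. The RFC 7951 convention of encoding an `empty` leaf as `[null]` and the address-syntax regexes are assumptions of the example.

```python
"""Validator for the ip-mac-binding semantics of the user-object list.

Input shape (assumption): a Python list of user-object entries as they
would appear in RFC 7951 JSON encoding, i.e. 'empty' leaves are [None].
"""
from __future__ import annotations

import re

# Assumed syntax checks for inet:ipv4-address and yang:mac-address.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
MAX_PARENT_SECURITY_GROUPS = 40  # max-elements 40 on parent-security-group
BINDING_LEAVES = ("bind-mode", "ip-binding", "mac-binding", "ip-mac-bindings")


def _bound_addresses(binding: dict) -> tuple[set[str], set[str]]:
    """All IPv4 and MAC addresses the 'binding' case mentions: the two
    leaf-lists plus both columns of the ip-mac-bindings list."""
    ips = set(binding.get("ip-binding", []))
    macs = set(binding.get("mac-binding", []))
    for pair in binding.get("ip-mac-bindings", []):
        ips.add(pair["ip-binding"])
        macs.add(pair["mac-binding"])
    return ips, macs


def validate_user_objects(users: list[dict]) -> list[str]:
    """Return human-readable violations; an empty list means the instance is valid."""
    errors: list[str] = []
    seen_keys: set[tuple[str, str]] = set()
    bidir_ips: dict[str, str] = {}   # address -> user that bound it bidirectionally
    bidir_macs: dict[str, str] = {}
    for user in users:
        key = (user["name"], user["aaa-domain"])
        who = f"{key[0]}@{key[1]}"
        if key in seen_keys:
            errors.append(f"{who}: duplicate list key 'name aaa-domain'")
            continue
        seen_keys.add(key)
        if len(user.get("parent-security-group", [])) > MAX_PARENT_SECURITY_GROUPS:
            errors.append(f"{who}: more than {MAX_PARENT_SECURITY_GROUPS} parent-security-group entries")
        binding = user.get("ip-mac-binding", {})
        has_binding = any(k in binding for k in BINDING_LEAVES)
        if "no-binding" in binding and has_binding:
            errors.append(f"{who}: choice bind-state carries both the no-binding and binding cases")
            continue
        if not has_binding:
            continue  # no-binding: nothing to check
        pairs = binding.get("ip-mac-bindings", [])
        pair_ips = [p["ip-binding"] for p in pairs]
        pair_macs = [p["mac-binding"] for p in pairs]
        if len(set(pair_ips)) != len(pair_ips):
            errors.append(f"{who}: duplicate ip-binding key in ip-mac-bindings")
        if len(set(pair_macs)) != len(pair_macs):
            errors.append(f"{who}: duplicate mac-binding violates 'unique' in ip-mac-bindings")
        ips, macs = _bound_addresses(binding)
        errors.extend(f"{who}: '{ip}' is not an inet:ipv4-address" for ip in ips if not IPV4_RE.match(ip))
        errors.extend(f"{who}: '{mac}' is not a yang:mac-address" for mac in macs if not MAC_RE.match(mac))
        mode = binding.get("bind-mode")
        if mode not in ("bidirectional", "unidirectional"):
            errors.append(f"{who}: bind-mode must be bidirectional or unidirectional")
            continue
        if mode == "unidirectional":
            continue  # unidirectional users may share addresses with anyone
        # bidirectional: addresses are exclusive among bidirectional binding users
        for ip in sorted(ips):
            owner = bidir_ips.setdefault(ip, who)
            if owner != who:
                errors.append(f"{who}: IP {ip} is already bound bidirectionally to {owner}")
        for mac in sorted(macs):
            owner = bidir_macs.setdefault(mac, who)
            if owner != who:
                errors.append(f"{who}: MAC {mac} is already bound bidirectionally to {owner}")
    return errors


# Constructed sample instance (not from the draft).
SAMPLE_USERS = [
    {"name": "alice", "aaa-domain": "corp", "parent-security-group": ["finance"],
     "ip-mac-binding": {"bind-mode": "bidirectional",
                        "ip-mac-bindings": [{"ip-binding": "10.0.0.10",
                                             "mac-binding": "00:11:22:33:44:55"}]}},
    # unidirectional: may share alice's IP
    {"name": "bob", "aaa-domain": "corp",
     "ip-mac-binding": {"bind-mode": "unidirectional",
                        "ip-binding": ["10.0.0.10"], "mac-binding": ["00:11:22:33:44:66"]}},
    # bidirectional reuse of alice's MAC: violation
    {"name": "carol", "aaa-domain": "corp",
     "ip-mac-binding": {"bind-mode": "bidirectional",
                        "ip-binding": ["10.0.0.11"], "mac-binding": ["00:11:22:33:44:55"]}},
    # both cases of the bind-state choice present: violation
    {"name": "dave", "aaa-domain": "corp",
     "ip-mac-binding": {"no-binding": [None], "bind-mode": "unidirectional"}},
    {"name": "erin", "aaa-domain": "corp", "ip-mac-binding": {"no-binding": [None]}},
]

if __name__ == "__main__":
    for problem in validate_user_objects(SAMPLE_USERS):
        print(problem)
```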