Side-by-side diff: draft-ietf-i2nsf-nsf-facing-interface-dm-00.txt vs. draft-ietf-i2nsf-nsf-facing-interface-dm-01.txt

Network Working Group                                             J. Kim
Internet-Draft                                                 J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: September 6, 2018 (-00) / January 3, 2019 (-01)         J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                   March 5, 2018 (-00) / July 02, 2018 (-01)

     I2NSF Network Security Function-Facing Interface YANG Data Model
   draft-ietf-i2nsf-nsf-facing-interface-dm-00 / draft-ietf-i2nsf-nsf-facing-interface-dm-01
Abstract

   This document defines a YANG data model corresponding to the
   information model for the Network Security Functions (NSF) facing
   interface in Interface to Network Security Functions (I2NSF).  It
   describes a data model for the features provided by generic security
   functions.  This data model provides generic components whose vendors
   are well understood, so that a generic component can be used even if
   it has some vendor-specific functions.  These generic functions
   represent a point of interoperability and can be provided by any
   product that offers the required Capabilities.  Also, if vendors need
   additional features for their network security functions, they can
   add the features by extending the YANG data model.
Status of This Memo

   (-01 text)

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2019.

   (-00 text, where it differs)

   The first sentence reads "This Internet-Draft is submitted to IETF in
   full conformance with the provisions of BCP 78 and BCP 79."  The
   second paragraph reads "Internet-Drafts are working documents of the
   Internet Engineering Task Force (IETF), its areas, and its working
   groups.  Note that other groups may also distribute working documents
   as Internet-Drafts."  After the "work in progress" paragraph, -00
   adds "The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt." and "The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html."  The expiry line reads "This
   Internet-Draft will expire on September 6, 2018."
Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   (-00 gives the URL as http://trustee.ietf.org/license-info.)
Table of Contents                                   (page in -00 / -01)

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .  3 /  2
   2.  Requirements Language  . . . . . . . . . . . . . . . . . .  3 /  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3 /  3
     3.1.  Tree Diagrams  . . . . . . . . . . . . . . . . . . . .  4 /  4
   4.  The Structure and Objective of I2NSF Security Policy . . .  4 /  4
     4.1.  I2NSF Security Policy Rule . . . . . . . . . . . . . .  4 /  4
     4.2.  Event Clause . . . . . . . . . . . . . . . . . . . . .  4 /  4
     4.3.  Condition Clause . . . . . . . . . . . . . . . . . . .  5 /  4
     4.4.  Action Clause  . . . . . . . . . . . . . . . . . . . .  5 /  5
   5.  Data Model Structure . . . . . . . . . . . . . . . . . . .  5 /  5
     5.1.  I2NSF Security Policy Rule . . . . . . . . . . . . . .  5 /  5
     5.2.  Event Clause . . . . . . . . . . . . . . . . . . . . .  7 /  7
     5.3.  Condition Clause . . . . . . . . . . . . . . . . . . .  7 /  8
     5.4.  Action Clause  . . . . . . . . . . . . . . . . . . . . 10 / 10
   6.  YANG Module  . . . . . . . . . . . . . . . . . . . . . . . 11 / 12
     6.1.  IETF NSF-Facing Interface YANG Data Module . . . . . . 11 / 12
   7.  Security Considerations  . . . . . . . . . . . . . . . . . 43 / 46
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . 43 / 46
   9.  Contributors . . . . . . . . . . . . . . . . . . . . . . . 43 / 47
   10. References . . . . . . . . . . . . . . . . . . . . . . . . 43 / 47
     10.1.  Normative References  . . . . . . . . . . . . . . . . 43 / 47
     10.2.  Informative References  . . . . . . . . . . . . . . . 44 / 47
   Appendix A.  (-00) Changes from
                draft-kim-i2nsf-nsf-facing-interface-data-model-04 . . 44
   Appendix A.  (-01) Changes from
                draft-ietf-i2nsf-nsf-facing-interface-dm-01  . . . . . 49
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 49
1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of security services with the information model for
   the Network Security Functions (NSF) facing interface in Interface to
   Network Security Functions (I2NSF).  It provides a specific
   information model and the corresponding data models for generic
   network security functions (i.e., network security functions), as
   defined in [i2nsf-nsf-cap-im].  With these data models, I2NSF
   [skipping to change at page 5, line 50 (-00) / page 5, line 43 (-01)]
   o  Definitions for Network Security Event Class, Network Security
      Condition Class, and Network Security Action Class.

5.1.  I2NSF Security Policy Rule

   The data model for the identification of network security policy has
   the following structure:
   (-01 tree)

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw policy-name?   string
     |  +--rw rules* [rule-name]
     |  |  +--rw rule-name                           string
     |  |  +--rw rule-description?                   string
     |  |  +--rw rule-priority?                      uint8
     |  |  +--rw enable?                             boolean
     |  |  +--rw session-aging-time?                 uint16
     |  |  +--rw long-connection
     |  |  |  +--rw enable?   boolean
     |  |  |  +--rw during?   uint16
     |  |  +--rw policy-event-clause-agg-ptr*        instance-identifier
     |  |  +--rw policy-condition-clause-agg-ptr*    instance-identifier
     |  |  +--rw policy-action-clause-agg-ptr*       instance-identifier
     |  |  +--rw time-zone
     |  |     +--rw absolute-time-zone
     |  |     |  +--rw time
     |  |     |  |  +--rw start-time?   yang:date-and-time
     |  |     |  |  +--rw end-time?     yang:date-and-time
     |  |     |  +--rw date
     |  |     |     +--rw absolute-date?   yang:date-and-time
     |  |     +--rw periodic-time-zone
     |  |        +--rw day
     |  |        |  +--rw sunday?      boolean
     |  |        |  +--rw monday?      boolean
     |  |        |  +--rw tuesday?     boolean
     |  |        |  +--rw wednesday?   boolean
     |  |        |  +--rw thursday?    boolean
     |  |        |  +--rw friday?      boolean
     |  |        |  +--rw saturday?    boolean
     |  |        +--rw month
     |  |           +--rw january?     boolean
     |  |           +--rw february?    boolean
     |  |           +--rw march?       boolean
     |  |           +--rw april?       boolean
     |  |           +--rw may?         boolean
     |  |           +--rw june?        boolean
     |  |           +--rw july?        boolean
     |  |           +--rw august?      boolean
     |  |           +--rw september?   boolean
     |  |           +--rw october?     boolean
     |  |           +--rw november?    boolean
     |  |           +--rw december?    boolean
     |  +--rw resolution-strategy
     |  |  +--rw (resolution-strategy-type)?
     |  |     +--:(fmr)
     |  |     |  +--rw first-matching-rule?   boolean
     |  |     +--:(lmr)
     |  |        +--rw last-matching-rule?    boolean
     |  +--rw default-action
     |  |  +--rw default-action-type?   boolean
     |  +--rw rule-group
     |     +--rw groups* [group-name]
     |        +--rw group-name     string
     |        +--rw rule-range
     |        |  +--rw start-rule?   string
     |        |  +--rw end-rule?     string
     |        +--rw enable?        boolean
     |        +--rw description?   string
     +--rw event-clause-container
     |  ...
     +--rw condition-clause-container
     |  ...
     +--rw action-clause-container
        ...

   Where -00 differs:

   o  i2nsf-security-policy is a list keyed by policy-name
      ("+--rw i2nsf-security-policy* [policy-name]"), and policy-name is
      a mandatory leaf ("+--rw policy-name   string").

   o  The rule list is "eca-policy-rules* [rule-id]" with key
      "rule-id   uint8"; after rule-description it carries
      "rule-rev?   uint8", followed by rule-priority.

   o  There is no enable, session-aging-time, or long-connection under
      the rule.

   o  absolute-date is a leaf-list: "absolute-date*   yang:date-and-time".

   o  default-action-type has type ingress-action rather than boolean.

   o  There is no rule-group container.

             Figure 1: Data Model Structure for Network Security Policy
                                 Identification
5.2.  Event Clause

   The data model for event rule has the following structure:
   [skipping to change at page 7, line 28 (-00) / page 7, line 33 (-01)]
     |  +--rw eca-policy-rules* [rule-id]
     |  ...
     |  +--rw resolution-strategy
     |  ...
     |  +--rw default-action
     |  ...
     +--rw event-clause-container
     |  +--rw event-clause-list* [eca-object-id]
     |     +--rw entity-class?       identityref
     |     +--rw eca-object-id       string
     |     +--rw description?        string
     |     +--rw sec-event-content   string
     |     +--rw sec-event-format    sec-event-format
     |     +--rw sec-event-type      string
     +--rw condition-clause-container
     |  ...
     +--rw action-clause-container
        ...

   (In -00 the leaf "description?   string" is named "manual?   string";
   the rest of the figure is identical.)

              Figure 2: Data Model Structure for Event Rule
   These objects are defined as user security event, device security
   event, system security event, and time security event.  These objects
   can be extended according to specific vendor event features.  We will
   add additional event objects for more generic network security
   functions.

5.3.  Condition Clause

   The data model for condition rule has the following structure:
   (-01 tree)

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [policy-name]
     |  ...
     |  +--rw eca-policy-rules* [rule-id]
     |  ...
     |  +--rw resolution-strategy
     |  ...
     |  +--rw default-action
     |  ...
     +--rw event-clause-container
     |  ...
     +--rw condition-clause-container
     |  +--rw condition-clause-list* [eca-object-id]
     |     +--rw entity-class?   identityref
     |     +--rw eca-object-id   string
     |     +--rw packet-security-condition
     |     |  +--rw packet-description?   string
     |     |  +--rw packet-security-mac-condition
     |     |  |  +--rw pkt-sec-cond-mac-dest*         yang:phys-address
     |     |  |  +--rw pkt-sec-cond-mac-src*          yang:phys-address
     |     |  |  +--rw pkt-sec-cond-mac-8021q*        string
     |     |  |  +--rw pkt-sec-cond-mac-ether-type*   string
     |     |  |  +--rw pkt-sec-cond-mac-tci*          string
     |     |  +--rw packet-security-ipv4-condition
     |     |  |  +--rw pkt-sec-cond-ipv4-header-length*     uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-tos*               uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-total-length*      uint16
     |     |  |  +--rw pkt-sec-cond-ipv4-id*                uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-fragment*          uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-fragment-offset*   uint16
     |     |  |  +--rw pkt-sec-cond-ipv4-ttl*               uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-protocol*          uint8
     |     |  |  +--rw pkt-sec-cond-ipv4-src*               inet:ipv4-address
     |     |  |  +--rw pkt-sec-cond-ipv4-dest*              inet:ipv4-address
     |     |  |  +--rw pkt-sec-cond-ipv4-ipopts?            string
     |     |  |  +--rw pkt-sec-cond-ipv4-sameip?            boolean
     |     |  |  +--rw pkt-sec-cond-ipv4-geoip*             string
     |     |  +--rw packet-security-ipv6-condition
     |     |  |  +--rw pkt-sec-cond-ipv6-dscp*             string
     |     |  |  +--rw pkt-sec-cond-ipv6-ecn*              string
     |     |  |  +--rw pkt-sec-cond-ipv6-traffic-class*    uint8
     |     |  |  +--rw pkt-sec-cond-ipv6-flow-label*       uint32
     |     |  |  +--rw pkt-sec-cond-ipv6-payload-length*   uint16
     |     |  |  +--rw pkt-sec-cond-ipv6-next-header*      uint8
     |     |  |  +--rw pkt-sec-cond-ipv6-hop-limit*        uint8
     |     |  |  +--rw pkt-sec-cond-ipv6-src*              inet:ipv6-address
     |     |  |  +--rw pkt-sec-cond-ipv6-dest*             inet:ipv6-address
     |     |  +--rw packet-security-tcp-condition
     |     |  |  +--rw pkt-sec-cond-tcp-src-port*      inet:port-number
     |     |  |  +--rw pkt-sec-cond-tcp-dest-port*     inet:port-number
     |     |  |  +--rw pkt-sec-cond-tcp-seq-num*       uint32
     |     |  |  +--rw pkt-sec-cond-tcp-ack-num*       uint32
     |     |  |  +--rw pkt-sec-cond-tcp-window-size*   uint16
     |     |  |  +--rw pkt-sec-cond-tcp-flags*         uint8
     |     |  +--rw packet-security-udp-condition
     |     |  |  +--rw pkt-sec-cond-udp-src-port*    inet:port-number
     |     |  |  +--rw pkt-sec-cond-udp-dest-port*   inet:port-number
     |     |  |  +--rw pkt-sec-cond-udp-length*      string
     |     |  +--rw packet-security-icmp-condition
     |     |     +--rw pkt-sec-cond-icmp-type*      uint8
     |     |     +--rw pkt-sec-cond-icmp-code*      uint8
     |     |     +--rw pkt-sec-cond-icmp-seg-num*   uint32
     |     +--rw packet-payload-condition
     |     |  +--rw packet-payload-description?   string
     |     |  +--rw pkt-payload-content*          string
     |     +--rw acl-number?   uint32
     |     +--rw application-condition
     |     |  +--rw application-description?   string
     |     |  +--rw application-object*        string
     |     |  +--rw application-group*         string
     |     |  +--rw application-label*         string
     |     |  +--rw category
     |     |     +--rw application-category* [name application-subcategory]
     |     |        +--rw name                      string
     |     |        +--rw application-subcategory   string
     |     +--rw target-condition
     |     |  +--rw target-description?   string
     |     |  +--rw device-sec-context-cond
     |     |     +--rw pc?                 boolean
     |     |     +--rw mobile-phone?       boolean
     |     |     +--rw voip-volte-phone?   boolean
     |     |     +--rw tablet?             boolean
     |     |     +--rw iot?                boolean
     |     |     +--rw vehicle?            boolean
     |     +--rw users-condition
     |     |  +--rw users-description?   string
     |     |  +--rw user
     |     |  |  +--rw (user-name)?
     |     |  |     +--:(tenant)
     |     |  |     |  +--rw tenant   uint8
     |     |  |     +--:(vn-id)
     |     |  |        +--rw vn-id    uint8
     |     |  +--rw group
     |     |  |  +--rw (group-name)?
     |     |  |     +--:(tenant)
     |     |  |     |  +--rw tenant   uint8
     |     |  |     +--:(vn-id)
     |     |  |        +--rw vn-id    uint8
     |     |  +--rw security-grup   string
     |     +--rw url-category-condition
     |     |  +--rw pre-defined-category*    string
     |     |  +--rw user-defined-category*   string
     |     +--rw context-condition
     |     |  +--rw context-description?   string
     |     +--rw gen-context-condition
     |        +--rw gen-context-description?   string
     |        +--rw geographic-location
     |           +--rw src-geographic-location*    uint32
     |           +--rw dest-geographic-location*   uint32
     +--rw action-clause-container
        ...

   Where -00 differs:

   o  The description leaves are named packet-manual?,
      packet-payload-manual?, target-manual?, users-manual?,
      context-manual?, and gen-context-manual? (all of type string).

   o  There is no acl-number leaf, no application-condition container,
      no security-grup leaf under users-condition, and no
      url-category-condition container.

             Figure 3: Data Model Structure for Condition Rule
   These objects are defined as packet security condition, packet
   payload security condition, target security condition, user security
   condition, context condition, and generic context condition.  These
   objects can be extended according to specific vendor condition
   features.  We will add additional condition objects for more generic
   network security functions.
   [skipping to change at page 10, line 31 (-00) / page 11, line 4 (-01)]
   (-01 tree)

     |  +--rw resolution-strategy
     |  ...
     |  +--rw default-action
     |  ...
     +--rw event-clause-container
     |  ...
     +--rw condition-clause-container
     |  ...
     +--rw action-clause-container
        +--rw action-clause-list* [eca-object-id]
           +--rw entity-class?   identityref
           +--rw eca-object-id   string
           +--rw rule-log?       boolean
           +--rw session-log?    boolean
           +--rw ingress-action
           |  +--rw ingress-description?   string
           |  +--rw ingress-action-type?   ingress-action
           +--rw egress-action
           |  +--rw egress-description?   string
           |  +--rw egress-action-type?   egress-action
           +--rw apply-profile
              +--rw profile-description?   string
              +--rw content-security-control
              |  +--rw content-security-control-types
              |     +--rw antivirus?             string
              |     +--rw ips?                   string
              |     +--rw ids?                   string
              |     +--rw url-filtering?         string
              |     +--rw data-filtering?        string
              |     +--rw mail-filtering?        string
              |     +--rw file-blocking?         string
              |     +--rw file-isolate?          string
              |     +--rw pkt-capture?           string
              |     +--rw application-control?   string
              |     +--rw voip-volte?            string
              +--rw attack-mitigation-control
                 +--rw ddos-attack
                 |  +--rw ddos-attack-type
                 |     +--rw network-layer-ddos-attack
                 |     |  +--rw network-layer-ddos-attack-type
                 |     |     +--rw syn-flood?       string
                 |     |     +--rw udp-flood?       string
                 |     |     +--rw icmp-flood?      string
                 |     |     +--rw ip-frag-flood?   string
                 |     |     +--rw ipv6-related?    string
                 |     +--rw app-layer-ddos-attack
                 |        +--rw app-ddos-attack-types
                 |           +--rw http-flood?      string
                 |           +--rw https-flood?     string
                 |           +--rw dns-flood?       string
                 |           +--rw dns-amp-flood?   string
                 |           +--rw ssl-ddos?        string
                 +--rw single-packet-attack
                    +--rw single-packet-attack-type
                       +--rw scan-and-sniff-attack
                       |  +--rw scan-and-sniff-attack-types
                       |     +--rw ip-sweep?        string
                       |     +--rw port-scanning?   string
                       +--rw malformed-packet-attack
                       |  +--rw malformed-packet-attack-types
                       |     +--rw ping-of-death?   string
                       |     +--rw teardrop?        string
                       +--rw special-packet-attack
                          +--rw special-packet-attack-types
                             +--rw oversized-icmp?   string
                             +--rw tracert?          string

   Where -00 differs:

   o  There is no rule-log? or session-log? leaf.

   o  The description leaves are named ingress-manual?, egress-manual?,
      and profile-manual?.

   o  Every leaf under content-security-control-types and under the
      *-attack-type(s) containers is of type boolean rather than string.

              Figure 4: Data Model Structure for Action Rule
   These objects are defined as ingress action, egress action, and apply
   profile action.  These objects can be extended according to specific
   vendor action features.  We will add additional action objects for
   more generic network security functions.
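   The following evaluator is an added example, not code from the draft
   or the I2NSF project: it takes a constructed policy instance shaped
   like the -01 trees of Figures 1, 3 and 4 (rules with condition and
   action pointers, a resolution strategy and a default action; packet-
   security-condition leaf-lists; an ingress-action) and decides what
   happens to one packet.  Assumptions the draft does not fix, all
   labelled in the code: the agg-ptr lists hold the eca-object-id of the
   referenced clause rather than a YANG instance-identifier; a populated
   leaf-list matches any of its values and an empty one imposes no
   constraint; rules are ordered by descending rule-priority, so first-
   matching-rule takes the highest-priority match and last-matching-rule
   the lowest; the action names "pass" and "drop" and the action-typed
   default-action-type (the -00 typing) are placeholders.

```python
# Added example, not code from the draft: evaluate one packet against a
# policy instance shaped like the -01 tree diagrams (Figures 1, 3 and 4).
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ipv4_src: str
    ipv4_dest: str
    protocol: int                     # IPv4 protocol number: 6 = TCP, 17 = UDP
    src_port: Optional[int] = None
    dest_port: Optional[int] = None


# Constructed sample instance.  Node names follow the -01 trees; the agg-ptr
# lists hold the eca-object-id of the referenced clause (a simplification of
# the instance-identifier type), and the action names "pass"/"drop" are
# placeholders for whatever the ingress-action typedef defines.
POLICY: Dict[str, Any] = {
    "policy-name": "branch-edge-policy",
    "rules": [
        {"rule-name": "allow-web", "rule-priority": 10, "enable": True,
         "policy-condition-clause-agg-ptr": ["cond-web"],
         "policy-action-clause-agg-ptr": ["act-pass"]},
        {"rule-name": "block-admin-hosts", "rule-priority": 200, "enable": True,
         "policy-condition-clause-agg-ptr": ["cond-admin-hosts"],
         "policy-action-clause-agg-ptr": ["act-drop"]},
        {"rule-name": "disabled-catch-all", "rule-priority": 255, "enable": False,
         "policy-condition-clause-agg-ptr": [],
         "policy-action-clause-agg-ptr": ["act-drop"]},
    ],
    "resolution-strategy": {"first-matching-rule": True},
    # -00 typed this leaf as an action, -01 as boolean; the action form is
    # used here (assumption) so that the default is meaningful.
    "default-action": {"default-action-type": "drop"},
}
CONDITIONS: Dict[str, Any] = {
    "cond-web": {"packet-security-condition": {
        "packet-security-ipv4-condition": {"pkt-sec-cond-ipv4-protocol": [6]},
        "packet-security-tcp-condition": {"pkt-sec-cond-tcp-dest-port": [80, 443]}}},
    "cond-admin-hosts": {"packet-security-condition": {
        "packet-security-ipv4-condition": {
            "pkt-sec-cond-ipv4-dest": ["10.0.0.5", "10.0.0.6"]}}},
}
ACTIONS: Dict[str, Any] = {
    "act-pass": {"ingress-action": {"ingress-action-type": "pass"}},
    "act-drop": {"ingress-action": {"ingress-action-type": "drop"}},
}


def leaf_list_matches(values: Optional[List[Any]], actual: Any) -> bool:
    # Assumption: an absent or empty leaf-list places no constraint; a
    # populated one matches when the packet value is any of its entries.
    if not values:
        return True
    return actual is not None and actual in values


def condition_matches(cond: Dict[str, Any], pkt: Packet) -> bool:
    psc = cond.get("packet-security-condition", {})
    ipv4 = psc.get("packet-security-ipv4-condition", {})
    checks = [
        leaf_list_matches(ipv4.get("pkt-sec-cond-ipv4-src"), pkt.ipv4_src),
        leaf_list_matches(ipv4.get("pkt-sec-cond-ipv4-dest"), pkt.ipv4_dest),
        leaf_list_matches(ipv4.get("pkt-sec-cond-ipv4-protocol"), pkt.protocol),
    ]
    for proto_num, name in ((6, "tcp"), (17, "udp")):
        l4 = psc.get("packet-security-%s-condition" % name, {})
        src = l4.get("pkt-sec-cond-%s-src-port" % name)
        dst = l4.get("pkt-sec-cond-%s-dest-port" % name)
        if src or dst:
            # A populated TCP/UDP condition cannot match another protocol.
            if pkt.protocol != proto_num:
                return False
            checks.append(leaf_list_matches(src, pkt.src_port))
            checks.append(leaf_list_matches(dst, pkt.dest_port))
    return all(checks)


def evaluate(policy: Dict[str, Any], conditions: Dict[str, Any],
             actions: Dict[str, Any], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (ingress-action-type, rule-name); rule-name is None when the
    default-action decides."""
    matched = []
    for rule in policy["rules"]:
        if not rule.get("enable", True):          # disabled rules are skipped
            continue
        ptrs = rule.get("policy-condition-clause-agg-ptr", [])
        # Assumption: every referenced condition clause must match; a rule
        # with no condition pointer matches every packet.
        if all(condition_matches(conditions[p], pkt) for p in ptrs):
            matched.append(rule)
    if not matched:
        return policy["default-action"]["default-action-type"], None
    # Assumption: rules are ordered by descending rule-priority, so fmr
    # takes the highest-priority match and lmr the lowest-priority one.
    strategy = policy.get("resolution-strategy", {})
    pick = min if strategy.get("last-matching-rule") else max
    winner = pick(matched, key=lambda r: r.get("rule-priority", 0))
    act = actions[winner["policy-action-clause-agg-ptr"][0]]
    return act["ingress-action"]["ingress-action-type"], winner["rule-name"]
```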
6.  YANG Module

6.1.  IETF NSF-Facing Interface YANG Data Module

   This section introduces a YANG module for the information model of
   network security functions, as defined in [i2nsf-nsf-cap-im].
   (-01 text; the -00 file name is
   "ietf-i2nsf-policy-rule-for-nsf@2018-03-05.yang")

   <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2018-07-02.yang"
   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       policy-rule-for-nsf;
     import ietf-inet-types{
       prefix inet;
     }
   [skipping to change at page 12, line 44 (-00) / page 13, line 21 (-01)]
        Editor: Jaehoon Paul Jeong
        <mailto:pauljeong@skku.edu>
        Editor: Susan Hares
        <mailto:shares@ndzh.com>";
     description
       "This module defines a YANG data module for network security
        functions.";
     revision "2018-07-02"{
       description "The fourth revision";
       reference
         "draft-ietf-i2nsf-capability-00";
     }
     typedef sec-event-format {
       type enumeration {
         enum unknown {
           description
             "If SecEventFormat is unknown";

   (-00 has revision "2018-03-05" with the same description and
   reference.)
   [skipping to change at page 15, line 48 (-00) / page 16, line 24 (-01)]
       }
       leaf eca-object-id {
         type string;
         description "TBD";
       }
       description "TBD";
     }
     grouping i2nsf-event-type {
       description "TBD";
       leaf description {
         type string;
         description
           "This is description for event.
            Vendors can write instructions for event
            that vendor made";
       }
       leaf sec-event-content {
         type string;
         mandatory true;
         description
           "This is a mandatory string that contains the content
            of the SecurityEvent. The format of the content

   [skipping to change at page 17, line 7 (-00) / page 17, line 32 (-01)]

            the SecEventContent and SecEventFormat class
            attributes, respectively. An example of the
            SecEventContent attribute is string hrAdmin,
            with the SecEventFormat attribute set to 1 (GUID)
            and the SecEventType attribute set to 5
            (new logon).";
       }
     }

   (In -00 the leaf is "leaf manual" and its description begins "This is
   manual for event."; the rest is identical.)
list i2nsf-security-policy { container i2nsf-security-policy {
key "policy-name";
description description
"policy is a list "policy is a container
including a set of security rules according to certain logic, including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network i.e., their similarity or mutual relations, etc. The network
security policy is able to apply over both the unidirectional security policy is able to apply over both the unidirectional
and bidirectional traffic across the NSF."; and bidirectional traffic across the NSF.";
leaf policy-name { leaf policy-name {
type string; type string;
mandatory true;
description description
"The name of the policy. "The name of the policy.
This must be unique."; This must be unique.";
} }
list eca-policy-rules { list rules {
key "rule-id"; key "rule-name";
description description
"This is a rule for network security functions."; "This is a rule for network security functions.";
leaf rule-id { leaf rule-name {
type uint8; type string;
mandatory true; mandatory true;
description description
"The id of the rule. "The id of the rule.
This must be unique."; This must be unique.";
} }
leaf rule-description { leaf rule-description {
type string; type string;
description description
"This description gives more information about "This description gives more information about
rules."; rules.";
} }
leaf rule-rev {
type uint8;
description
"This shows rule version.";
}
leaf rule-priority { leaf rule-priority {
type uint8; type uint8;
description description
"The priority keyword comes with a mandatory "The priority keyword comes with a mandatory
numeric value which can range from 1 till 255."; numeric value which can range from 1 till 255.";
} }
leaf enable {
type boolean;
description
"True is enable.
False is not enbale.";
}
leaf session-aging-time {
type uint16;
description
"This is session aging time.";
}
container long-connection {
description
"This is long-connection";
leaf enable {
type boolean;
description
"True is enable.
False is not enbale.";
}
leaf during {
type uint16;
description
"This is during time.";
}
}
leaf-list policy-event-clause-agg-ptr { leaf-list policy-event-clause-agg-ptr {
type instance-identifier; type instance-identifier;
must 'derived-from-or-self (/event-clause-container/ must 'derived-from-or-self (/event-clause-container/
event-clause-list/entity-class, "ECA-EVENT-TYPE")'; event-clause-list/entity-class, "ECA-EVENT-TYPE")';
description description
"TBD"; "TBD";
} }
leaf-list policy-condition-clause-agg-ptr { leaf-list policy-condition-clause-agg-ptr {
type instance-identifier; type instance-identifier;
must 'derived-from-or-self (/condition-clause-container/ must 'derived-from-or-self (/condition-clause-container/
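Review bot: Turning `list i2nsf-security-policy { key "policy-name"; ... }` into a plain `container i2nsf-security-policy` means an NSF can now carry only one policy, yet the `policy-name` description still says "This must be unique", which has no meaning for a single container; either keep the list (with the key) or drop the uniqueness sentence and say what the name is for. In the same hunk, `rule-id` was renamed to `rule-name` and its type changed to `string`, but the description still reads "The id of the rule." The new `enable` leaves (both under the rule and under `long-connection`) carry the typo "enbale", and `session-aging-time` and `long-connection/during` are bare `uint16` values with no `units` statement, so a reader cannot tell whether an aging time of 30 is seconds or minutes; add `units "seconds";` (or whatever is intended) and replace "This is during time." with a description of the connection duration it bounds. Since a rule with `enable` absent has no defined state, consider `default true;` (or `false`) on both `enable` leaves so the NSF never has to guess.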
skipping to change at page 22, line 20 skipping to change at page 23, line 22
} }
container default-action { container default-action {
description description
"This default action can be used to specify a predefined "This default action can be used to specify a predefined
action when no other alternative action was matched action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement."; is the use of a default statement in a C switch statement.";
leaf default-action-type { leaf default-action-type {
type ingress-action; type boolean;
description description
"Ingress action type: permit, deny, and mirror."; "True is permit
False is deny.";
}
}
container rule-group {
description
"This is rule group";
list groups {
key "group-name";
description
"This is a group for rules";
leaf group-name {
type string;
description
"This is a group for rules";
}
container rule-range {
description
"This is a rule range.";
leaf start-rule {
type string;
description
"This is a start rule";
}
leaf end-rule {
type string;
description
"This is a end rule";
}
}
leaf enable {
type boolean;
description
"This is enable
False is not enable.";
}
leaf description {
type string;
description
"This is a desription for rule-group";
}
} }
} }
} }
container event-clause-container { container event-clause-container {
description "TBD"; description "TBD";
list event-clause-list { list event-clause-list {
key eca-object-id; key eca-object-id;
uses i2nsf-eca-object-type { uses i2nsf-eca-object-type {
refine entity-class { refine entity-class {
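Review bot: Changing `default-action-type` from `type ingress-action` ("permit, deny, and mirror") to a `boolean` with "True is permit / False is deny" drops the mirror option and makes the default action inconsistent with `ingress-action-type`, which still uses the `ingress-action` type; it also leaves the fall-through behaviour undefined when the leaf is simply absent, because there is no `default` statement. Suggest keeping `type ingress-action;` and adding an explicit `default deny;` so the rule set fails closed. In the new `rule-group`, `rule-range/start-rule` and `end-rule` are free-form strings, but the rules they are meant to span are keyed by `rule-name` (also a string), so a "range" between two names has no defined ordering; make both `type leafref { path "../../../rules/rule-name"; }` and state the ordering (for example by `rule-priority`), or list member rules explicitly. The `enable` description "This is enable / False is not enable." is garbled and `description` has "desription".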
skipping to change at page 23, line 29 skipping to change at page 25, line 26
and/or values in order to determine whether or not the and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired comparing the internal state of an NSF to a desired
state."; state.";
container packet-security-condition { container packet-security-condition {
description description
"TBD"; "TBD";
leaf packet-manual { leaf packet-description {
type string; type string;
description description
"This is manual for packet condition. "This is description for packet condition.
Vendors can write instructions for packet condition Vendors can write instructions for packet condition
that vendor made"; that vendor made";
} }
container packet-security-mac-condition { container packet-security-mac-condition {
description description
"The purpose of this Class is to represent packet MAC "The purpose of this Class is to represent packet MAC
packet header information that can be used as part of packet header information that can be used as part of
a test to determine if the set of Policy Actions in a test to determine if the set of Policy Actions in
this ECA Policy Rule should be execute or not."; this ECA Policy Rule should be execute or not.";
skipping to change at page 30, line 47 skipping to change at page 32, line 44
type uint32; type uint32;
description description
"The icmp Sequence Number."; "The icmp Sequence Number.";
} }
} }
} }
container packet-payload-condition { container packet-payload-condition {
description description
"TBD"; "TBD";
leaf packet-payload-manual { leaf packet-payload-description {
type string; type string;
description description
"This is manual for payload condition. "This is description for payload condition.
Vendors can write instructions for payload condition Vendors can write instructions for payload condition
that vendor made"; that vendor made";
} }
leaf-list pkt-payload-content { leaf-list pkt-payload-content {
type string; type string;
description description
"The content keyword is very important in "The content keyword is very important in
signatures. Between the quotation marks you signatures. Between the quotation marks you
can write on what you would like the can write on what you would like the
signature to match."; signature to match.";
} }
} }
leaf acl-number {
type uint32;
description
"This is acl-number.";
}
container application-condition {
description
"TBD";
leaf application-description {
type string;
description
"This is description for application condition.";
}
leaf-list application-object {
type string;
description
"This is application object.";
}
leaf-list application-group {
type string;
description
"This is application group.";
}
leaf-list application-label {
type string;
description
"This is application label.";
}
container category {
description
"TBD";
list application-category {
key "name application-subcategory";
description
"TBD";
leaf name {
type string;
description
"This is name for application category.";
}
leaf application-subcategory {
type string;
description
"This is application subcategory.";
}
}
}
}
container target-condition { container target-condition {
description description
"TBD"; "TBD";
leaf target-manual { leaf target-description {
type string; type string;
description description
"This is manual for target condition. "This is description for target condition.
Vendors can write instructions for target condition Vendors can write instructions for target condition
that vendor made"; that vendor made";
} }
container device-sec-context-cond { container device-sec-context-cond {
description description
"The device attribute that can identify a device, "The device attribute that can identify a device,
including the device type (i.e., router, switch, including the device type (i.e., router, switch,
pc, ios, or android) and the device's owner as pc, ios, or android) and the device's owner as
well."; well.";
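Review bot: The descriptions added in this hunk mostly repeat the node name ("This is acl-number.", "This is application object.", "This is application group.", "This is application label.") and the containers are "TBD", so an implementer cannot tell what an `acl-number` identifies, whether `application-object`, `application-group` and `application-label` reference a vendor catalogue or are matched literally, or how the composite key `"name application-subcategory"` of `application-category` is meant to be used. Each leaf should say what it matches against and where its value space comes from; `acl-number` in particular needs a range or a reference to the ACL it selects.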
skipping to change at page 32, line 25 skipping to change at page 35, line 25
leaf vehicle { leaf vehicle {
type boolean; type boolean;
description description
"If type of a device is vehicle."; "If type of a device is vehicle.";
} }
} }
} }
container users-condition { container users-condition {
description description
"TBD"; "TBD";
leaf users-manual { leaf users-description {
type string; type string;
description description
"This is manual for user condition. "This is description for user condition.
Vendors can write instructions for user condition Vendors can write instructions for user condition
that vendor made"; that vendor made";
} }
container user{ container user{
description description
"The user (or user group) information with which "The user (or user group) information with which
network flow is associated: The user has many network flow is associated: The user has many
attributes such as name, id, password, type, attributes such as name, id, password, type,
authentication mode and so on. Name/id is often authentication mode and so on. Name/id is often
skipping to change at page 34, line 24 skipping to change at page 37, line 24
leaf vn-id { leaf vn-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"User's VN-ID information."; "User's VN-ID information.";
} }
} }
} }
} }
leaf security-grup {
type string;
mandatory true;
description
"security-grup.";
}
}
container url-category-condition {
description
"TBD";
leaf url-category-description {
type string;
description
"This is description for url category condition.
Vendors can write instructions for context condition
that vendor made";
}
leaf-list pre-defined-category {
type string;
description
"This is pre-defined-category.";
}
leaf-list user-defined-category {
type string;
description
"This user-defined-category.";
}
} }
container context-condition { container context-condition {
description description
"TBD"; "TBD";
leaf context-manual { leaf context-description {
type string; type string;
description description
"This is manual for context condition. "This is description for context condition.
Vendors can write instructions for context condition Vendors can write instructions for context condition
that vendor made"; that vendor made";
} }
} }
container gen-context-condition { container gen-context-condition {
description description
"TBD"; "TBD";
leaf gen-context-manual { leaf gen-context-description {
type string; type string;
description description
"This is manual for generic context condition. "This is description for generic context condition.
Vendors can write instructions for generic context Vendors can write instructions for generic context
condition that vendor made"; condition that vendor made";
} }
container geographic-location { container geographic-location {
description description
"The location where network traffic is associated "The location where network traffic is associated
with. The region can be the geographic location with. The region can be the geographic location
such as country, province, and city, such as country, province, and city,
as well as the logical network location such as as well as the logical network location such as
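Review bot: The new `leaf security-grup` has a typo in the node name itself; once published, the identifier is part of the on-the-wire schema and cannot be corrected without a backward-incompatible change, so rename it to `security-group` now, and replace the description "security-grup." with what the leaf holds. It is also `mandatory true` inside a non-presence container, which forces every instance of the enclosing condition to carry a security group even when the rule has nothing to do with users; drop `mandatory true` or move the leaf under a presence container. In `url-category-condition`, the `url-category-description` text was copied from the context condition ("Vendors can write instructions for context condition"), and "This user-defined-category." is missing a verb.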
skipping to change at page 35, line 44 skipping to change at page 39, line 27
} }
description description
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection, include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection web and flow filtering, and deep packet inspection
for packets and flows."; for packets and flows.";
leaf rule-log {
type boolean;
description
"True is enable
False is not enable.";
}
leaf session-log {
type boolean;
description
"True is enable
False is not enable.";
}
container ingress-action { container ingress-action {
description description
"TBD"; "TBD";
leaf ingress-manual { leaf ingress-description {
type string; type string;
description description
"This is manual for ingress action. "This is description for ingress action.
Vendors can write instructions for ingress action Vendors can write instructions for ingress action
that vendor made"; that vendor made";
} }
leaf ingress-action-type { leaf ingress-action-type {
type ingress-action; type ingress-action;
description description
"Ingress action type: permit, deny, and mirror."; "Ingress action type: permit, deny, and mirror.";
} }
} }
container egress-action { container egress-action {
description description
"TBD"; "TBD";
leaf egress-manual { leaf egress-description {
type string; type string;
description description
"This is manual for egress action. "This is description for egress action.
Vendors can write instructions for egress action Vendors can write instructions for egress action
that vendor made"; that vendor made";
} }
leaf egress-action-type { leaf egress-action-type {
type egress-action; type egress-action;
description description
"Egress-action-type: invoke-signaling, "Egress-action-type: invoke-signaling,
tunnel-encapsulation, and forwarding."; tunnel-encapsulation, and forwarding.";
} }
} }
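Review bot: `rule-log` and `session-log` are booleans with no `default` statement, so an action with either leaf absent has no defined logging behaviour; state the default explicitly (from an audit standpoint `default true;` is the safer choice, but whichever is chosen must be written down). Their descriptions "True is enable / False is not enable." should also say what is logged in each case (rule matches versus session records), since the two leaves are otherwise indistinguishable.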
skipping to change at page 36, line 31 skipping to change at page 40, line 24
Vendors can write instructions for egress action Vendors can write instructions for egress action
that vendor made"; that vendor made";
} }
leaf egress-action-type { leaf egress-action-type {
type egress-action; type egress-action;
description description
"Egress-action-type: invoke-signaling, "Egress-action-type: invoke-signaling,
tunnel-encapsulation, and forwarding."; tunnel-encapsulation, and forwarding.";
} }
} }
container apply-profile { container apply-profile {
description description
"TBD"; "TBD";
leaf profile-manual { leaf profile-description {
type string; type string;
description description
"This is manual for apply profile action. "This is description for apply profile action.
Vendors can write instructions for apply Vendors can write instructions for apply
profile action that vendor made"; profile action that vendor made";
} }
container content-security-control { container content-security-control {
description description
"Content security control is another category of "Content security control is another category of
security capabilities applied to application layer. security capabilities applied to application layer.
Through detecting the contents carried over the Through detecting the contents carried over the
traffic in application layer, these capabilities traffic in application layer, these capabilities
skipping to change at page 37, line 13 skipping to change at page 41, line 6
illegal web access or data retrieval."; illegal web access or data retrieval.";
container content-security-control-types { container content-security-control-types {
description description
"Content Security types: Antivirus, IPS, IDS, "Content Security types: Antivirus, IPS, IDS,
url-filtering, data-filtering, mail-filtering, url-filtering, data-filtering, mail-filtering,
file-blocking, file-isolate, pkt-capture, file-blocking, file-isolate, pkt-capture,
application-control, and voip-volte."; application-control, and voip-volte.";
leaf antivirus { leaf antivirus {
type boolean; type string;
description description
"Additional inspection of antivirus."; "Additional inspection of antivirus.";
} }
leaf ips { leaf ips {
type boolean; type string;
description description
"Additional inspection of IPS."; "Additional inspection of IPS.";
} }
leaf ids { leaf ids {
type boolean; type string;
description description
"Additional inspection of IDS."; "Additional inspection of IDS.";
} }
leaf url-filtering { leaf url-filtering {
type boolean; type string;
description description
"Additional inspection of URL filtering."; "Additional inspection of URL filtering.";
} }
leaf data-filtering { leaf data-filtering {
type boolean; type string;
description description
"Additional inspection of data filtering."; "Additional inspection of data filtering.";
} }
leaf mail-filtering { leaf mail-filtering {
type boolean; type string;
description description
"Additional inspection of mail filtering."; "Additional inspection of mail filtering.";
} }
leaf file-blocking { leaf file-blocking {
type boolean; type string;
description description
"Additional inspection of file blocking."; "Additional inspection of file blocking.";
} }
leaf file-isolate { leaf file-isolate {
type boolean; type string;
description description
"Additional inspection of file isolate."; "Additional inspection of file isolate.";
} }
leaf pkt-capture { leaf pkt-capture {
type boolean; type string;
description description
"Additional inspection of packet capture."; "Additional inspection of packet capture.";
} }
leaf application-control { leaf application-control {
type boolean; type string;
description description
"Additional inspection of app control."; "Additional inspection of app control.";
} }
leaf voip-volte { leaf voip-volte {
type boolean; type string;
description description
"Additional inspection of VoIP/VoLTE."; "Additional inspection of VoIP/VoLTE.";
} }
} }
} }
container attack-mitigation-control { container attack-mitigation-control {
description description
"This category of security capabilities is "This category of security capabilities is
specially used to detect and mitigate various specially used to detect and mitigate various
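Review bot: Every leaf under `content-security-control-types` (`antivirus` through `voip-volte`) changed from `boolean` to `string` while the descriptions stayed "Additional inspection of ...", so it is no longer clear whether the value is an on/off flag, a profile name, or something else, and no validation applies to it. If the intent is to reference a named profile, say so and constrain the value (a `leafref` to the profile list, or at least a `length` or `pattern`); if it is still a switch, keep `type boolean`.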
skipping to change at page 39, line 11 skipping to change at page 43, line 6
description description
"Network layer DDoS-attack."; "Network layer DDoS-attack.";
container network-layer-ddos-attack-type { container network-layer-ddos-attack-type {
description description
"Network layer DDoS attack types: "Network layer DDoS attack types:
Syn Flood Attack, UDP Flood Attack, Syn Flood Attack, UDP Flood Attack,
ICMP Flood Attack, IP Fragment Flood, ICMP Flood Attack, IP Fragment Flood,
IPv6 Related Attacks, and etc"; IPv6 Related Attacks, and etc";
leaf syn-flood { leaf syn-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Syn Flood Attack."; Syn Flood Attack.";
} }
leaf udp-flood { leaf udp-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
UDP Flood Attack."; UDP Flood Attack.";
} }
leaf icmp-flood { leaf icmp-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
ICMP Flood Attack."; ICMP Flood Attack.";
} }
leaf ip-frag-flood { leaf ip-frag-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
IP Fragment Flood."; IP Fragment Flood.";
} }
leaf ipv6-related { leaf ipv6-related {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
IPv6 Related Attacks."; IPv6 Related Attacks.";
} }
} }
} }
container app-layer-ddos-attack { container app-layer-ddos-attack {
description description
"Application layer DDoS-attack."; "Application layer DDoS-attack.";
container app-ddos-attack-types { container app-ddos-attack-types {
description description
"Application layer DDoS-attack types: "Application layer DDoS-attack types:
Http Flood Attack, Https Flood Attack, Http Flood Attack, Https Flood Attack,
DNS Flood Attack, and DNS Flood Attack, and
DNS Amplification Flood Attack, DNS Amplification Flood Attack,
SSL DDoS Attack, and etc."; SSL DDoS Attack, and etc.";
leaf http-flood { leaf http-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Http Flood Attack."; Http Flood Attack.";
} }
leaf https-flood { leaf https-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Https Flood Attack."; Https Flood Attack.";
} }
leaf dns-flood { leaf dns-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
DNS Flood Attack."; DNS Flood Attack.";
} }
leaf dns-amp-flood { leaf dns-amp-flood {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
DNS Amplification Flood Attack."; DNS Amplification Flood Attack.";
} }
leaf ssl-ddos { leaf ssl-ddos {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
SSL Flood Attack."; SSL Flood Attack.";
} }
} }
} }
} }
} }
container single-packet-attack { container single-packet-attack {
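Review bot: The DDoS leaves in this hunk (`syn-flood` through `ipv6-related`, and `http-flood` through `ssl-ddos`) were changed from `boolean` to `string` with unchanged "Additional Inspection of ..." descriptions, which leaves the value space undefined and unvalidated; either restore `boolean` or document and constrain what the string carries. The enumerations in the container descriptions also end in "and etc", which should be "etc." or dropped.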
skipping to change at page 41, line 21 skipping to change at page 45, line 15
container scan-and-sniff-attack { container scan-and-sniff-attack {
description description
"Scanning and Sniffing Attack."; "Scanning and Sniffing Attack.";
container scan-and-sniff-attack-types { container scan-and-sniff-attack-types {
description description
"Scanning and sniffing attack types: "Scanning and sniffing attack types:
IP Sweep attack, Port Scanning, IP Sweep attack, Port Scanning,
and etc."; and etc.";
leaf ip-sweep { leaf ip-sweep {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
IP Sweep Attack."; IP Sweep Attack.";
} }
leaf port-scanning { leaf port-scanning {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Port Scanning Attack."; Port Scanning Attack.";
} }
} }
} }
container malformed-packet-attack { container malformed-packet-attack {
description description
"Malformed Packet Attack."; "Malformed Packet Attack.";
container malformed-packet-attack-types { container malformed-packet-attack-types {
description description
"Malformed packet attack types: "Malformed packet attack types:
Ping of Death Attack, Teardrop Attack, Ping of Death Attack, Teardrop Attack,
and etc."; and etc.";
leaf ping-of-death { leaf ping-of-death {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Ping of Death Attack."; Ping of Death Attack.";
} }
leaf teardrop { leaf teardrop {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Teardrop Attack."; Teardrop Attack.";
} }
} }
} }
container special-packet-attack { container special-packet-attack {
description description
"special Packet Attack."; "special Packet Attack.";
container special-packet-attack-types { container special-packet-attack-types {
description description
"Special packet attack types: "Special packet attack types:
Oversized ICMP Attack, Tracert Attack, Oversized ICMP Attack, Tracert Attack,
and etc."; and etc.";
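Review bot: `ip-sweep`, `port-scanning`, `ping-of-death` and `teardrop` follow the same `boolean` to `string` change as the other attack-mitigation leaves, again without saying what the string holds; a detection switch that accepts any string gives the NSF nothing to validate. Keep `boolean` or define the accepted values.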
skipping to change at page 42, line 23 skipping to change at page 46, line 17
container special-packet-attack { container special-packet-attack {
description description
"special Packet Attack."; "special Packet Attack.";
container special-packet-attack-types { container special-packet-attack-types {
description description
"Special packet attack types: "Special packet attack types:
Oversized ICMP Attack, Tracert Attack, Oversized ICMP Attack, Tracert Attack,
and etc."; and etc.";
leaf oversized-icmp { leaf oversized-icmp {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Oversize ICMP Attack."; Oversize ICMP Attack.";
} }
leaf tracert { leaf tracert {
type boolean; type string;
description description
"Additional Inspection of "Additional Inspection of
Tracrt Attack."; Tracrt Attack.";
} }
} }
} }
} }
} }
} }
} }
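Review bot: `oversized-icmp` and `tracert` were changed from `boolean` to `string` with the value space left undefined, as elsewhere in the attack-mitigation block, and the `tracert` description carries the typo "Tracrt Attack"; the container description already names it "Tracert Attack", so align the two.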
skipping to change at page 43, line 39 skipping to change at page 47, line 28
o Liang Xia (Huawei) o Liang Xia (Huawei)
o Tae-Jin Ahn (Korea Telecom) o Tae-Jin Ahn (Korea Telecom)
o Se-Hui Lee (Korea Telecom) o Se-Hui Lee (Korea Telecom)
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Indicate Requirement Levels", BCP 14, Requirement Levels", BCP 14, RFC 2119, March 1997.
RFC 2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Language for the Network Configuration Network Configuration Protocol (NETCONF)", RFC 6020,
Protocol (NETCONF)", RFC 6020, October 2010.
October 2010.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Strassner, J., and R. Kumar, "Framework for Kumar, "Framework for Interface to Network Security
Interface to Network Security Functions", Functions", RFC 8329, February 2018.
RFC 8329, February 2018.
10.2. Informative References 10.2. Informative References
[i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. [i2nsf-nsf-cap-im]
Lopez, "Information Model of NSFs Xia, L., Strassner, J., Basile, C., and D. Lopez,
Capabilities", "Information Model of NSFs Capabilities", draft-ietf-
draft-ietf-i2nsf-capability-00 (work in i2nsf-capability-00 (work in progress), September 2017.
progress), September 2017.
[i2rs-rib-data-model] Wang, L., Chen, M., Dass, A.,
Ananthakrishnan, H., Kini, S., and N.
Bahadur, "A YANG Data Model for Routing
Information Base (RIB)",
draft-ietf-i2rs-rib-data-model-10 (work in
progress), February 2018.
[supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, [i2rs-rib-data-model]
"Generic Policy Information Model for Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
Simplified Use of Policy Abstractions S., and N. Bahadur, "A YANG Data Model for Routing
(SUPA)", draft-ietf-supa-generic-policy- Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10
info-model-03 (work in progress), May 2017. (work in progress), February 2018.
Appendix A. Changes from [supa-policy-info-model]
draft-kim-i2nsf-nsf-facing-interface-data-model-04 Strassner, J., Halpern, J., and S. Meer, "Generic Policy
Information Model for Simplified Use of Policy
Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
model-03 (work in progress), May 2017.
The following changes are made from Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01
draft-kim-i2nsf-nsf-facing-interface-data-model-04:
1. We replaced "Objectives" section with "The Structure and The following changes are made from draft-ietf-i2nsf-nsf-facing-
Objective of I2NSF Security Policy" in order to convey clearer interface-dm-00:
meaning.
2. We replaced the module name for this YANG data model in order to 1. We added rule enable, session aging time, and long connection
convey clearer meaning. attributes.
3. We modified it to support not only absolute time zone but also 2. We added a rule group attribute.
periodic time zone.
4. We added port number to the condition clause. 3. We added additional conditions such as application and url.
5. We modified the choice-case structure into a container structure 4. We replaced manual to description to clarify the meaning.
to allow for the selection of multiple catalogues for condition
and action clauses.
Authors' Addresses Authors' Addresses
Jinyong Tim Kim Jinyong Tim Kim
Department of Computer Engineering Department of Computer Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
skipping to change at page 45, line 37 skipping to change at page 50, line 4
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
Jung-Soo Park Jung-Soo Park
Electronics and Telecommunications Research Institute Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu 218 Gajeong-Ro, Yuseong-Gu
Daejeon 34129 Daejeon 34129
Republic of Korea Republic of Korea
Phone: +82 42 860 6514 Phone: +82 42 860 6514
EMail: pjs@etri.re.kr EMail: pjs@etri.re.kr
Susan Hares Susan Hares
Huawei Huawei
7453 Hickory Hill 7453 Hickory Hill
Saline, MI 48176 Saline, MI 48176
USA USA
Phone: +1-734-604-0332 Phone: +1-734-604-0332
EMail: shares@ndzh.com EMail: shares@ndzh.com
Qiushi Lin Qiushi Lin
Huawei Huawei
Huawei Industrial Base Huawei Industrial Base
Shenzhen, Guangdong 518129 Shenzhen, Guangdong 518129
China China
Phone:
EMail: linqiushi@huawei.com EMail: linqiushi@huawei.com
 End of changes. 104 change blocks. 
332 lines changed or deleted 505 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/