--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-00.txt 2018-07-02 07:13:29.614517998 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-01.txt 2018-07-02 07:13:29.706520201 -0700 
@@ -1,102 +1,97 @@ Network Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University -Expires: September 6, 2018 J. Park +Expires: January 3, 2019 J. Park ETRI S. Hares Q. Lin Huawei - March 5, 2018 + July 02, 2018 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-00 + draft-ietf-i2nsf-nsf-facing-interface-dm-01 Abstract This document defines a YANG data model corresponding to the information model for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). It describes a data model for the features provided by generic security functions. This data model provides generic components whose vendors is well understood, so that the generic component can be used even if it has some vendor specific functions. These generic functions represent a point of interoperability, and can be provided by any product that offers the required Capabilities. Also, if vendors need additional features for its network security function, they can add the features by extending the YANG data model. Status of This Memo - This Internet-Draft is submitted to IETF in full conformance with the + This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." 
- The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on September 6, 2018. + This Internet-Draft will expire on January 3, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 - 4. The Structure and Objective of I2NSF Security Policy . . . . . 4 - 4.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . . 4 - 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . . 4 - 4.3. Condition Clause . . . . . . . . . . . . . . . . . . . . . 5 + 4. The Structure and Objective of I2NSF Security Policy . . . . 4 + 4.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . 4 + 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 4 + 4.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 4 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 
5 - 5. Data Model Structure . . . . . . . . . . . . . . . . . . . . . 5 - 5.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . . 5 - 5.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . . 7 - 5.3. Condition Clause . . . . . . . . . . . . . . . . . . . . . 7 + 5. Data Model Structure . . . . . . . . . . . . . . . . . . . . 5 + 5.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . 5 + 5.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 7 + 5.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 8 5.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 10 - 6. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 6.1. IETF NSF-Facing Interface YANG Data Module . . . . . . . . 11 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 43 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 43 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 43 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43 - 10.1. Normative References . . . . . . . . . . . . . . . . . . . 43 - 10.2. Informative References . . . . . . . . . . . . . . . . . . 44 - Appendix A. Changes from - draft-kim-i2nsf-nsf-facing-interface-data-model-04 . 44 + 6. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 6.1. IETF NSF-Facing Interface YANG Data Module . . . . . . . 12 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 46 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 46 + 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 47 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 47 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 47 + 10.2. Informative References . . . . . . . . . . . . . . . . . 47 + Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface- + dm-01 . . . . . . . . . . . . . . . . . . . . . . . 49 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 
49 1. Introduction This document defines a YANG [RFC6020] data model for the configuration of security services with the information model for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). It provides a specific information model and the corresponding data models for generic network security functions (i.e., network security functions), as defined in [i2nsf-nsf-cap-im]. With these data model, I2NSF @@ -222,37 +217,41 @@ o Definitions for Network Security Event Class, Network Security Condition Class, and Network Security Action Class. 5.1. I2NSF Security Policy Rule The data model for the identification of network security policy has the following structure: module: ietf-i2nsf-policy-rule-for-nsf - +--rw i2nsf-security-policy* [policy-name] - | +--rw policy-name string - | +--rw eca-policy-rules* [rule-id] - | | +--rw rule-id uint8 + +--rw i2nsf-security-policy + | +--rw policy-name? string + | +--rw rules* [rule-name] + | | +--rw rule-name string | | +--rw rule-description? string - | | +--rw rule-rev? uint8 | | +--rw rule-priority? uint8 + | | +--rw enable? boolean + | | +--rw session-aging-time? uint16 + | | +--rw long-connection + | | | +--rw enable? boolean + | | | +--rw during? uint16 | | +--rw policy-event-clause-agg-ptr* instance-identifier | | +--rw policy-condition-clause-agg-ptr* instance-identifier | | +--rw policy-action-clause-agg-ptr* instance-identifier | | +--rw time-zone | | +--rw absolute-time-zone | | | +--rw time | | | | +--rw start-time? yang:date-and-time | | | | +--rw end-time? yang:date-and-time | | | +--rw date - | | | | +--rw absolute-date* yang:date-and-time + | | | +--rw absolute-date? yang:date-and-time | | +--rw periodic-time-zone | | +--rw day | | | +--rw sunday? boolean | | | +--rw monday? boolean | | | +--rw tuesday? boolean | | | +--rw wednesday? boolean | | | +--rw thursday? boolean | | | +--rw friday? boolean | | | +--rw saturday? boolean | | +--rw month 
@@ -268,26 +267,33 @@ | | +--rw october? boolean | | +--rw november? boolean | | +--rw december? boolean | +--rw resolution-strategy | | +--rw (resolution-strategy-type)? | | +--:(fmr) | | | +--rw first-matching-rule? boolean | | +--:(lmr) | | +--rw last-matching-rule? boolean | +--rw default-action - | +--rw default-action-type? ingress-action + | | +--rw default-action-type? boolean + | +--rw rule-group + | +--rw groups* [group-name] + | +--rw group-name string + | +--rw rule-range + | | +--rw start-rule? string + | | +--rw end-rule? string + | +--rw enable? boolean + | +--rw description? string +--rw event-clause-container | ... +--rw condition-clause-container | ... - +--rw action-clause-container ... Figure 1: Data Model Structure for Network Security Policy Identification 5.2. Event Clause The data model for event rule has the following structure: @@ -297,21 +303,21 @@ | +--rw eca-policy-rules* [rule-id] | ... | +--rw resolution-strategy | ... | +--rw default-action | ... +--rw event-clause-container | +--rw event-clause-list* [eca-object-id] | +--rw entity-class? identityref | +--rw eca-object-id string - | +--rw manual? string + | +--rw description? string | +--rw sec-event-content string | +--rw sec-event-format sec-event-format | +--rw sec-event-type string +--rw condition-clause-container | ... +--rw action-clause-container ... Figure 2: Data Model Structure for Event Rule 
@@ -335,21 +340,21 @@ | ... | +--rw default-action | ... +--rw event-clause-container | ... +--rw condition-clause-container | +--rw condition-clause-list* [eca-object-id] | +--rw entity-class? identityref | +--rw eca-object-id string | +--rw packet-security-condition - | | +--rw packet-manual? string +| | +--rw packet-description? string | | +--rw packet-security-mac-condition | | | +--rw pkt-sec-cond-mac-dest* yang:phys-address | | | +--rw pkt-sec-cond-mac-src* yang:phys-address | | | +--rw pkt-sec-cond-mac-8021q* string | | | +--rw pkt-sec-cond-mac-ether-type* string | | | +--rw pkt-sec-cond-mac-tci* string | | +--rw packet-security-ipv4-condition | | | +--rw pkt-sec-cond-ipv4-header-length* uint8 | | | +--rw pkt-sec-cond-ipv4-tos* uint8 | | | +--rw pkt-sec-cond-ipv4-total-length* uint16 
@@ -382,49 +387,63 @@ | | | +--rw pkt-sec-cond-tcp-flags* uint8 | | +--rw packet-security-udp-condition | | | +--rw pkt-sec-cond-udp-src-port* inet:port-number | | | +--rw pkt-sec-cond-udp-dest-port* inet:port-number | | | +--rw pkt-sec-cond-udp-length* string | | +--rw packet-security-icmp-condition | | +--rw pkt-sec-cond-icmp-type* uint8 | | +--rw pkt-sec-cond-icmp-code* uint8 | | +--rw pkt-sec-cond-icmp-seg-num* uint32 | +--rw packet-payload-condition - | | +--rw packet-payload-manual? string +| | +--rw packet-payload-description? string | | +--rw pkt-payload-content* string +| +--rw acl-number? uint32 +| +--rw application-condition +| | +--rw application-description? string +| | +--rw application-object* string +| | +--rw application-group* string +| | +--rw application-label* string +| | +--rw category +| | +--rw application-category* [name application-subcategory] +| | +--rw name string +| | +--rw application-subcategory string | +--rw target-condition - | | +--rw target-manual? string +| | +--rw target-description? string | | +--rw device-sec-context-cond | | +--rw pc? boolean | | +--rw mobile-phone? boolean | | +--rw voip-volte-phone? boolean | | +--rw tablet? boolean | | +--rw iot? boolean | | +--rw vehicle? boolean | +--rw users-condition - | | +--rw users-manual? string +| | +--rw users-description? string | | +--rw user | | | +--rw (user-name)? | | | +--:(tenant) | | | | +--rw tenant uint8 | | | +--:(vn-id) | | | +--rw vn-id uint8 | | +--rw group - | | +--rw (group-name)? - | | +--:(tenant) - | | | +--rw tenant uint8 - | | +--:(vn-id) - | | +--rw vn-id uint8 +| | | +--rw (group-name)? +| | | +--:(tenant) +| | | | +--rw tenant uint8 +| | | +--:(vn-id) +| | | +--rw vn-id uint8 +| | +--rw security-grup string +| +--rw url-category-condition +| | +--rw pre-defined-category* string +| | +--rw user-defined-category* string | +--rw context-condition - | | +--rw context-manual? string +| | +--rw context-description? 
string | +--rw gen-context-condition - | +--rw gen-context-manual? string +| +--rw gen-context-description? string | +--rw geographic-location | +--rw src-geographic-location* uint32 | +--rw dest-geographic-location* uint32 +--rw action-clause-container ... Figure 3: Data Model Structure for Condition Rule These objects are defined as packet security condition, packet payload security condition, target security condition, user security 
@@ -447,88 +466,91 @@ | +--rw default-action | ... +--rw event-clause-container | ... +--rw condition-clause-container | ... +--rw action-clause-container +--rw action-clause-list* [eca-object-id] +--rw entity-class? identityref +--rw eca-object-id string + +--rw rule-log? boolean + +--rw session-log? boolean +--rw ingress-action - | +--rw ingress-manual? string + | +--rw ingress-description? string | +--rw ingress-action-type? ingress-action +--rw egress-action - | +--rw egress-manual? string + | +--rw egress-description? string | +--rw egress-action-type? egress-action +--rw apply-profile - +--rw profile-manual? string + +--rw profile-description? string +--rw content-security-control | +--rw content-security-control-types - | +--rw antivirus? boolean - | +--rw ips? boolean - | +--rw ids? boolean - | +--rw url-filtering? boolean - | +--rw data-filtering? boolean - | +--rw mail-filtering? boolean - | +--rw file-blocking? boolean - | +--rw file-isolate? boolean - | +--rw pkt-capture? boolean - | +--rw application-control? boolean - | +--rw voip-volte? boolean + | +--rw antivirus? string + | +--rw ips? string + | +--rw ids? string + | +--rw url-filtering? string + | +--rw data-filtering? string + | +--rw mail-filtering? string + | +--rw file-blocking? string + | +--rw file-isolate? string + | +--rw pkt-capture? string + | +--rw application-control? string + | +--rw voip-volte? string +--rw attack-mitigation-control +--rw ddos-attack | +--rw ddos-attack-type | +--rw network-layer-ddos-attack | | +--rw network-layer-ddos-attack-type - | | +--rw syn-flood? boolean - | | +--rw udp-flood? boolean - | | +--rw icmp-flood? boolean - | | +--rw ip-frag-flood? boolean - | | +--rw ipv6-related? boolean + | | +--rw syn-flood? string + | | +--rw udp-flood? string + | | +--rw icmp-flood? string + | | +--rw ip-frag-flood? string + | | +--rw ipv6-related? string | +--rw app-layer-ddos-attack | +--rw app-ddos-attack-types - | +--rw http-flood? boolean - | +--rw https-flood? 
boolean - | +--rw dns-flood? boolean - | +--rw dns-amp-flood? boolean - | +--rw ssl-ddos? boolean + | +--rw http-flood? string + | +--rw https-flood? string + | +--rw dns-flood? string + | +--rw dns-amp-flood? string + | +--rw ssl-ddos? string +--rw single-packet-attack +--rw single-packet-attack-type +--rw scan-and-sniff-attack | +--rw scan-and-sniff-attack-types - | +--rw ip-sweep? boolean - | +--rw port-scanning? boolean + | +--rw ip-sweep? string + | +--rw port-scanning? string +--rw malformed-packet-attack | +--rw malformed-packet-attack-types - | +--rw ping-of-death? boolean - | +--rw teardrop? boolean + | +--rw ping-of-death? string + | +--rw teardrop? string +--rw special-packet-attack +--rw special-packet-attack-types - +--rw oversized-icmp? boolean - +--rw tracert? boolean + +--rw oversized-icmp? string + +--rw tracert? string Figure 4: Data Model Structure for Action Rule These objects are defined as ingress action, egress action, and apply profile action. These objects can be extended according to specific vendor action feature. We will add additional action objects for more generic network security functions. 6. YANG Module 6.1. IETF NSF-Facing Interface YANG Data Module This section introduces a YANG module for the information model of network security functions, as defined in the [i2nsf-nsf-cap-im]. - file "ietf-i2nsf-policy-rule-for-nsf@2018-03-05.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2018-07-02.yang" + module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix policy-rule-for-nsf; import ietf-inet-types{ prefix inet; } 
@@ -555,21 +577,21 @@ Editor: Jaehoon Paul Jeong Editor: Susan Hares "; description "This module defines a YANG data module for network security functions."; - revision "2018-03-05"{ + revision "2018-07-02"{ description "The fourth revision"; reference "draft-ietf-i2nsf-capability-00"; } typedef sec-event-format { type enumeration { enum unknown { description "If SecEventFormat is unknown"; @@ -703,25 +725,24 @@ } leaf eca-object-id { type string; description "TBD"; } description "TBD"; } grouping i2nsf-event-type { description "TBD"; - leaf manual { + leaf description { type string; description - "This is manual for event. - + "This is description for event. Vendors can write instructions for event that vendor made"; } leaf sec-event-content { type string; mandatory true; description "This is a mandatory string that contains the content of the SecurityEvent. The format of the content 
@@ -759,69 +780,93 @@ the SecEventContent and SecEventFormat class attributes, respectively. An example of the SecEventContent attribute is string hrAdmin, with the SecEventFormat attribute set to 1 (GUID) and the SecEventType attribute set to 5 (new logon)."; } } - list i2nsf-security-policy { - key "policy-name"; + container i2nsf-security-policy { description - "policy is a list + "policy is a container including a set of security rules according to certain logic, i.e., their similarity or mutual relations, etc. The network security policy is able to apply over both the unidirectional and bidirectional traffic across the NSF."; leaf policy-name { type string; - mandatory true; description "The name of the policy. This must be unique."; } - list eca-policy-rules { - key "rule-id"; + list rules { + key "rule-name"; description "This is a rule for network security functions."; - leaf rule-id { - type uint8; + leaf rule-name { + type string; mandatory true; description "The id of the rule. This must be unique."; } leaf rule-description { type string; description "This description gives more information about rules."; } - leaf rule-rev { - type uint8; - description - "This shows rule version."; - } - leaf rule-priority { type uint8; description "The priority keyword comes with a mandatory numeric value which can range from 1 till 255."; } + + leaf enable { + type boolean; + description + "True is enable. + False is not enbale."; + } + + leaf session-aging-time { + type uint16; + description + "This is session aging time."; + } + + container long-connection { + description + "This is long-connection"; + + leaf enable { + type boolean; + description + "True is enable. 
+ False is not enbale."; + } + + leaf during { + type uint16; + description + "This is during time."; + } + } + leaf-list policy-event-clause-agg-ptr { type instance-identifier; must 'derived-from-or-self (/event-clause-container/ event-clause-list/entity-class, "ECA-EVENT-TYPE")'; description "TBD"; } leaf-list policy-condition-clause-agg-ptr { type instance-identifier; must 'derived-from-or-self (/condition-clause-container/ @@ -1012,23 +1058,68 @@ } container default-action { description "This default action can be used to specify a predefined action when no other alternative action was matched by the currently executing I2NSF Policy Rule. An analogy is the use of a default statement in a C switch statement."; leaf default-action-type { - type ingress-action; + type boolean; description - "Ingress action type: permit, deny, and mirror."; + "True is permit + False is deny."; + } + } + + container rule-group { + description + "This is rule group"; + + list groups { + key "group-name"; + description + "This is a group for rules"; + + leaf group-name { + type string; + description + "This is a group for rules"; + } + + container rule-range { + description + "This is a rule range."; + + leaf start-rule { + type string; + description + "This is a start rule"; + } + leaf end-rule { + type string; + description + "This is a end rule"; + } + } + leaf enable { + type boolean; + description + "This is enable + False is not enable."; + } + leaf description { + type string; + description + "This is a desription for rule-group"; + } } } } container event-clause-container { description "TBD"; list event-clause-list { key eca-object-id; uses i2nsf-eca-object-type { refine entity-class { 
@@ -1067,24 +1157,24 @@ and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed or not. Examples of I2NSF Conditions include matching attributes of a packet or flow, and comparing the internal state of an NSF to a desired state."; container packet-security-condition { description "TBD"; - leaf packet-manual { + leaf packet-description { type string; description - "This is manual for packet condition. + "This is description for packet condition. Vendors can write instructions for packet condition that vendor made"; } container packet-security-mac-condition { description "The purpose of this Class is to represent packet MAC packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be execute or not."; 
@@ -1419,43 +1513,94 @@ type uint32; description "The icmp Sequence Number."; } } } container packet-payload-condition { description "TBD"; - leaf packet-payload-manual { + leaf packet-payload-description { type string; description - "This is manual for payload condition. + "This is description for payload condition. Vendors can write instructions for payload condition that vendor made"; } leaf-list pkt-payload-content { type string; description "The content keyword is very important in signatures. Between the quotation marks you can write on what you would like the signature to match."; } } + + leaf acl-number { + type uint32; + description + "This is acl-number."; + } + + container application-condition { + description + "TBD"; + leaf application-description { + type string; + description + "This is description for application condition."; + } + leaf-list application-object { + type string; + description + "This is application object."; + } + leaf-list application-group { + type string; + description + "This is application group."; + } + leaf-list application-label { + type string; + description + "This is application label."; + } + container category { + description + "TBD"; + list application-category { + key "name application-subcategory"; + description + "TBD"; + leaf name { + type string; + description + "This is name for application category."; + } + leaf application-subcategory { + type string; + description + "This is application subcategory."; + } + } + } + } + container target-condition { description "TBD"; - leaf target-manual { + leaf target-description { type string; description - "This is manual for target condition. + "This is description for target condition. Vendors can write instructions for target condition that vendor made"; } container device-sec-context-cond { description "The device attribute that can identify a device, including the device type (i.e., router, switch, pc, ios, or android) and the device's owner as well."; 
@@ -1493,24 +1638,24 @@ leaf vehicle { type boolean; description "If type of a device is vehicle."; } } } container users-condition { description "TBD"; - leaf users-manual { + leaf users-description { type string; description - "This is manual for user condition. + "This is description for user condition. Vendors can write instructions for user condition that vendor made"; } container user{ description "The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often 
@@ -1587,40 +1732,71 @@ leaf vn-id { type uint8; mandatory true; description "User's VN-ID information."; } } } } + leaf security-grup { + type string; + mandatory true; + description + "security-grup."; + } + } + + container url-category-condition { + description + "TBD"; + leaf url-category-description { + type string; + description + "This is description for url category condition. + Vendors can write instructions for context condition + that vendor made"; + } + + leaf-list pre-defined-category { + type string; + description + "This is pre-defined-category."; + } + leaf-list user-defined-category { + type string; + description + "This user-defined-category."; } + } + container context-condition { description "TBD"; - leaf context-manual { + leaf context-description { type string; description - "This is manual for context condition. + "This is description for context condition. Vendors can write instructions for context condition that vendor made"; } } + container gen-context-condition { description "TBD"; - leaf gen-context-manual { + leaf gen-context-description { type string; description - "This is manual for generic context condition. + "This is description for generic context condition. Vendors can write instructions for generic context condition that vendor made"; } container geographic-location { description "The location where network traffic is associated with. The region can be the geographic location such as country, province, and city, as well as the logical network location such as 
@@ -1655,44 +1832,56 @@ } description "An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. Examples of I2NSF Actions include providing intrusion detection and/or protection, web and flow filtering, and deep packet inspection for packets and flows."; + leaf rule-log { + type boolean; + description + "True is enable + False is not enable."; + } + leaf session-log { + type boolean; + description + "True is enable + False is not enable."; + } container ingress-action { description "TBD"; - leaf ingress-manual { + leaf ingress-description { type string; description - "This is manual for ingress action. - + "This is description for ingress action. Vendors can write instructions for ingress action that vendor made"; } leaf ingress-action-type { type ingress-action; description "Ingress action type: permit, deny, and mirror."; + } } container egress-action { description "TBD"; - leaf egress-manual { + leaf egress-description { type string; description - "This is manual for egress action. + "This is description for egress action. Vendors can write instructions for egress action that vendor made"; } leaf egress-action-type { type egress-action; description "Egress-action-type: invoke-signaling, tunnel-encapsulation, and forwarding."; } } 
@@ -1689,27 +1878,28 @@ Vendors can write instructions for egress action that vendor made"; } leaf egress-action-type { type egress-action; description "Egress-action-type: invoke-signaling, tunnel-encapsulation, and forwarding."; } } + container apply-profile { description "TBD"; - leaf profile-manual { + leaf profile-description { type string; description - "This is manual for apply profile action. + "This is description for apply profile action. Vendors can write instructions for apply profile action that vendor made"; } container content-security-control { description "Content security control is another category of security capabilities applied to application layer. Through detecting the contents carried over the traffic in application layer, these capabilities 
@@ -1719,80 +1909,80 @@ illegal web access or data retrieval."; container content-security-control-types { description "Content Security types: Antivirus, IPS, IDS, url-filtering, data-filtering, mail-filtering, file-blocking, file-isolate, pkt-capture, application-control, and voip-volte."; leaf antivirus { - type boolean; + type string; description "Additional inspection of antivirus."; } leaf ips { - type boolean; + type string; description "Additional inspection of IPS."; } leaf ids { - type boolean; + type string; description "Additional inspection of IDS."; } leaf url-filtering { - type boolean; + type string; description "Additional inspection of URL filtering."; } leaf data-filtering { - type boolean; + type string; description "Additional inspection of data filtering."; } leaf mail-filtering { - type boolean; + type string; description "Additional inspection of mail filtering."; } leaf file-blocking { - type boolean; + type string; description "Additional inspection of file blocking."; } + leaf file-isolate { - type boolean; + type string; description "Additional inspection of file isolate."; } - leaf pkt-capture { - type boolean; + type string; description "Additional inspection of packet capture."; } leaf application-control { - type boolean; + type string; description "Additional inspection of app control."; } leaf voip-volte { - type boolean; + type string; description "Additional inspection of VoIP/VoLTE."; } } } container attack-mitigation-control { description "This category of security capabilities is specially used to detect and mitigate various 
@@ -1814,98 +2004,98 @@ description "Network layer DDoS-attack."; container network-layer-ddos-attack-type { description "Network layer DDoS attack types: Syn Flood Attack, UDP Flood Attack, ICMP Flood Attack, IP Fragment Flood, IPv6 Related Attacks, and etc"; leaf syn-flood { - type boolean; + type string; description "Additional Inspection of Syn Flood Attack."; } leaf udp-flood { - type boolean; + type string; description "Additional Inspection of UDP Flood Attack."; } leaf icmp-flood { - type boolean; + type string; description "Additional Inspection of ICMP Flood Attack."; } leaf ip-frag-flood { - type boolean; + type string; description "Additional Inspection of IP Fragment Flood."; } leaf ipv6-related { - type boolean; + type string; description "Additional Inspection of IPv6 Related Attacks."; } } } container app-layer-ddos-attack { description "Application layer DDoS-attack."; container app-ddos-attack-types { description "Application layer DDoS-attack types: Http Flood Attack, Https Flood Attack, DNS Flood Attack, and DNS Amplification Flood Attack, SSL DDoS Attack, and etc."; leaf http-flood { - type boolean; + type string; description "Additional Inspection of Http Flood Attack."; } leaf https-flood { - type boolean; + type string; description "Additional Inspection of Https Flood Attack."; } leaf dns-flood { - type boolean; + type string; description "Additional Inspection of DNS Flood Attack."; } leaf dns-amp-flood { - type boolean; + type string; description "Additional Inspection of DNS Amplification Flood Attack."; } leaf ssl-ddos { - type boolean; + type string; description "Additional Inspection of SSL Flood Attack."; } } } } } container single-packet-attack { 
@@ -1920,57 +2110,59 @@ container scan-and-sniff-attack { description "Scanning and Sniffing Attack."; container scan-and-sniff-attack-types { description "Scanning and sniffing attack types: IP Sweep attack, Port Scanning, and etc."; leaf ip-sweep { - type boolean; + type string; description "Additional Inspection of IP Sweep Attack."; } leaf port-scanning { - type boolean; + type string; description "Additional Inspection of Port Scanning Attack."; } } } container malformed-packet-attack { description "Malformed Packet Attack."; container malformed-packet-attack-types { description "Malformed packet attack types: Ping of Death Attack, Teardrop Attack, and etc."; leaf ping-of-death { - type boolean; + type string; description "Additional Inspection of Ping of Death Attack."; } + leaf teardrop { - type boolean; + type string; description "Additional Inspection of Teardrop Attack."; } } + } container special-packet-attack { description "special Packet Attack."; container special-packet-attack-types { description "Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc."; @@ -1969,28 +2161,28 @@ container special-packet-attack { description "special Packet Attack."; container special-packet-attack-types { description "Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc."; leaf oversized-icmp { - type boolean; + type string; description "Additional Inspection of Oversize ICMP Attack."; } leaf tracert { - type boolean; + type string; description "Additional Inspection of Tracrt Attack."; } } } } } } } 
@@ -2029,76 +2221,63 @@ o Liang Xia (Huawei) o Tae-Jin Ahn (Korea Telecom) o Se-Hui Lee (Korea Telecom) 10. References 10.1. Normative References - [RFC2119] Bradner, S., "Key words for use in RFCs to - Indicate Requirement Levels", BCP 14, - RFC 2119, March 1997. + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. - [RFC6020] Bjorklund, M., "YANG - A Data Modeling - Language for the Network Configuration - Protocol (NETCONF)", RFC 6020, + [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the + Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. - [RFC8329] Lopez, D., Lopez, E., Dunbar, L., - Strassner, J., and R. Kumar, "Framework for - Interface to Network Security Functions", - RFC 8329, February 2018. + [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. + Kumar, "Framework for Interface to Network Security + Functions", RFC 8329, February 2018. 10.2. Informative References - [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. - Lopez, "Information Model of NSFs - Capabilities", - draft-ietf-i2nsf-capability-00 (work in - progress), September 2017. - - [i2rs-rib-data-model] Wang, L., Chen, M., Dass, A., - Ananthakrishnan, H., Kini, S., and N. - Bahadur, "A YANG Data Model for Routing - Information Base (RIB)", - draft-ietf-i2rs-rib-data-model-10 (work in - progress), February 2018. + [i2nsf-nsf-cap-im] + Xia, L., Strassner, J., Basile, C., and D. Lopez, + "Information Model of NSFs Capabilities", draft-ietf- + i2nsf-capability-00 (work in progress), September 2017. - [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, - "Generic Policy Information Model for - Simplified Use of Policy Abstractions - (SUPA)", draft-ietf-supa-generic-policy- - info-model-03 (work in progress), May 2017. + [i2rs-rib-data-model] + Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, + S., and N. 
Bahadur, "A YANG Data Model for Routing + Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10 + (work in progress), February 2018. -Appendix A. Changes from - draft-kim-i2nsf-nsf-facing-interface-data-model-04 + [supa-policy-info-model] + Strassner, J., Halpern, J., and S. Meer, "Generic Policy + Information Model for Simplified Use of Policy + Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- + model-03 (work in progress), May 2017. - The following changes are made from - draft-kim-i2nsf-nsf-facing-interface-data-model-04: +Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01 - 1. We replaced "Objectives" section with "The Structure and - Objective of I2NSF Security Policy" in order to convey clearer - meaning. + The following changes are made from draft-ietf-i2nsf-nsf-facing- + interface-dm-00: - 2. We replaced the module name for this YANG data model in order to - convey clearer meaning. + 1. We added rule enable, session aging time, and long connection + attributes. - 3. We modified it to support not only absolute time zone but also - periodic time zone. + 2. We added a rule group attribute. - 4. We added port number to the condition clause. + 3. We added additional conditions such as application and url. - 5. We modified the choice-case structure into a container structure - to allow for the selection of multiple catalogues for condition - and action clauses. + 4. We replaced manual to description to clarify the meaning. Authors' Addresses Jinyong Tim Kim Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea 
@@ -2118,27 +2297,26 @@ URI: http://iotlab.skku.edu/people-jaehoon-jeong.php Jung-Soo Park Electronics and Telecommunications Research Institute 218 Gajeong-Ro, Yuseong-Gu Daejeon 34129 Republic of Korea Phone: +82 42 860 6514 EMail: pjs@etri.re.kr - Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com + Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China - Phone: EMail: linqiushi@huawei.com
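Review bot: in the @@ -1814 hunk, every `type boolean;` under `network-layer-ddos-attack-type` and `app-ddos-attack-types` becomes `type string;` while the descriptions still read like on/off flags ("Additional Inspection of Syn Flood Attack."), so it is no longer clear what value a controller is expected to write into `syn-flood`, `udp-flood`, `icmp-flood`, `ip-frag-flood`, `ipv6-related`, `http-flood`, `https-flood`, `dns-flood`, `dns-amp-flood` or `ssl-ddos`. An unconstrained string also removes the validation a boolean gave the NSF; if the intent is to carry a parameter such as a threshold or a named profile, constrain it (a `pattern`, a numeric type with `range`, or an `enumeration`) and state the expected content in each description. Changing a leaf's type is not a backwards-compatible module update, so clients built against -00 will break; that deserves a sentence in the change log. Minor: "and etc" in both container descriptions should read "etc."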
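Review bot: in the @@ -1920 hunk, the added `+ }` after `leaf teardrop` appears to close `container malformed-packet-attack`, which in the -00 text seems to have been left open (only a single `}` followed the teardrop leaf before `container special-packet-attack`, nesting the latter inside `malformed-packet-attack`); since the trailing run of `} } } } } }` later in the module is unchanged, please confirm with a YANG compiler such as pyang that the module balances after this edit, as it cannot be checked by eye here. The `type boolean;` to `type string;` change on `ip-sweep`, `port-scanning`, `ping-of-death` and `teardrop` has the same problem as elsewhere: an unconstrained string with a description that still reads like a flag. Also `description "special Packet Attack."` should be capitalised "Special Packet Attack." to match the sibling containers.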
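Review bot: in the @@ -1969 hunk, the description strings next to the lines being edited carry typos: "Additional Inspection of Oversize ICMP Attack." should say "Oversized ICMP Attack" to match the container description, and "Additional Inspection of Tracrt Attack." should say "Tracert Attack". Since `oversized-icmp` and `tracert` are already being retyped here, fix them in the same pass; and as with the other attack leaves, say in the description what a `string` value is expected to contain, or keep a constrained type.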
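Review bot: in the @@ -2029 hunk, the new Appendix A heading reads "Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01" but the first sentence says the changes are made from draft-ietf-i2nsf-nsf-facing-interface-dm-00, and this document is the -01 revision, so the heading should name -00. The change list also omits the most visible change in this revision, the retyping of the attack-inspection leaves from boolean to string across the DDoS, scan-and-sniff, malformed-packet and special-packet containers; as a non-backwards-compatible change it should be listed as item 5. Item 4, "We replaced manual to description to clarify the meaning.", should read "We replaced 'manual' with 'description' to clarify the meaning." The reflow of the reference entries is fine.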