--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-01.txt 2018-11-04 03:13:09.667956259 -0800 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-02.txt 2018-11-04 03:13:09.759958457 -0800 
@@ -1,54 +1,55 @@ -Network Working Group J. Kim +I2NSF Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University -Expires: January 3, 2019 J. Park +Expires: May 8, 2019 J. Park ETRI S. Hares Q. Lin Huawei - July 02, 2018 + November 4, 2018 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-01 + draft-ietf-i2nsf-nsf-facing-interface-dm-02 Abstract This document defines a YANG data model corresponding to the - information model for Network Security Functions (NSF) facing - interface in Interface to Network Security Functions (I2NSF). It + information model for Network Security Functions (NSF)-Facing + Interface in Interface to Network Security Functions (I2NSF). It describes a data model for the features provided by generic security - functions. This data model provides generic components whose vendors - is well understood, so that the generic component can be used even if - it has some vendor specific functions. These generic functions - represent a point of interoperability, and can be provided by any - product that offers the required Capabilities. Also, if vendors need - additional features for its network security function, they can add - the features by extending the YANG data model. + functions. This data model provides vendors with generic components + that they understand well, so these generic components can be used + even if they have some vendor specific functions. These generic + functions represent a point of interoperability, and can be provided + by any product that offers the required capabilities. Also, if they + need additional features for their network security functions, the + vendors can easily add the features by extending the YANG data model + in this document. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 3, 2019. + This Internet-Draft will expire on May 8, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -69,86 +70,86 @@ 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 4 4.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 4 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 5 5. Data Model Structure . . . . . . . . . . . . . . . . . . . . 5 5.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . 5 5.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 7 5.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 8 5.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 10 6. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 12 6.1. IETF NSF-Facing Interface YANG Data Module . . . . . . . 12 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 46 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 46 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 47 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 47 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 47 - 10.2. Informative References . . . . . . . . . . . . . . . . . 47 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 47 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 47 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 47 + 8.2. Informative References . . . . . . . . . . . . . . . . . 47 Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface- - dm-01 . . . . . . . . . . . . . . . . . . . . . . . 49 + dm-01 . . . . . . . . . . . . . . . . . . . . . . . 48 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 1. Introduction This document defines a YANG [RFC6020] data model for the configuration of security services with the information model for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). 
It provides a specific information model and the corresponding data models for generic network security functions (i.e., network security functions), as defined in [i2nsf-nsf-cap-im]. With these data model, I2NSF controller can control the capabilities of NSFs. The "Event-Condition-Action" (ECA) policy model is used as the basis for the design of I2NSF Policy Rules. The "ietf-i2nsf-nsf-facing-interface" YANG module defined in this document provides the following features: - o configuration of I2NSF security policy rule for generic network - security function policy + o Configuration of I2NSF security policy rule for generic network + security function policy; - o configuration of event clause for generic network security - function policy + o Configuration of event clause for generic network security + function policy; - o configuration of condition clause for generic network security - function policy + o Configuration of condition clause for generic network security + function policy; - o configuration of action clause for generic network security - function policy + o Configuration of action clause for generic network security + function policy. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology This document uses the terminology described in - [i2nsf-nsf-cap-im][i2rs-rib-data-model][supa-policy-info-model]. - Especially, the following terms are from [supa-policy-info-model]: + [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model]. Especially, the + following terms are from [supa-policy-info-model]: o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, implementation language, and protocol. 
o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. 3.1. Tree Diagrams A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams - [i2rs-rib-data-model] is as follows: + [RFC8431] is as follows: o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only). o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list". o Parentheses enclose choice and case nodes, and case nodes are also 
@@ -198,54 +199,56 @@ An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. The object of an action clause is defined as ingress action, egress action, and apply profile action. The objects of action clauses can be extended according to specific vendor action features. 5. Data Model Structure This section shows a data model structure tree of generic network - security functions that are defined in the [i2nsf-nsf-cap-im]. + security functions that are defined in the [i2nsf-nsf-cap-im]. Note + that a detailed data model for the configuration of the advanced + network security functions is described in [i2nsf-advanced-nsf-dm]. + The section discusses the following subjects: - o Consideration of ECA Policy Model by Aggregating the Event, - Condition, and Action Clauses Objects. + o Consideration of ECA Policy Model by aggregating the Event, + Condition, and Action Clause Objects; - o Consideration of Capability Algebra. + o Consideration of Capability Algebra; o Consideration of NSFs Capability Categories (i.e., Network - Security, Content Security, and Attack Mitigation Capabilities). + Security, Content Security, and Attack Mitigation Capabilities); - o Definitions for Network Security Event Class, Network Security + o Definition for Network Security Event Class, Network Security Condition Class, and Network Security Action Class. 5.1. I2NSF Security Policy Rule The data model for the identification of network security policy has the following structure: module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy - | +--rw policy-name? string - | +--rw rules* [rule-name] - | | +--rw rule-name string - | | +--rw rule-description? string - | | +--rw rule-priority? 
uint8 + +--rw system-policy* [system-policy-name] + +--rw system-policy-name string + +--rw priority-usage priority-usage-type + +--rw rules* [rule-name] + | +--rw rule-name string + | +--rw rule-description? string + | +--rw rule-priority? uint8 + | +--rw enable? boolean + | +--rw session-aging-time? uint16 + | +--rw long-connection | | +--rw enable? boolean - | | +--rw session-aging-time? uint16 - | | +--rw long-connection - | | | +--rw enable? boolean - | | | +--rw during? uint16 - | | +--rw policy-event-clause-agg-ptr* instance-identifier - | | +--rw policy-condition-clause-agg-ptr* instance-identifier - | | +--rw policy-action-clause-agg-ptr* instance-identifier - | | +--rw time-zone + | | +--rw during? uint16 + | +--rw time-zone | | +--rw absolute-time-zone | | | +--rw time | | | | +--rw start-time? yang:date-and-time | | | | +--rw end-time? yang:date-and-time | | | +--rw date | | | +--rw absolute-date? yang:date-and-time | | +--rw periodic-time-zone | | +--rw day | | | +--rw sunday? boolean | | | +--rw monday? boolean 
@@ -260,296 +263,301 @@ | | +--rw march? boolean | | +--rw april? boolean | | +--rw may? boolean | | +--rw june? boolean | | +--rw july? boolean | | +--rw august? boolean | | +--rw september? boolean | | +--rw october? boolean | | +--rw november? boolean | | +--rw december? boolean - | +--rw resolution-strategy - | | +--rw (resolution-strategy-type)? - | | +--:(fmr) - | | | +--rw first-matching-rule? boolean - | | +--:(lmr) - | | +--rw last-matching-rule? boolean - | +--rw default-action - | | +--rw default-action-type? boolean - | +--rw rule-group - | +--rw groups* [group-name] - | +--rw group-name string - | +--rw rule-range - | | +--rw start-rule? string - | | +--rw end-rule? string - | +--rw enable? boolean - | +--rw description? string - +--rw event-clause-container - | ... - +--rw condition-clause-container + | +--rw event-clause-container + | | ... + | +--rw condition-clause-container + | | ... + | +--rw action-clause-container | ... - +--rw action-clause-container - ... + +--rw resolution-strategy + | +--rw (resolution-strategy-type)? + | +--:(fmr) + | | +--rw first-matching-rule? boolean + | +--:(lmr) + | +--rw last-matching-rule? boolean + +--rw default-action + | +--rw default-action-type? boolean + +--rw rule-group + +--rw groups* [group-name] + +--rw group-name string + +--rw rule-range + | +--rw start-rule? string + | +--rw end-rule? string + +--rw enable? boolean + +--rw description? string Figure 1: Data Model Structure for Network Security Policy Identification 5.2. Event Clause The data model for event rule has the following structure: module: ietf-i2nsf-policy-rule-for-nsf - +--rw i2nsf-security-policy* [policy-name] - | ... - | +--rw eca-policy-rules* [rule-id] - | ... - | +--rw resolution-strategy + +--rw i2nsf-security-policy + +--rw system-policy* [system-policy-name] + ... + | +--rw event-clause-container + | | +--rw event-clause-list* [eca-object-id] + | | +--rw entity-class? 
identityref + | | +--rw eca-object-id string + | | +--rw description? string + | | +--rw sec-event-content string + | | +--rw sec-event-format sec-event-format + | | +--rw sec-event-type string + | +--rw condition-clause-container + | | ... + | +--rw action-clause-container | ... - | +--rw default-action + +--rw resolution-strategy | ... - +--rw event-clause-container - | +--rw event-clause-list* [eca-object-id] - | +--rw entity-class? identityref - | +--rw eca-object-id string - | +--rw description? string - | +--rw sec-event-content string - | +--rw sec-event-format sec-event-format - | +--rw sec-event-type string - +--rw condition-clause-container + +--rw default-action | ... - +--rw action-clause-container + +--rw rule-group ... Figure 2: Data Model Structure for Event Rule These objects are defined as user security event, device security event, system security event, and time security event. These objects can be extended according to specific vendor event features. We will add additional event objects for more generic network security functions. 5.3. Condition Clause The data model for condition rule has the following structure: module: ietf-i2nsf-policy-rule-for-nsf -+--rw i2nsf-security-policy* [policy-name] -| ... -| +--rw eca-policy-rules* [rule-id] -| ... -| +--rw resolution-strategy ++--rw i2nsf-security-policy + +--rw system-policy* [system-policy-name] + ... + | +--rw event-clause-container + | | ... + | +--rw condition-clause-container + | | +--rw condition-clause-list* [eca-object-id] + | | +--rw entity-class? identityref + | | +--rw eca-object-id string + | | +--rw packet-security-condition + | | | +--rw packet-description? 
string + | | | +--rw packet-security-mac-condition + | | | | +--rw pkt-sec-cond-mac-dest* yang:phys-address + | | | | +--rw pkt-sec-cond-mac-src* yang:phys-address + | | | | +--rw pkt-sec-cond-mac-8021q* string + | | | | +--rw pkt-sec-cond-mac-ether-type* string + | | | | +--rw pkt-sec-cond-mac-tci* string + | | | +--rw packet-security-ipv4-condition + | | | | +--rw pkt-sec-cond-ipv4-header-length* uint8 + | | | | +--rw pkt-sec-cond-ipv4-tos* uint8 + | | | | +--rw pkt-sec-cond-ipv4-total-length* uint16 + | | | | +--rw pkt-sec-cond-ipv4-id* uint8 + | | | | +--rw pkt-sec-cond-ipv4-fragment* uint8 + | | | | +--rw pkt-sec-cond-ipv4-fragment-offset* uint16 + | | | | +--rw pkt-sec-cond-ipv4-ttl* uint8 + | | | | +--rw pkt-sec-cond-ipv4-protocol* uint8 + | | | | +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address + | | | | +--rw pkt-sec-cond-ipv4-dest* inet:ipv4-address + | | | | +--rw pkt-sec-cond-ipv4-ipopts? string + | | | | +--rw pkt-sec-cond-ipv4-sameip? boolean + | | | | +--rw pkt-sec-cond-ipv4-geoip* string + | | | +--rw packet-security-ipv6-condition + | | | | +--rw pkt-sec-cond-ipv6-dscp* string + | | | | +--rw pkt-sec-cond-ipv6-ecn* string + | | | | +--rw pkt-sec-cond-ipv6-traffic-class* uint8 + | | | | +--rw pkt-sec-cond-ipv6-flow-label* uint32 + | | | | +--rw pkt-sec-cond-ipv6-payload-length* uint16 + | | | | +--rw pkt-sec-cond-ipv6-next-header* uint8 + | | | | +--rw pkt-sec-cond-ipv6-hop-limit* uint8 + | | | | +--rw pkt-sec-cond-ipv6-src* inet:ipv6-address + | | | | +--rw pkt-sec-cond-ipv6-dest* inet:ipv6-address + | | | +--rw packet-security-tcp-condition + | | | | +--rw pkt-sec-cond-tcp-src-port* inet:port-number + | | | | +--rw pkt-sec-cond-tcp-dest-port* inet:port-number + | | | | +--rw pkt-sec-cond-tcp-seq-num* uint32 + | | | | +--rw pkt-sec-cond-tcp-ack-num* uint32 + | | | | +--rw pkt-sec-cond-tcp-window-size* uint16 + | | | | +--rw pkt-sec-cond-tcp-flags* uint8 + | | | +--rw packet-security-udp-condition + | | | | +--rw pkt-sec-cond-udp-src-port* 
inet:port-number + | | | | +--rw pkt-sec-cond-udp-dest-port* inet:port-number + | | | | +--rw pkt-sec-cond-udp-length* string + | | | +--rw packet-security-icmp-condition + | | | +--rw pkt-sec-cond-icmp-type* uint8 + | | | +--rw pkt-sec-cond-icmp-code* uint8 + | | | +--rw pkt-sec-cond-icmp-seg-num* uint32 + | | +--rw packet-payload-condition + | | | +--rw packet-payload-description? string + | | | +--rw pkt-payload-content* string + | | +--rw acl-number? uint32 + | | +--rw application-condition + | | | +--rw application-description? string + | | | +--rw application-object* string + | | | +--rw application-group* string + | | | +--rw application-label* string + | | | +--rw category + | | | +--rw application-category* + | | | [name application-subcategory] + | | | +--rw name string + | | | +--rw application-subcategory string + | | +--rw target-condition + | | | +--rw target-description? string + | | | +--rw device-sec-context-cond + | | | +--rw pc? boolean + | | | +--rw mobile-phone? boolean + | | | +--rw voip-volte-phone? boolean + | | | +--rw tablet? boolean + | | | +--rw iot? boolean + | | | +--rw vehicle? boolean + | | +--rw users-condition + | | | +--rw users-description? string + | | | +--rw user + | | | | +--rw (user-name)? + | | | | +--:(tenant) + | | | | | +--rw tenant uint8 + | | | | +--:(vn-id) + | | | | +--rw vn-id uint8 + | | | +--rw group + | | | | +--rw (group-name)? + | | | | +--:(tenant) + | | | | | +--rw tenant uint8 + | | | | +--:(vn-id) + | | | | +--rw vn-id uint8 + | | | +--rw security-grup string + | | +--rw url-category-condition + | | | +--rw url-category-description? string + | | | +--rw pre-defined-category* string + | | | +--rw user-defined-category* string + | | +--rw context-condition + | | | +--rw context-description? string + | | +--rw gen-context-condition + | | +--rw gen-context-description? 
string + | | +--rw geographic-location + | | +--rw src-geographic-location* uint32 + | | +--rw dest-geographic-location* uint32 + | +--rw action-clause-container | ... -| +--rw default-action + +--rw resolution-strategy | ... -+--rw event-clause-container + +--rw default-action | ... -+--rw condition-clause-container -| +--rw condition-clause-list* [eca-object-id] -| +--rw entity-class? identityref -| +--rw eca-object-id string -| +--rw packet-security-condition -| | +--rw packet-description? string -| | +--rw packet-security-mac-condition -| | | +--rw pkt-sec-cond-mac-dest* yang:phys-address -| | | +--rw pkt-sec-cond-mac-src* yang:phys-address -| | | +--rw pkt-sec-cond-mac-8021q* string -| | | +--rw pkt-sec-cond-mac-ether-type* string -| | | +--rw pkt-sec-cond-mac-tci* string -| | +--rw packet-security-ipv4-condition -| | | +--rw pkt-sec-cond-ipv4-header-length* uint8 -| | | +--rw pkt-sec-cond-ipv4-tos* uint8 -| | | +--rw pkt-sec-cond-ipv4-total-length* uint16 -| | | +--rw pkt-sec-cond-ipv4-id* uint8 -| | | +--rw pkt-sec-cond-ipv4-fragment* uint8 -| | | +--rw pkt-sec-cond-ipv4-fragment-offset* uint16 -| | | +--rw pkt-sec-cond-ipv4-ttl* uint8 -| | | +--rw pkt-sec-cond-ipv4-protocol* uint8 -| | | +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address -| | | +--rw pkt-sec-cond-ipv4-dest* inet:ipv4-address -| | | +--rw pkt-sec-cond-ipv4-ipopts? string -| | | +--rw pkt-sec-cond-ipv4-sameip? 
boolean -| | | +--rw pkt-sec-cond-ipv4-geoip* string -| | +--rw packet-security-ipv6-condition -| | | +--rw pkt-sec-cond-ipv6-dscp* string -| | | +--rw pkt-sec-cond-ipv6-ecn* string -| | | +--rw pkt-sec-cond-ipv6-traffic-class* uint8 -| | | +--rw pkt-sec-cond-ipv6-flow-label* uint32 -| | | +--rw pkt-sec-cond-ipv6-payload-length* uint16 -| | | +--rw pkt-sec-cond-ipv6-next-header* uint8 -| | | +--rw pkt-sec-cond-ipv6-hop-limit* uint8 -| | | +--rw pkt-sec-cond-ipv6-src* inet:ipv6-address -| | | +--rw pkt-sec-cond-ipv6-dest* inet:ipv6-address -| | +--rw packet-security-tcp-condition -| | | +--rw pkt-sec-cond-tcp-src-port* inet:port-number -| | | +--rw pkt-sec-cond-tcp-dest-port* inet:port-number -| | | +--rw pkt-sec-cond-tcp-seq-num* uint32 -| | | +--rw pkt-sec-cond-tcp-ack-num* uint32 -| | | +--rw pkt-sec-cond-tcp-window-size* uint16 -| | | +--rw pkt-sec-cond-tcp-flags* uint8 -| | +--rw packet-security-udp-condition -| | | +--rw pkt-sec-cond-udp-src-port* inet:port-number -| | | +--rw pkt-sec-cond-udp-dest-port* inet:port-number -| | | +--rw pkt-sec-cond-udp-length* string -| | +--rw packet-security-icmp-condition -| | +--rw pkt-sec-cond-icmp-type* uint8 -| | +--rw pkt-sec-cond-icmp-code* uint8 -| | +--rw pkt-sec-cond-icmp-seg-num* uint32 -| +--rw packet-payload-condition -| | +--rw packet-payload-description? string -| | +--rw pkt-payload-content* string -| +--rw acl-number? uint32 -| +--rw application-condition -| | +--rw application-description? string -| | +--rw application-object* string -| | +--rw application-group* string -| | +--rw application-label* string -| | +--rw category -| | +--rw application-category* [name application-subcategory] -| | +--rw name string -| | +--rw application-subcategory string -| +--rw target-condition -| | +--rw target-description? string -| | +--rw device-sec-context-cond -| | +--rw pc? boolean -| | +--rw mobile-phone? boolean -| | +--rw voip-volte-phone? boolean -| | +--rw tablet? boolean -| | +--rw iot? 
boolean -| | +--rw vehicle? boolean -| +--rw users-condition -| | +--rw users-description? string -| | +--rw user -| | | +--rw (user-name)? -| | | +--:(tenant) -| | | | +--rw tenant uint8 -| | | +--:(vn-id) -| | | +--rw vn-id uint8 -| | +--rw group -| | | +--rw (group-name)? -| | | +--:(tenant) -| | | | +--rw tenant uint8 -| | | +--:(vn-id) -| | | +--rw vn-id uint8 -| | +--rw security-grup string -| +--rw url-category-condition -| | +--rw pre-defined-category* string -| | +--rw user-defined-category* string -| +--rw context-condition -| | +--rw context-description? string -| +--rw gen-context-condition -| +--rw gen-context-description? string -| +--rw geographic-location -| +--rw src-geographic-location* uint32 -| +--rw dest-geographic-location* uint32 -+--rw action-clause-container + +--rw rule-group ... Figure 3: Data Model Structure for Condition Rule These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition. These objects can be extended according to specific vendor condition features. We will add additional condition objects for more generic network security functions. 5.4. Action Clause The data model for action rule has the following structure: module: ietf-i2nsf-policy-rule-for-nsf - +--rw i2nsf-security-policy* [policy-name] - | ... - | +--rw eca-policy-rules* [rule-id] - | ... - | +--rw resolution-strategy - | ... - | +--rw default-action - | ... - +--rw event-clause-container + +--rw i2nsf-security-policy + +--rw system-policy* [system-policy-name] + ... + | +--rw event-clause-container + | | ... + | +--rw condition-clause-container + | | ... + | +--rw action-clause-container + | +--rw action-clause-list* [eca-object-id] + | +--rw entity-class? identityref + | +--rw eca-object-id string + | +--rw rule-log? boolean + | +--rw session-log? boolean + | +--rw ingress-action + | | +--rw ingress-description? 
string + | | +--rw ingress-action-type? ingress-action + | +--rw egress-action + | | +--rw egress-description? string + | | +--rw egress-action-type? egress-action + | +--rw apply-profile + | +--rw profile-description? string + | +--rw content-security-control + | | +--rw content-security-control-types + | | +--rw antivirus? string + | | +--rw ips? string + | | +--rw ids? string + | | +--rw url-filtering? string + | | +--rw data-filtering? string + | | +--rw mail-filtering? string + | | +--rw file-blocking? string + | | +--rw file-isolate? string + | | +--rw pkt-capture? string + | | +--rw application-control? string + | | +--rw voip-volte? string + | +--rw attack-mitigation-control + | +--rw ddos-attack + | | +--rw ddos-attack-type + | | +--rw network-layer-ddos-attack + | | | +--rw network-layer-ddos-attack-type + | | | +--rw syn-flood? string + | | | +--rw udp-flood? string + | | | +--rw icmp-flood? string + | | | +--rw ip-frag-flood? string + | | | +--rw ipv6-related? string + | | +--rw app-layer-ddos-attack + | | +--rw app-ddos-attack-types + | | +--rw http-flood? string + | | +--rw https-flood? string + | | +--rw dns-flood? string + | | +--rw dns-amp-flood? string + | | +--rw ssl-ddos? string + | +--rw single-packet-attack + | +--rw single-packet-attack-type + | +--rw scan-and-sniff-attack + | | +--rw scan-and-sniff-attack-types + | | +--rw ip-sweep? string + | | +--rw port-scanning? string + | +--rw malformed-packet-attack + | | +--rw malformed-packet-attack-types + | | +--rw ping-of-death? string + | | +--rw teardrop? string + | +--rw special-packet-attack + | +--rw special-packet-attack-types + | +--rw oversized-icmp? string + | +--rw tracert? string + +--rw resolution-strategy | ... - +--rw condition-clause-container + +--rw default-action | ... - +--rw action-clause-container - +--rw action-clause-list* [eca-object-id] - +--rw entity-class? identityref - +--rw eca-object-id string - +--rw rule-log? boolean - +--rw session-log? 
boolean - +--rw ingress-action - | +--rw ingress-description? string - | +--rw ingress-action-type? ingress-action - +--rw egress-action - | +--rw egress-description? string - | +--rw egress-action-type? egress-action - +--rw apply-profile - +--rw profile-description? string - +--rw content-security-control - | +--rw content-security-control-types - | +--rw antivirus? string - | +--rw ips? string - | +--rw ids? string - | +--rw url-filtering? string - | +--rw data-filtering? string - | +--rw mail-filtering? string - | +--rw file-blocking? string - | +--rw file-isolate? string - | +--rw pkt-capture? string - | +--rw application-control? string - | +--rw voip-volte? string - +--rw attack-mitigation-control - +--rw ddos-attack - | +--rw ddos-attack-type - | +--rw network-layer-ddos-attack - | | +--rw network-layer-ddos-attack-type - | | +--rw syn-flood? string - | | +--rw udp-flood? string - | | +--rw icmp-flood? string - | | +--rw ip-frag-flood? string - | | +--rw ipv6-related? string - | +--rw app-layer-ddos-attack - | +--rw app-ddos-attack-types - | +--rw http-flood? string - | +--rw https-flood? string - | +--rw dns-flood? string - | +--rw dns-amp-flood? string - | +--rw ssl-ddos? string - +--rw single-packet-attack - +--rw single-packet-attack-type - +--rw scan-and-sniff-attack - | +--rw scan-and-sniff-attack-types - | +--rw ip-sweep? string - | +--rw port-scanning? string - +--rw malformed-packet-attack - | +--rw malformed-packet-attack-types - | +--rw ping-of-death? string - | +--rw teardrop? string - +--rw special-packet-attack - +--rw special-packet-attack-types - +--rw oversized-icmp? string - +--rw tracert? string + +--rw rule-group + ... Figure 4: Data Model Structure for Action Rule These objects are defined as ingress action, egress action, and apply profile action. These objects can be extended according to specific vendor action feature. We will add additional action objects for more generic network security functions. 6. YANG Module 6.1. 
IETF NSF-Facing Interface YANG Data Module This section introduces a YANG module for the information model of network security functions, as defined in the [i2nsf-nsf-cap-im]. - file "ietf-i2nsf-policy-rule-for-nsf@2018-07-02.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2018-11-04.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix policy-rule-for-nsf; import ietf-inet-types{ prefix inet; @@ -577,24 +585,24 @@ Editor: Jaehoon Paul Jeong Editor: Susan Hares "; description "This module defines a YANG data module for network security functions."; - revision "2018-07-02"{ + revision "2018-11-04"{ description "The fourth revision"; reference - "draft-ietf-i2nsf-capability-00"; + "draft-ietf-i2nsf-capability-04"; } typedef sec-event-format { type enumeration { enum unknown { description "If SecEventFormat is unknown"; } enum guid { description @@ -620,20 +627,35 @@ enum fqpn { description "If SecEventFormat is FQPN (Fully Qualified Path Name)"; } } description "This is used for SecEventFormat."; } + typedef priority-usage-type { + type enumeration { + enum priority-by-order { + description + "If priority type is order"; + } + enum priority-by-number { + description + "If priority type is number"; + } + } + description + "This is used for priority type."; + } + typedef ingress-action { type enumeration { enum pass { description "If ingress action is pass"; } enum drop { description "If ingress action is drop"; } 
@@ -779,36 +801,50 @@ this user. The content and format are specified in the SecEventContent and SecEventFormat class attributes, respectively. An example of the SecEventContent attribute is string hrAdmin, with the SecEventFormat attribute set to 1 (GUID) and the SecEventType attribute set to 5 (new logon)."; } } - container i2nsf-security-policy { description "policy is a container including a set of security rules according to certain logic, i.e., their similarity or mutual relations, etc. The network security policy is able to apply over both the unidirectional and bidirectional traffic across the NSF."; - leaf policy-name { + list system-policy { + key "system-policy-name"; + description + "The system-policy represents there could be multiple system + policies in one NSF, and each system policy is used by + one virtual instance of the NSF/device."; + + leaf system-policy-name { type string; + mandatory true; description "The name of the policy. This must be unique."; } + leaf priority-usage { + type priority-usage-type; + mandatory true; + description + "This is priority type."; + } + list rules { key "rule-name"; description "This is a rule for network security functions."; leaf rule-name { type string; mandatory true; description "The id of the rule. 
@@ -853,42 +889,20 @@ False is not enbale."; } leaf during { type uint16; description "This is during time."; } } - leaf-list policy-event-clause-agg-ptr { - type instance-identifier; - must 'derived-from-or-self (/event-clause-container/ - event-clause-list/entity-class, "ECA-EVENT-TYPE")'; - description - "TBD"; - } - leaf-list policy-condition-clause-agg-ptr { - type instance-identifier; - must 'derived-from-or-self (/condition-clause-container/ - condition-clause-list/entity-class, "ECA-CONDITION-TYPE")'; - description - "TBD"; - } - leaf-list policy-action-clause-agg-ptr { - type instance-identifier; - must 'derived-from-or-self (/action-clause-container/ - action-clause-list/entity-class, "ECA-ACTION-TYPE")'; - description - "TBD"; - } - container time-zone { description "This can be used to apply rules according to time-zone"; container absolute-time-zone { description "This can be used to apply rules according to absolute-time"; container time { description "This can be used to apply rules according to time"; 
@@ -1019,118 +1031,29 @@ "This is november for periodic month"; } leaf december { type boolean; description "This is december for periodic month"; } } } } - } - - container resolution-strategy { - description - "The resolution strategies can be used to - specify how to resolve conflicts that occur between - the actions of the same or different policy rules that - are matched and contained in this particular NSF"; - - choice resolution-strategy-type { - description - "Vendors can use YANG data model to configure rules"; - - case fmr { - leaf first-matching-rule { - type boolean; - description - "If the resolution strategy is first matching rule"; - } - } - case lmr { - leaf last-matching-rule { - type boolean; - description - "If the resolution strategy is last matching rule"; - } - } - - } - } - - container default-action { - description - "This default action can be used to specify a predefined - action when no other alternative action was matched - by the currently executing I2NSF Policy Rule. 
An analogy - is the use of a default statement in a C switch statement."; - - leaf default-action-type { - type boolean; - description - "True is permit - False is deny."; - } - } - - container rule-group { - description - "This is rule group"; - - list groups { - key "group-name"; - description - "This is a group for rules"; - - leaf group-name { - type string; - description - "This is a group for rules"; - } - - container rule-range { - description - "This is a rule range."; - - leaf start-rule { - type string; - description - "This is a start rule"; - } - leaf end-rule { - type string; - description - "This is a end rule"; - } - } - leaf enable { - type boolean; - description - "This is enable - False is not enable."; - } - leaf description { - type string; - description - "This is a desription for rule-group"; - } - } - } - } container event-clause-container { description "TBD"; list event-clause-list { key eca-object-id; uses i2nsf-eca-object-type { refine entity-class { default ECA-EVENT-TYPE; + } } description " This is abstract. An event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. When used in the context of policy rules for a flow-based NSF, it is used to determine whether the Condition clause of the Policy Rule can be evaluated 
@@ -2178,106 +2093,207 @@ type string; description "Additional Inspection of Tracrt Attack."; } } } } } } + } } } + } + container resolution-strategy { + description + "The resolution strategies can be used to + specify how to resolve conflicts that occur between + the actions of the same or different policy rules that + are matched and contained in this particular NSF"; - + choice resolution-strategy-type { + description + "Vendors can use YANG data model to configure rules"; - Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface + case fmr { + leaf first-matching-rule { + type boolean; + description + "If the resolution strategy is first matching rule"; + } + } + case lmr { + leaf last-matching-rule { + type boolean; + description + "If the resolution strategy is last matching rule"; + } + } -7. Security Considerations + } + } - This document introduces no additional security threats and SHOULD - follow the security requirements as stated in [RFC8329]. + container default-action { + description + "This default action can be used to specify a predefined + action when no other alternative action was matched + by the currently executing I2NSF Policy Rule. An analogy + is the use of a default statement in a C switch statement."; -8. Acknowledgments + leaf default-action-type { + type boolean; + description + "True is permit + False is deny."; + } - This work was supported by Institute for Information & communications - Technology Promotion (IITP) grant funded by the Korea government - (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence - Technology Development for the Customized Security Service - Provisioning). + } -9. Contributors + container rule-group { + description + "This is rule group"; - I2NSF is a group effort. I2NSF has had a number of contributing - authors. 
The following are considered co-authors: + list groups { + key "group-name"; + description + "This is a group for rules"; - o Hyoungshick Kim (Sungkyunkwan University) + leaf group-name { + type string; + description + "This is a group for rules"; + } - o Daeyoung Hyun (Sungkyunkwan University) + container rule-range { + description + "This is a rule range."; - o Dongjin Hong (Sungkyunkwan University) + leaf start-rule { + type string; + description + "This is a start rule"; + } + leaf end-rule { + type string; + description + "This is a end rule"; + } + } + leaf enable { + type boolean; + description + "This is enable + False is not enable."; + } + leaf description { + type string; + description + "This is a desription for rule-group"; + } + } + } + } + } + } - o Liang Xia (Huawei) + - o Tae-Jin Ahn (Korea Telecom) + Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface - o Se-Hui Lee (Korea Telecom) +7. Security Considerations -10. References + This document introduces no additional security threats and SHOULD + follow the security requirements as stated in [RFC8329]. -10.1. Normative References +8. References + +8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, February 2018. -10.2. Informative References + [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, + S., and N. Bahadur, "A YANG Data Model for Routing + Information Base (RIB)", RFC RFC8431, September 2018. + +8.2. Informative References + + [i2nsf-advanced-nsf-dm] + Pan, W. and L. 
Xia, "Configuration of Advanced Security + Functions with I2NSF Security Controller", draft-dong- + i2nsf-asf-config-01 (work in progress), October 2018. [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- - i2nsf-capability-00 (work in progress), September 2017. - - [i2rs-rib-data-model] - Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, - S., and N. Bahadur, "A YANG Data Model for Routing - Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10 - (work in progress), February 2018. + i2nsf-capability-04 (work in progress), October 2018. [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01 The following changes are made from draft-ietf-i2nsf-nsf-facing- - interface-dm-00: + interface-dm-01: - 1. We added rule enable, session aging time, and long connection - attributes. + o We added system policy which represents there could be multiple + system policies in one NSF, and each system policy is used by one + virtual instance of the NSF/device. This is a very general + feature for all the NSFs/devices. - 2. We added a rule group attribute. + o We changed policy name to system policy name for system policy. - 3. We added additional conditions such as application and url. + o We deleted policy-event-clause-agg-ptr, policy-condition-clause- + agg-ptr, and policy-action-clause-agg-ptr. - 4. We replaced manual to description to clarify the meaning. + o We added priority-usage which represents priority of policies by + order or number. + +Appendix B. 
Acknowledgments + + This work was supported by Institute for Information & communications + Technology Promotion (IITP) grant funded by the Korea government + (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence + Technology Development for the Customized Security Service + Provisioning). + +Appendix C. Contributors + + This document is made by the group effort of I2NSF working group. + Many people actively contributed to this document. The following are + considered co-authors: + + o Hyoungshick Kim (Sungkyunkwan University) + + o Daeyoung Hyun (Sungkyunkwan University) + + o Dongjin Hong (Sungkyunkwan University) + + o Liang Xia (Huawei) + + o Tae-Jin Ahn (Korea Telecom) + + o Se-Hui Lee (Korea Telecom) Authors' Addresses Jinyong Tim Kim Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea
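Review bot: In the hunk at @@ -853,42 +889,20 @@, deleting the three policy-event/condition/action-clause-agg-ptr leaf-lists also deletes the only `must 'derived-from-or-self(...)'` constraints that tied a rule to clause-list entries of the matching entity-class, and nothing visible in this hunk replaces that linkage; Appendix A records the deletion but not how a rule now refers to its event, condition and action clauses, so either state that in the rule's description or keep a typed reference (a leafref to the clause-list key rather than an instance-identifier). The unchanged context line "False is not enbale." also carries a typo ("enable") worth fixing while this region is touched.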
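Review bot: In the hunk at @@ -1019,118 +1031,29 @@, the added closing brace correctly completes `refine entity-class { default ECA-EVENT-TYPE; }`, but the surrounding `container event-clause-container` still has description "TBD" while the list inside it carries a full definition; fill in the container description, since a "TBD" description will be flagged by pyang/idnits review before this moves forward. The resolution-strategy, default-action and rule-group containers removed here reappear in the last hunk one nesting level up, so this is a move rather than a deletion; say so in Appendix A, which currently lists neither the move nor the changed nesting.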
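Review bot: In the hunk at @@ -2178,106 +2093,207 @@, `rule-range` types `start-rule` and `end-rule` as `string`, so a group can name rules that do not exist and the NSF cannot validate the range; a leafref to the rule's name key would make the constraint enforceable. Likewise the `resolution-strategy-type` choice wraps a single boolean in each case (`first-matching-rule`, `last-matching-rule`) and `default-action-type` encodes permit/deny as `true`/`false`; a `first-matching-rule false` value has no defined meaning, so an enumeration or identityref would be clearer and leaves room for further strategies and actions. Because these nodes (together with `rule-group/enable`) decide which traffic an NSF permits, the one-sentence Security Considerations that this hunk keeps should follow the YANG security considerations template from RFC 8407 and list them as sensitive writable nodes. Minor: the new RFC8431 reference reads "RFC RFC8431", and the moved descriptions still say "desription" and "This is a end rule".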