--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-02.txt 2019-03-11 01:14:12.980240862 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-03.txt 2019-03-11 01:14:13.124244376 -0700 
@@ -1,133 +1,131 @@ I2NSF Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University -Expires: May 8, 2019 J. Park +Expires: September 12, 2019 J. Park ETRI S. Hares Q. Lin Huawei - November 4, 2018 + March 11, 2019 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-02 + draft-ietf-i2nsf-nsf-facing-interface-dm-03 Abstract - This document defines a YANG data model corresponding to the - information model for Network Security Functions (NSF)-Facing - Interface in Interface to Network Security Functions (I2NSF). It - describes a data model for the features provided by generic security - functions. This data model provides vendors with generic components - that they understand well, so these generic components can be used - even if they have some vendor specific functions. These generic - functions represent a point of interoperability, and can be provided - by any product that offers the required capabilities. Also, if they - need additional features for their network security functions, the - vendors can easily add the features by extending the YANG data model - in this document. + This document defines a YANG data model for configuring security + policy rules on network security functions. The YANG data model in + this document is corresponding to the information model for Network + Security Functions (NSF)-Facing Interface in Interface to Network + Security Functions (I2NSF). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. 
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 8, 2019. + This Internet-Draft will expire on September 12, 2019. Copyright Notice - Copyright (c) 2018 IETF Trust and the persons identified as the + Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 - 4. The Structure and Objective of I2NSF Security Policy . . . . 4 - 4.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . 4 - 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 4 - 4.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 4 - 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 5 - 5. Data Model Structure . . . . . . . . . . . . . . . . . . . . 5 - 5.1. I2NSF Security Policy Rule . . . . . . . . . . . . . . . 5 - 5.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 7 - 5.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 8 - 5.4. Action Clause . . 
. . . . . . . . . . . . . . . . . . . . 10 - 6. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 6.1. IETF NSF-Facing Interface YANG Data Module . . . . . . . 12 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 47 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 47 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 47 - 8.2. Informative References . . . . . . . . . . . . . . . . . 47 - Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface- - dm-01 . . . . . . . . . . . . . . . . . . . . . . . 48 - Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 - Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 + 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 + 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 + 4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4 + 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 6 + 4.3. Condtion Clause . . . . . . . . . . . . . . . . . . . . . 7 + 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 12 + 5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 13 + 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 13 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 77 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 78 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 78 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 78 + 8.2. Informative References . . . . . . . . . . . . . . . . . 79 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 81 + A.1. Security Requirement 1: Block SNS Access during Business + Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 81 + A.2. Security Requirement 2: Block Malicious VoIP/VoLTE + Packets Coming to the Company . . . . . . . . . . . . . . 84 + A.3. 
Security Requirement 3: Mitigate HTTP and HTTPS Flood + Attacks on a Company Web Server . . . . . . . . . . . . . 87 + Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface- + dm-02 . . . . . . . . . . . . . . . . . . . . . . . 90 + Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 91 + Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 91 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 1. Introduction - This document defines a YANG [RFC6020] data model for the - configuration of security services with the information model for - Network Security Functions (NSF) facing interface in Interface to - Network Security Functions (I2NSF). It provides a specific - information model and the corresponding data models for generic - network security functions (i.e., network security functions), as - defined in [i2nsf-nsf-cap-im]. With these data model, I2NSF - controller can control the capabilities of NSFs. + This document defines a YANG [RFC6020][RFC7950] data model for + security policy rule configuration of network security devices. The + YANG data model is corresponding to the information model + [i2nsf-nsf-cap-im] for Network Security Functions (NSF) facing + interface in Interface to Network Security Functions (I2NSF). The + YANG data model in this document focuses on security policy + configuration for generic network security functions. Note that + security policy configuration for advanced network security functions + are written in [i2nsf-advanced-nsf-dm]. - The "Event-Condition-Action" (ECA) policy model is used as the basis - for the design of I2NSF Policy Rules. + This YANG data model uses an "Event-Condition-Action" (ECA) policy + model that is used as the basis for the design of I2NSF Policy + described in [RFC8329] and [i2nsf-nsf-cap-im]. Rules. 
- The "ietf-i2nsf-nsf-facing-interface" YANG module defined in this - document provides the following features: + The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this + document provides the following features. - o Configuration of I2NSF security policy rule for generic network - security function policy; + o Configuration for general security policy rule of generic network + security function. - o Configuration of event clause for generic network security - function policy; + o Configuration for an event clause of generic network security + function. - o Configuration of condition clause for generic network security - function policy; + o Configuration for a condition clause of generic network security + function. - o Configuration of action clause for generic network security - function policy. + o Configuration for an action clause of generic network security + function. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. + document are to be interpreted as described in [RFC2119][RFC8174]. 3. Terminology This document uses the terminology described in [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model]. Especially, the following terms are from [supa-policy-info-model]: o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, 
@@ -135,442 +133,465 @@ o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. 3.1. Tree Diagrams A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams - [RFC8431] is as follows: + [RFC8340] is as follows: o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only). o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list". o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). o Ellipsis ("...") stands for contents of subtrees that are not shown. -4. The Structure and Objective of I2NSF Security Policy - -4.1. I2NSF Security Policy Rule - - This shows a policy rule for generic network security functions. The - object of a policy rule is defined as policy information and rule - information. This includes ECA Policy Rule such as Event Clause - Objects, Condition Clause Objects, Action Clause Objects, Resolution - Strategy, and Default Action. - -4.2. Event Clause - - This shows an event clause for generic network security functions. - An Event is any important occurrence in time of a change in the - system being managed, and/or in the environment of the system being - managed. When used in the context of I2NSF Policy Rules, it is used - to determine whether the Condition clause of the I2NSF Policy Rule - can be evaluated or not. The object of an event clauses is defined - as user security event, device security event, system security event, - and time security event. The objects of event clauses can be - extended according to specific vendor event features. - -4.3. 
Condition Clause - - This shows a condition clause for generic network security functions. - A condition is defined as a set of attributes, features, and/or - values that are to be compared with a set of known attributes, - features, and/or values in order to determine whether or not the set - of Actions in that (imperative) I2NSF Policy Rule can be executed or - not. These objects are defined as packet security condition, packet - payload security condition, target security condition, user security - condition, context condition, and generic context condition. The - objects of action clauses can be extended according to specific - vendor condition features. - -4.4. Action Clause - - This shows an action clause for generic network security functions. - An action is used to control and monitor aspects of flow-based NSFs - when the event and condition clauses are satisfied. NSFs provide - security functions by executing various Actions. The object of an - action clause is defined as ingress action, egress action, and apply - profile action. The objects of action clauses can be extended - according to specific vendor action features. - -5. Data Model Structure +4. YANG Tree Diagram - This section shows a data model structure tree of generic network - security functions that are defined in the [i2nsf-nsf-cap-im]. Note - that a detailed data model for the configuration of the advanced - network security functions is described in [i2nsf-advanced-nsf-dm]. - The section discusses the following subjects: + This section shows an YANG tree diagram of generic network security + functions. Note that a detailed data model for the configuration of + the advanced network security functions is described in + [i2nsf-advanced-nsf-dm]. The section describes the following + subjects: - o Consideration of ECA Policy Model by aggregating the Event, - Condition, and Action Clause Objects; + o General I2NSF security policy rule of generic network security + function. 
- o Consideration of Capability Algebra; + o An event clause of generic network security function. - o Consideration of NSFs Capability Categories (i.e., Network - Security, Content Security, and Attack Mitigation Capabilities); + o A condition clause of generic network security function. - o Definition for Network Security Event Class, Network Security - Condition Class, and Network Security Action Class. + o An action clause of generic network security function. -5.1. I2NSF Security Policy Rule +4.1. General I2NSF Security Policy Rule - The data model for the identification of network security policy has - the following structure: + This section shows YANG tree diagram for general I2NSF security + policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] +--rw system-policy-name string - +--rw priority-usage priority-usage-type + +--rw priority-usage? identityref + +--rw resolution-strategy? identityref + +--rw default-action? identityref +--rw rules* [rule-name] - | +--rw rule-name string - | +--rw rule-description? string - | +--rw rule-priority? uint8 - | +--rw enable? boolean - | +--rw session-aging-time? uint16 - | +--rw long-connection - | | +--rw enable? boolean - | | +--rw during? uint16 - | +--rw time-zone - | | +--rw absolute-time-zone - | | | +--rw time - | | | | +--rw start-time? yang:date-and-time - | | | | +--rw end-time? yang:date-and-time - | | | +--rw date - | | | +--rw absolute-date? yang:date-and-time - | | +--rw periodic-time-zone - | | +--rw day - | | | +--rw sunday? boolean - | | | +--rw monday? boolean - | | | +--rw tuesday? boolean - | | | +--rw wednesday? boolean - | | | +--rw thursday? boolean - | | | +--rw friday? boolean - | | | +--rw saturday? boolean - | | +--rw month - | | +--rw january? boolean - | | +--rw february? boolean - | | +--rw march? boolean - | | +--rw april? boolean - | | +--rw may? boolean - | | +--rw june? boolean - | | +--rw july? 
boolean - | | +--rw august? boolean - | | +--rw september? boolean - | | +--rw october? boolean - | | +--rw november? boolean - | | +--rw december? boolean - | +--rw event-clause-container - | | ... - | +--rw condition-clause-container - | | ... - | +--rw action-clause-container + +--rw rule-name string + +--rw rule-description? string + +--rw rule-priority? uint8 + +--rw rule-enable? boolean + +--rw time-zone + | +--rw absolute-time-zone + | | +--rw start-time? start-time-type + | | +--rw end-time? end-time-type + | +--rw periodic-time-zone + | +--rw day + | | +--rw every-day? boolean + | | +--rw specific-day* day-type + | +--rw month + | +--rw every-month? boolean + | +--rw specific-month* month-type + +--rw event-clause-container | ... - +--rw resolution-strategy - | +--rw (resolution-strategy-type)? - | +--:(fmr) - | | +--rw first-matching-rule? boolean - | +--:(lmr) - | +--rw last-matching-rule? boolean - +--rw default-action - | +--rw default-action-type? boolean - +--rw rule-group - +--rw groups* [group-name] - +--rw group-name string - +--rw rule-range - | +--rw start-rule? string - | +--rw end-rule? string - +--rw enable? boolean - +--rw description? string + +--rw condition-clause-container + | ... + +--rw action-clause-container + ... - Figure 1: Data Model Structure for Network Security Policy - Identification + Figure 1: YANG Tree Diagram for Network Security Policy -5.2. Event Clause + This YANG tree diagram shows general I2NSF security policy rule for + generic network security functions. - The data model for event rule has the following structure: + The system policy represents there could be multiple system policies + in one NSF, and each system policy is used by one virtual instance of + the NSF/device. The system policy includes system policy name, + priority usage, resolutation strategy, default action, and rules. 
+ + A resolution strategy is used to decide how to resolve conflicts that + occur between the actions of the same or different policy rules that + are matched and contained in this particular NSF. The resolution + strategy is defined as First Matching Rule (FMR), Last Matching Rule + (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and + Prioritized Matching Rule with No Errors (PMRN). The resolution + strategy can be extended according to specific vendor action + features. The resolution strategy is described in detail in + [i2nsf-nsf-cap-im]. + + A default action is used to execute I2NSF policy rule when no rule + matches a packet. The default action is defined as pass, drop, + reject, alert, and mirror. The default action can be extended + according to specific vendor action features. The default action is + described in detail in [i2nsf-nsf-cap-im]. + + The rules include rule name, rule description, rule priority, rule + enable, time zone, event clause container, condition clause + container, and action clause container. + +4.2. Event Clause + + This section shows YANG tree diagram for an event clause of I2NSF + security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] ... - | +--rw event-clause-container - | | +--rw event-clause-list* [eca-object-id] - | | +--rw entity-class? identityref - | | +--rw eca-object-id string - | | +--rw description? string - | | +--rw sec-event-content string - | | +--rw sec-event-format sec-event-format - | | +--rw sec-event-type string - | +--rw condition-clause-container - | | ... - | +--rw action-clause-container - | ... - +--rw resolution-strategy - | ... - +--rw default-action + +--rw rules* [rule-name] + ... + +--rw event-clause-container + | +--rw event-clause-description? string + | +--rw event-clauses + | +--rw system-event* identityref + | +--rw system-alarm* identityref + +--rw condition-clause-container | ... 
- +--rw rule-group + +--rw action-clause-container ... - Figure 2: Data Model Structure for Event Rule + Figure 2: YANG Tree Diagram for Network Security Policy - These objects are defined as user security event, device security - event, system security event, and time security event. These objects - can be extended according to specific vendor event features. We will - add additional event objects for more generic network security - functions. + This YANG tree diagram shows an event clause of I2NSF security policy + rule for generic network security functions. An event clause is any + important occurrence in time of a change in the system being managed, + and/or in the environment of the system being managed. An event + clause is used to trigger the evaluation of the condition clause of + the I2NSF Policy Rule. The event clause is defined as system event + and system alarm. The event clause can be extended according to + specific vendor event features. The event clause is described in + detail in [i2nsf-nsf-cap-im]. -5.3. Condition Clause +4.3. Condtion Clause - The data model for condition rule has the following structure: + This section shows YANG tree diagram for a condition clause of I2NSF + security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy - +--rw system-policy* [system-policy-name] ... - | +--rw event-clause-container - | | ... - | +--rw condition-clause-container - | | +--rw condition-clause-list* [eca-object-id] - | | +--rw entity-class? identityref - | | +--rw eca-object-id string - | | +--rw packet-security-condition - | | | +--rw packet-description? 
string - | | | +--rw packet-security-mac-condition - | | | | +--rw pkt-sec-cond-mac-dest* yang:phys-address - | | | | +--rw pkt-sec-cond-mac-src* yang:phys-address - | | | | +--rw pkt-sec-cond-mac-8021q* string - | | | | +--rw pkt-sec-cond-mac-ether-type* string - | | | | +--rw pkt-sec-cond-mac-tci* string - | | | +--rw packet-security-ipv4-condition - | | | | +--rw pkt-sec-cond-ipv4-header-length* uint8 - | | | | +--rw pkt-sec-cond-ipv4-tos* uint8 - | | | | +--rw pkt-sec-cond-ipv4-total-length* uint16 - | | | | +--rw pkt-sec-cond-ipv4-id* uint8 - | | | | +--rw pkt-sec-cond-ipv4-fragment* uint8 - | | | | +--rw pkt-sec-cond-ipv4-fragment-offset* uint16 - | | | | +--rw pkt-sec-cond-ipv4-ttl* uint8 - | | | | +--rw pkt-sec-cond-ipv4-protocol* uint8 - | | | | +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address - | | | | +--rw pkt-sec-cond-ipv4-dest* inet:ipv4-address - | | | | +--rw pkt-sec-cond-ipv4-ipopts? string - | | | | +--rw pkt-sec-cond-ipv4-sameip? boolean - | | | | +--rw pkt-sec-cond-ipv4-geoip* string - | | | +--rw packet-security-ipv6-condition - | | | | +--rw pkt-sec-cond-ipv6-dscp* string - | | | | +--rw pkt-sec-cond-ipv6-ecn* string - | | | | +--rw pkt-sec-cond-ipv6-traffic-class* uint8 - | | | | +--rw pkt-sec-cond-ipv6-flow-label* uint32 - | | | | +--rw pkt-sec-cond-ipv6-payload-length* uint16 - | | | | +--rw pkt-sec-cond-ipv6-next-header* uint8 - | | | | +--rw pkt-sec-cond-ipv6-hop-limit* uint8 - | | | | +--rw pkt-sec-cond-ipv6-src* inet:ipv6-address - | | | | +--rw pkt-sec-cond-ipv6-dest* inet:ipv6-address - | | | +--rw packet-security-tcp-condition - | | | | +--rw pkt-sec-cond-tcp-src-port* inet:port-number - | | | | +--rw pkt-sec-cond-tcp-dest-port* inet:port-number - | | | | +--rw pkt-sec-cond-tcp-seq-num* uint32 - | | | | +--rw pkt-sec-cond-tcp-ack-num* uint32 - | | | | +--rw pkt-sec-cond-tcp-window-size* uint16 - | | | | +--rw pkt-sec-cond-tcp-flags* uint8 - | | | +--rw packet-security-udp-condition - | | | | +--rw pkt-sec-cond-udp-src-port* 
inet:port-number - | | | | +--rw pkt-sec-cond-udp-dest-port* inet:port-number - | | | | +--rw pkt-sec-cond-udp-length* string - | | | +--rw packet-security-icmp-condition - | | | +--rw pkt-sec-cond-icmp-type* uint8 - | | | +--rw pkt-sec-cond-icmp-code* uint8 - | | | +--rw pkt-sec-cond-icmp-seg-num* uint32 - | | +--rw packet-payload-condition - | | | +--rw packet-payload-description? string - | | | +--rw pkt-payload-content* string - | | +--rw acl-number? uint32 - | | +--rw application-condition - | | | +--rw application-description? string - | | | +--rw application-object* string - | | | +--rw application-group* string - | | | +--rw application-label* string - | | | +--rw category - | | | +--rw application-category* - | | | [name application-subcategory] - | | | +--rw name string - | | | +--rw application-subcategory string - | | +--rw target-condition - | | | +--rw target-description? string - | | | +--rw device-sec-context-cond - | | | +--rw pc? boolean - | | | +--rw mobile-phone? boolean - | | | +--rw voip-volte-phone? boolean - | | | +--rw tablet? boolean - | | | +--rw iot? boolean - | | | +--rw vehicle? boolean - | | +--rw users-condition - | | | +--rw users-description? string - | | | +--rw user - | | | | +--rw (user-name)? - | | | | +--:(tenant) - | | | | | +--rw tenant uint8 - | | | | +--:(vn-id) - | | | | +--rw vn-id uint8 - | | | +--rw group - | | | | +--rw (group-name)? - | | | | +--:(tenant) - | | | | | +--rw tenant uint8 - | | | | +--:(vn-id) - | | | | +--rw vn-id uint8 - | | | +--rw security-grup string - | | +--rw url-category-condition - | | | +--rw url-category-description? string - | | | +--rw pre-defined-category* string - | | | +--rw user-defined-category* string - | | +--rw context-condition - | | | +--rw context-description? string - | | +--rw gen-context-condition - | | +--rw gen-context-description? 
string - | | +--rw geographic-location - | | +--rw src-geographic-location* uint32 - | | +--rw dest-geographic-location* uint32 - | +--rw action-clause-container - | ... - +--rw resolution-strategy - | ... - +--rw default-action + +--rw rules* [rule-name] + ... + +--rw event-clause-container | ... - +--rw rule-group + +--rw condition-clause-container + | +--rw condition-clause-description? string + | +--rw packet-security-ipv4-condition + | | +--rw pkt-sec-ipv4-header-length + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv4-header-length* uint8 + | | | +--:(range-match) + | | | +--rw range-ipv4-header-length* + [start-ipv4-header-length end-ipv4-header-length] + | | | +--rw start-ipv4-header-length uint8 + | | | +--rw end-ipv4-header-length uint8 + | | +--rw pkt-sec-ipv4-tos* identityref + | | +--rw pkt-sec-ipv4-total-length + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv4-total-length* uint16 + | | | +--:(range-match) + | | | +--rw range-ipv4-total-length* + [start-ipv4-total-length end-ipv4-total-length] + | | | +--rw start-ipv4-total-length uint16 + | | | +--rw end-ipv4-total-length uint16 + | | +--rw pkt-sec-ipv4-id* uint16 + | | +--rw pkt-sec-ipv4-fragment-flags* identityref + | | +--rw pkt-sec-ipv4-fragment-offset + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv4-fragment-offset* uint16 + | | | +--:(range-match) + | | | +--rw range-ipv4-fragment-offset* + [start-ipv4-fragment-offset end-ipv4-fragment-offset] + | | | +--rw start-ipv4-fragment-offset uint16 + | | | +--rw end-ipv4-fragment-offset uint16 + | | +--rw pkt-sec-ipv4-ttl + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv4-ttl* uint8 + | | | +--:(range-match) + | | | +--rw range-ipv4-ttl* + [start-ipv4-ttl end-ipv4-ttl] + | | | +--rw start-ipv4-ttl uint8 + | | | +--rw end-ipv4-ttl uint8 + | | +--rw pkt-sec-ipv4-protocol* identityref + | | +--rw pkt-sec-ipv4-src + | | | +--rw (match-type)? 
+ | | | +--:(exact-match) + | | | | +--rw ipv4-address* [ipv4] + | | | | +--rw ipv4 inet:ipv4-address + | | | | +--rw (subnet)? + | | | | +--:(prefix-length) + | | | | | +--rw prefix-length? uint8 + | | | | +--:(netmask) + | | | | +--rw netmask? yang:dotted-quad + | | | +--:(range-match) + | | | +--rw range-ipv4-address* + [start-ipv4-address end-ipv4-address] + | | | +--rw start-ipv4-address inet:ipv4-address + | | | +--rw end-ipv4-address inet:ipv4-address + | | +--rw pkt-sec-ipv4-dest + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv4 + | | | | +--rw ipv4-address* [ipv4] + | | | | +--rw ipv4 inet:ipv4-address + | | | | +--rw (subnet)? + | | | | +--:(prefix-length) + | | | | | +--rw prefix-length? uint8 + | | | | +--:(netmask) + | | | | +--rw netmask? yang:dotted-quad + | | | +--:(range-match) + | | | +--rw range-ipv4-address* + [start-ipv4-address end-ipv4-address] + | | | +--rw start-ipv4-address inet:ipv4-address + | | | +--rw end-ipv4-address inet:ipv4-address + | | +--rw pkt-sec-ipv4-ipopts* identityref + | | +--rw pkt-sec-ipv4-sameip? boolean + | | +--rw pkt-sec-ipv4-geoip* string + | +--rw packet-security-ipv6-condition + | | +--rw pkt-sec-ipv6-traffic-class* identityref + | | +--rw pkt-sec-ipv6-flow-label + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv6-flow-label* uint32 + | | | +--:(range-match) + | | | +--rw range-ipv6-flow-label* + [start-ipv6-flow-label end-ipv6-flow-label] + | | | +--rw start-ipv6-flow-label uint32 + | | | +--rw end-ipv6-flow-label uint32 + | | +--rw pkt-sec-ipv6-payload-length + | | | +--rw (match-type)? 
+ | | | +--:(exact-match) + | | | | +--rw ipv6-payload-length* uint16 + | | | +--:(range-match) + | | | +--rw range-ipv6-payload-length* + [start-ipv6-payload-length end-ipv6-payload-length] + | | | +--rw start-ipv6-payload-length uint16 + | | | +--rw end-ipv6-payload-length uint16 + | | +--rw pkt-sec-ipv6-next-header* identityref + | | +--rw pkt-sec-ipv6-hop-limit + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv6-hop-limit* uint8 + | | | +--:(range-match) + | | | +--rw range-ipv6-hop-limit* + [start-ipv6-hop-limit end-ipv6-hop-limit] + | | | +--rw start-ipv6-hop-limit uint8 + | | | +--rw end-ipv6-hop-limit uint8 + | | +--rw pkt-sec-ipv6-src + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw ipv6 + | | | | +--rw ipv6-address* [ipv6] + | | | | +--rw ipv6 inet:ipv6-address + | | | | +--rw prefix-length? uint8 + | | | +--:(range-match) + | | | +--rw range-ipv6-address* + [start-ipv6-address end-ipv6-address] + | | | +--rw start-ipv6-address inet:ipv6-address + | | | +--rw end-ipv6-address inet:ipv6-address + | | +--rw pkt-sec-ipv6-dest + | | +--rw (match-type)? + | | +--:(exact-match) + | | | +--rw ipv6-address* [ipv6] + | | | +--rw ipv6 inet:ipv6-address + | | | +--rw prefix-length? uint8 + | | +--:(range-match) + | | +--rw range-ipv6-address* + [start-ipv6-address end-ipv6-address] + | | +--rw start-ipv6-address inet:ipv6-address + | | +--rw end-ipv6-address inet:ipv6-address + | +--rw packet-security-tcp-condition + | | +--rw pkt-sec-tcp-src-port-num + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw port-num* inet:port-number + | | | +--:(range-match) + | | | +--rw range-port-num* + [start-port-num end-port-num] + | | | +--rw start-port-num inet:port-number + | | | +--rw end-port-num inet:port-number + | | +--rw pkt-sec-tcp-dest-port-num + | | | +--rw (match-type)? 
+ | | | +--:(exact-match) + | | | | +--rw port-num* inet:port-number + | | | +--:(range-match) + | | | +--rw range-port-num* + [start-port-num end-port-num] + | | | +--rw start-port-num inet:port-number + | | | +--rw end-port-num inet:port-number + | | +--rw pkt-sec-tcp-seq-num + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw tcp-seq-num* uint32 + | | | +--:(range-match) + | | | +--rw range-tcp-seq-num* + [start-tcp-seq-num end-tcp-seq-num] + | | | +--rw start-tcp-seq-num uint32 + | | | +--rw end-tcp-seq-num uint32 + | | +--rw pkt-sec-tcp-ack-num + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw tcp-ack-num* uint32 + | | | +--:(range-match) + | | | +--rw range-tcp-ack-num* + [start-tcp-ack-num end-tcp-ack-num] + | | | +--rw start-tcp-ack-num uint32 + | | | +--rw end-tcp-ack-num uint32 + | | +--rw pkt-sec-tcp-window-size + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw tcp-window-size* uint16 + | | | +--:(range-match) + | | | +--rw range-tcp-window-size* + [start-tcp-window-size end-tcp-window-size] + | | | +--rw start-tcp-window-size uint16 + | | | +--rw end-tcp-window-size uint16 + | | +--rw pkt-sec-tcp-flags* identityref + | +--rw packet-security-udp-condition + | | +--rw pkt-sec-udp-src-port-num + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw port-num* inet:port-number + | | | +--:(range-match) + | | | +--rw range-port-num* + [start-port-num end-port-num] + | | | +--rw start-port-num inet:port-number + | | | +--rw end-port-num inet:port-number + | | +--rw pkt-sec-udp-dest-port-num + | | | +--rw (match-type)? + | | | +--:(exact-match) + | | | | +--rw port-num* inet:port-number + | | | +--:(range-match) + | | | +--rw range-port-num* + [start-port-num end-port-num] + | | | +--rw start-port-num inet:port-number + | | | +--rw end-port-num inet:port-number + | | +--rw pkt-sec-udp-total-length + | | +--rw (match-type)? 
+ | | +--:(exact-match) + | | | +--rw udp-total-length* uint32 + | | +--:(range-match) + | | +--rw range-udp-total-length* + [start-udp-total-length end-udp-total-length] + | | +--rw start-udp-total-length uint32 + | | +--rw end-udp-total-length uint32 + | +--rw packet-security-icmp-condition + | | +--rw pkt-sec-icmp-type* identityref + | +--rw packet-security-http-condition + | | +--rw pkt-sec-uri-content* string + | | +--rw pkt-sec-url-content* string + | +--rw packet-security-voice-condition + | | +--rw pkt-sec-src-voice-id* string + | | +--rw pkt-sec-dest-voice-id* string + | | +--rw pkt-sec-user-agent* string + | +--rw packet-security-ddos-condition + | +--rw pkt-sec-alert-rate? uint32 + +--rw action-clause-container ... - Figure 3: Data Model Structure for Condition Rule + Figure 3: YANG Tree Diagram for Network Security Policy - These objects are defined as packet security condition, packet - payload security condition, target security condition, user security - condition, context condition, and generic context condition. These - objects can be extended according to specific vendor condition - features. We will add additional condition objects for more generic - network security functions. + This YANG tree diagram shows an condition clause of I2NSF security + policy rule for generic network security functions. A condition + clause is defined as a set of attributes, features, and/or values + that are to be compared with a set of known attributes, features, + and/or values in order to determine whether or not the set of actions + in that (imperative) I2NSF policy rule can be executed or not. The + condition clause is classified as conditions of generic network + security functions and advanced network security functions. The + condition clause of generic network security functions is defined as + packet security IPv4 condition, packet security IPv6 condition, + packet security tcp condition, and packet security icmp condition. 
+ The condition clause of advanced network security functions is + defined as packet security http condition, packet security voice + condition, and packet security ddos condition. Note that this + document deals only with simple conditions of advanced network + security functions. The condition clauses of advanced network + security functions are described in detail in + [i2nsf-advanced-nsf-dm]. The condition clause can be extended + according to specific vendor condition features. The condition + clause is described in detail in [i2nsf-nsf-cap-im]. -5.4. Action Clause +4.4. Action Clause - The data model for action rule has the following structure: + This section shows YANG tree diagram for an action clause of I2NSF + security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy - +--rw system-policy* [system-policy-name] ... - | +--rw event-clause-container - | | ... - | +--rw condition-clause-container - | | ... - | +--rw action-clause-container - | +--rw action-clause-list* [eca-object-id] - | +--rw entity-class? identityref - | +--rw eca-object-id string - | +--rw rule-log? boolean - | +--rw session-log? boolean - | +--rw ingress-action - | | +--rw ingress-description? string - | | +--rw ingress-action-type? ingress-action - | +--rw egress-action - | | +--rw egress-description? string - | | +--rw egress-action-type? egress-action - | +--rw apply-profile - | +--rw profile-description? string - | +--rw content-security-control - | | +--rw content-security-control-types - | | +--rw antivirus? string - | | +--rw ips? string - | | +--rw ids? string - | | +--rw url-filtering? string - | | +--rw data-filtering? string - | | +--rw mail-filtering? string - | | +--rw file-blocking? string - | | +--rw file-isolate? string - | | +--rw pkt-capture? string - | | +--rw application-control? string - | | +--rw voip-volte? 
string - | +--rw attack-mitigation-control - | +--rw ddos-attack - | | +--rw ddos-attack-type - | | +--rw network-layer-ddos-attack - | | | +--rw network-layer-ddos-attack-type - | | | +--rw syn-flood? string - | | | +--rw udp-flood? string - | | | +--rw icmp-flood? string - | | | +--rw ip-frag-flood? string - | | | +--rw ipv6-related? string - | | +--rw app-layer-ddos-attack - | | +--rw app-ddos-attack-types - | | +--rw http-flood? string - | | +--rw https-flood? string - | | +--rw dns-flood? string - | | +--rw dns-amp-flood? string - | | +--rw ssl-ddos? string - | +--rw single-packet-attack - | +--rw single-packet-attack-type - | +--rw scan-and-sniff-attack - | | +--rw scan-and-sniff-attack-types - | | +--rw ip-sweep? string - | | +--rw port-scanning? string - | +--rw malformed-packet-attack - | | +--rw malformed-packet-attack-types - | | +--rw ping-of-death? string - | | +--rw teardrop? string - | +--rw special-packet-attack - | +--rw special-packet-attack-types - | +--rw oversized-icmp? string - | +--rw tracert? string - +--rw resolution-strategy + +--rw rules* [rule-name] + ... + +--rw event-clause-container | ... - +--rw default-action + +--rw condition-clause-container | ... - +--rw rule-group - ... + +--rw action-clause-container + +--rw action-clause-description? string + +--rw packet-action + | +--rw ingress-action? identityref + | +--rw egress-action? identityref + | +--rw log-action? identityref + +--rw advanced-action + +--rw content-security-control* identityref + +--rw attack-mitigation-control* identityref - Figure 4: Data Model Structure for Action Rule + Figure 4: YANG Tree Diagram for Network Security Policy - These objects are defined as ingress action, egress action, and apply - profile action. These objects can be extended according to specific - vendor action feature. We will add additional action objects for - more generic network security functions. 
+ This YANG tree diagram shows an action clause of I2NSF security + policy rule for generic network security functions. An action is + used to control and monitor aspects of flow-based NSFs when the event + and condition clauses are satisfied. NSFs provide security services + by executing various actions. The action clause is defined as + ingress action, egress action, log action, and advanced action for + additional inspection. The advanced action is described in detail in + [RFC8329] and [i2nsf-nsf-cap-im]. The action clause can be extended + according to specific vendor action features. The action clause is + described in detail in [i2nsf-nsf-cap-im]. -6. YANG Module +5. YANG Data Module -6.1. IETF NSF-Facing Interface YANG Data Module +5.1. I2NSF NSF-Facing Interface YANG Data Module - This section introduces a YANG module for the information model of - network security functions, as defined in the [i2nsf-nsf-cap-im]. + This section introduces an YANG data module for configuration of + security policy rules on network security functions. - file "ietf-i2nsf-policy-rule-for-nsf@2018-11-04.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix - policy-rule-for-nsf; + iiprfn; import ietf-inet-types{ prefix inet; + reference "RFC 6991"; } import ietf-yang-types{ prefix yang; + reference "RFC 6991"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: 
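Review bot: the condition-clause prose under Figure 3 lists the generic conditions as `packet security IPv4 condition, packet security IPv6 condition, packet security tcp condition, and packet security icmp condition`, but the tree in the same hunk also carries `+--rw packet-security-udp-condition` with its own source/destination port and `pkt-sec-udp-total-length` nodes; add the UDP condition to that sentence so the text and the tree agree. Three smaller points in the same hunk: Figure 3 and Figure 4 are both renamed to `YANG Tree Diagram for Network Security Policy`, which drops the only wording that told the two figures apart (the old captions named the condition and action clauses; keep "for Condition Clause" / "for Action Clause" or similar); `pkt-sec-udp-total-length` and its `start-`/`end-` bounds are typed `uint32` although the UDP Length field is 16 bits (RFC 768), so `uint16` would be consistent with `ipv6-payload-length` in the same tree; and under `pkt-sec-ipv6-src` the exact-match branch wraps the list in an extra container (`+--rw ipv6` above `+--rw ipv6-address* [ipv6]`) whereas `pkt-sec-ipv6-dest` places `ipv6-address* [ipv6]` directly under the case, so one of the two should be aligned with the other. Wording nits: `shows an condition clause`, `shows an action clause` and `introduces an YANG data module` should read `a condition clause`, `an action clause` and `a YANG data module`.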
@@ -584,1700 +605,3540 @@ Editor: Jaehoon Paul Jeong Editor: Susan Hares "; description "This module defines a YANG data module for network security - functions."; - revision "2018-11-04"{ - description "The fourth revision"; + functions. + + Copyright (c) 2018 IETF Trust and the persons + identified as authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC 8341; see + the RFC itself for full legal notices."; + + revision "2019-03-11"{ + description "Initial revision."; reference - "draft-ietf-i2nsf-capability-04"; + "RFC XXXX: I2NSF Network Security Function-Facing Interface + YANG Data Model"; } - typedef sec-event-format { - type enumeration { - enum unknown { + /* + * Identities + */ + + identity priority-usage-type { description - "If SecEventFormat is unknown"; + "Base identity for priority usage type."; } - enum guid { + + identity priority-by-order { + base priority-usage-type; description - "If SecEventFormat is GUID - (Generic Unique IDentifier)"; + "Identity for priority by order"; } - enum uuid { + + identity priority-by-number { + base priority-usage-type; description - "If SecEventFormat is UUID - (Universal Unique IDentifier)"; + "Identity for priority by number"; } - enum uri { + + identity event { description - "If SecEventFormat is URI - (Uniform Resource Identifier)"; + "Base identity for event of policy."; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - Event"; } - enum fqdn { + + identity system-event { + base event; description - "If SecEventFormat is FQDN - (Fully Qualified Domain Name)"; + "Identity for system event"; + reference + 
"draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System event"; } - enum fqpn { + + identity system-alarm { + base event; description - "If SecEventFormat is FQPN - (Fully Qualified Path Name)"; - } + "Identity for system alarm"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; } + + identity access-violation { + base system-event; description - "This is used for SecEventFormat."; + "Identity for access violation + among system events"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System event"; } - typedef priority-usage-type { - type enumeration { - enum priority-by-order { + identity configuration-change { + base system-event; description - "If priority type is order"; + "Identity for configuration change + among system events"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System event"; } - enum priority-by-number { + identity memory-alarm { + base system-alarm; description - "If priority type is number"; - } + "Identity for memory alarm + among system alarms"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; } + + identity cpu-alarm { + base system-alarm; description - "This is used for priority type."; + "Identity for cpu alarm + among system alarms"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; } - typedef ingress-action { - type enumeration { - enum pass { + identity disk-alarm { + base system-alarm; description - "If ingress action is pass"; + "Identity for disk alarm + among system alarms"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; } - enum drop { + + identity hardware-alarm { + base system-alarm; description - "If ingress action is drop"; + "Identity for hardware alarm + among system alarms"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; } - enum reject { + + identity interface-alarm { + base system-alarm; description - "If ingress action is 
reject"; + "Identity for interface alarm + among system alarms"; + reference + "draft-hong-i2nsf-nsf-monitoring-data-model-06 + - System alarm"; + } - enum alert { + + identity type-of-service { description - "If ingress action is alert"; + "Base identity for type of service of IPv4"; + reference + "RFC 791: Internet Protocol - Type of Service"; } - enum mirror { + + identity traffic-class { description - "If ingress action is mirror"; - } + "Base identity for traffic-class of IPv6"; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } + + identity normal { + base type-of-service; + base traffic-class; description - "This is used for ingress action."; + "Identity for normal"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } - typedef egress-action { - type enumeration { - enum invoke-signaling { + identity minimize-cost { + base type-of-service; + base traffic-class; description - "If egress action is invoke signaling"; + "Identity for minimize cost"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } - enum tunnel-encapsulation { + + identity maximize-reliability { + base type-of-service; + base traffic-class; description - "If egress action is tunnel encapsulation"; + "Identity for maximize reliability"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; + } - enum forwarding { + + identity maximize-throughput { + base type-of-service; + base traffic-class; description - "If egress action is forwarding"; + "Identity for maximize throughput"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } - enum redirection { + + identity minimize-delay { + base 
type-of-service; + base traffic-class; description - "If egress action is redirection"; + "Identity for minimize delay"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } + + identity maximize-security { + base type-of-service; + base traffic-class; + description + "Identity for maximize security"; + reference + "RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic Class"; } + + identity fragmentation-flags-type { description - "This is used for egress action."; + "Base identity for fragmentation flags type"; + reference + "RFC 791: Internet Protocol - Fragmentation Flags"; } - identity ECA-OBJECT-TYPE { - description "TBD"; + identity fragment { + base fragmentation-flags-type; + description + "Identity for fragment"; + reference + "RFC 791: Internet Protocol - Fragmentation Flags"; + } - identity ECA-EVENT-TYPE { - base ECA-OBJECT-TYPE; - description "TBD"; + identity no-fragment { + base fragmentation-flags-type; + description + "Identity for no fragment"; + reference + "RFC 791: Internet Protocol - Fragmentation Flags"; } - identity ECA-CONDITION-TYPE { - base ECA-OBJECT-TYPE; - description "TBD"; + identity reserved { + base fragmentation-flags-type; + description + "Identity for reserved"; + reference + "RFC 791: Internet Protocol - Fragmentation Flags"; } - identity ECA-ACTION-TYPE { - base ECA-OBJECT-TYPE; - description "TBD"; + + identity protocol { + description + "Base identity for protocol of IPv4"; + reference + "RFC 790: Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Protocol"; } - identity EVENT-USER-TYPE { - base ECA-EVENT-TYPE; - description "TBD"; + identity next-header { + description + "Base identity for next header of IPv6"; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - identity EVENT-DEV-TYPE { - 
base ECA-EVENT-TYPE; - description "TBD"; + identity icmp { + base protocol; + base next-header; + description + "Identity for icmp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; + } + identity igmp { + base protocol; + base next-header; + description + "Identity for igmp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - identity EVENT-SYS-TYPE { - base ECA-EVENT-TYPE; - description "TBD"; + identity tcp { + base protocol; + base next-header; + description + "Identity for tcp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - identity EVENT-TIME-TYPE { - base ECA-EVENT-TYPE; - description "TBD"; + identity igrp { + base protocol; + base next-header; + description + "Identity for igrp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - grouping i2nsf-eca-object-type { - leaf entity-class { - type identityref { - base ECA-OBJECT-TYPE; + identity udp { + base protocol; + base next-header; + description + "Identity for udp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - description "TBD"; + + identity gre { + base protocol; + base next-header; + description + "Identity for gre"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 
791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - leaf eca-object-id { - type string; - description "TBD"; + + identity esp { + base protocol; + base next-header; + description + "Identity for esp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - description "TBD"; + + identity ah { + base protocol; + base next-header; + description + "Identity for ah"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - grouping i2nsf-event-type { - description "TBD"; - leaf description { - type string; + identity mobile { + base protocol; + base next-header; description - "This is description for event. - Vendors can write instructions for event - that vendor made"; + "Identity for mobile"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - leaf sec-event-content { - type string; - mandatory true; + identity tlsp { + base protocol; + base next-header; description - "This is a mandatory string that contains the content - of the SecurityEvent. The format of the content - is specified in the SecEventFormat class - attribute, and the type of event is defined in the - SecEventType class attribute. 
An example of the - SecEventContent attribute is a string hrAdmin, - with the SecEventFormat set to 1 (GUID) and the - SecEventType attribute set to 5 (new logon)."; + "Identity for tlsp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - leaf sec-event-format { - type sec-event-format; - mandatory true; + identity skip { + base protocol; + base next-header; description - "This is a mandatory uint 8 enumerated integer, which - is used to specify the data type of the - SecEventContent attribute. The content is - specified in the SecEventContent class attribute, - and the type of event is defined in the - SecEventType class attribute. An example of the - SecEventContent attribute is string hrAdmin, - with the SecEventFormat attribute set to 1 (GUID) - and the SecEventType attribute set to 5 - (new logon)."; + "Identity for skip"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - leaf sec-event-type { - type string; - mandatory true; + identity ipv6-icmp { + base protocol; + base next-header; description - "This is a mandatory uint 8 enumerated integer, which - is used to specify the type of event that involves - this user. The content and format are specified in - the SecEventContent and SecEventFormat class - attributes, respectively. 
An example of the - SecEventContent attribute is string hrAdmin, - with the SecEventFormat attribute set to 1 (GUID) - and the SecEventType attribute set to 5 - (new logon)."; + "Identity for IPv6 icmp "; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; + } + identity eigrp { + base protocol; + base next-header; + description + "Identity for eigrp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } + identity ospf { + base protocol; + base next-header; + description + "Identity for ospf"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; } - container i2nsf-security-policy { + + identity l2tp { + base protocol; + base next-header; description - "policy is a container - including a set of security rules according to certain logic, - i.e., their similarity or mutual relations, etc. 
The network - security policy is able to apply over both the unidirectional - and bidirectional traffic across the NSF."; + "Identity for l2tp"; + reference + "RFC 790: - Assigned numbers - Assigned Internet + Protocol Number + RFC 791: Internet Protocol - Type of Service + RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next Header"; + } - list system-policy { - key "system-policy-name"; + identity ipopts { description - "The system-policy represents there could be multiple system - policies in one NSF, and each system policy is used by - one virtual instance of the NSF/device."; + "Base identity for IP options"; + reference + "RFC 791: Internet Protocol - Options"; + } - leaf system-policy-name { - type string; - mandatory true; + identity rr { + base ipopts; description - "The name of the policy. - This must be unique."; + "Identity for record route"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf priority-usage { - type priority-usage-type; - mandatory true; + identity eol { + base ipopts; description - "This is priority type."; + "Identity for end of list"; + reference + "RFC 791: Internet Protocol - Options"; } - list rules { - key "rule-name"; + identity nop { + base ipopts; description - "This is a rule for network security functions."; + "Identity for no operation"; + reference + "RFC 791: Internet Protocol - Options"; + } - leaf rule-name { - type string; - mandatory true; + identity ts { + base ipopts; description - "The id of the rule. 
- This must be unique."; + "Identity for time stamp"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf rule-description { - type string; + identity sec { + base ipopts; description - "This description gives more information about - rules."; + "Identity for IP security"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf rule-priority { - type uint8; + identity esec { + base ipopts; description - "The priority keyword comes with a mandatory - numeric value which can range from 1 till 255."; + "Identity for IP extended security"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf enable { - type boolean; + identity lsrr { + base ipopts; description - "True is enable. - False is not enbale."; + "Identity for loose source routing"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf session-aging-time { - type uint16; + identity ssrr { + base ipopts; description - "This is session aging time."; + "Identity for strict source routing"; + reference + "RFC 791: Internet Protocol - Options"; } - container long-connection { + identity satid { + base ipopts; description - "This is long-connection"; + "Identity for stream identifier"; + reference + "RFC 791: Internet Protocol - Options"; + } - leaf enable { - type boolean; + identity any { + base ipopts; description - "True is enable. 
- False is not enbale."; + "Identity for which any IP options are set"; + reference + "RFC 791: Internet Protocol - Options"; } - leaf during { - type uint16; + identity tcp-flags { description - "This is during time."; + "Base identity for tcp flags"; + reference + "RFC 793: Transmission Control Protocol - Flags"; } + + identity cwr { + base tcp-flags; + description + "Identity for congestion window reduced"; + reference + "RFC 793: Transmission Control Protocol - Flags"; } - container time-zone { + identity ecn { + base tcp-flags; description - "This can be used to apply rules according to time-zone"; - container absolute-time-zone { + "Identity for explicit congestion notification"; + reference + "RFC 793: Transmission Control Protocol - Flags"; + } + + identity urg { + base tcp-flags; description - "This can be used to apply rules according to - absolute-time"; - container time { + "Identity for urgent"; + reference + "RFC 793: Transmission Control Protocol - Flags"; + } + + identity ack { + base tcp-flags; description - "This can be used to apply rules according to time"; - leaf start-time { - type yang:date-and-time; + "Identity for acknowledgement"; + reference + "RFC 793: Transmission Control Protocol - Flags"; + } + + identity psh { + base tcp-flags; description - "This is start time for time zone"; + "Identity for push"; + reference + "RFC 793: Transmission Control Protocol - Flags"; } - leaf end-time { - type yang:date-and-time; + + identity rst { + base tcp-flags; description - "This is end time for time zone"; + "Identity for reset"; + reference + "RFC 793: Transmission Control Protocol - Flags"; } + + identity syn { + base tcp-flags; + description + "Identity for synchronize"; + reference + "RFC 793: Transmission Control Protocol - Flags"; } - container date { + + identity fin { + base tcp-flags; description - "This can be used to apply rules according to date"; - leaf absolute-date { - type yang:date-and-time; + "Identity for finish"; + reference + 
"RFC 793: Transmission Control Protocol - Flags"; + } + + identity icmp-type { description - "This is absolute date for time zone"; + "Base identity for icmp types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity echo-reply { + base icmp-type; + description + "Identity for echo reply"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity destination-unreachable { + base icmp-type; + description + "Identity for destination unreachable"; + reference + "RFC 792: Internet Control Message Protocol"; } - container periodic-time-zone { + + identity source-quench { + base icmp-type; description - "This can be used to apply rules according to - periodic-time-zone"; - container day { + "Identity for source quench"; + reference + "RFC 792: Internet Control Message Protocol"; + } + + identity redirect { + base icmp-type; description - "This can be used to apply rules according - to periodic day"; - leaf sunday { - type boolean; + "Identity for redirect"; + reference + "RFC 792: Internet Control Message Protocol"; + } + + identity alternate-host-address { + base icmp-type; description - "This is sunday for periodic day"; + "Identity for alternate host address"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf monday { - type boolean; + + identity echo { + base icmp-type; description - "This is monday for periodic day"; + "Identity for echo"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf tuesday { - type boolean; + + identity router-advertisement { + base icmp-type; description - "This is tuesday for periodic day"; + "Identity for router advertisement"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf wednesday { - type boolean; + + identity router-solicitation { + base icmp-type; description - "This is wednesday for periodic day"; + "Identity for router solicitation"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf thursday { - type boolean; + + 
identity time-exceeded { + base icmp-type; description - "This is thursday for periodic day"; + "Identity for time exceeded"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf friday { - type boolean; + + identity parameter-problem { + base icmp-type; description - "This is friday for periodic day"; + "Identity for parameter problem"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf saturday { - type boolean; + + identity timestamp { + base icmp-type; description - "This is saturday for periodic day"; + "Identity for timestamp"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity timestamp-reply { + base icmp-type; + description + "Identity for timestamp reply"; + reference + "RFC 792: Internet Control Message Protocol"; } - container month { + + identity information-request { + base icmp-type; description - "This can be used to apply rules according - to periodic month"; - leaf january { - type boolean; + "Identity for information request"; + reference + "RFC 792: Internet Control Message Protocol"; + } + + identity information-reply { + base icmp-type; description - "This is january for periodic month"; + "Identity for information reply"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf february { - type boolean; + + identity address-mask-request { + base icmp-type; description - "This is february for periodic month"; + "Identity for address mask request"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf march { - type boolean; + + identity address-mask-reply { + base icmp-type; description - "This is march for periodic month"; + "Identity for address mask reply"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf april { - type boolean; + + identity traceroute { + base icmp-type; description - "This is april for periodic month"; + "Identity for traceroute"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf may { - type 
boolean; + + identity datagram-conversion-error { + base icmp-type; description - "This is may for periodic month"; + "Identity for datagram conversion error"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf june { - type boolean; + + identity mobile-host-redirect { + base icmp-type; description - "This is june for periodic month"; + "Identity for mobile host redirect"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf july { - type boolean; + + identity ipv6-where-are-you { + base icmp-type; description - "This is july for periodic month"; + "Identity for IPv6 where are you"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf august { - type boolean; + + identity ipv6-i-am-here { + base icmp-type ; description - "This is august for periodic month"; + "Identity for IPv6 i am here"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf september { - type boolean; + + identity mobile-registration-request { + base icmp-type; description - "This is september for periodic month"; + "Identity for mobile registration request"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf october { - type boolean; + + identity mobile-registration-reply { + base icmp-type; description - "This is october for periodic month"; + "Identity for mobile registration reply"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf november { - type boolean; + + identity domain-name-request { + base icmp-type; description - "This is november for periodic month"; + "Identity for domain name request"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf december { - type boolean; + + identity domain-name-reply { + base icmp-type; description - "This is december for periodic month"; + "Identity for domain name reply"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity iskip { + base icmp-type; + description + "Identity for icmp skip"; + reference + "RFC 
792: Internet Control Message Protocol"; } + + identity photuris { + base icmp-type; + description + "Identity for photuris"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity experimental-mobility-protocols { + base icmp-type; + description + "Identity for experimental mobility protocols"; + reference + "RFC 792: Internet Control Message Protocol"; } - container event-clause-container { - description "TBD"; - list event-clause-list { - key eca-object-id; - uses i2nsf-eca-object-type { - refine entity-class { - default ECA-EVENT-TYPE; + identity extended-echo-request { + base icmp-type; + description + "Identity for extended echo request"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; + } + identity extended-echo-reply { + base icmp-type; + description + "Identity for extended echo reply"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } + + identity net-unreachable { + base icmp-type; + description + "Identity for net unreachable + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } + identity host-unreachable { + base icmp-type; description - " This is abstract. An event is defined as any important - occurrence in time of a change in the system being - managed, and/or in the environment of the system being - managed. When used in the context of policy rules for - a flow-based NSF, it is used to determine whether the - Condition clause of the Policy Rule can be evaluated - or not. 
Examples of an I2NSF event include time and - user actions (e.g., logon, logoff, and actions that - violate any ACL.)."; + "Identity for host unreachable + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - uses i2nsf-event-type; + identity protocol-unreachable { + base icmp-type; + description + "Identity for protocol unreachable + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity port-unreachable { + base icmp-type; + description + "Identity for port unreachable + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - container condition-clause-container { - description "TBD"; - list condition-clause-list { - key eca-object-id; - uses i2nsf-eca-object-type { - refine entity-class { - default ECA-CONDITION-TYPE; + + identity fragment-set { + base icmp-type; + description + "Identity for fragmentation set + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity source-route-failed { + base icmp-type; + description + "Identity for source route failed + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity destination-network-unknown { + base icmp-type; description - " This is abstract. A condition is defined as a set - of attributes, features, and/or values that are to be - compared with a set of known attributes, features, - and/or values in order to determine whether or not the - set of Actions in that (imperative) I2NSF Policy Rule - can be executed or not. 
Examples of I2NSF Conditions - include matching attributes of a packet or flow, and - comparing the internal state of an NSF to a desired - state."; + "Identity for destination network unknown + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - container packet-security-condition { + identity destination-host-unknown { + base icmp-type; description - "TBD"; - leaf packet-description { - type string; + "Identity for destination host unknown + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; + } + + identity source-host-isolated { + base icmp-type; description - "This is description for packet condition. - Vendors can write instructions for packet condition - that vendor made"; + "Identity for source host isolated + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - container packet-security-mac-condition { + identity communication-prohibited-with-destination-network { + base icmp-type; description - "The purpose of this Class is to represent packet MAC - packet header information that can be used as part of - a test to determine if the set of Policy Actions in - this ECA Policy Rule should be execute or not."; + "Identity for which communication with destination network + is administratively prohibited in destination unreachable + types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - leaf-list pkt-sec-cond-mac-dest { - type yang:phys-address; + identity communication-prohibited-with-destination-host { + base icmp-type; description - "The MAC destination address (6 octets long)."; + "Identity for which communication with destination host + is administratively prohibited in destination unreachable + types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-mac-src { - type yang:phys-address; + identity destination-network-unreachable-for-tos { + base icmp-type; 
description - "The MAC source address (6 octets long)."; + "Identity for destination network unreachable + for type of service in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-mac-8021q { - type string; + identity destination-host-unreachable-for-tos { + base icmp-type; description - "This is an optional string attribute, and defines - The 802.1Q tab value (2 octets long)."; + "Identity for destination host unreachable + for type of service in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-mac-ether-type { - type string; + identity communication-prohibited { + base icmp-type; description - "The EtherType field (2 octets long). Values up to - and including 1500 indicate the size of the - payload in octets; values of 1536 and above - define which protocol is encapsulated in the - payload of the frame."; + "Identity for communication administratively prohibited + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-mac-tci { - type string; + identity host-precedence-violation { + base icmp-type; description - "This is an optional string attribute, and defines - the Tag Control Information. 
This consists of a 3 - bit user priority field, a drop eligible indicator - (1 bit), and a VLAN identifier (12 bits)."; + "Identity for host precedence violation + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity precedence-cutoff-in-effect { + base icmp-type; + description + "Identity for precedence cutoff in effect + in destination unreachable types"; + reference + "RFC 792: Internet Control Message Protocol"; } - container packet-security-ipv4-condition { + identity redirect-datagram-for-the-network { + base icmp-type; description - "The purpose of this Class is to represent IPv4 - packet header information that can be used as - part of a test to determine if the set of Policy - Actions in this ECA Policy Rule should be executed - or not."; + "Identity for redirect datagram for the network + (or subnet) in redirect types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - leaf-list pkt-sec-cond-ipv4-header-length { - type uint8; + identity redirect-datagram-for-the-host { + base icmp-type; description - "The IPv4 packet header consists of 14 fields, - of which 13 are required."; + "Identity for redirect datagram for the host + in redirect types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-tos { - type uint8; + identity redirect-datagram-for-the-tos-and-network { + base icmp-type; description - "The ToS field could specify a datagram's priority - and request a route for low-delay, - high-throughput, or highly-reliable service.."; + "Identity for redirect datagram for the type of + service and network in redirect types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-total-length { - type uint16; + identity redirect-datagram-for-the-tos-and-host { + base icmp-type; description - "This 16-bit field defines the entire packet size, - including header and data, in bytes."; + "Identity for redirect 
datagram for the type of + service and host in redirect types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-id { - type uint8; + identity normal-router-advertisement { + base icmp-type; description - "This field is an identification field and is - primarily used for uniquely identifying - the group of fragments of a single IP datagram."; + "Identity for normal router advertisement + in router advertisement types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-fragment { - type uint8; + identity does-not-route-common-traffic { + base icmp-type; description - "IP fragmentation is an Internet Protocol (IP) - process that breaks datagrams into smaller pieces - (fragments), so that packets may be formed that - can pass through a link with a smaller maximum - transmission unit (MTU) than the original - datagram size."; + "Identity for does not route common traffic + in router advertisement types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-fragment-offset { - type uint16; + identity time-to-live-exceeded-in-transit { + base icmp-type; description - "Fragment offset field along with Don't Fragment - and More Fragment flags in the IP protocol - header are used for fragmentation and reassembly - of IP datagrams."; + "Identity for time to live exceeded in transit + in time exceeded types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-ttl { - type uint8; + identity fragment-reassembly-time-exceeded { + base icmp-type; description - "The ttl keyword is used to check for a specific - IP time-to-live value in the header of - a packet."; + "Identity for fragment reassembly time exceeded + in time exceeded types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-protocol { - type uint8; + identity pointer-indicates-the-error { + base icmp-type; 
description - "Internet Protocol version 4(IPv4) is the fourth - version of the Internet Protocol (IP)."; + "Identity for pointer indicates the error + in parameter problem types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - leaf-list pkt-sec-cond-ipv4-src { - type inet:ipv4-address; + identity missing-a-required-option { + base icmp-type; description - "Defines the IPv4 Source Address."; + "Identity for missing a required option + in parameter problem types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-dest { - type inet:ipv4-address; + identity bad-length { + base icmp-type; description - "Defines the IPv4 Destination Address."; + "Identity for bad length + in parameter problem types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf pkt-sec-cond-ipv4-ipopts { - type string; + identity bad-spi { + base icmp-type; description - "With the ipopts keyword you can check if - a specific ip option is set. Ipopts has - to be used at the beginning of a rule."; + "Identity for bad spi + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf pkt-sec-cond-ipv4-sameip { - type boolean; + identity authentication-failed { + base icmp-type; description - "Every packet has a source IP-address and - a destination IP-address. It can be that - the source IP is the same as - the destination IP."; + "Identity for authentication failed + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv4-geoip { - type string; + identity decompression-failed { + base icmp-type; description - "The geoip keyword enables you to match on - the source, destination or source and destination - IP addresses of network traffic and to see to - which country it belongs. 
To do this, Suricata - uses GeoIP API with MaxMind database format."; + "Identity for decompression failed + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; } + + identity decryption-failed { + base icmp-type; + description + "Identity for decryption failed + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; } - container packet-security-ipv6-condition { + identity need-authentication { + base icmp-type; description - "The purpose of this Class is to represent packet - IPv6 packet header information that can be used as - part of a test to determine if the set of Policy - Actions in this ECA Policy Rule should be executed - or not."; + "Identity for need authentication + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; + } - leaf-list pkt-sec-cond-ipv6-dscp { - type string; + identity need-authorization { + base icmp-type; description - "Differentiated Services Code Point (DSCP) - of ipv6."; + "Identity for need authorization + in photuris types"; + reference + "RFC 792: Internet Control Message Protocol"; } - leaf-list pkt-sec-cond-ipv6-ecn { - type string; + identity req-no-error { + base icmp-type; description - "ECN allows end-to-end notification of network - congestion without dropping packets."; + "Identity for request with no error + in extended echo request types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-traffic-class { - type uint8; + identity rep-no-error { + base icmp-type; description - "The bits of this field hold two values. 
The 6 - most-significant bits are used for - differentiated services, which is used to - classify packets."; + "Identity for reply with no error + in extended echo reply types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-flow-label { - type uint32; + identity malformed-query { + base icmp-type; description - "The flow label when set to a non-zero value - serves as a hint to routers and switches - with multiple outbound paths that these - packets should stay on the same path so that - they will not be reordered."; + "Identity for malformed query + in extended echo reply types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-payload-length { - type uint16; + identity no-such-interface { + base icmp-type; description - "The size of the payload in octets, - including any extension headers."; + "Identity for no such interface + in extended echo reply types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-next-header { - type uint8; + identity no-such-table-entry { + base icmp-type; description - "Specifies the type of the next header. 
- This field usually specifies the transport - layer protocol used by a packet's payload."; + "Identity for no such table entry + in extended echo reply types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-hop-limit { - type uint8; + identity multiple-interfaces-satisfy-query { + base icmp-type; description - "Replaces the time to live field of IPv4."; + "Identity for multiple interfaces satisfy query + in extended echo reply types"; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; } - leaf-list pkt-sec-cond-ipv6-src { - type inet:ipv6-address; + identity content-security-control { description - "The IPv6 address of the sending node."; + "Base identity for content security control"; + reference + "RFC 8329: Framework for Interface to + Network Security Functions - Differences + from ACL Data Models + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities"; + } + identity antivirus { + base content-security-control; + description + "Identity for antivirus"; } - leaf-list pkt-sec-cond-ipv6-dest { - type inet:ipv6-address; + identity ips { + base content-security-control; description - "The IPv6 address of the destination node(s)."; + "Identity for ips"; } + + identity ids { + base content-security-control; + description + "Identity for ids"; } - container packet-security-tcp-condition { + identity url-filtering { + base content-security-control; description - "The purpose of this Class is to represent packet - TCP packet header information that can be used as - part of a test to determine if the set of Policy - Actions in this ECA Policy Rule should be executed - or not."; + "Identity for url filtering"; + } - leaf-list pkt-sec-cond-tcp-src-port { - type inet:port-number; + identity mail-filtering { + base content-security-control; description - "This is a mandatory string attribute, and - 
defines the Source Port number (16 bits)."; + "Identity for mail filtering"; } - leaf-list pkt-sec-cond-tcp-dest-port { - type inet:port-number; + identity file-blocking { + base content-security-control; description - "This is a mandatory string attribute, and - defines the Destination Port number (16 bits)."; + "Identity for file blocking"; } - leaf-list pkt-sec-cond-tcp-seq-num { - type uint32; + identity file-isolate { + base content-security-control; description - "If the SYN flag is set (1), then this is the - initial sequence number."; + "Identity for file isolate"; } - leaf-list pkt-sec-cond-tcp-ack-num { - type uint32; + identity pkt-capture { + base content-security-control; description - "If the ACK flag is set then the value of this - field is the next sequence number that the sender - is expecting."; + "Identity for packet capture"; + } + identity application-control { + base content-security-control; + description + "Identity for application control"; } - leaf-list pkt-sec-cond-tcp-window-size { - type uint16; + identity voip-volte { + base content-security-control; description - "The size of the receive window, which specifies - the number of windows size units - (by default,bytes) (beyond the segment - identified by the sequence number in the - acknowledgment field) that the sender of this - segment is currently willing to recive."; + "Identity for voip and volte"; } - leaf-list pkt-sec-cond-tcp-flags { - type uint8; + identity attack-mitigation-control { description - "This is a mandatory string attribute, and defines - the nine Control bit flags (9 bits)."; + "Base identity for attack mitigation control"; + reference + "RFC 8329: Framework for Interface to + Network Security Functions - Differences + from ACL Data Models + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities"; } + identity syn-flood { + base attack-mitigation-control; + description + "Identity for syn flood"; } - container packet-security-udp-condition { + 
identity udp-flood { + base attack-mitigation-control; description - "The purpose of this Class is to represent packet UDP - packet header information that can be used as part - of a test to determine if the set of Policy Actions - in this ECA Policy Rule should be executed or not."; + "Identity for udp flood"; + } - leaf-list pkt-sec-cond-udp-src-port { - type inet:port-number; + identity icmp-flood { + base attack-mitigation-control; description - "This is a mandatory string attribute, and - defines the UDP Source Port number (16 bits)."; + "Identity for icmp flood"; } - leaf-list pkt-sec-cond-udp-dest-port { - type inet:port-number; + identity ip-frag-flood { + base attack-mitigation-control; description - "This is a mandatory string attribute, and - defines the UDP Destination Port number (16 bits)."; + "Identity for ip frag flood"; } - leaf-list pkt-sec-cond-udp-length { - type string; + identity ipv6-related { + base attack-mitigation-control; description - "This is a mandatory string attribute, and defines - the length in bytes of the UDP header and data - (16 bits)."; + "Identity for ipv6 related"; } + + identity http-and-https-flood { + base attack-mitigation-control; + description + "Identity for http and https flood"; } - container packet-security-icmp-condition { + identity dns-flood { + base attack-mitigation-control; description - "The internet control message protocol condition."; + "Identity for dns flood"; + } - leaf-list pkt-sec-cond-icmp-type { - type uint8; + identity dns-amp-flood { + base attack-mitigation-control; description - "ICMP type, see Control messages."; + "Identity for dns amp flood"; } - leaf-list pkt-sec-cond-icmp-code { - type uint8; + identity ssl-ddos { + base attack-mitigation-control; description - "ICMP subtype, see Control messages."; + "Identity for ssl ddos"; } - leaf-list pkt-sec-cond-icmp-seg-num { - type uint32; + + identity ip-sweep { + base attack-mitigation-control; description - "The icmp Sequence Number."; + 
"Identity for ip sweep"; } + + identity port-scanning { + base attack-mitigation-control; + description + "Identity for port scanning"; } + + identity ping-of-death { + base attack-mitigation-control; + description + "Identity for ping of death"; } - container packet-payload-condition { + identity teardrop { + base attack-mitigation-control; description - "TBD"; - leaf packet-payload-description { - type string; + "Identity for teardrop"; + } + + identity oversized-icmp { + base attack-mitigation-control; description - "This is description for payload condition. - Vendors can write instructions for payload condition - that vendor made"; + "Identity for oversized icmp"; } - leaf-list pkt-payload-content { - type string; + + identity tracert { + base attack-mitigation-control; description - "The content keyword is very important in - signatures. Between the quotation marks you - can write on what you would like the - signature to match."; + "Identity for tracert"; } + + identity ingress-action { + description + "Base identity for action"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Ingress Action"; } - leaf acl-number { - type uint32; + identity egress-action { description - "This is acl-number."; + "Base identity for egress action"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Egress action"; } - container application-condition { + identity default-action { description - "TBD"; - leaf application-description { - type string; + "Base identity for default action"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Default action"; + } + + identity pass { + base ingress-action; + base egress-action; + base default-action; description - "This is description for application condition."; + "Identity for pass"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Actions and + default action"; } - leaf-list 
application-object { - type string; + + identity drop { + base ingress-action; + base egress-action; + base default-action; description - "This is application object."; + "Identity for drop"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Actions and + default action"; } - leaf-list application-group { - type string; + + identity reject { + base ingress-action; + base egress-action; + base default-action; description - "This is application group."; + "Identity for reject"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Actions and + default action"; } - leaf-list application-label { - type string; + + identity alert { + base ingress-action; + base egress-action; + base default-action; description - "This is application label."; + "Identity for alert"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Actions and + default action"; } - container category { + + identity mirror { + base ingress-action; + base egress-action; + base default-action; description - "TBD"; - list application-category { - key "name application-subcategory"; + "Identity for mirror"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Actions and + default action"; + } + + identity log-action { description - "TBD"; - leaf name { - type string; + "Base identity for log action"; + } + + identity rule-log { + base log-action; description - "This is name for application category."; + "Identity for rule log"; } - leaf application-subcategory { - type string; + + identity session-log { + base log-action; description - "This is application subcategory."; + "Identity for session log"; } + + identity invoke-signaling { + base egress-action; + description + "Identity for invoke signaling"; } + + identity tunnel-encapsulation { + base egress-action; + description + "Identity for tunnel encapsulation"; } + + identity forwarding { + base 
egress-action; + description + "Identity for forwarding"; } - container target-condition { + identity redirection { + base egress-action; description - "TBD"; - leaf target-description { - type string; + "Identity for redirection"; + + } + + identity resolution-strategy { description - "This is description for target condition. - Vendors can write instructions for target condition - that vendor made"; + "Base identity for resolution strategy"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; } - container device-sec-context-cond { + identity fmr { + base resolution-strategy; description - "The device attribute that can identify a device, - including the device type (i.e., router, switch, - pc, ios, or android) and the device's owner as - well."; + "Identity for First Matching Rule (FMR)"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; + } - leaf pc { - type boolean; + identity lmr { + base resolution-strategy; description - "If type of a device is PC."; + "Identity for Last Matching Rule (LMR)"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; } - leaf mobile-phone { - type boolean; + identity pmr { + base resolution-strategy; description - "If type of a device is mobile-phone."; + "Identity for Prioritized Matching Rule (PMR)"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; } - leaf voip-volte-phone { - type boolean; + identity pmre { + base resolution-strategy; description - "If type of a device is voip-volte-phone."; + "Identity for Prioritized Matching Rule + with Errors (PMRE)"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; } - leaf tablet { - type boolean; + identity pmrn { + base resolution-strategy; description - "If type of a device is 
tablet."; + "Identity for Prioritized Matching Rule + with No Errors (PMRN)"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution Strategy"; } - leaf iot { - type boolean; + /* + * Typedefs + */ + + typedef start-time-type { + type union { + type string { + pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' + + '(Z|[\+\-]\d{2}:\d{2})'; + } + + type enumeration { + enum right-away { description - "If type of a device is Internet of Things."; + "Immediate rule execution + in the system."; + } + } } - leaf vehicle { - type boolean; description - "If type of a device is vehicle."; + "Start time when the rules are applied."; + } + + typedef end-time-type { + type union { + type string { + pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' + + '(Z|[\+\-]\d{2}:\d{2})'; + } + + type enumeration { + enum infinitely { + description + "Infinite rule execution + in the system."; } } } - container users-condition { description - "TBD"; - leaf users-description { - type string; + "End time when the rules are applied."; + } + typedef day-type { + type enumeration { + enum sunday { description - "This is description for user condition. - Vendors can write instructions for user condition - that vendor made"; + "Sunday for periodic day"; } - container user{ + enum monday { description - "The user (or user group) information with which - network flow is associated: The user has many - attributes such as name, id, password, type, - authentication mode and so on. Name/id is often - used in the security policy to identify the user. - Besides, NSF is aware of the IP address of the - user provided by a unified user management system - via network. Based on name-address association, - NSF is able to enforce the security functions - over the given user (or user group)"; - - choice user-name { + "Monday for periodic day"; + } + enum tuesday { description - "The name of the user. 
- This must be unique."; - - case tenant { + "Tuesday for periodic day"; + } + enum wednesday { description - "Tenant information."; + "Wednesday for periodic day"; + } + enum thursday { + description + "Thursday for periodic day"; + } + enum friday { + description + "Friday for periodic day"; + } + enum saturday { + description + "Saturday for periodic day"; + } + } + description + "This can be used for the rules to be applied + according to periodic day"; + } - leaf tenant { - type uint8; - mandatory true; + typedef month-type { + type enumeration { + enum january { description - "User's tenant information."; + "January for periodic month"; + } + enum february { + description + "February for periodic month"; + } + enum march { + description + "March for periodic month"; + } + enum april { + description + "April for periodic month"; + } + enum may { + description + "May for periodic month"; + } + enum june { + description + "June for periodic month"; } + enum july { + description + "July for periodic month"; + } + enum august { + description + "August for periodic month"; + } + enum september { + description + "September for periodic month"; + } + enum october { + description + "October for periodic month"; + } + enum november { + description + "November for periodic month"; + } + enum december { + description + "December for periodic month"; + } + } + description + "This can be used for the rules to be applied + according to periodic month"; } - case vn-id { + /* + * Groupings + */ + + grouping ipv4 { + list ipv4-address { + key "ipv4"; description - "VN-ID information."; + "The list of IPv4 address."; - leaf vn-id { - type uint8; - mandatory true; + leaf ipv4 { + type inet:ipv4-address; description - "User's VN-ID information."; + "The value of IPv4 address."; + } + choice subnet { + description + "The subnet can be specified as a prefix length or + netmask."; + leaf prefix-length { + type uint8 { + range "0..32"; } + description + "The length of the subnet 
prefix."; + } + leaf netmask { + type yang:dotted-quad; + description + "The subnet specified as a netmask."; } } } - container group { description - "The user (or user group) information with which - network flow is associated: The user has many - attributes such as name, id, password, type, - authentication mode and so on. Name/id is often - used in the security policy to identify the user. - Besides, NSF is aware of the IP address of the - user provided by a unified user management system - via network. Based on name-address association, - NSF is able to enforce the security functions - over the given user (or user group)"; + "Grouping for an IPv4 address"; - choice group-name { - description - "The name of the user. - This must be unique."; + reference + "RFC 791: Internet Protocol - IPv4 address + RFC 8344: A YANG Data Model for IP Management"; + } - case tenant { + grouping ipv6 { + list ipv6-address { + key "ipv6"; description - "Tenant information."; + "The list of IPv6 address."; - leaf tenant { - type uint8; - mandatory true; + leaf ipv6 { + type inet:ipv6-address; description - "User's tenant information."; + "The value of IPv6 address."; + } + leaf prefix-length { + type uint8 { + range "0..128"; + } + description + "The length of the subnet prefix."; } } + description + "Grouping for an IPv6 address"; - case vn-id { + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - IPv6 address + RFC 8344: A YANG Data Model for IP Management"; + } + + grouping pkt-sec-ipv4 { + choice match-type { description - "VN-ID information."; + "There are two types to configure a security policy + for IPv4 address, such as exact match and range match."; + case exact-match { + uses ipv4; + description + "Exact match for an IPv4 address."; + } + case range-match { + list range-ipv4-address { + key "start-ipv4-address end-ipv4-address"; + leaf start-ipv4-address { + type inet:ipv4-address; + description + "Start IPv4 address for a range match."; + } - 
leaf vn-id { - type uint8; - mandatory true; + leaf end-ipv4-address { + type inet:ipv4-address; description - "User's VN-ID information."; + "End IPv4 address for a range match."; } + description + "Range match for an IPv4 address."; } } } - leaf security-grup { - type string; - mandatory true; description - "security-grup."; + "Grouping for an IPv4 address."; + + reference + "RFC 791: Internet Protocol - IPv4 address"; + } + + grouping pkt-sec-ipv6 { + choice match-type { + description + "There are two types to configure a security policy + for IPv6 address, such as exact match and range match."; + case exact-match { + uses ipv6; + description + "Exact match for an IPv6 address."; } + case range-match { + list range-ipv6-address { + key "start-ipv6-address end-ipv6-address"; + leaf start-ipv6-address { + type inet:ipv6-address; + description + "Start IPv6 address for a range match."; } - container url-category-condition { + leaf end-ipv6-address { + type inet:ipv6-address; description - "TBD"; - leaf url-category-description { - type string; + "End IPv6 address for a range match."; + } description - "This is description for url category condition. 
- Vendors can write instructions for context condition - that vendor made"; + "Range match for an IPv6 address."; + } } + } + description + "Grouping for IPv6 address."; - leaf-list pre-defined-category { - type string; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - IPv6 address"; + } + + grouping pkt-sec-port-number { + choice match-type { description - "This is pre-defined-category."; + "There are two types to configure a security policy + for a port number, such as exact match and range match."; + case exact-match { + leaf-list port-num { + type inet:port-number; + description + "Exact match for a port number."; } - leaf-list user-defined-category { - type string; + } + case range-match { + list range-port-num { + key "start-port-num end-port-num"; + leaf start-port-num { + type inet:port-number; description - "This user-defined-category."; + "Start port number for a range match."; + } + leaf end-port-num { + type inet:port-number; + description + "Start port number for a range match."; + } + description + "Range match for a port number."; + } + } } + description + "Grouping for port number."; + + reference + "RFC 793: Transmission Control Protocol - Port number + RFC 768: User Datagram Protocol - Port Number"; } - container context-condition { + /* + * Data nodes + */ + + container i2nsf-security-policy { description - "TBD"; - leaf context-description { + "Container for security policy + including a set of security rules according to certain logic, + i.e., their similarity or mutual relations, etc. The network + security policy is able to apply over both the unidirectional + and bidirectional traffic across the NSF. 
+ The I2NSF security policies use the Event-Condition-Action + (ECA) policy model "; + + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA Policy Model + Overview"; + + list system-policy { + key "system-policy-name"; + description + "The system-policy represents there could be multiple system + policies in one NSF, and each system policy is used by + one virtual instance of the NSF/device."; + + leaf system-policy-name { type string; + mandatory true; description - "This is description for context condition. - Vendors can write instructions for context condition - that vendor made"; + "The name of the policy. + This must be unique."; + } + + leaf priority-usage { + type identityref { + base priority-usage-type; } + default priority-by-order; + description + "Priority usage type for security policy rule: + priority by order and priority by number"; } - container gen-context-condition { + leaf resolution-strategy { + type identityref { + base resolution-strategy; + } + default fmr; description - "TBD"; - leaf gen-context-description { - type string; + "The resolution strategies can be used to + specify how to resolve conflicts that occur between + the actions of the same or different policy rules that + are matched and contained in this particular NSF"; + + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Resolution strategy"; + } + + leaf default-action { + type identityref { + base default-action; + } + default alert; description - "This is description for generic context condition. - Vendors can write instructions for generic context - condition that vendor made"; + "This default action can be used to specify a predefined + action when no other alternative action was matched + by the currently executing I2NSF Policy Rule. 
An analogy + is the use of a default statement in a C switch statement."; + + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Default action"; } - container geographic-location { + list rules { + key "rule-name"; description - "The location where network traffic is associated - with. The region can be the geographic location - such as country, province, and city, - as well as the logical network location such as - IP address, network section, and network domain."; + "This is a rule for network security functions."; - leaf-list src-geographic-location { - type uint32; + leaf rule-name { + type string; + mandatory true; description - "This is mapped to ip address. We can acquire - source region through ip address stored the - database."; + "The name of the rule. + This must be unique."; } - leaf-list dest-geographic-location { - type uint32; + + leaf rule-description { + type string; description - "This is mapped to ip address. We can acquire - destination region through ip address stored - the database."; + "This description gives more information about + rules."; } + + leaf rule-priority { + type uint8 { + range "1..255"; } + description + "The priority keyword comes with a mandatory + numeric value which can range from 1 till 255."; } + + leaf rule-enable { + type boolean; + description + "True is enable. 
+ False is not enbale."; } + + container time-zone { + description + "Time zone when the rules are applied"; + container absolute-time-zone { + description + "Rule execution according to absolute time"; + + leaf start-time { + type start-time-type; + default right-away; + description + "Start time when the rules are applied"; } - container action-clause-container { - description "TBD"; - list action-clause-list { - key eca-object-id; - uses i2nsf-eca-object-type { - refine entity-class { - default ECA-ACTION-TYPE; + leaf end-time { + type end-time-type; + default infinitely; + description + "End time when the rules are applied"; } } + + container periodic-time-zone { description - "An action is used to control and monitor aspects of - flow-based NSFs when the event and condition clauses - are satisfied. NSFs provide security functions by - executing various Actions. Examples of I2NSF Actions - include providing intrusion detection and/or protection, - web and flow filtering, and deep packet inspection - for packets and flows."; + "Rule execution according to periodic time"; - leaf rule-log { + container day { + description + "Rule execution according to day."; + leaf every-day { type boolean; + default true; description - "True is enable - False is not enable."; + "Rule execution every day"; } - leaf session-log { - type boolean; + + leaf-list specific-day { + when "../every-day = 'false'"; + type day-type; description - "True is enable - False is not enable."; + "Rule execution according + to specific day"; } - container ingress-action { + } + container month { description - "TBD"; - leaf ingress-description { - type string; + "Rule execution according to month."; + leaf every-month { + type boolean; + default true; description - "This is description for ingress action. 
- Vendors can write instructions for ingress action - that vendor made"; + "Rule execution every day"; } - leaf ingress-action-type { - type ingress-action; + + leaf-list specific-month { + when "../every-month = 'false'"; + type month-type; description - "Ingress action type: permit, deny, and mirror."; + "Rule execution according + to month day"; } } - container egress-action { + } + } + + container event-clause-container { description - "TBD"; - leaf egress-description { + "An event is defined as any important + occurrence in time of a change in the system being + managed, and/or in the environment of the system being + managed. When used in the context of policy rules for + a flow-based NSF, it is used to determine whether the + Condition clause of the Policy Rule can be evaluated + or not. Examples of an I2NSF event include time and + user actions (e.g., logon, logoff, and actions that + violate any ACL.)."; + + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA + Policy Model Overview + draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG + Data Model for Monitoring I2NSF Network Security + Functions - System Alarm and System Events"; + + leaf event-clause-description { type string; description - "This is description for egress action. 
- Vendors can write instructions for egress action - that vendor made"; + "Description for an event clause"; } - leaf egress-action-type { - type egress-action; + container event-clauses { description - "Egress-action-type: invoke-signaling, - tunnel-encapsulation, and forwarding."; + "It has two event types such as + system event and system alarm."; + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA Policy + Model Overview + draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG + Data Model for Monitoring I2NSF Network Security + Functions - System Alarm and System Events"; + + leaf-list system-event { + type identityref { + base system-event; } + description + "The security policy rule according to + system events."; } - container apply-profile { + leaf-list system-alarm { + type identityref { + base system-alarm; + } description - "TBD"; - leaf profile-description { + "The security policy rule according to + system alarms."; + } + } + } + + container condition-clause-container { + description + "A condition is defined as a set + of attributes, features, and/or values that are to be + compared with a set of known attributes, features, + and/or values in order to determine whether or not the + set of Actions in that (imperative) I2NSF Policy Rule + can be executed or not. Examples of I2NSF Conditions + include matching attributes of a packet or flow, and + comparing the internal state of an NSF to a desired + state."; + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA Policy + Model Overview"; + + leaf condition-clause-description { type string; description - "This is description for apply profile action. 
- Vendors can write instructions for apply - profile action that vendor made"; + "Description for a condition clause."; } - container content-security-control { - description - "Content security control is another category of - security capabilities applied to application layer. - Through detecting the contents carried over the - traffic in application layer, these capabilities - can realize various security purposes, such as - defending against intrusion, inspecting virus, - filtering malicious URL or junk email, and blocking - illegal web access or data retrieval."; - container content-security-control-types { + container packet-security-ipv4-condition { description - "Content Security types: Antivirus, IPS, IDS, - url-filtering, data-filtering, mail-filtering, - file-blocking, file-isolate, pkt-capture, - application-control, and voip-volte."; + "The purpose of this container is to represent IPv4 + packet header information to determine if the set + of policy actions in this ECA policy rule should be + executed or not."; + reference + "RFC 791: Internet Protocol"; - leaf antivirus { - type string; + container pkt-sec-ipv4-header-length { + choice match-type { description - "Additional inspection of antivirus."; + "There are two types to configure a security + policy for IPv4 header length, such as exact match + and range match."; + case exact-match { + leaf-list ipv4-header-length { + type uint8 { + range "5..15"; + } + description + "Exact match for an IPv4 header length."; + } + } + case range-match { + list range-ipv4-header-length { + key "start-ipv4-header-length + end-ipv4-header-length"; + leaf start-ipv4-header-length { + type uint8 { + range "5..15"; + } + description + "Start IPv4 header length for a range match."; } - leaf ips { - type string; + leaf end-ipv4-header-length { + type uint8 { + range "5..15"; + } description - "Additional inspection of IPS."; + "End IPv4 header length for a range match."; + } + description + "Range match for an IPv4 
header length."; + } + } + } + description + "The security policy rule according to + IPv4 header length."; + reference + "RFC 791: Internet Protocol - Header length"; } - leaf ids { - type string; + leaf-list pkt-sec-ipv4-tos { + type identityref { + base type-of-service; + } description - "Additional inspection of IDS."; + "The security policy rule according to + IPv4 type of service."; + reference + "RFC 791: Internet Protocol - Type of service"; } - leaf url-filtering { - type string; + container pkt-sec-ipv4-total-length { + choice match-type { description - "Additional inspection of URL filtering."; + "There are two types to configure a security + policy for IPv4 total length, such as exact match + and range match."; + case exact-match { + leaf-list ipv4-total-length { + type uint16; + description + "Exact match for an IPv4 total length."; + } } + case range-match { + list range-ipv4-total-length { + key "start-ipv4-total-length end-ipv4-total-length"; + leaf start-ipv4-total-length { + type uint16; + description + "Start IPv4 total length for a range match."; - leaf data-filtering { - type string; + } + leaf end-ipv4-total-length { + type uint16; description - "Additional inspection of data filtering."; + "End IPv4 total length for a range match."; } - leaf mail-filtering { - type string; description - "Additional inspection of mail filtering."; + "Range match for an IPv4 total length."; + } + } } - - leaf file-blocking { - type string; description - "Additional inspection of file blocking."; + "The security policy rule according to + IPv4 total length."; + reference + "RFC 791: Internet Protocol - Total length"; } - leaf file-isolate { - type string; + leaf-list pkt-sec-ipv4-id { + type uint16; description - "Additional inspection of file isolate."; + "The security policy rule according to + IPv4 identification."; + reference + "RFC 791: Internet Protocol - Identification"; } - leaf pkt-capture { - type string; + leaf-list pkt-sec-ipv4-fragment-flags { + 
type identityref { + base fragmentation-flags-type; + } description - "Additional inspection of packet capture."; + "The security policy rule according to + IPv4 fragment flags."; + reference + "RFC 791: Internet Protocol - Fragment flags"; } - leaf application-control { - type string; + container pkt-sec-ipv4-fragment-offset { + choice match-type { description - "Additional inspection of app control."; + "There are two types to configure a security + policy for IPv4 fragment offset, such as exact match + and range match."; + case exact-match { + leaf-list ipv4-fragment-offset { + type uint16 { + range "0..16383"; + + } + description + "Exact match for an IPv4 fragment offset."; + } + } + case range-match { + list range-ipv4-fragment-offset { + key "start-ipv4-fragment-offset + end-ipv4-fragment-offset"; + leaf start-ipv4-fragment-offset { + type uint16 { + range "0..16383"; + } + description + "Start IPv4 fragment offset for a range match."; + } + leaf end-ipv4-fragment-offset { + type uint16 { + range "0..16383"; + } + description + "End IPv4 fragment offset for a range match."; + } + description + "Range match for an IPv4 fragment offset."; + } + } + } + description + "The security policy rule according to + IPv4 fragment offset."; + reference + "RFC 791: Internet Protocol - Fragment offset"; } - leaf voip-volte { - type string; + container pkt-sec-ipv4-ttl { + choice match-type { description - "Additional inspection of VoIP/VoLTE."; + "There are two types to configure a security + policy for IPv4 TTL, such as exact match + and range match."; + case exact-match { + leaf-list ipv4-ttl { + type uint8; + description + "Exact match for an IPv4 TTL."; + } + } + case range-match { + list range-ipv4-ttl { + key "start-ipv4-ttl end-ipv4-ttl"; + leaf start-ipv4-ttl { + type uint8; + description + "Start IPv4 TTL for a range match."; + } + leaf end-ipv4-ttl { + type uint8; + description + "End IPv4 TTL for a range match."; + } + description + "Range match for an IPv4 
TTL."; } } } + description + "The security policy rule according to + IPv4 time-to-live (TTL)."; + reference + "RFC 791: Internet Protocol - Time to live"; + } - container attack-mitigation-control { + leaf-list pkt-sec-ipv4-protocol { + type identityref { + base protocol; + } description - "This category of security capabilities is - specially used to detect and mitigate various - types of network attacks."; + "The security policy rule according to + IPv4 protocol."; + reference + "RFC 791: Internet Protocol - Protocol"; + } - container ddos-attack { + container pkt-sec-ipv4-src { + uses pkt-sec-ipv4; description - "A distributed-denial-of-service (DDoS) is - where the attack source is more than one, - often thousands of unique IP addresses."; + "The security policy rule according to + IPv4 source address."; + reference + "RFC 791: Internet Protocol - IPv4 Address"; + } - container ddos-attack-type { + container pkt-sec-ipv4-dest { + uses pkt-sec-ipv4; description - "DDoS-attack types: Network Layer - DDoS Attacks and Application Layer - DDoS Attacks."; + "The security policy rule according to + IPv4 destination address."; + reference + "RFC 791: Internet Protocol - IPv4 Address"; + } - container network-layer-ddos-attack { + leaf-list pkt-sec-ipv4-ipopts { + type identityref { + base ipopts; + } description - "Network layer DDoS-attack."; - container network-layer-ddos-attack-type { + "The security policy rule according to + IPv4 options."; + reference + "RFC 791: Internet Protocol - Options"; + } + + leaf pkt-sec-ipv4-sameip { + type boolean; description - "Network layer DDoS attack types: - Syn Flood Attack, UDP Flood Attack, - ICMP Flood Attack, IP Fragment Flood, - IPv6 Related Attacks, and etc"; + "Every packet has a source IP-address and + a destination IP-address. 
It can be that + the source IP is the same as + the destination IP."; + } - leaf syn-flood { + leaf-list pkt-sec-ipv4-geoip { type string; description - "Additional Inspection of - Syn Flood Attack."; + "The geoip keyword enables you to match on + the source, destination or source and destination + IP addresses of network traffic and to see to + which country it belongs. To do this, Suricata + uses GeoIP API with MaxMind database format."; + } } - leaf udp-flood { - type string; + container packet-security-ipv6-condition { description - "Additional Inspection of - UDP Flood Attack."; + "The purpose of this container is to represent + IPv6 packet header information to determine + if the set of policy actions in this ECA policy + rule should be executed or not."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification"; + + leaf-list pkt-sec-ipv6-traffic-class { + type identityref { + base traffic-class; + } + description + "The security policy rule according to + IPv6 traffic class."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Traffic class"; } - leaf icmp-flood { - type string; + container pkt-sec-ipv6-flow-label { + choice match-type { description - "Additional Inspection of - ICMP Flood Attack."; + "There are two types to configure a security + policy for IPv6 flow label, such as exact match + and range match."; + case exact-match { + leaf-list ipv6-flow-label { + type uint32 { + range "0..1048575"; + } + description + "Exact match for an IPv6 flow label."; + } + } + case range-match { + list range-ipv6-flow-label { + key "start-ipv6-flow-label end-ipv6-flow-label"; + leaf start-ipv6-flow-label { + type uint32 { + range "0..1048575"; + } + description + "Start IPv6 flow label for a range match."; + } + leaf end-ipv6-flow-label { + type uint32 { + range "0..1048575"; + } + description + "End IPv6 flow label for a range match."; + } + description + "Range match for an IPv6 flow label."; + } } - leaf 
ip-frag-flood { - type string; + } description - "Additional Inspection of - IP Fragment Flood."; + "The security policy rule according to + IPv6 flow label."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Flow label"; } - leaf ipv6-related { - type string; + container pkt-sec-ipv6-payload-length { + choice match-type { description - "Additional Inspection of - IPv6 Related Attacks."; + "There are two types to configure a security + policy for IPv6 payload length, such as + exact match and range match."; + case exact-match { + leaf-list ipv6-payload-length { + type uint16; + description + "Exact match for an IPv6 payload length."; + } + } + case range-match { + list range-ipv6-payload-length { + key "start-ipv6-payload-length + end-ipv6-payload-length"; + leaf start-ipv6-payload-length { + type uint16; + description + "Start IPv6 payload length for a range match."; + } + leaf end-ipv6-payload-length { + type uint16; + description + "End IPv6 payload length for a range match."; + } + description + "Range match for an IPv6 payload length."; } } } - - container app-layer-ddos-attack { description - "Application layer DDoS-attack."; + "The security policy rule according to + IPv6 payload length."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Payload length"; + } + leaf-list pkt-sec-ipv6-next-header { + type identityref { + base next-header; + } + description + "The security policy rule according to + IPv6 next header."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Next header"; + } - container app-ddos-attack-types { + container pkt-sec-ipv6-hop-limit { + choice match-type { description - "Application layer DDoS-attack types: - Http Flood Attack, Https Flood Attack, - DNS Flood Attack, and - DNS Amplification Flood Attack, - SSL DDoS Attack, and etc."; + "There are two types to configure a security + policy for IPv6 hop limit, such as exact match + and range match."; + 
case exact-match { + leaf-list ipv6-hop-limit { + type uint8; + description + "Exact match for an IPv6 hop limit."; + } + } + case range-match { + list range-ipv6-hop-limit { + key "start-ipv6-hop-limit end-ipv6-hop-limit"; + leaf start-ipv6-hop-limit { + type uint8; + description + "Start IPv6 hop limit for a range match."; + } + leaf end-ipv6-hop-limit { + type uint8; + description + "End IPv6 hop limit for a range match."; + } + description + "Range match for an IPv6 hop limit."; + } + } + } + description + "The security policy rule according to + IPv6 hop limit."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - Hop limit"; + } - leaf http-flood { - type string; + container pkt-sec-ipv6-src { + uses pkt-sec-ipv6; description - "Additional Inspection of - Http Flood Attack."; + "The security policy rule according to + IPv6 source address."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - IPv6 address"; } - leaf https-flood { - type string; + container pkt-sec-ipv6-dest { + uses pkt-sec-ipv6; description - "Additional Inspection of - Https Flood Attack."; + "The security policy rule according to + IPv6 destination address."; + reference + "RFC 2460: Internet Protocol, Version 6 (IPv6) + Specification - IPv6 address"; } - leaf dns-flood { - type string; + } + + container packet-security-tcp-condition { description - "Additional Inspection of - DNS Flood Attack."; + "The purpose of this container is to represent + TCP packet header information to determine + if the set of policy actions in this ECA policy + rule should be executed or not."; + reference + "RFC 793: Transmission Control Protocol"; + + container pkt-sec-tcp-src-port-num { + uses pkt-sec-port-number; + description + "The security policy rule according to + tcp source port number."; + reference + "RFC 793: Transmission Control Protocol + - Port number"; } - leaf dns-amp-flood { - type string; + container pkt-sec-tcp-dest-port-num { + uses 
pkt-sec-port-number; description - "Additional Inspection of - DNS Amplification Flood Attack."; + "The security policy rule according to + tcp destination port number."; + reference + "RFC 793: Transmission Control Protocol + - Port number"; } - leaf ssl-ddos { - type string; + container pkt-sec-tcp-seq-num { + choice match-type { description - "Additional Inspection of - SSL Flood Attack."; + "There are two types to configure a security + policy for tcp sequence number, + such as exact match and range match."; + case exact-match { + leaf-list tcp-seq-num { + type uint32; + description + "Exact match for an tcp sequence number."; + } + } + case range-match { + list range-tcp-seq-num { + key "start-tcp-seq-num end-tcp-seq-num"; + leaf start-tcp-seq-num { + type uint32; + description + "Start tcp sequence number for a range match."; } + leaf end-tcp-seq-num { + type uint32; + description + "End tcp sequence number for a range match."; } + description + "Range match for a tcp sequence number."; } } } + description + "The security policy rule according to + tcp sequence number."; + reference + "RFC 793: Transmission Control Protocol + - Sequence number"; + } - container single-packet-attack { + container pkt-sec-tcp-ack-num { + choice match-type { description - "Single Packet Attacks."; - container single-packet-attack-type { + "There are two types to configure a security + policy for tcp acknowledgement number, + such as exact match and range match."; + case exact-match { + leaf-list tcp-ack-num { + type uint32; description - "DDoS-attack types: Scanning Attack, - Sniffing Attack, Malformed Packet Attack, - Special Packet Attack, and etc."; - - container scan-and-sniff-attack { + "Exact match for an tcp acknowledgement number."; + } + } + case range-match { + list range-tcp-ack-num { + key "start-tcp-ack-num end-tcp-ack-num"; + leaf start-tcp-ack-num { + type uint32; description - "Scanning and Sniffing Attack."; - container scan-and-sniff-attack-types { + "Start tcp 
acknowledgement number + for a range match."; + } + leaf end-tcp-ack-num { + type uint32; description - "Scanning and sniffing attack types: - IP Sweep attack, Port Scanning, - and etc."; - - leaf ip-sweep { - type string; + "End tcp acknowledgement number + for a range match."; + } description - "Additional Inspection of - IP Sweep Attack."; + "Range match for a tcp acknowledgement number."; + } + } + } + description + "The security policy rule according to + tcp acknowledgement number."; + reference + "RFC 793: Transmission Control Protocol + - Acknowledgement number"; } - leaf port-scanning { - type string; + container pkt-sec-tcp-window-size { + choice match-type { description - "Additional Inspection of - Port Scanning Attack."; + "There are two types to configure a security + policy for tcp window size, + such as exact match and range match."; + case exact-match { + leaf-list tcp-window-size { + type uint16; + description + "Exact match for an tcp window size."; } } + case range-match { + list range-tcp-window-size { + key "start-tcp-window-size end-tcp-window-size"; + leaf start-tcp-window-size { + type uint16; + description + "Start tcp window size for a range match."; } - - container malformed-packet-attack { + leaf end-tcp-window-size { + type uint16; description - "Malformed Packet Attack."; - container malformed-packet-attack-types { + "End tcp window size for a range match."; + } description - "Malformed packet attack types: - Ping of Death Attack, Teardrop Attack, - and etc."; - - leaf ping-of-death { - type string; + "Range match for a tcp window size."; + } + } + } description - "Additional Inspection of - Ping of Death Attack."; + "The security policy rule according to + tcp window size."; + reference + "RFC 793: Transmission Control Protocol + - Window size"; } - leaf teardrop { - type string; - description - "Additional Inspection of - Teardrop Attack."; + leaf-list pkt-sec-tcp-flags { + type identityref { + base tcp-flags; } + description + "The 
security policy rule according to + tcp flags."; + reference + "RFC 793: Transmission Control Protocol + - Flags"; } } - container special-packet-attack { + container packet-security-udp-condition { description - "special Packet Attack."; - container special-packet-attack-types { + "The purpose of this container is to represent + UDP packet header information to determine + if the set of policy actions in this ECA policy + rule should be executed or not."; + reference + "RFC 793: Transmission Control Protocol"; + + container pkt-sec-udp-src-port-num { + uses pkt-sec-port-number; description - "Special packet attack types: - Oversized ICMP Attack, Tracert Attack, - and etc."; + "The security policy rule according to + udp source port number."; + reference + "RFC 793: Transmission Control Protocol + - Port number"; + } - leaf oversized-icmp { - type string; + container pkt-sec-udp-dest-port-num { + uses pkt-sec-port-number; description - "Additional Inspection of - Oversize ICMP Attack."; + "The security policy rule according to + udp destination port number."; + reference + "RFC 768: User Datagram Protocol + - Total Length"; } - leaf tracert { - type string; + container pkt-sec-udp-total-length { + choice match-type { description - "Additional Inspection of - Tracrt Attack."; + "There are two types to configure a security + policy for udp sequence number, + such as exact match and range match."; + case exact-match { + leaf-list udp-total-length { + type uint32; + description + "Exact match for an udp-total-length."; } } + case range-match { + list range-udp-total-length { + key "start-udp-total-length end-udp-total-length"; + leaf start-udp-total-length { + type uint32; + description + "Start udp total length for a range match."; } + leaf end-udp-total-length { + type uint32; + description + "End udp total length for a range match."; } + description + "Range match for a udp total length."; } } - } + description + "The security policy rule according to + udp total 
length."; + reference + "RFC 768: User Datagram Protocol + - Total Length"; } } + container packet-security-icmp-condition { + description + "The purpose of this container is to represent + ICMP packet header information to determine + if the set of policy actions in this ECA policy + rule should be executed or not."; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; + + leaf-list pkt-sec-icmp-type-and-code { + type identityref { + base icmp-type; } - container resolution-strategy { description - "The resolution strategies can be used to - specify how to resolve conflicts that occur between - the actions of the same or different policy rules that - are matched and contained in this particular NSF"; + "The security policy rule according to + ICMP parameters."; + reference + "RFC 792: Internet Control Message Protocol + RFC 8335: PROBE: A Utility for Probing Interfaces"; + } + } - choice resolution-strategy-type { + container packet-security-http-condition { description - "Vendors can use YANG data model to configure rules"; + "Condition for http."; - case fmr { - leaf first-matching-rule { - type boolean; + leaf-list pkt-sec-uri-content { + type string; description - "If the resolution strategy is first matching rule"; - } + "The security policy rule according to + uri content."; } - case lmr { - leaf last-matching-rule { - type boolean; + + leaf-list pkt-sec-url-content { + type string; description - "If the resolution strategy is last matching rule"; + "The security policy rule according to + url content."; } } - } + container packet-security-voice-condition { + description + "For the VoIP/VoLTE security system, a VoIP/ + VoLTE security system can monitor each + VoIP/VoLTE flow and manage VoIP/VoLTE + security rules controlled by a centralized + server for VoIP/VoLTE security service + (called VoIP IPS). 
The VoIP/VoLTE security + system controls each switch for the + VoIP/VoLTE call flow management by + manipulating the rules that can be added, + deleted, or modified dynamically."; + reference + "RFC 3261: SIP: Session Initiation Protocol"; + + leaf-list pkt-sec-src-voice-id { + type string; + description + "The security policy rule according to + a source voice ID for VoIP and VoLTE."; } - container default-action { + leaf-list pkt-sec-dest-voice-id { + type string; description - "This default action can be used to specify a predefined - action when no other alternative action was matched - by the currently executing I2NSF Policy Rule. An analogy - is the use of a default statement in a C switch statement."; + "The security policy rule according to + a destination voice ID for VoIP and VoLTE."; + } - leaf default-action-type { - type boolean; + leaf-list pkt-sec-user-agent { + type string; description - "True is permit - False is deny."; + "The security policy rule according to + an user agent for VoIP and VoLTE."; } } - container rule-group { + container packet-security-ddos-condition { description - "This is rule group"; + "Condition for DDoS attack."; - list groups { - key "group-name"; + leaf pkt-sec-alert-rate { + type uint32; description - "This is a group for rules"; + "The alert rate of flood detect for + same packets."; + } + } + } - leaf group-name { + container action-clause-container { + description + "An action is used to control and monitor aspects of + flow-based NSFs when the event and condition clauses + are satisfied. NSFs provide security functions by + executing various Actions. 
Examples of I2NSF Actions + include providing intrusion detection and/or protection, + web and flow filtering, and deep packet inspection + for packets and flows."; + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA Policy + Model Overview"; + + leaf action-clause-description { type string; description - "This is a group for rules"; + "Description for an action clause."; } - container rule-range { + container packet-action { description - "This is a rule range."; + "Action for packets"; + reference + "RFC 8329: Framework for Interface to Network Security + Functions - I2NSF Flow Security Policy Structure + draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities - Design Principles and ECA + Policy Model Overview"; - leaf start-rule { - type string; + leaf ingress-action { + type identityref { + base ingress-action; + } description - "This is a start rule"; + "Action: pass, drop, reject, alert, and mirror."; + } + + leaf egress-action { + type identityref { + base egress-action; } - leaf end-rule { - type string; description - "This is a end rule"; + "Egress action: pass, drop, reject, alert, mirror, + invoke-signaling, tunnel-encapsulation, + forwarding, and redirection."; } + + leaf log-action { + type identityref { + base log-action; } - leaf enable { - type boolean; description - "This is enable - False is not enable."; + "Log action: rule log and session log"; } - leaf description { - type string; + + } + + container advanced-action { description - "This is a desription for rule-group"; + "If the packet need be additionally inspected, + the packet are passed to advanced network + security functions according to the profile."; + reference + "RFC 8329: Framework for Interface to Network Security + Functions - Differences from ACL Data Models"; + + leaf-list 
content-security-control { + type identityref { + base content-security-control; + } + description + "The Profile is divided into content security + control and attack-mitigation-control. + Content security control: antivirus, ips, ids, + url filtering, mail filtering, file blocking, + file isolate, packet capture, application control, + voip and volte."; + } + leaf-list attack-mitigation-control { + type identityref { + base attack-mitigation-control; + } + description + "The Profile is divided into content security + control and attack-mitigation-control. + Attack mitigation control: syn flood, udp flood, + icmp flood, ip frag flood, ipv6 related, http flood, + https flood, dns flood, dns amp flood, ssl ddos, + ip sweep, port scanning, ping of death, teardrop, + oversized icmp, tracert."; + } } } } } } } Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface +6. IANA Considerations + + This document requests IANA to register the following URI in the + "IETF XML Registry" [RFC3688]: + + URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf + + Registrant Contact: The IESG. + + XML: N/A; the requested URI is an XML namespace. + + This document requests IANA to register the following YANG module in + the "YANG Module Names" registry [RFC7950]. + + name: ietf-i2nsf-policy-rule-for-nsf + + namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- + nsf + + prefix: iiprfn + + reference: RFC XXXX + 7. Security Considerations - This document introduces no additional security threats and SHOULD - follow the security requirements as stated in [RFC8329]. + The YANG module specified in this document defines a data schema + designed to be accessed through network management protocols such as + NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is + the secure transport layer, and the required transport secure + transport is Secure Shell (SSH) [RFC6242]. 
The lowest RESTCONF layer + is HTTPS, and the required transport secure transport is TLS + [RFC8446]. + + The NETCONF access control model [RFC8341] provides a means of + restricting access to specific NETCONF or RESTCONF users to a + preconfigured subset of all available NETCONF or RESTCONF protocol + operations and content. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. + [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG + Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, + January 2011, . + + [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., + and A. Bierman, Ed., "Network Configuration Protocol + (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, + . + + [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure + Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, + . + + [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", + RFC 6991, DOI 10.17487/RFC6991, July 2013, + . + + [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", + RFC 7950, DOI 10.17487/RFC7950, August 2016, + . + + [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF + Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, February 2018. + [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", + BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, + . + + [RFC8341] Bierman, A. and M. 
Bjorklund, "Network Configuration + Access Control Model", STD 91, RFC 8341, + DOI 10.17487/RFC8341, March 2018, + . + [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", RFC RFC8431, September 2018. + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + . + 8.2. Informative References [i2nsf-advanced-nsf-dm] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. + [i2nsf-nsf-cap-dm] + Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, + "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- + capability-data-model-02 (work in progress), November + 2018. + [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-04 (work in progress), October 2018. [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. -Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01 +Appendix A. Configuration Examples + + This section shows configuration examples of "ietf-i2nsf-policy-rule- + for-nsf" module for security policy rules of network security + devices. For security requirements, we assume that the NSFs (i.e., + General firewall, Time based firewall, Web filter, VoIP/VoLTE filter + http and https flood mitigation ) described in Appendix A. + Configuration Examples of [i2nsf-nsf-cap-dm] are registered in I2NSF + framework. 
With the registed NSFs, we show configuration examples + for security policy rules of network security functions according to + the following three security requirements: (i) Block SNS access + during business hours, (ii) Block malicious VoIP/VoLTE packets coming + to the company, and (iii) Mitigate http and https flood attacks on + company web server. + +A.1. Security Requirement 1: Block SNS Access during Business Hours + + This section shows a configuration example for blocking SNS access + during business hours. + + + + sns_access + + block_sns_access_during_operation_time + + + 09:00:00Z + 18:00:00Z + + + + + + + 221.159.112.1 + 221.159.112.90 + + + + + + + url-filtering + + + + + + + Figure 6: Configuration XML for Time based Firewall to Block SNS + Access during Business Hours + + + + sns_access + + block_facebook_and_instgram + + + facebook + instagram + + + + + drop + + + + + + + Figure 7: Configuration XML for Web Filter to Block SNS Access during + Business Hours + + Figure 6 and Figure 7 show the configuration XML documents for time + based firewall and web filter to block SNS access during business + hours. For the security requirement, two NSFs (i.e., a time based + firewall and a web filter) were used because one NSF can not meet the + security requirement. The instances of XML documents for the time + based firewall and the web filter are as follows: Note that a + detailed data model for the configuration of the advanced network + security function (i.e., web filter) is described in + [i2nsf-advanced-nsf-dm]. + + Time based Firewall + + 1. The name of the system policy is sns_access. + + 2. The name of the rule is block_sns_access_during_operation_time. + + 3. The rule is operated during the business hours (i.e., from 9 a.m. + to 6 p.m.). + + 4. The rule inspects a source IPv4 address (i.e., from 221.159.112.1 + to 221.159.112.90) to inspect the outgoing packets of employees. + + 5. 
If the outgoing packets match the rules above, the time based + firewall sends the packets to url filtering for additional + inspection because the time based firewall can not inspect + contents of the packets for the SNS URL. + + Web Filter + + 1. The name of the system policy is sns_access. + + 2. The name of the rule is block_facebook_and_instagram. + + 3. The rule inspects URL address to block the access packets to the + facebook or the instagram. + + 4. If the outgoing packets match the rules above, the packets are + blocked. + +A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming + to the Company + + This section shows a configuration example for blocking malicious + VoIP/VoLTE packets coming to the company. + + + + voip_volte_inspection + + block_malicious_voip_volte_packets + + + + + 221.159.112.1 + 221.159.112.90 + + + + + + 5060 + 5061 + + + + + + voip-volte + + + + + + + Figure 8: Configuration XML for General Firewall to Block Malicious + VoIP/VoLTE Packets Coming to the Company + + + + malicious_voice_id + + block_malicious_voice_id + + + 11111@voip.black.com + 22222@voip.black.com + + + + + drop + + + + + + + Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious + VoIP/VoLTE Packets Coming to the Company + + Figure 8 and Figure 9 show the configuration XML documents for + general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE + packets coming to the company. For the security requirement, two + NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used + because one NSF can not meet the security requirement. The instances + of XML documents for the general firewall and the VoIP/VoLTE filter + are as follows: Note that a detailed data model for the configuration + of the advanced network security function (i.e., VoIP/VoLTE filter) + is described in [i2nsf-advanced-nsf-dm]. + + General Firewall + + 1. The name of the system policy is voip_volte_inspection. + + 2. 
The name of the rule is block_malicious_voip_volte_packets. + + 3. The rule inspects a destination IPv4 address (i.e., from + 221.159.112.1 to 221.159.112.90) to inspect the packets coming + into the company. + + 4. The rule inspects a port number (i.e., 5060 and 5061) to inspect + VoIP/VoLTE packet. + + 5. If the incoming packets match the rules above, the general + firewall sends the packets to VoIP/VoLTE filter for additional + inspection because the general firewall can not inspect contents + of the VoIP/VoLTE packets. + + VoIP/VoLTE Filter + + 1. The name of the system policy is malicious_voice_id. + + 2. The name of the rule is block_malicious_voice_id. + + 3. The rule inspects the voice id of the VoIP/VoLTE packets to block + the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and + 22222@voip.black.com). + + 4. If the incoming packets match the rules above, the packets are + blocked. + +A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a + Company Web Server + + This section shows a configuration example for mitigating http and + https flood attacks on a company web server. + + + + flood_attack_mitigation + + mitigate_http_and_https_flood_attack + + + + + 221.159.112.95 + + + + + + 80 + 443 + + + + + + http-and-https-flood + + + + + + + + Figure 10: Configuration XML for General Firewall to Mitigate HTTP + and HTTPS Flood Attacks on a Company Web Server + + + + http_and_https_flood_attack_mitigation + + + 100_per_second + + + 100 + + + + + drop + + + + + + + Figure 11: Configuration XML for HTTP and HTTPS Flood Attack + Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web + Server + + Figure 10 and Figure 11 show the configuration XML documents for + general firewall and http and https flood attack mitigation to + mitigate http and https flood attacks on a company web server. 
For + the security requirement, two NSFs (i.e., a general firewall and a + http and https flood attack mitigation) were used because one NSF can + not meet the security requirement. The instances of XML documents + for the general firewall and http and https flood attack mitigation + are as follows: Note that a detailed data model for the configuration + of the advanced network security function (i.e., http and https flood + attack mitigation) is described in [i2nsf-advanced-nsf-dm]. + + General Firewall + + 1. The name of the system policy is flood_attack_mitigation. + + 2. The name of the rule is mitigate_http_and_https_flood_attack. + + 3. The rule inspects a destination IPv4 address (i.e., + 221.159.112.95) to inspect the access packets coming into the + company web server. + + 4. The rule inspects a port number (i.e., 80 and 443) to inspect + http and https packet. + + 5. If the packets match the rules above, the general firewall sends + the packets to http and https flood attack mitigation for + additional inspection because the general firewall can not contrl + the amount of packets for http and https packets. + + HTTP and HTTPS Flood Attack Mitigation + + 1. The name of the system policy is + http_and_https_flood_attack_mitigation. + + 2. The name of the rule is 100_per_second. + + 3. The rule controls the http and https packets according to the + amount of incoming packets. + + 4. If the incoming packets match the rules above, the packets are + blocked. + +Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02 The following changes are made from draft-ietf-i2nsf-nsf-facing- - interface-dm-01: + interface-dm-03: - o We added system policy which represents there could be multiple - system policies in one NSF, and each system policy is used by one - virtual instance of the NSF/device. This is a very general - feature for all the NSFs/devices. 
+ o We revised this YANG data module according to guidelines for + authors and reviewers of YANG data model documents [RFC6087]. - o We changed policy name to system policy name for system policy. + o We changed the structure of the overall YANG data model. - o We deleted policy-event-clause-agg-ptr, policy-condition-clause- - agg-ptr, and policy-action-clause-agg-ptr. + o We added exact-range type as well as range-based type for the + range policy rules. - o We added priority-usage which represents priority of policies by - order or number. + o We changed enumeration type to identity type for scalable + components. -Appendix B. Acknowledgments + o We added a description for the YANG tree diagram of the YANG data + module. + + o We revised overall sentences of this YANG data model document. + + o We added configuration examples to make it easier for reviewers to + understand. + +Appendix C. Acknowledgments This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). -Appendix C. Contributors +Appendix D. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University)
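Review bot: The UDP condition container cites the wrong RFC and carries a copy-paste description. In `container packet-security-udp-condition`, the container-level `reference` and the `pkt-sec-udp-src-port-num` reference both read "RFC 793: Transmission Control Protocol", but UDP is RFC 768; `pkt-sec-udp-dest-port-num` cites "RFC 768 ... - Total Length" for what is a port field. Suggest "RFC 768: User Datagram Protocol - Source Port" and "- Destination Port" respectively. In `pkt-sec-udp-total-length`, the `choice match-type` description says "policy for udp sequence number" although UDP has no sequence number; it should say "udp total length". The UDP Length field is also only 16 bits wide, so `type uint32` on `udp-total-length`, `start-udp-total-length` and `end-udp-total-length` admits values that can never match; `uint16` is the natural type here.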
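Review bot: The ICMP condition's leaf name does not match its type. `leaf-list pkt-sec-icmp-type-and-code` is an `identityref` with `base icmp-type` only, so either the name should drop "-and-code" or the model needs a second node (or a combined identity) that carries the ICMP code, which RFC 792 defines alongside the type. The container cites RFC 8335 without saying why; a short note that it contributes additional ICMP message types (the PROBE request/reply) would tell implementers what to expect under `icmp-type`.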
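Review bot: Several descriptions in the HTTP, VoIP/VoLTE and DDoS condition containers are too thin for the RFC 6087 guidelines the changelog says were applied. `packet-security-http-condition` is described only as "Condition for http." with no `reference`, and nothing distinguishes `pkt-sec-uri-content` from `pkt-sec-url-content` (both `type string`); state the matching semantics (exact, substring or pattern) and which part of the request is compared. `pkt-sec-alert-rate` in `packet-security-ddos-condition` is a bare `uint32` described as "The alert rate of flood detect for same packets"; add a `units` statement (the Appendix A rule name "100_per_second" suggests packets per second) and say whether it is a threshold that triggers the action or a measured value. In `packet-security-voice-condition`, "an user agent" should read "a user agent", and the container description narrates a VoIP IPS deployment rather than stating what the node holds; the deployment text belongs in the body of the draft, with the description reduced to the matching fields (source/destination voice ID, user agent).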
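Review bot: In `container action-clause-container`, the `ingress-action`, `egress-action` and `log-action` descriptions enumerate identity names ("Action: pass, drop, reject, alert, and mirror." and so on). These leaves were changed to `identityref` precisely so that new identities can be added, so the lists will go stale; describe the semantics of each leaf and let the identities document themselves. "Log action: rule log and session log" also lacks a terminating period. In `container advanced-action`, "If the packet need be additionally inspected, the packet are passed" should read "If a packet needs additional inspection, it is passed", and the sentence "The Profile is divided into content security control and attack-mitigation-control." is duplicated verbatim in `content-security-control` and `attack-mitigation-control`; keep it once, at the container level.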
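Review bot: The new Security Considerations text stops at the generic NETCONF/RESTCONF transport paragraphs and omits the part of the RFC 6087 template that matters most for this module: which writable and readable subtrees are sensitive. At minimum, call out `action-clause-container` (`packet-action`, `advanced-action`) and the `packet-security-*-condition` containers: unauthorized write access could change a `drop` to `pass`, narrow a time window or widen a range match and silently disable the protection a rule was deployed to provide, so NACM [RFC8341] write restrictions on these nodes should be recommended; read access exposes internal addressing, server locations and VoIP identities (the Appendix A examples carry concrete address ranges and voice IDs), so read restrictions deserve a sentence too. The phrase "the required transport secure transport is Secure Shell (SSH)" repeats "transport"; the template wording is "the mandatory-to-implement secure transport is Secure Shell (SSH)", and likewise for TLS under RESTCONF.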
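Review bot: The normative reference list mixes YANG versions and cites a superseded guideline. RFC 6020 (YANG 1.0) and RFC 7950 (YANG 1.1) are both normative; the module should declare one `yang-version` and cite only the matching RFC normatively. RFC 6087, named in Appendix B as the guideline followed, was obsoleted by RFC 8407 in October 2018, before this revision's date, so the citation and the changelog bullet should point at RFC 8407. RFC 8340 (tree diagrams) is normally informative. The newly added entries end with a bare "." where the `<https://www.rfc-editor.org/info/rfcNNNN>` URL was dropped (for example after "DOI 10.17487/RFC6087, January 2011,"); restore the URL or remove the dangling punctuation. The unchanged [RFC8431] entry still reads "RFC RFC8431" and could be fixed in the same pass.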
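Review bot: The IANA registration splits the namespace URI across a line break in a way that inserts a hyphen into it: "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- nsf". Since the module name genuinely contains "for-nsf", a reader cannot tell whether the break or the hyphen is the artifact; keep the URI on one line (the name registration a few lines down shows the correct form: ietf-i2nsf-policy-rule-for-nsf). The registered prefix "iiprfn" is an opaque abbreviation; a prefix that can be read back to the module name would be kinder to anyone reading instance documents, and "reference: RFC XXXX" needs the usual RFC Editor note asking for replacement on publication.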
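Review bot: The Appendix A examples use addresses and domains that are not reserved for documentation. 221.159.112.1 to 221.159.112.90 and 221.159.112.95 are routable addresses and voip.black.com is a live-looking domain; RFC 5737 reserves 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 for examples and RFC 2606 reserves example.com, so the figures and the numbered explanations beneath them should be changed together. The time window in Figure 6 is written as 09:00:00Z to 18:00:00Z, that is UTC; if the intent is local business hours, say so and state how the model expresses the zone. Figure 7 names the rule block_facebook_and_instgram while step 2 of the Web Filter list says block_facebook_and_instagram; make them agree. Typos in the surrounding prose: "registed NSFs" (registered) and "can not contrl the amount of packets" (control). Each "The instances of XML documents ... are as follows: Note that ..." sentence runs a colon into a new sentence; end the first sentence with a period and start the note as its own sentence.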
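Review bot: Appendix B is inconsistent about which revision it diffs against and does not record the removals this patch makes. The heading says "Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02" but the first sentence now says "interface-dm-03"; it should say -02. The bullet list also omits that `resolution-strategy` (first/last matching rule), `default-action`, `rule-group` and `special-packet-attack` were removed from the module; since the removed descriptions tie resolution strategy and default action to the I2NSF policy rule defined in the capability information model this draft cites, state whether they were dropped deliberately, moved to another module, or are expected to return, so implementers of -02 know how to migrate.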