I2NSF Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University Expires:May 8,September 12, 2019 J. Park ETRI S. Hares Q. Lin HuaweiNovember 4, 2018March 11, 2019 I2NSF Network Security Function-Facing Interface YANG Data Modeldraft-ietf-i2nsf-nsf-facing-interface-dm-02draft-ietf-i2nsf-nsf-facing-interface-dm-03 Abstract This document defines a YANG data model for configuring security policy rules on network security functions. The YANG data model in this document is corresponding to the information model for Network Security Functions (NSF)-Facing Interface in Interface to Network Security Functions (I2NSF).It describes a data model for the features provided by generic security functions. This data model provides vendors with generic components that they understand well, so these generic components can be used even if they have some vendor specific functions. These generic functions represent a point of interoperability, and can be provided by any product that offers the required capabilities. Also, if they need additional features for their network security functions, the vendors can easily add the features by extending the YANG data model in this document.Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onMay 8,September 12, 2019. Copyright Notice Copyright (c)20182019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . .43 4.The Structure and Objective of I2NSF Security PolicyYANG Tree Diagram . . . . .4 4.1. I2NSF Security Policy Rule. . . . . . . . . . . . . . .4 4.2. Event Clause. . 4 4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4 4.2. Event Clause . . . . . . . . . .4 4.3. Condition Clause. . . . . . . . . . . . 6 4.3. Condtion Clause . . . . . . . .4 4.4. Action Clause. . . . . . . . . . . . . 7 4.4. Action Clause . . . . . . . . .5 5. Data Model Structure. . . . . . . . . . . . . 12 5. YANG Data Module . . . . . . .5 5.1. I2NSF Security Policy Rule. . . . . . . . . . . . . . .5 5.2. Event Clause13 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . .7 5.3. Condition Clause. . . . . . 77 7. Security Considerations . . . . . . . . . . . . . .8 5.4. Action Clause. . . . . 78 8. References . . . . . . . . . . . . . . . . .10 6. YANG Module. . . . . . . . 78 8.1. Normative References . . . . . . . . . . . . . . . . .12 6.1. IETF NSF-Facing Interface YANG Data Module. 78 8.2. Informative References . . . . . .12 7. Security Considerations. . . . . . . . . . . 79 Appendix A. Configuration Examples . . . . . . . .47 8. References. . . . . . . 81 A.1. Security Requirement 1: Block SNS Access during Business Hours . . . . . . . . . . . . . . . . . .47 8.1. Normative References. . . . . . . . 81 A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to the Company . . . . . . . . . .47 8.2. Informative References. . . . 84 A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server . . . . . . . . . . . . .4787 AppendixA.B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01dm-02 . . . . . . . . . . . . . . . . . . . . . . .4890 AppendixB.C. Acknowledgments . . . . . . . . . . . . . . . . . .4891 AppendixC.D. Contributors . . . . . . . . . . . . . . . . . . . .4891 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .4991 1. Introduction This document defines a YANG[RFC6020][RFC6020][RFC7950] data model forthesecurity policy rule configuration of network securityservices withdevices. The YANG data model is corresponding to the information model [i2nsf-nsf-cap-im] for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF).It provides a specific information model and the correspondingThe YANG datamodelsmodel in this document focuses on security policy configuration for generic network securityfunctions (i.e.,functions. Note that security policy configuration for advanced network securityfunctions), as definedfunctions are written in[i2nsf-nsf-cap-im]. With these[i2nsf-advanced-nsf-dm]. This YANG datamodel, I2NSF controller can control the capabilities of NSFs. Themodel uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy described in [RFC8329] and [i2nsf-nsf-cap-im]. Rules. The"ietf-i2nsf-nsf-facing-interface""ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the followingfeatures:features. o Configurationof I2NSFfor general security policy ruleforof generic network securityfunction policy;function. o Configurationoffor an event clauseforof generic network securityfunction policy;function. o Configurationoffor a condition clauseforof generic network securityfunction policy;function. o Configurationoffor an action clauseforof generic network securityfunction policy.function. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in[RFC2119].[RFC2119][RFC8174]. 3. Terminology This document uses the terminology described in [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model]. Especially, the following terms are from [supa-policy-info-model]: o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, implementation language, and protocol. o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. 3.1. Tree Diagrams A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams[RFC8431][RFC8340] is as follows: o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only). o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list". o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). o Ellipsis ("...") stands for contents of subtrees that are not shown. 4.The Structure and Objective of I2NSF Security Policy 4.1. I2NSF Security Policy Rule This shows a policy rule for generic network security functions. The object of a policy rule is defined as policy information and rule information. This includes ECA Policy Rule such as Event Clause Objects, Condition Clause Objects, Action Clause Objects, Resolution Strategy, and Default Action. 4.2. Event ClauseYANG Tree Diagram This section shows anevent clause forYANG tree diagram of generic network security functions.An Event is any important occurrence in time ofNote that achange in the system being managed, and/or indetailed data model for theenvironmentconfiguration of thesystem being managed. When used in the context of I2NSF Policy Rules, itadvanced network security functions isused to determine whether the Condition clause ofdescribed in [i2nsf-advanced-nsf-dm]. The section describes the following subjects: o General I2NSFPolicy Rule can be evaluated or not. The object of an event clauses is defined as user security event, device security event, systemsecurityevent, and time security event. The objectspolicy rule of generic network security function. o An eventclauses can be extended according to specific vendor event features. 4.3. Condition Clause This shows a conditionclauseforof generic network securityfunctions.function. o A conditionis defined as a setclause ofattributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed or not. These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition. The objects of action clauses can be extended according to specific vendor condition features. 4.4. Action Clause This shows an action clause forgeneric network securityfunctions.function. o An actionis used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. The object of an actionclauseis defined as ingress action, egress action, and apply profile action. The objects of action clauses can be extended according to specific vendor action features. 5. Data Model Structure This section shows a data model structure treeof generic network securityfunctions that are defined in the [i2nsf-nsf-cap-im]. Note that a detailed data model for the configuration of the advanced network security functions is described in [i2nsf-advanced-nsf-dm]. The section discusses the following subjects: o Consideration of ECA Policy Model by aggregating the Event, Condition, and Action Clause Objects; o Consideration of Capability Algebra; o Consideration of NSFs Capability Categories (i.e., Network Security, Content Security, and Attack Mitigation Capabilities); o Definition for Network Security Event Class, Network Security Condition Class, and Network Security Action Class. 5.1.function. 4.1. General I2NSF Security Policy RuleThe data modelThis section shows YANG tree diagram forthe identification of networkgeneral I2NSF security policyhas the following structure:rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] +--rw system-policy-name string +--rwpriority-usage priority-usage-typepriority-usage? identityref +--rw resolution-strategy? identityref +--rw default-action? identityref +--rw rules* [rule-name]|+--rw rule-name string|+--rw rule-description? string|+--rw rule-priority? uint8|+--rwenable?rule-enable? boolean|+--rwsession-aging-time? uint16time-zone | +--rwlong-connectionabsolute-time-zone | | +--rwenable? booleanstart-time? start-time-type | | +--rwduring? uint16end-time? end-time-type | +--rwtime-zone |periodic-time-zone | +--rwabsolute-time-zone | | | +--rw time | | | | +--rw start-time? yang:date-and-time | | | | +--rw end-time? yang:date-and-time | | | +--rw date | | | +--rw absolute-date? yang:date-and-time | | +--rw periodic-time-zone | | +--rw day | | | +--rw sunday? boolean | | | +--rw monday? boolean | | | +--rw tuesday? boolean | | | +--rw wednesday? boolean | | | +--rw thursday? boolean |day | | +--rwfriday?every-day? boolean | ||+--rwsaturday? boolean |specific-day* day-type | +--rw month ||+--rwjanuary?every-month? boolean || +--rw february? boolean | | +--rw march? boolean | | +--rw april? boolean | | +--rw may? boolean | | +--rw june? boolean | | +--rw july? boolean | | +--rw august? boolean | | +--rw september? boolean | | +--rw october? boolean | | +--rw november? boolean | |+--rwdecember? boolean |specific-month* month-type +--rw event-clause-container ||...|+--rw condition-clause-container ||...|+--rw action-clause-container|...+--rw resolution-strategy | +--rw (resolution-strategy-type)? | +--:(fmr) | | +--rw first-matching-rule? boolean | +--:(lmr) | +--rw last-matching-rule? boolean +--rw default-action | +--rw default-action-type? boolean +--rw rule-group +--rw groups* [group-name] +--rw group-name string +--rw rule-range | +--rw start-rule? string | +--rw end-rule? string +--rw enable? boolean +--rw description? stringFigure 1:Data Model StructureYANG Tree Diagram for Network Security PolicyIdentification 5.2. Event Clause The data model for eventThis YANG tree diagram shows general I2NSF security policy rulehas the following structure: module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] ... | +--rw event-clause-container | | +--rw event-clause-list* [eca-object-id] | | +--rw entity-class? identityref | | +--rw eca-object-id string | | +--rw description? string | | +--rw sec-event-content string | | +--rw sec-event-format sec-event-format | | +--rw sec-event-type string | +--rw condition-clause-container | | ... | +--rw action-clause-container | ... +--rw resolution-strategy | ... +--rw default-action | ... +--rw rule-group ... Figure 2: Data Model StructureforEvent Rule These objects are defined as user security event, devicegeneric network securityevent,functions. The systemsecurity event, and time security event. These objects canpolicy represents there could beextended according to specific vendor eventmultiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device. The system policy includes system policy name, priority usage, resolutation strategy, default action, and rules. A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF. The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). The resolution strategy can be extended according to specific vendor action features.We will add additionalThe resolution strategy is described in detail in [i2nsf-nsf-cap-im]. A default action is used to execute I2NSF policy rule when no rule matches a packet. The default action is defined as pass, drop, reject, alert, and mirror. The default action can be extended according to specific vendor action features. The default action is described in detail in [i2nsf-nsf-cap-im]. The rules include rule name, rule description, rule priority, rule enable, time zone, eventobjects for more generic network security functions. 5.3. Conditionclause container, condition clause container, and action clause container. 4.2. Event ClauseThe data modelThis section shows YANG tree diagram forcondition rule has the following structure:an event clause of I2NSF security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] ...|+--rwevent-clause-container | |rules* [rule-name] ...| +--rw condition-clause-container | | +--rw condition-clause-list* [eca-object-id] | | +--rw entity-class? identityref | | +--rw eca-object-id string | | +--rw packet-security-condition | | | +--rw packet-description? string | | | +--rw packet-security-mac-condition | | | | +--rw pkt-sec-cond-mac-dest* yang:phys-address | | | | +--rw pkt-sec-cond-mac-src* yang:phys-address | | | |+--rwpkt-sec-cond-mac-8021q* string | | |event-clause-container | +--rwpkt-sec-cond-mac-ether-type*event-clause-description? string || | |+--rwpkt-sec-cond-mac-tci* string | |event-clauses | +--rwpacket-security-ipv4-condition | | |system-event* identityref | +--rwpkt-sec-cond-ipv4-header-length* uint8 | | | |system-alarm* identityref +--rwpkt-sec-cond-ipv4-tos* uint8 | | |condition-clause-container | ... +--rwpkt-sec-cond-ipv4-total-length* uint16 | | |action-clause-container ... Figure 2: YANG Tree Diagram for Network Security Policy This YANG tree diagram shows an event clause of I2NSF security policy rule for generic network security functions. An event clause is any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as system event and system alarm. The event clause can be extended according to specific vendor event features. The event clause is described in detail in [i2nsf-nsf-cap-im]. 4.3. Condtion Clause This section shows YANG tree diagram for a condition clause of I2NSF security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy ... +--rw rules* [rule-name] ... +--rw event-clause-container | ... +--rwpkt-sec-cond-ipv4-id* uint8condition-clause-container | +--rw condition-clause-description? string | +--rw packet-security-ipv4-condition | | +--rwpkt-sec-cond-ipv4-fragment* uint8 |pkt-sec-ipv4-header-length | | | +--rwpkt-sec-cond-ipv4-fragment-offset* uint16(match-type)? | | || +--rw pkt-sec-cond-ipv4-ttl* uint8+--:(exact-match) | | | | +--rwpkt-sec-cond-ipv4-protocol*ipv4-header-length* uint8 | | || +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address |+--:(range-match) | | | +--rwpkt-sec-cond-ipv4-dest* inet:ipv4-address |range-ipv4-header-length* [start-ipv4-header-length end-ipv4-header-length] | | | +--rwpkt-sec-cond-ipv4-ipopts? string |start-ipv4-header-length uint8 | | | +--rwpkt-sec-cond-ipv4-sameip? booleanend-ipv4-header-length uint8 | | +--rw pkt-sec-ipv4-tos* identityref | | +--rwpkt-sec-cond-ipv4-geoip* stringpkt-sec-ipv4-total-length | | | +--rwpacket-security-ipv6-condition(match-type)? | | || +--rw pkt-sec-cond-ipv6-dscp* string+--:(exact-match) | | | | +--rwpkt-sec-cond-ipv6-ecn* string | |ipv4-total-length* uint16 | |+--rw pkt-sec-cond-ipv6-traffic-class* uint8| +--:(range-match) | | | +--rwpkt-sec-cond-ipv6-flow-label* uint32 |range-ipv4-total-length* [start-ipv4-total-length end-ipv4-total-length] | | | +--rwpkt-sec-cond-ipv6-payload-length*start-ipv4-total-length uint16 | | ||+--rwpkt-sec-cond-ipv6-next-header* uint8 | |end-ipv4-total-length uint16 | | +--rwpkt-sec-cond-ipv6-hop-limit* uint8pkt-sec-ipv4-id* uint16 | | +--rw pkt-sec-ipv4-fragment-flags* identityref | | +--rwpkt-sec-cond-ipv6-src* inet:ipv6-address |pkt-sec-ipv4-fragment-offset | | | +--rwpkt-sec-cond-ipv6-dest* inet:ipv6-address(match-type)? | | |+--rw packet-security-tcp-condition+--:(exact-match) | | | | +--rwpkt-sec-cond-tcp-src-port* inet:port-number | |ipv4-fragment-offset* uint16 | |+--rw pkt-sec-cond-tcp-dest-port* inet:port-number| +--:(range-match) | | | +--rwpkt-sec-cond-tcp-seq-num* uint32 |range-ipv4-fragment-offset* [start-ipv4-fragment-offset end-ipv4-fragment-offset] | | | +--rwpkt-sec-cond-tcp-ack-num* uint32 |start-ipv4-fragment-offset uint16 | | | +--rwpkt-sec-cond-tcp-window-size*end-ipv4-fragment-offset uint16 | || |+--rwpkt-sec-cond-tcp-flags* uint8pkt-sec-ipv4-ttl | | | +--rwpacket-security-udp-condition(match-type)? | | || +--rw pkt-sec-cond-udp-src-port* inet:port-number+--:(exact-match) | | | | +--rwpkt-sec-cond-udp-dest-port* inet:port-number |ipv4-ttl* uint8 | | |+--rw pkt-sec-cond-udp-length* string+--:(range-match) | | | +--rwpacket-security-icmp-conditionrange-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl] | | | +--rwpkt-sec-cond-icmp-type*start-ipv4-ttl uint8 | | | +--rwpkt-sec-cond-icmp-code*end-ipv4-ttl uint8 | ||+--rwpkt-sec-cond-icmp-seg-num* uint32pkt-sec-ipv4-protocol* identityref | | +--rwpacket-payload-conditionpkt-sec-ipv4-src | | | +--rwpacket-payload-description? string(match-type)? | | |+--rw pkt-payload-content* string+--:(exact-match) | |+--rw acl-number? uint32| | +--rwapplication-condition |ipv4-address* [ipv4] | |+--rw application-description? string || | +--rwapplication-object* string | |ipv4 inet:ipv4-address |+--rw application-group* string| | | +--rwapplication-label* string(subnet)? | | |+--rw category| +--:(prefix-length) | |+--rw application-category*| | |[name application-subcategory]+--rw prefix-length? uint8 | | |+--rw name string| +--:(netmask) | |+--rw application-subcategory string| | +--rwtarget-conditionnetmask? yang:dotted-quad | | |+--rw target-description? string+--:(range-match) | | | +--rwdevice-sec-context-condrange-ipv4-address* [start-ipv4-address end-ipv4-address] | | | +--rwpc? booleanstart-ipv4-address inet:ipv4-address | | | +--rwmobile-phone? boolean |end-ipv4-address inet:ipv4-address | | +--rwvoip-volte-phone? booleanpkt-sec-ipv4-dest | | | +--rwtablet? boolean(match-type)? | | |+--rw iot? boolean+--:(exact-match) | | |+--rw vehicle? boolean || +--rwusers-conditionipv4 | | | | +--rwusers-description? stringipv4-address* [ipv4] | | | | +--rwuseripv4 inet:ipv4-address | | | | +--rw(user-name)?(subnet)? | | | |+--:(tenant)+--:(prefix-length) | | | | | +--rwtenantprefix-length? uint8 | | | |+--:(vn-id)+--:(netmask) | | | | +--rwvn-id uint8netmask? yang:dotted-quad | | |+--rw group |+--:(range-match) | | | +--rw(group-name)? |range-ipv4-address* [start-ipv4-address end-ipv4-address] | | |+--:(tenant)+--rw start-ipv4-address inet:ipv4-address | | | +--rw end-ipv4-address inet:ipv4-address | | +--rwtenant uint8pkt-sec-ipv4-ipopts* identityref | | +--rw pkt-sec-ipv4-sameip? boolean | |+--:(vn-id)+--rw pkt-sec-ipv4-geoip* string | +--rw packet-security-ipv6-condition | | +--rw pkt-sec-ipv6-traffic-class* identityref | | +--rwvn-id uint8pkt-sec-ipv6-flow-label | | | +--rwsecurity-grup string(match-type)? | |+--rw url-category-condition| +--:(exact-match) | | | | +--rwurl-category-description? stringipv6-flow-label* uint32 | | |+--rw pre-defined-category* string+--:(range-match) | | | +--rwuser-defined-category* stringrange-ipv6-flow-label* [start-ipv6-flow-label end-ipv6-flow-label] | | | +--rwcontext-conditionstart-ipv6-flow-label uint32 | | | +--rwcontext-description? stringend-ipv6-flow-label uint32 | | +--rwgen-context-conditionpkt-sec-ipv6-payload-length | | | +--rwgen-context-description? string(match-type)? | |+--rw geographic-location| +--:(exact-match) |+--rw src-geographic-location* uint32| |+--rw dest-geographic-location* uint32| +--rwaction-clause-containeripv6-payload-length* uint16 |... +--rw resolution-strategy|... +--rw default-action|... +--rw rule-group ... Figure 3: Data Model Structure for Condition Rule These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition. These objects can be extended according to specific vendor condition features. We will add additional condition objects for more generic network security functions. 5.4. Action Clause The data model for action rule has the following structure: module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] ...+--:(range-match) | | | +--rwevent-clause-containerrange-ipv6-payload-length* [start-ipv6-payload-length end-ipv6-payload-length] | |...| +--rwcondition-clause-containerstart-ipv6-payload-length uint16 | |...| +--rwaction-clause-containerend-ipv6-payload-length uint16 |+--rw action-clause-list* [eca-object-id]| +--rwentity-class?pkt-sec-ipv6-next-header* identityref |+--rw eca-object-id string| +--rwrule-log? booleanpkt-sec-ipv6-hop-limit | |+--rw session-log? boolean| +--rwingress-action(match-type)? | | | +--:(exact-match) | | | | +--rwingress-description? stringipv6-hop-limit* uint8 | | | +--:(range-match) | | | +--rwingress-action-type? ingress-actionrange-ipv6-hop-limit* [start-ipv6-hop-limit end-ipv6-hop-limit] | | | +--rwegress-actionstart-ipv6-hop-limit uint8 | | | +--rwegress-description? stringend-ipv6-hop-limit uint8 | | +--rwegress-action-type? egress-actionpkt-sec-ipv6-src | | | +--rwapply-profile(match-type)? | | | +--:(exact-match) | | | | +--rwprofile-description? stringipv6 | | | | +--rwcontent-security-controlipv6-address* [ipv6] | | | | +--rwcontent-security-control-typesipv6 inet:ipv6-address | | | | +--rwantivirus? stringprefix-length? uint8 | | | +--:(range-match) | | | +--rwips? stringrange-ipv6-address* [start-ipv6-address end-ipv6-address] | | | +--rwids? stringstart-ipv6-address inet:ipv6-address | | | +--rwurl-filtering? stringend-ipv6-address inet:ipv6-address | | +--rwdata-filtering? stringpkt-sec-ipv6-dest | | +--rwmail-filtering? string(match-type)? | | +--:(exact-match) | | | +--rwfile-blocking? stringipv6-address* [ipv6] | | | +--rwfile-isolate? stringipv6 inet:ipv6-address | | | +--rwpkt-capture? stringprefix-length? uint8 | | +--:(range-match) | | +--rwapplication-control? stringrange-ipv6-address* [start-ipv6-address end-ipv6-address] | | +--rwvoip-volte? stringstart-ipv6-address inet:ipv6-address | | +--rwattack-mitigation-controlend-ipv6-address inet:ipv6-address | +--rwddos-attackpacket-security-tcp-condition | | +--rwddos-attack-typepkt-sec-tcp-src-port-num | | | +--rwnetwork-layer-ddos-attack(match-type)? | | |+--rw network-layer-ddos-attack-type+--:(exact-match) | | | | +--rwsyn-flood? stringport-num* inet:port-number | | |+--rw udp-flood? string+--:(range-match) | | | +--rwicmp-flood? stringrange-port-num* [start-port-num end-port-num] | | | +--rwip-frag-flood? stringstart-port-num inet:port-number | | | +--rwipv6-related? stringend-port-num inet:port-number | | +--rwapp-layer-ddos-attackpkt-sec-tcp-dest-port-num | | | +--rwapp-ddos-attack-types(match-type)? | |+--rw http-flood? string| +--:(exact-match) | |+--rw https-flood? string| | +--rwdns-flood? stringport-num* inet:port-number | |+--rw dns-amp-flood? string| +--:(range-match) |+--rw ssl-ddos? string|+--rw single-packet-attack| +--rwsingle-packet-attack-typerange-port-num* [start-port-num end-port-num] |+--rw scan-and-sniff-attack| | +--rwscan-and-sniff-attack-typesstart-port-num inet:port-number | | | +--rwip-sweep? stringend-port-num inet:port-number | | +--rwport-scanning? stringpkt-sec-tcp-seq-num |+--rw malformed-packet-attack| | +--rwmalformed-packet-attack-types(match-type)? | |+--rw ping-of-death? string| +--:(exact-match) |+--rw teardrop? string|+--rw special-packet-attack|+--rw special-packet-attack-types| +--rwoversized-icmp? stringtcp-seq-num* uint32 | | | +--:(range-match) |+--rw tracert? string +--rw resolution-strategy|... +--rw default-action|...+--rwrule-grouprange-tcp-seq-num* [start-tcp-seq-num end-tcp-seq-num] | | | +--rw start-tcp-seq-num uint32 | | | +--rw end-tcp-seq-num uint32 | | +--rw pkt-sec-tcp-ack-num | | | +--rw (match-type)? | | | +--:(exact-match) | | | | +--rw tcp-ack-num* uint32 | | | +--:(range-match) | | | +--rw range-tcp-ack-num* [start-tcp-ack-num end-tcp-ack-num] | | | +--rw start-tcp-ack-num uint32 | | | +--rw end-tcp-ack-num uint32 | | +--rw pkt-sec-tcp-window-size | | | +--rw (match-type)? | | | +--:(exact-match) | | | | +--rw tcp-window-size* uint16 | | | +--:(range-match) | | | +--rw range-tcp-window-size* [start-tcp-window-size end-tcp-window-size] | | | +--rw start-tcp-window-size uint16 | | | +--rw end-tcp-window-size uint16 | | +--rw pkt-sec-tcp-flags* identityref | +--rw packet-security-udp-condition | | +--rw pkt-sec-udp-src-port-num | | | +--rw (match-type)? | | | +--:(exact-match) | | | | +--rw port-num* inet:port-number | | | +--:(range-match) | | | +--rw range-port-num* [start-port-num end-port-num] | | | +--rw start-port-num inet:port-number | | | +--rw end-port-num inet:port-number | | +--rw pkt-sec-udp-dest-port-num | | | +--rw (match-type)? | | | +--:(exact-match) | | | | +--rw port-num* inet:port-number | | | +--:(range-match) | | | +--rw range-port-num* [start-port-num end-port-num] | | | +--rw start-port-num inet:port-number | | | +--rw end-port-num inet:port-number | | +--rw pkt-sec-udp-total-length | | +--rw (match-type)? | | +--:(exact-match) | | | +--rw udp-total-length* uint32 | | +--:(range-match) | | +--rw range-udp-total-length* [start-udp-total-length end-udp-total-length] | | +--rw start-udp-total-length uint32 | | +--rw end-udp-total-length uint32 | +--rw packet-security-icmp-condition | | +--rw pkt-sec-icmp-type* identityref | +--rw packet-security-http-condition | | +--rw pkt-sec-uri-content* string | | +--rw pkt-sec-url-content* string | +--rw packet-security-voice-condition | | +--rw pkt-sec-src-voice-id* string | | +--rw pkt-sec-dest-voice-id* string | | +--rw pkt-sec-user-agent* string | +--rw packet-security-ddos-condition | +--rw pkt-sec-alert-rate? uint32 +--rw action-clause-container ... Figure4: Data Model Structure3: YANG Tree Diagram forAction Rule These objects areNetwork Security Policy This YANG tree diagram shows an condition clause of I2NSF security policy rule for generic network security functions. A condition clause is defined asingress action, egress action, and apply profile action. These objects can be extendeda set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed or not. The condition clause is classified as conditions of generic network security functions and advanced network security functions. The condition clause of generic network security functions is defined as packet security IPv4 condition, packet security IPv6 condition, packet security tcp condition, and packet security icmp condition. The condition clause of advanced network security functions is defined as packet security http condition, packet security voice condition, and packet security ddos condition. Note that this document deals only with simple conditions of advanced network security functions. The condition clauses of advanced network security functions are described in detail in [i2nsf-advanced-nsf-dm]. The condition clause can be extended according to specific vendor condition features. The condition clause is described in detail in [i2nsf-nsf-cap-im]. 4.4. Action Clause This section shows YANG tree diagram for an actionfeature. We will add additionalclause of I2NSF security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy ... +--rw rules* [rule-name] ... +--rw event-clause-container | ... +--rw condition-clause-container | ... +--rw action-clause-container +--rw action-clause-description? string +--rw packet-action | +--rw ingress-action? identityref | +--rw egress-action? identityref | +--rw log-action? identityref +--rw advanced-action +--rw content-security-control* identityref +--rw attack-mitigation-control* identityref Figure 4: YANG Tree Diagram for Network Security Policy This YANG tree diagram shows an action clause of I2NSF security policy rule for generic network security functions. An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security services by executing various actions. The actionobjectsclause is defined as ingress action, egress action, log action, and advanced action for additional inspection. The advanced action is described in detail in [RFC8329] and [i2nsf-nsf-cap-im]. The action clause can be extended according to specific vendor action features. The action clause is described in detail in [i2nsf-nsf-cap-im]. 5. YANG Data Module 5.1. I2NSF NSF-Facing Interface YANG Data Module This section introduces an YANG data module for configuration of security policy rules on network security functions. <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix iiprfn; import ietf-inet-types{ prefix inet; reference "RFC 6991"; } import ietf-yang-types{ prefix yang; reference "RFC 6991"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/i2nsf> WG List: <mailto:i2nsf@ietf.org> WG Chair: Adrian Farrel <mailto:Adrain@olddog.co.uk> WG Chair: Linda Dunbar <mailto:Linda.duhbar@huawei.com> Editor: Jingyong Tim Kim <mailto:timkim@skku.edu> Editor: Jaehoon Paul Jeong <mailto:pauljeong@skku.edu> Editor: Susan Hares <mailto:shares@ndzh.com>"; description "This module defines a YANG data module for network security functions. Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices."; revision "2019-03-11"{ description "Initial revision."; reference "RFC XXXX: I2NSF Network Security Function-Facing Interface YANG Data Model"; } /* * Identities */ identity priority-usage-type { description "Base identity for priority usage type."; } identity priority-by-order { base priority-usage-type; description "Identity for priority by order"; } identity priority-by-number { base priority-usage-type; description "Identity for priority by number"; } identity event { description "Base identity for event of policy."; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - Event"; } identity system-event { base event; description "Identity for system event"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event"; } identity system-alarm { base event; description "Identity for system alarm"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity access-violation { base system-event; description "Identity for access violation among system events"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event"; } identity configuration-change { base system-event; description "Identity for configuration change among system events"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event"; } identity memory-alarm { base system-alarm; description "Identity for memory alarm among system alarms"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity cpu-alarm { base system-alarm; description "Identity for cpu alarm among system alarms"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity disk-alarm { base system-alarm; description "Identity for disk alarm among system alarms"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity hardware-alarm { base system-alarm; description "Identity for hardware alarm among system alarms"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity interface-alarm { base system-alarm; description "Identity for interface alarm among system alarms"; reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm"; } identity type-of-service { description "Base identity for type of service of IPv4"; reference "RFC 791: Internet Protocol - Type of Service"; } identity traffic-class { description "Base identity for traffic-class of IPv6"; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity normal { base type-of-service; base traffic-class; description "Identity for normal"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity minimize-cost { base type-of-service; base traffic-class; description "Identity for minimize cost"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity maximize-reliability { base type-of-service; base traffic-class; description "Identity for maximize reliability"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity maximize-throughput { base type-of-service; base traffic-class; description "Identity for maximize throughput"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity minimize-delay { base type-of-service; base traffic-class; description "Identity for minimize delay"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity maximize-security { base type-of-service; base traffic-class; description "Identity for maximize security"; reference "RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity fragmentation-flags-type { description "Base identity for fragmentation flags type"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity fragment { base fragmentation-flags-type; description "Identity for fragment"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity no-fragment { base fragmentation-flags-type; description "Identity for no fragment"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity reserved { base fragmentation-flags-type; description "Identity for reserved"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity protocol { description "Base identity for protocol of IPv4"; reference "RFC 790: Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Protocol"; } identity next-header { description "Base identity for next header of IPv6"; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity icmp { base protocol; base next-header; description "Identity for icmp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity igmp { base protocol; base next-header; description "Identity for igmp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity tcp { base protocol; base next-header; description "Identity for tcp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity igrp { base protocol; base next-header; description "Identity for igrp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity udp { base protocol; base next-header; description "Identity for udp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity gre { base protocol; base next-header; description "Identity for gre"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity esp { base protocol; base next-header; description "Identity for esp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ah { base protocol; base next-header; description "Identity for ah"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity mobile { base protocol; base next-header; description "Identity for mobile"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity tlsp { base protocol; base next-header; description "Identity for tlsp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity skip { base protocol; base next-header; description "Identity for skip"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ipv6-icmp { base protocol; base next-header; description "Identity for IPv6 icmp "; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity eigrp { base protocol; base next-header; description "Identity for eigrp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ospf { base protocol; base next-header; description "Identity for ospf"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity l2tp { base protocol; base next-header; description "Identity for l2tp"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Type of Service RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ipopts { description "Base identity for IP options"; reference "RFC 791: Internet Protocol - Options"; } identity rr { base ipopts; description "Identity for record route"; reference "RFC 791: Internet Protocol - Options"; } identity eol { base ipopts; description "Identity for end of list"; reference "RFC 791: Internet Protocol - Options"; } identity nop { base ipopts; description "Identity for no operation"; reference "RFC 791: Internet Protocol - Options"; } identity ts { base ipopts; description "Identity for time stamp"; reference "RFC 791: Internet Protocol - Options"; } identity sec { base ipopts; description "Identity for IP security"; reference "RFC 791: Internet Protocol - Options"; } identity esec { base ipopts; description "Identity for IP extended security"; reference "RFC 791: Internet Protocol - Options"; } identity lsrr { base ipopts; description "Identity for loose source routing"; reference "RFC 791: Internet Protocol - Options"; } identity ssrr { base ipopts; description "Identity for strict source routing"; reference "RFC 791: Internet Protocol - Options"; } identity satid { base ipopts; description "Identity for stream identifier"; reference "RFC 791: Internet Protocol - Options"; } identity any { base ipopts; description "Identity for which any IP options are set"; reference "RFC 791: Internet Protocol - Options"; } identity tcp-flags { description "Base identity for tcp flags"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity cwr { base tcp-flags; description "Identity for congestion window reduced"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity ecn { base tcp-flags; description "Identity for explicit congestion notification"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity urg { base tcp-flags; description "Identity for urgent"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity ack { base tcp-flags; description "Identity for acknowledgement"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity psh { base tcp-flags; description "Identity for push"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity rst { base tcp-flags; description "Identity for reset"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity syn { base tcp-flags; description "Identity for synchronize"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity fin { base tcp-flags; description "Identity for finish"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity icmp-type { description "Base identity for icmp types"; reference "RFC 792: Internet Control Message Protocol"; } identity echo-reply { base icmp-type; description "Identity for echo reply"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-unreachable { base icmp-type; description "Identity for destination unreachable"; reference "RFC 792: Internet Control Message Protocol"; } identity source-quench { base icmp-type; description "Identity for source quench"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect { base icmp-type; description "Identity for redirect"; reference "RFC 792: Internet Control Message Protocol"; } identity alternate-host-address { base icmp-type; description "Identity for alternate host address"; reference "RFC 792: Internet Control Message Protocol"; } identity echo { base icmp-type; description "Identity for echo"; reference "RFC 792: Internet Control Message Protocol"; } identity router-advertisement { base icmp-type; description "Identity for router advertisement"; reference "RFC 792: Internet Control Message Protocol"; } identity router-solicitation { base icmp-type; description "Identity for router solicitation"; reference "RFC 792: Internet Control Message Protocol"; } identity time-exceeded { base icmp-type; description "Identity for time exceeded"; reference "RFC 792: Internet Control Message Protocol"; } identity parameter-problem { base icmp-type; description "Identity for parameter problem"; reference "RFC 792: Internet Control Message Protocol"; } identity timestamp { base icmp-type; description "Identity for timestamp"; reference "RFC 792: Internet Control Message Protocol"; } identity timestamp-reply { base icmp-type; description "Identity for timestamp reply"; reference "RFC 792: Internet Control Message Protocol"; } identity information-request { base icmp-type; description "Identity for information request"; reference "RFC 792: Internet Control Message Protocol"; } identity information-reply { base icmp-type; description "Identity for information reply"; reference "RFC 792: Internet Control Message Protocol"; } identity address-mask-request { base icmp-type; description "Identity for address mask request"; reference "RFC 792: Internet Control Message Protocol"; } identity address-mask-reply { base icmp-type; description "Identity for address mask reply"; reference "RFC 792: Internet Control Message Protocol"; } identity traceroute { base icmp-type; description "Identity for traceroute"; reference "RFC 792: Internet Control Message Protocol"; } identity datagram-conversion-error { base icmp-type; description "Identity for datagram conversion error"; reference "RFC 792: Internet Control Message Protocol"; } identity mobile-host-redirect { base icmp-type; description "Identity for mobile host redirect"; reference "RFC 792: Internet Control Message Protocol"; } identity ipv6-where-are-you { base icmp-type; description "Identity for IPv6 where are you"; reference "RFC 792: Internet Control Message Protocol"; } identity ipv6-i-am-here { base icmp-type ; description "Identity for IPv6 i am here"; reference "RFC 792: Internet Control Message Protocol"; } identity mobile-registration-request { base icmp-type; description "Identity for mobile registration request"; reference "RFC 792: Internet Control Message Protocol"; } identity mobile-registration-reply { base icmp-type; description "Identity for mobile registration reply"; reference "RFC 792: Internet Control Message Protocol"; } identity domain-name-request { base icmp-type; description "Identity for domain name request"; reference "RFC 792: Internet Control Message Protocol"; } identity domain-name-reply { base icmp-type; description "Identity for domain name reply"; reference "RFC 792: Internet Control Message Protocol"; } identity iskip { base icmp-type; description "Identity for icmp skip"; reference "RFC 792: Internet Control Message Protocol"; } identity photuris { base icmp-type; description "Identity for photuris"; reference "RFC 792: Internet Control Message Protocol"; } identity experimental-mobility-protocols { base icmp-type; description "Identity for experimental mobility protocols"; reference "RFC 792: Internet Control Message Protocol"; } identity extended-echo-request { base icmp-type; description "Identity for extended echo request"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity extended-echo-reply { base icmp-type; description "Identity for extended echo reply"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity net-unreachable { base icmp-type; description "Identity for net unreachable in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity host-unreachable { base icmp-type; description "Identity for host unreachable in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity protocol-unreachable { base icmp-type; description "Identity for protocol unreachable in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity port-unreachable { base icmp-type; description "Identity for port unreachable in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity fragment-set { base icmp-type; description "Identity for fragmentation set in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity source-route-failed { base icmp-type; description "Identity for source route failed in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-network-unknown { base icmp-type; description "Identity for destination network unknown in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-host-unknown { base icmp-type; description "Identity for destination host unknown in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity source-host-isolated { base icmp-type; description "Identity for source host isolated in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity communication-prohibited-with-destination-network { base icmp-type; description "Identity for which communication with destination network is administratively prohibited in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity communication-prohibited-with-destination-host { base icmp-type; description "Identity for which communication with destination host is administratively prohibited in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-network-unreachable-for-tos { base icmp-type; description "Identity for destination network unreachable for type of service in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-host-unreachable-for-tos { base icmp-type; description "Identity for destination host unreachable for type of service in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity communication-prohibited { base icmp-type; description "Identity for communication administratively prohibited in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity host-precedence-violation { base icmp-type; description "Identity for host precedence violation in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity precedence-cutoff-in-effect { base icmp-type; description "Identity for precedence cutoff in effect in destination unreachable types"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect-datagram-for-the-network { base icmp-type; description "Identity for redirect datagram for the network (or subnet) in redirect types"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect-datagram-for-the-host { base icmp-type; description "Identity for redirect datagram for the host in redirect types"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect-datagram-for-the-tos-and-network { base icmp-type; description "Identity for redirect datagram for the type of service and network in redirect types"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect-datagram-for-the-tos-and-host { base icmp-type; description "Identity for redirect datagram for the type of service and host in redirect types"; reference "RFC 792: Internet Control Message Protocol"; } identity normal-router-advertisement { base icmp-type; description "Identity for normal router advertisement in router advertisement types"; reference "RFC 792: Internet Control Message Protocol"; } identity does-not-route-common-traffic { base icmp-type; description "Identity for does not route common traffic in router advertisement types"; reference "RFC 792: Internet Control Message Protocol"; } identity time-to-live-exceeded-in-transit { base icmp-type; description "Identity for time to live exceeded in transit in time exceeded types"; reference "RFC 792: Internet Control Message Protocol"; } identity fragment-reassembly-time-exceeded { base icmp-type; description "Identity for fragment reassembly time exceeded in time exceeded types"; reference "RFC 792: Internet Control Message Protocol"; } identity pointer-indicates-the-error { base icmp-type; description "Identity for pointer indicates the error in parameter problem types"; reference "RFC 792: Internet Control Message Protocol"; } identity missing-a-required-option { base icmp-type; description "Identity for missing a required option in parameter problem types"; reference "RFC 792: Internet Control Message Protocol"; } identity bad-length { base icmp-type; description "Identity for bad length in parameter problem types"; reference "RFC 792: Internet Control Message Protocol"; } identity bad-spi { base icmp-type; description "Identity for bad spi in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity authentication-failed { base icmp-type; description "Identity for authentication failed in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity decompression-failed { base icmp-type; description "Identity for decompression failed in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity decryption-failed { base icmp-type; description "Identity for decryption failed in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity need-authentication { base icmp-type; description "Identity for need authentication in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity need-authorization { base icmp-type; description "Identity for need authorization in photuris types"; reference "RFC 792: Internet Control Message Protocol"; } identity req-no-error { base icmp-type; description "Identity for request with no error in extended echo request types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity rep-no-error { base icmp-type; description "Identity for reply with no error in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity malformed-query { base icmp-type; description "Identity for malformed query in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity no-such-interface { base icmp-type; description "Identity for no such interface in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity no-such-table-entry { base icmp-type; description "Identity for no such table entry in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity multiple-interfaces-satisfy-query { base icmp-type; description "Identity for multiple interfaces satisfy query in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity content-security-control { description "Base identity for content security control"; reference "RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities"; } identity antivirus { base content-security-control; description "Identity for antivirus"; } identity ips { base content-security-control; description "Identity for ips"; } identity ids { base content-security-control; description "Identity for ids"; } identity url-filtering { base content-security-control; description "Identity for url filtering"; } identity mail-filtering { base content-security-control; description "Identity for mail filtering"; } identity file-blocking { base content-security-control; description "Identity formore generic network security functions. 6. YANG Module 6.1. IETF NSF-Facing Interface YANG Data Module This section introduces a YANG modulefile blocking"; } identity file-isolate { base content-security-control; description "Identity forthe information model of network security functions, as defined in the [i2nsf-nsf-cap-im]. <CODE BEGINS>file"ietf-i2nsf-policy-rule-for-nsf@2018-11-04.yang" module ietf-i2nsf-policy-rule-for-nsfisolate"; } identity pkt-capture {yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix policy-rule-for-nsf; import ietf-inet-types{ prefix inet;base content-security-control; description "Identity for packet capture"; }import ietf-yang-types{ prefix yang;identity application-control { base content-security-control; description "Identity for application control"; }organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/i2nsf> WG List: <mailto:i2nsf@ietf.org> WG Chair: Adrian Farrel <mailto:Adrain@olddog.co.uk> WG Chair: Linda Dunbar <mailto:Linda.duhbar@huawei.com> Editor: Jingyong Tim Kim <mailto:timkim@skku.edu> Editor: Jaehoon Paul Jeong <mailto:pauljeong@skku.edu> Editor: Susan Hares <mailto:shares@ndzh.com>";identity voip-volte { base content-security-control; description"This module defines a YANG data module"Identity fornetwork security functions."; revision "2018-11-04"{voip and volte"; } identity attack-mitigation-control { description"The fourth revision";"Base identity for attack mitigation control"; reference"draft-ietf-i2nsf-capability-04";"RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities"; }typedef sec-event-format { type enumerationidentity syn-flood {enum unknownbase attack-mitigation-control; description "Identity for syn flood"; } identity udp-flood { base attack-mitigation-control; description"If SecEventFormat is unknown";"Identity for udp flood"; }enum guididentity icmp-flood { base attack-mitigation-control; description"If SecEventFormat is GUID (Generic Unique IDentifier)";"Identity for icmp flood"; }enum uuididentity ip-frag-flood { base attack-mitigation-control; description"If SecEventFormat is UUID (Universal Unique IDentifier)";"Identity for ip frag flood"; }enum uriidentity ipv6-related { base attack-mitigation-control; description"If SecEventFormat is URI (Uniform Resource Identifier)";"Identity for ipv6 related"; }enum fqdnidentity http-and-https-flood { base attack-mitigation-control; description"If SecEventFormat is FQDN (Fully Qualified Domain Name)";"Identity for http and https flood"; }enum fqpnidentity dns-flood { base attack-mitigation-control; description"If SecEventFormat is FQPN (Fully Qualified Path Name)";"Identity for dns flood"; } identity dns-amp-flood { base attack-mitigation-control; description "Identity for dns amp flood"; } identity ssl-ddos { base attack-mitigation-control; description"This is used"Identity forSecEventFormat.";ssl ddos"; }typedef priority-usage-typeidentity ip-sweep {type enumerationbase attack-mitigation-control; description "Identity for ip sweep"; } identity port-scanning {enum priority-by-orderbase attack-mitigation-control; description "Identity for port scanning"; } identity ping-of-death { base attack-mitigation-control; description"If priority type is order";"Identity for ping of death"; }enum priority-by-numberidentity teardrop { base attack-mitigation-control; description"If priority type is number";"Identity for teardrop"; } identity oversized-icmp { base attack-mitigation-control; description "Identity for oversized icmp"; } identity tracert { base attack-mitigation-control; description"This is used"Identity forpriority type.";tracert"; }typedefidentity ingress-action {type enumerationdescription "Base identity for action"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Ingress Action"; } identity egress-action {enumdescription "Base identity for egress action"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Egress action"; } identity default-action { description "Base identity for default action"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Default action"; } identity pass { base ingress-action; base egress-action; base default-action; description"If ingress action is"Identity for pass"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Actions and default action"; }enumidentity drop { base ingress-action; base egress-action; base default-action; description"If ingress action is"Identity for drop"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Actions and default action"; }enumidentity reject { base ingress-action; base egress-action; base default-action; description"If ingress action is"Identity for reject"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Actions and default action"; }enumidentity alert { base ingress-action; base egress-action; base default-action; description"If ingress action is"Identity for alert"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Actions and default action"; }enumidentity mirror { base ingress-action; base egress-action; base default-action; description"If ingress action is"Identity for mirror"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Actions and default action"; }}identity log-action { description"This is used"Base identity foringress action.";log action"; }typedef egress-actionidentity rule-log {type enumerationbase log-action; description "Identity for rule log"; } identity session-log {enumbase log-action; description "Identity for session log"; } identity invoke-signaling { base egress-action; description"If egress action is"Identity for invoke signaling"; }enumidentity tunnel-encapsulation { base egress-action; description"If egress action is"Identity for tunnel encapsulation"; }enumidentity forwarding { base egress-action; description"If egress action is"Identity for forwarding"; }enumidentity redirection { base egress-action; description"If egress action is redirection"; } } description "This is used"Identity foregress action."; } identity ECA-OBJECT-TYPE { description "TBD";redirection"; } identityECA-EVENT-TYPEresolution-strategy {base ECA-OBJECT-TYPE;description"TBD"; }"Base identityECA-CONDITION-TYPE { base ECA-OBJECT-TYPE; description "TBD";for resolution strategy"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; } identityECA-ACTION-TYPEfmr { baseECA-OBJECT-TYPE;resolution-strategy; description"TBD";"Identity for First Matching Rule (FMR)"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; } identityEVENT-USER-TYPElmr { baseECA-EVENT-TYPE;resolution-strategy; description"TBD";"Identity for Last Matching Rule (LMR)"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; } identityEVENT-DEV-TYPEpmr { baseECA-EVENT-TYPE;resolution-strategy; description"TBD";"Identity for Prioritized Matching Rule (PMR)"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; } identityEVENT-SYS-TYPEpmre { baseECA-EVENT-TYPE;resolution-strategy; description"TBD";"Identity for Prioritized Matching Rule with Errors (PMRE)"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; } identityEVENT-TIME-TYPEpmrn { baseECA-EVENT-TYPE;resolution-strategy; description"TBD";"Identity for Prioritized Matching Rule with No Errors (PMRN)"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution Strategy"; }grouping i2nsf-eca-object-type/* * Typedefs */ typedef start-time-type {leaf entity-classtype union { typeidentityrefstring {base ECA-OBJECT-TYPE;pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' + '(Z|[\+\-]\d{2}:\d{2})'; } type enumeration { enum right-away { description "Immediate rule execution in the system."; } } } description"TBD";"Start time when the rules are applied."; }leaf eca-object-idtypedef end-time-type { typestring;union { type string { pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' + '(Z|[\+\-]\d{2}:\d{2})'; } type enumeration { enum infinitely { description"TBD";"Infinite rule execution in the system."; } } } description"TBD";"End time when the rules are applied."; }grouping i2nsf-event-typetypedef day-type { type enumeration { enum sunday { description"TBD"; leaf description"Sunday for periodic day"; } enum monday {type string;description"This is"Monday for periodic day"; } enum tuesday { description "Tuesday forevent. Vendors can write instructionsperiodic day"; } enum wednesday { description "Wednesday forevent that vendor made";periodic day"; }leaf sec-event-contentenum thursday {type string; mandatory true;description"This is a mandatory string that contains the content of the SecurityEvent. The format of the content is specified in the SecEventFormat class attribute, and the type of event is defined in the SecEventType class attribute. An example of the SecEventContent attribute is a string hrAdmin, with the SecEventFormat set to 1 (GUID) and the SecEventType attribute set to 5 (new logon).";"Thursday for periodic day"; }leaf sec-event-formatenum friday {type sec-event-format; mandatory true;description"This is a mandatory uint 8 enumerated integer, which is used to specify the data type of the SecEventContent attribute. The content is specified in the SecEventContent class attribute, and the type of event is defined in the SecEventType class attribute. An example of the SecEventContent attribute is string hrAdmin, with the SecEventFormat attribute set to 1 (GUID) and the SecEventType attribute set to 5 (new logon).";"Friday for periodic day"; }leaf sec-event-typeenum saturday {type string; mandatory true;description "Saturday for periodic day"; } } description "Thisis a mandatory uint 8 enumerated integer, which iscan be usedto specify the type of event that involves this user. The content and format are specified in the SecEventContent and SecEventFormat class attributes, respectively. An example of the SecEventContent attribute is string hrAdmin, withfor theSecEventFormat attribute setrules to1 (GUID) and the SecEventType attribute setbe applied according to5 (new logon).";periodic day"; } typedef month-type { type enumeration { enum january { description "January for periodic month"; }container i2nsf-security-policyenum february { description"policy is a container including a set of security"February for periodic month"; } enum march { description "March for periodic month"; } enum april { description "April for periodic month"; } enum may { description "May for periodic month"; } enum june { description "June for periodic month"; } enum july { description "July for periodic month"; } enum august { description "August for periodic month"; } enum september { description "September for periodic month"; } enum october { description "October for periodic month"; } enum november { description "November for periodic month"; } enum december { description "December for periodic month"; } } description "This can be used for the rulesaccordingtocertain logic, i.e., their similarity or mutual relations, etc. The network security policy is ablebe applied according toapply over both the unidirectional and bidirectional traffic across the NSF.";periodic month"; } /* * Groupings */ grouping ipv4 { listsystem-policyipv4-address { key"system-policy-name";"ipv4"; description "Thesystem-policy represents there could be multiple system policies in one NSF, and each system policy is used by one virtual instancelist ofthe NSF/device.";IPv4 address."; leafsystem-policy-nameipv4 { typestring; mandatory true;inet:ipv4-address; description "Thenamevalue ofthe policy. This mustIPv4 address."; } choice subnet { description "The subnet can beunique.";specified as a prefix length or netmask."; leaf prefix-length { type uint8 { range "0..32"; } description "The length of the subnet prefix."; } leafpriority-usagenetmask { typepriority-usage-type; mandatory true;yang:dotted-quad; description"This is priority type.";"The subnet specified as a netmask."; } } } description "Grouping for an IPv4 address"; reference "RFC 791: Internet Protocol - IPv4 address RFC 8344: A YANG Data Model for IP Management"; } grouping ipv6 { listrulesipv6-address { key"rule-name";"ipv6"; description"This is a rule for network security functions.";"The list of IPv6 address."; leafrule-nameipv6 { typestring; mandatory true;inet:ipv6-address; description "Theidvalue ofthe rule. This must be unique.";IPv6 address."; } leafrule-descriptionprefix-length { typestring;uint8 { range "0..128"; } description"This"The length of the subnet prefix."; } } descriptiongives more information about rules.";"Grouping for an IPv6 address"; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address RFC 8344: A YANG Data Model for IP Management"; }leaf rule-prioritygrouping pkt-sec-ipv4 { choice match-type {type uint8;description"The priority keyword comes with"There are two types to configure amandatory numeric value which cansecurity policy for IPv4 address, such as exact match and rangefrom 1 till 255.";match."; case exact-match { uses ipv4; description "Exact match for an IPv4 address."; } case range-match { list range-ipv4-address { key "start-ipv4-address end-ipv4-address"; leafenablestart-ipv4-address { typeboolean;inet:ipv4-address; description"True is enable. False is not enbale.";"Start IPv4 address for a range match."; } leafsession-aging-timeend-ipv4-address { typeuint16;inet:ipv4-address; description"This is session aging time.";"End IPv4 address for a range match."; }container long-connectiondescription "Range match for an IPv4 address."; } } } description "Grouping for an IPv4 address."; reference "RFC 791: Internet Protocol - IPv4 address"; } grouping pkt-sec-ipv6 { choice match-type { description"This is long-connection";"There are two types to configure a security policy for IPv6 address, such as exact match and range match."; case exact-match { uses ipv6; description "Exact match for an IPv6 address."; } case range-match { list range-ipv6-address { key "start-ipv6-address end-ipv6-address"; leafenablestart-ipv6-address { typeboolean;inet:ipv6-address; description"True is enable. False is not enbale.";"Start IPv6 address for a range match."; } leafduringend-ipv6-address { typeuint16;inet:ipv6-address; description "End IPv6 address for a range match."; } description"This is during time.";"Range match for an IPv6 address."; } } }container time-zone {description"This can be used to apply rules according to time-zone"; container absolute-time-zone"Grouping for IPv6 address."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } grouping pkt-sec-port-number {description "This can be used to apply rules according to absolute-time"; container timechoice match-type { description"This can be used to apply rules according"There are two types totime"; leaf start-timeconfigure a security policy for a port number, such as exact match and range match."; case exact-match { leaf-list port-num { typeyang:date-and-time;inet:port-number; description"This is start time"Exact match fortime zone";a port number."; } } case range-match { list range-port-num { key "start-port-num end-port-num"; leafend-timestart-port-num { typeyang:date-and-time;inet:port-number; description"This is end time"Start port number fortime zone"; }a range match."; }container date { description "This can be used to apply rules according to date";leafabsolute-dateend-port-num { typeyang:date-and-time;inet:port-number; description"This is absolute date"Start port number fortime zone";a range match."; } description "Range match for a port number."; } } } description "Grouping for port number."; reference "RFC 793: Transmission Control Protocol - Port number RFC 768: User Datagram Protocol - Port Number"; } /* * Data nodes */ containerperiodic-time-zonei2nsf-security-policy { description"This can be used to apply"Container for security policy including a set of security rules according toperiodic-time-zone"; container day { description "This can be usedcertain logic, i.e., their similarity or mutual relations, etc. The network security policy is able to applyrules accordingover both the unidirectional and bidirectional traffic across the NSF. The I2NSF security policies use the Event-Condition-Action (ECA) policy model "; reference "RFC 8329: Framework for Interface toperiodic day"; leaf sundayNetwork Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; list system-policy {type boolean;key "system-policy-name"; description"This is sunday for periodic day"; }"The system-policy represents there could be multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device."; leafmondaysystem-policy-name { typeboolean;string; mandatory true; description"This is monday for periodic day";"The name of the policy. This must be unique."; } leaftuesdaypriority-usage { typeboolean;identityref { base priority-usage-type; } default priority-by-order; description"This is tuesday"Priority usage type forperiodic day";security policy rule: priority by order and priority by number"; } leafwednesdayresolution-strategy { typeboolean;identityref { base resolution-strategy; } default fmr; description"This is wednesday for periodic day";"The resolution strategies can be used to specify how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution strategy"; } leafthursdaydefault-action { typeboolean;identityref { base default-action; } default alert; description "This default action can be used to specify a predefined action when no other alternative action was matched by the currently executing I2NSF Policy Rule. An analogy isthursday for periodic day";the use of a default statement in a C switch statement."; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Default action"; }leaf fridaylist rules {type boolean;key "rule-name"; description "This isfridaya rule forperiodic day"; }network security functions."; leafsaturdayrule-name { typeboolean; description "This is saturday for periodic day"; } } container month {string; mandatory true; description"This can"The name of the rule. This must beused to apply rules according to periodic month";unique."; } leafjanuaryrule-description { typeboolean;string; description "Thisis january for periodic month";description gives more information about rules."; } leaffebruaryrule-priority { typeboolean;uint8 { range "1..255"; } description"This is february for periodic month";"The priority keyword comes with a mandatory numeric value which can range from 1 till 255."; } leafmarchrule-enable { type boolean; description"This"True ismarch for periodic month";enable. False is not enbale."; }leaf aprilcontainer time-zone {type boolean;description"This is april for periodic month"; } leaf may"Time zone when the rules are applied"; container absolute-time-zone {type boolean;description"This is may for periodic month"; }"Rule execution according to absolute time"; leafjunestart-time { typeboolean;start-time-type; default right-away; description"This is june for periodic month";"Start time when the rules are applied"; } leafjulyend-time { typeboolean;end-time-type; default infinitely; description"This is july for periodic month";"End time when the rules are applied"; }leaf august} container periodic-time-zone {type boolean;description"This is august for"Rule execution according to periodicmonth"; }time"; container day { description "Rule execution according to day."; leafseptemberevery-day { type boolean; default true; description"This is september for periodic month";"Rule execution every day"; }leaf octoberleaf-list specific-day { when "../every-day = 'false'"; typeboolean;day-type; description"This is october for periodic month";"Rule execution according to specific day"; } } container month { description "Rule execution according to month."; leafnovemberevery-month { type boolean; default true; description"This is november for periodic month";"Rule execution every day"; }leaf decemberleaf-list specific-month { when "../every-month = 'false'"; typeboolean;month-type; description"This is december for periodic month";"Rule execution according to month day"; } } } } container event-clause-container { description"TBD"; list event-clause-list { key eca-object-id; uses i2nsf-eca-object-type { refine entity-class { default ECA-EVENT-TYPE; } } description " This is abstract. An"An event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. When used in the context of policy rules for a flow-based NSF, it is used to determine whether the Condition clause of the Policy Rule can be evaluated or not. Examples of an I2NSF event include time anduser actions (e.g., logon, logoff,user actions (e.g., logon, logoff, and actions that violate any ACL.)."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG Data Model for Monitoring I2NSF Network Security Functions - System Alarm and System Events"; leaf event-clause-description { type string; description "Description for an event clause"; } container event-clauses { description "It has two event types such as system event and system alarm."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG Data Model for Monitoring I2NSF Network Security Functions - System Alarm andactions that violate any ACL.)."; uses i2nsf-event-type; } } container condition-clause-containerSystem Events"; leaf-list system-event {description "TBD"; list condition-clause-listtype identityref {key eca-object-id; uses i2nsf-eca-object-typebase system-event; } description "The security policy rule according to system events."; } leaf-list system-alarm {refine entity-classtype identityref {default ECA-CONDITION-TYPE;base system-alarm; } description "The security policy rule according to system alarms."; } } } container condition-clause-container { description" This is abstract. A"A condition is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed or not. Examples of I2NSF Conditions include matching attributes of a packet or flow, and comparing the internal state of an NSF to a desired state."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; leaf condition-clause-description { type string; description "Description for a condition clause."; } container packet-security-ipv4-condition { description "The purpose of this container is to represent IPv4 packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 791: Internet Protocol"; containerpacket-security-conditionpkt-sec-ipv4-header-length { choice match-type { description "There are two types to configure a security policy for IPv4 header length, such as exact match and range match."; case exact-match { leaf-list ipv4-header-length { type uint8 { range "5..15"; } description"TBD";"Exact match for an IPv4 header length."; } } case range-match { list range-ipv4-header-length { key "start-ipv4-header-length end-ipv4-header-length"; leafpacket-descriptionstart-ipv4-header-length { typestring;uint8 { range "5..15"; } description"This is"Start IPv4 header length for a range match."; } leaf end-ipv4-header-length { type uint8 { range "5..15"; } description "End IPv4 header length forpacket condition. Vendors can write instructionsa range match."; } description "Range match forpacket condition that vendor made";an IPv4 header length."; } } } description "The security policy rule according to IPv4 header length."; reference "RFC 791: Internet Protocol - Header length"; } leaf-list pkt-sec-ipv4-tos { type identityref { base type-of-service; } description "The security policy rule according to IPv4 type of service."; reference "RFC 791: Internet Protocol - Type of service"; } containerpacket-security-mac-conditionpkt-sec-ipv4-total-length { choice match-type { description"The purpose of this Class is"There are two types torepresent packet MAC packet header information that can be used as part ofconfigure atest to determine if the set of Policy Actions in this ECA Policy Rule should be execute or not.";security policy for IPv4 total length, such as exact match and range match."; case exact-match { leaf-listpkt-sec-cond-mac-destipv4-total-length { typeyang:phys-address;uint16; description"The MAC destination address (6 octets long).";"Exact match for an IPv4 total length."; }leaf-list pkt-sec-cond-mac-src} case range-match { list range-ipv4-total-length { key "start-ipv4-total-length end-ipv4-total-length"; leaf start-ipv4-total-length { typeyang:phys-address;uint16; description"The MAC source address (6 octets long).";"Start IPv4 total length for a range match."; }leaf-list pkt-sec-cond-mac-8021qleaf end-ipv4-total-length { typestring;uint16; description"This is"End IPv4 total length for a range match."; } description "Range match for anoptional string attribute, and defines The 802.1Q tab value (2 octets long).";IPv4 total length."; } } } description "The security policy rule according to IPv4 total length."; reference "RFC 791: Internet Protocol - Total length"; } leaf-listpkt-sec-cond-mac-ether-typepkt-sec-ipv4-id { typestring;uint16; description "TheEtherType field (2 octets long). Values upsecurity policy rule according toand including 1500 indicate the size of the payload in octets; values of 1536 and above define which protocol is encapsulated in the payload of the frame.";IPv4 identification."; reference "RFC 791: Internet Protocol - Identification"; } leaf-listpkt-sec-cond-mac-tcipkt-sec-ipv4-fragment-flags { typestring; description "This is an optional string attribute, and defines the Tag Control Information. This consists of a 3 bit user priority field, a drop eligible indicator (1 bit), and a VLAN identifier (12 bits).";identityref { base fragmentation-flags-type; } description "The security policy rule according to IPv4 fragment flags."; reference "RFC 791: Internet Protocol - Fragment flags"; } containerpacket-security-ipv4-conditionpkt-sec-ipv4-fragment-offset { choice match-type { description"The purpose of this Class is"There are two types torepresentconfigure a security policy for IPv4packet header information that can be usedfragment offset, such aspart of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.";exact match and range match."; case exact-match { leaf-listpkt-sec-cond-ipv4-header-lengthipv4-fragment-offset { type uint16 { range "0..16383"; } description "Exact match for an IPv4 fragment offset."; } } case range-match { list range-ipv4-fragment-offset { key "start-ipv4-fragment-offset end-ipv4-fragment-offset"; leaf start-ipv4-fragment-offset { typeuint8;uint16 { range "0..16383"; } description"The"Start IPv4packet header consists of 14 fields, of which 13 are required.";fragment offset for a range match."; }leaf-list pkt-sec-cond-ipv4-tosleaf end-ipv4-fragment-offset { typeuint8;uint16 { range "0..16383"; } description"The ToS field could specify a datagram's priority and request"End IPv4 fragment offset for arouterange match."; } description "Range match forlow-delay, high-throughput, or highly-reliable service..";an IPv4 fragment offset."; }leaf-list pkt-sec-cond-ipv4-total-length} } description "The security policy rule according to IPv4 fragment offset."; reference "RFC 791: Internet Protocol - Fragment offset"; } container pkt-sec-ipv4-ttl { choice match-type {type uint16;description"This 16-bit field defines the entire packet size, including header"There are two types to configure a security policy for IPv4 TTL, such as exact match anddata, in bytes."; }range match."; case exact-match { leaf-listpkt-sec-cond-ipv4-idipv4-ttl { type uint8; description"This field is an identification field and is primarily used"Exact match foruniquely identifying the group of fragments of a single IP datagram.";an IPv4 TTL."; }leaf-list pkt-sec-cond-ipv4-fragment} case range-match { list range-ipv4-ttl { key "start-ipv4-ttl end-ipv4-ttl"; leaf start-ipv4-ttl { type uint8; description"IP fragmentation is an Internet Protocol (IP) process that breaks datagrams into smaller pieces (fragments), so that packets may be formed that can pass through a link with"Start IPv4 TTL for asmaller maximum transmission unit (MTU) than the original datagram size.";range match."; }leaf-list pkt-sec-cond-ipv4-fragment-offsetleaf end-ipv4-ttl { typeuint16;uint8; description"Fragment offset field along with Don't Fragment and More Fragment flags in the IP protocol header are used"End IPv4 TTL forfragmentation and reassembly of IP datagrams.";a range match."; } description "Range match for an IPv4 TTL."; } } }leaf-list pkt-sec-cond-ipv4-ttl { type uint8;description "Thettl keyword is usedsecurity policy rule according tocheck for a specific IPIPv4 time-to-livevalue in the header of a packet.";(TTL)."; reference "RFC 791: Internet Protocol - Time to live"; } leaf-listpkt-sec-cond-ipv4-protocolpkt-sec-ipv4-protocol { typeuint8;identityref { base protocol; } description"Internet"The security policy rule according to IPv4 protocol."; reference "RFC 791: Internet Protocolversion 4(IPv4) is the fourth version of the- Protocol"; } container pkt-sec-ipv4-src { uses pkt-sec-ipv4; description "The security policy rule according to IPv4 source address."; reference "RFC 791: Internet Protocol(IP).";- IPv4 Address"; }leaf-list pkt-sec-cond-ipv4-srccontainer pkt-sec-ipv4-dest {type inet:ipv4-address;uses pkt-sec-ipv4; description"Defines the"The security policy rule according to IPv4 destination address."; reference "RFC 791: Internet Protocol - IPv4Source Address.";Address"; } leaf-listpkt-sec-cond-ipv4-destpkt-sec-ipv4-ipopts { typeinet:ipv4-address; description "Defines the IPv4 Destination Address."; } leaf pkt-sec-cond-ipv4-ipoptsidentityref {type string;base ipopts; } description"With the ipopts keyword you can check if a specific ip option is set. Ipopts has"The security policy rule according tobe used at the beginning of a rule.";IPv4 options."; reference "RFC 791: Internet Protocol - Options"; } leafpkt-sec-cond-ipv4-sameippkt-sec-ipv4-sameip { type boolean; description "Every packet has a source IP-address and a destination IP-address. It can be that the source IP is the same as the destination IP."; } leaf-listpkt-sec-cond-ipv4-geoippkt-sec-ipv4-geoip { type string; description "The geoip keyword enables you to match on the source, destination or source and destination IP addresses of network traffic and to see to which country it belongs. To do this, Suricata uses GeoIP API with MaxMind database format."; } } container packet-security-ipv6-condition { description "The purpose of thisClasscontainer is to representpacketIPv6 packet header informationthat can be used as part of a testto determine if the set ofPolicy Actionspolicy actions in this ECAPolicy Rulepolicy rule should be executed or not."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification"; leaf-listpkt-sec-cond-ipv6-dscppkt-sec-ipv6-traffic-class { typestring;identityref { base traffic-class; } description"Differentiated Services Code Point (DSCP) of ipv6.";"The security policy rule according to IPv6 traffic class."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic class"; } container pkt-sec-ipv6-flow-label { choice match-type { description "There are two types to configure a security policy for IPv6 flow label, such as exact match and range match."; case exact-match { leaf-listpkt-sec-cond-ipv6-ecnipv6-flow-label { typestring;uint32 { range "0..1048575"; } description"ECN allows end-to-end notification of network congestion without dropping packets.";"Exact match for an IPv6 flow label."; }leaf-list pkt-sec-cond-ipv6-traffic-class} case range-match { list range-ipv6-flow-label { key "start-ipv6-flow-label end-ipv6-flow-label"; leaf start-ipv6-flow-label { typeuint8;uint32 { range "0..1048575"; } description"The bits of this field hold two values. The 6 most-significant bits are used"Start IPv6 flow label fordifferentiated services, which is used to classify packets.";a range match."; }leaf-list pkt-sec-cond-ipv6-flow-labelleaf end-ipv6-flow-label { typeuint32;uint32 { range "0..1048575"; } description"The"End IPv6 flow labelwhen setfor a range match."; } description "Range match for an IPv6 flow label."; } } } description "The security policy rule according to IPv6 flow label."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Flow label"; } container pkt-sec-ipv6-payload-length { choice match-type { description "There are two types to configure anon-zero value servessecurity policy for IPv6 payload length, such asa hint to routersexact match andswitches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered.";range match."; case exact-match { leaf-list ipv6-payload-length { type uint16; description "Exact match for an IPv6 payload length."; } } case range-match { list range-ipv6-payload-length { key "start-ipv6-payload-length end-ipv6-payload-length"; leaf start-ipv6-payload-length { type uint16; description "Start IPv6 payload length for a range match."; }leaf-list pkt-sec-cond-ipv6-payload-lengthleaf end-ipv6-payload-length { type uint16; description"The size of the"End IPv6 payloadin octets, including any extension headers."; } leaf-list pkt-sec-cond-ipv6-next-header { type uint8; description "Specifies the type of the next header. This field usually specifies the transport layer protocol used bylength for apacket's payload.";range match."; }leaf-list pkt-sec-cond-ipv6-hop-limit { type uint8;description"Replaces the time to live field of IPv4.";"Range match for an IPv6 payload length."; } } }leaf-list pkt-sec-cond-ipv6-src { type inet:ipv6-address;description "The security policy rule according to IPv6address of the sending node.";payload length."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Payload length"; } leaf-listpkt-sec-cond-ipv6-destpkt-sec-ipv6-next-header { typeinet:ipv6-address;identityref { base next-header; } description "The security policy rule according to IPv6address of the destination node(s)."; }next header."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Next header"; } containerpacket-security-tcp-conditionpkt-sec-ipv6-hop-limit { choice match-type { description"The purpose of this Class is"There are two types torepresent packet TCP packet header information that can be used as part ofconfigure atest to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.";security policy for IPv6 hop limit, such as exact match and range match."; case exact-match { leaf-listpkt-sec-cond-tcp-src-portipv6-hop-limit { typeinet:port-number;uint8; description"This is a mandatory string attribute, and defines the Source Port number (16 bits).";"Exact match for an IPv6 hop limit."; }leaf-list pkt-sec-cond-tcp-dest-port} case range-match { list range-ipv6-hop-limit { key "start-ipv6-hop-limit end-ipv6-hop-limit"; leaf start-ipv6-hop-limit { typeinet:port-number;uint8; description"This is"Start IPv6 hop limit for amandatory string attribute, and defines the Destination Port number (16 bits).";range match."; }leaf-list pkt-sec-cond-tcp-seq-numleaf end-ipv6-hop-limit { typeuint32;uint8; description"If the SYN flag is set (1), then this is the initial sequence number.";"End IPv6 hop limit for a range match."; }leaf-list pkt-sec-cond-tcp-ack-num { type uint32;description"If the ACK flag is set then the value of this field is the next sequence number that the sender is expecting.";"Range match for an IPv6 hop limit."; } } }leaf-list pkt-sec-cond-tcp-window-size { type uint16;description "Thesize of the receive window, which specifies the number of windows size units (by default,bytes) (beyond the segment identified by the sequence number in the acknowledgment field) that the sender of this segment is currently willingsecurity policy rule according to IPv6 hop limit."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Hop limit"; } container pkt-sec-ipv6-src { uses pkt-sec-ipv6; description "The security policy rule according torecive.";IPv6 source address."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; }leaf-list pkt-sec-cond-tcp-flagscontainer pkt-sec-ipv6-dest {type uint8;uses pkt-sec-ipv6; description"This is a mandatory string attribute, and defines the nine Control bit flags (9 bits).";"The security policy rule according to IPv6 destination address."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } } containerpacket-security-udp-conditionpacket-security-tcp-condition { description "The purpose of thisClasscontainer is to representpacket UDPTCP packet header informationthat can be used as part of a testto determine if the set ofPolicy Actionspolicy actions in this ECAPolicy Rulepolicy rule should be executed or not.";leaf-list pkt-sec-cond-udp-src-port { type inet:port-number; description "This is a mandatory string attribute, and defines the UDP Source Port number (16 bits)."; } leaf-list pkt-sec-cond-udp-dest-port { type inet:port-number; description "This is a mandatory string attribute, and defines the UDP Destination Port number (16 bits)."; } leaf-list pkt-sec-cond-udp-length { type string; description "This is a mandatory string attribute, and defines the length in bytes of the UDP header and data (16 bits)."; } }reference "RFC 793: Transmission Control Protocol"; containerpacket-security-icmp-conditionpkt-sec-tcp-src-port-num { uses pkt-sec-port-number; description "Theinternet control message protocol condition."; leaf-list pkt-sec-cond-icmp-type { type uint8; description "ICMP type, see Control messages."; } leaf-list pkt-sec-cond-icmp-code { type uint8; description "ICMP subtype, seesecurity policy rule according to tcp source port number."; reference "RFC 793: Transmission Controlmessages."; } leaf-list pkt-sec-cond-icmp-seg-num { type uint32; description "The icmp Sequence Number."; } }Protocol - Port number"; } containerpacket-payload-condition { description "TBD"; leaf packet-payload-description { type string; description "This is description for payload condition. Vendors can write instructions for payload condition that vendor made"; } leaf-list pkt-payload-contentpkt-sec-tcp-dest-port-num {type string;uses pkt-sec-port-number; description "Thecontent keyword is very important in signatures. Between the quotation marks you can write on what you would like the signaturesecurity policy rule according tomatch."; } } leaf acl-number { type uint32; description "This is acl-number.";tcp destination port number."; reference "RFC 793: Transmission Control Protocol - Port number"; } containerapplication-conditionpkt-sec-tcp-seq-num {description "TBD"; leaf application-descriptionchoice match-type {type string; description "This isdescription "There are two types to configure a security policy forapplication condition."; } leaf-list application-objecttcp sequence number, such as exact match and range match."; case exact-match {type string; description "This is application object."; }leaf-listapplication-grouptcp-seq-num { typestring;uint32; description"This is application group.";"Exact match for an tcp sequence number."; }leaf-list application-label { type string; description "This is application label.";}container categorycase range-match {description "TBD";listapplication-categoryrange-tcp-seq-num { key"name application-subcategory"; description "TBD";"start-tcp-seq-num end-tcp-seq-num"; leafnamestart-tcp-seq-num { typestring;uint32; description"This is name"Start tcp sequence number forapplication category.";a range match."; } leafapplication-subcategoryend-tcp-seq-num { typestring;uint32; description"This is application subcategory.";"End tcp sequence number for a range match."; } description "Range match for a tcp sequence number."; } } }container target-condition { description "TBD"; leaf target-description { type string; description "This isdescriptionfor target condition. Vendors can write instructions for target condition that vendor made";"The security policy rule according to tcp sequence number."; reference "RFC 793: Transmission Control Protocol - Sequence number"; } containerdevice-sec-context-condpkt-sec-tcp-ack-num { choice match-type { description"The device attribute that can identify"There are two types to configure adevice, including the device type (i.e., router, switch, pc, ios, or android) and the device's ownersecurity policy for tcp acknowledgement number, such aswell."; leaf pcexact match and range match."; case exact-match {type boolean; description "If type of a device is PC."; } leaf mobile-phoneleaf-list tcp-ack-num { typeboolean;uint32; description"If type of a device is mobile-phone.";"Exact match for an tcp acknowledgement number."; }leaf voip-volte-phone { type boolean; description "If type of a device is voip-volte-phone.";}leaf tabletcase range-match {type boolean; description "If type of a device is tablet."; } leaf iotlist range-tcp-ack-num {type boolean; description "If type of a device is Internet of Things."; }key "start-tcp-ack-num end-tcp-ack-num"; leafvehiclestart-tcp-ack-num { typeboolean;uint32; description"If type of"Start tcp acknowledgement number for adevice is vehicle."; } }range match."; }container users-condition { description "TBD";leafusers-descriptionend-tcp-ack-num { typestring; description "This isuint32; description "End tcp acknowledgement number foruser condition. Vendors can write instructions for user condition that vendor made"; } container user{ description "The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aware of the IP address of the user provided byaunified user management system via network. Based on name-address association, NSF is able to enforce therange match."; } description "Range match for a tcp acknowledgement number."; } } } description "The securityfunctions over the given user (or user group)";policy rule according to tcp acknowledgement number."; reference "RFC 793: Transmission Control Protocol - Acknowledgement number"; } container pkt-sec-tcp-window-size { choiceuser-namematch-type { description"The name of the user. This must be unique.";"There are two types to configure a security policy for tcp window size, such as exact match and range match."; casetenantexact-match {description "Tenant information."; leaf tenantleaf-list tcp-window-size { typeuint8; mandatory true;uint16; description"User's tenant information.";"Exact match for an tcp window size."; } } casevn-idrange-match { list range-tcp-window-size { key "start-tcp-window-size end-tcp-window-size"; leaf start-tcp-window-size { type uint16; description"VN-ID information.";"Start tcp window size for a range match."; } leafvn-idend-tcp-window-size { typeuint8; mandatory true;uint16; description"User's VN-ID information.";"End tcp window size for a range match."; } description "Range match for a tcp window size."; } } }container groupdescription "The security policy rule according to tcp window size."; reference "RFC 793: Transmission Control Protocol - Window size"; } leaf-list pkt-sec-tcp-flags { type identityref { base tcp-flags; } description "Theuser (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in thesecurity policy rule according toidentify the user. Besides, NSF is aware of the IP addresstcp flags."; reference "RFC 793: Transmission Control Protocol - Flags"; } } container packet-security-udp-condition { description "The purpose ofthe user provided by a unified user management system via network. Based on name-address association, NSFthis container isabletoenforcerepresent UDP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 793: Transmission Control Protocol"; container pkt-sec-udp-src-port-num { uses pkt-sec-port-number; description "The securityfunctions over the given user (or user group)"; choice group-namepolicy rule according to udp source port number."; reference "RFC 793: Transmission Control Protocol - Port number"; } container pkt-sec-udp-dest-port-num { uses pkt-sec-port-number; description "Thename of the user. This must be unique.";security policy rule according to udp destination port number."; reference "RFC 768: User Datagram Protocol - Total Length"; } container pkt-sec-udp-total-length { choice match-type { description "There are two types to configure a security policy for udp sequence number, such as exact match and range match."; casetenantexact-match {description "Tenant information."; leaf tenantleaf-list udp-total-length { typeuint8; mandatory true;uint32; description"User's tenant information.";"Exact match for an udp-total-length."; } } casevn-idrange-match { list range-udp-total-length { key "start-udp-total-length end-udp-total-length"; leaf start-udp-total-length { type uint32; description"VN-ID information.";"Start udp total length for a range match."; } leafvn-idend-udp-total-length { typeuint8; mandatory true;uint32; description"User's VN-ID information.";"End udp total length for a range match."; } description "Range match for a udp total length."; } } }leaf security-grup { type string; mandatory true;description"security-grup.";"The security policy rule according to udp total length."; reference "RFC 768: User Datagram Protocol - Total Length"; } } containerurl-category-condition { description "TBD"; leaf url-category-descriptionpacket-security-icmp-condition {type string;description"This"The purpose of this container isdescription for url category condition. Vendors can write instructionsto represent ICMP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility forcontext condition that vendor made"; }Probing Interfaces"; leaf-listpre-defined-categorypkt-sec-icmp-type-and-code { typestring; description "This is pre-defined-category."; } leaf-list user-defined-categoryidentityref {type string;base icmp-type; } description"This user-defined-category.";"The security policy rule according to ICMP parameters."; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } } containercontext-conditionpacket-security-http-condition { description"TBD"; leaf context-description"Condition for http."; leaf-list pkt-sec-uri-content { type string; description"This is description for context condition. Vendors can write instructions for context condition that vendor made"; }"The security policy rule according to uri content."; }container gen-context-condition { description "TBD"; leaf gen-context-descriptionleaf-list pkt-sec-url-content { type string; description"This is description for generic context condition. Vendors can write instructions for generic context condition that vendor made";"The security policy rule according to url content."; } } containergeographic-locationpacket-security-voice-condition { description"The location where network traffic is associated with. The region can be"For thegeographic location such as country, province,VoIP/VoLTE security system, a VoIP/ VoLTE security system can monitor each VoIP/VoLTE flow andcity, as well asmanage VoIP/VoLTE security rules controlled by a centralized server for VoIP/VoLTE security service (called VoIP IPS). The VoIP/VoLTE security system controls each switch for thelogical network location such as IP address, network section, and network domain.";VoIP/VoLTE call flow management by manipulating the rules that can be added, deleted, or modified dynamically."; reference "RFC 3261: SIP: Session Initiation Protocol"; leaf-listsrc-geographic-locationpkt-sec-src-voice-id { typeuint32;string; description"This is mapped"The security policy rule according toip address. We can acquirea sourceregion through ip address stored the database.";voice ID for VoIP and VoLTE."; } leaf-list pkt-sec-dest-voice-id { type string; description "The security policy rule according to a destination voice ID for VoIP and VoLTE."; } leaf-listdest-geographic-locationpkt-sec-user-agent { typeuint32;string; description"This is mapped"The security policy rule according toip address. We can acquire destination region through ip address stored the database."; } } }an user agent for VoIP and VoLTE."; } } containeraction-clause-containerpacket-security-ddos-condition { description"TBD"; list action-clause-list { key eca-object-id; uses i2nsf-eca-object-type { refine entity-class"Condition for DDoS attack."; leaf pkt-sec-alert-rate {default ECA-ACTION-TYPE;type uint32; description "The alert rate of flood detect for same packets."; } } } container action-clause-container { description "An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. Examples of I2NSF Actions include providing intrusion detection and/or protection, web and flow filtering, and deep packet inspection for packets and flows.";leaf rule-log { type boolean; description "True is enable False is not enable."; } leaf session-log { type boolean; description "True is enable False is not enable."; } container ingress-action { description "TBD"; leaf ingress-description { type string; description "This is description for ingress action. Vendors can write instructionsreference "RFC 8329: Framework foringress action that vendor made"; } leaf ingress-action-type { type ingress-action; description "Ingress action type: permit, deny,Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Design Principles andmirror."; } } container egress-action { description "TBD";ECA Policy Model Overview"; leafegress-descriptionaction-clause-description { type string; description"This is description for egress action. Vendors can write instructions"Description foregressan actionthat vendor made"; } leaf egress-action-type { type egress-action; description "Egress-action-type: invoke-signaling, tunnel-encapsulation, and forwarding."; }clause."; } containerapply-profile { description "TBD"; leaf profile-descriptionpacket-action {type string; description "This isdescription "Action forapply profile action. Vendors can write instructionspackets"; reference "RFC 8329: Framework forapply profile action that vendor made"; } container content-security-control { description "Content security control is another category of security capabilities appliedInterface toapplication layer. Through detecting the contents carried over the traffic in application layer, these capabilities can realize various security purposes, such as defending against intrusion, inspecting virus, filtering malicious URL or junk email, and blocking illegal web access or data retrieval."; container content-security-control-types { description "ContentNetwork Securitytypes: Antivirus, IPS, IDS, url-filtering, data-filtering, mail-filtering, file-blocking, file-isolate, pkt-capture, application-control, and voip-volte."; leaf antivirus { type string; description "Additional inspection of antivirus."; } leaf ips { type string; description "Additional inspection of IPS."; } leaf ids { type string; description "Additional inspection of IDS."; } leaf url-filtering { type string; description "Additional inspection of URL filtering."; } leaf data-filtering { type string; description "Additional inspectionFunctions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-04: Information Model ofdata filtering."; }NSFs Capabilities - Design Principles and ECA Policy Model Overview"; leafmail-filteringingress-action { typestring;identityref { base ingress-action; } description"Additional inspection of mail filtering.";"Action: pass, drop, reject, alert, and mirror."; } leaffile-blockingegress-action { typestring;identityref { base egress-action; } description"Additional inspection of file blocking.";"Egress action: pass, drop, reject, alert, mirror, invoke-signaling, tunnel-encapsulation, forwarding, and redirection."; } leaffile-isolatelog-action { typestring;identityref { base log-action; } description"Additional inspection of file isolate.";"Log action: rule log and session log"; }leaf pkt-capture} container advanced-action {type string;description"Additional inspection of"If the packetcapture."; } leaf application-controlneed be additionally inspected, the packet are passed to advanced network security functions according to the profile."; reference "RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models"; leaf-list content-security-control { typestring;identityref { base content-security-control; } description"Additional inspection of app control.";"The Profile is divided into content security control and attack-mitigation-control. Content security control: antivirus, ips, ids, url filtering, mail filtering, file blocking, file isolate, packet capture, application control, voip and volte."; }leaf voip-volteleaf-list attack-mitigation-control { typestring;identityref { base attack-mitigation-control; } description"Additional inspection of VoIP/VoLTE.";"The Profile is divided into content security control and attack-mitigation-control. Attack mitigation control: syn flood, udp flood, icmp flood, ip frag flood, ipv6 related, http flood, https flood, dns flood, dns amp flood, ssl ddos, ip sweep, port scanning, ping of death, teardrop, oversized icmp, tracert."; } } }container attack-mitigation-control { description "This category} } } } <CODE ENDS> Figure 5: YANG Data Module ofsecurity capabilitiesI2NSF NSF-Facing-Interface 6. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf Registrant Contact: The IESG. XML: N/A; the requested URI isspecially usedan XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950]. name: ietf-i2nsf-policy-rule-for-nsf namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- nsf prefix: iiprfn reference: RFC XXXX 7. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required transport secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required transport secure transport is TLS [RFC8446]. The NETCONF access control model [RFC8341] provides a means of restricting access to specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs todetectIndicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC6087] Bierman, A., "Guidelines for Authors andmitigate various typesReviewers ofnetwork attacks."; container ddos-attack { description "A distributed-denial-of-service (DDoS) is whereYANG Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, January 2011, <https://www.rfc-editor.org/info/rfc6087>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>. [RFC6242] Wasserman, M., "Using theattack source is more than one, often thousands of unique IP addresses."; container ddos-attack-type { description "DDoS-attack types:NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>. [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc-editor.org/info/rfc6991>. [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>. [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to NetworkLayer DDoS AttacksSecurity Functions", RFC 8329, February 2018. [RFC8340] Bjorklund, M. andApplication Layer DDoS Attacks."; container network-layer-ddos-attack { description "Network layer DDoS-attack."; container network-layer-ddos-attack-type { descriptionL. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, <https://www.rfc-editor.org/info/rfc8340>. [RFC8341] Bierman, A. and M. Bjorklund, "Networklayer DDoS attack types: Syn Flood Attack, UDP Flood Attack, ICMP Flood Attack, IP Fragment Flood, IPv6 Related Attacks,Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>. [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., andetc"; leaf syn-flood { type string; description "Additional Inspection of Syn Flood Attack."; } leaf udp-flood { type string; description "Additional Inspection of UDP Flood Attack."; } leaf icmp-flood { type string; description "Additional Inspection of ICMP Flood Attack."; } leaf ip-frag-flood { type string; description "Additional Inspection of IP Fragment Flood."; } leaf ipv6-related { type string; description "Additional Inspection of IPv6 Related Attacks."; } } } container app-layer-ddos-attack { description "Application layer DDoS-attack."; container app-ddos-attack-types { description "Application layer DDoS-attack types: Http Flood Attack, Https Flood Attack, DNS Flood Attack,N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", RFC RFC8431, September 2018. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>. 8.2. Informative References [i2nsf-advanced-nsf-dm] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. [i2nsf-nsf-cap-dm] Hares, S., Jeong, J., Kim, J., Moskowitz, R., andDNS Amplification Flood Attack, SSL DDoS Attack,Q. Lin, "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- capability-data-model-02 (work in progress), November 2018. [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., andetc."; leaf http-flood { type string; description "Additional InspectionD. Lopez, "Information Model ofHttp Flood Attack."; } leaf https-flood { type string; description "Additional InspectionNSFs Capabilities", draft-ietf- i2nsf-capability-04 (work in progress), October 2018. [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use ofHttps Flood Attack."; } leaf dns-flood { type string; description "Additional InspectionPolicy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. Appendix A. Configuration Examples This section shows configuration examples ofDNS Flood Attack."; } leaf dns-amp-flood { type string; description "Additional Inspection"ietf-i2nsf-policy-rule- for-nsf" module for security policy rules ofDNS Amplification Flood Attack."; } leaf ssl-ddos { type string; description "Additional Inspectionnetwork security devices. For security requirements, we assume that the NSFs (i.e., General firewall, Time based firewall, Web filter, VoIP/VoLTE filter http and https flood mitigation ) described in Appendix A. Configuration Examples ofSSL Flood Attack."; } } } } } container single-packet-attack { description "Single Packet Attacks."; container single-packet-attack-type { description "DDoS-attack types: Scanning Attack, Sniffing Attack, Malformed Packet Attack, Special Packet Attack,[i2nsf-nsf-cap-dm] are registered in I2NSF framework. With the registed NSFs, we show configuration examples for security policy rules of network security functions according to the following three security requirements: (i) Block SNS access during business hours, (ii) Block malicious VoIP/VoLTE packets coming to the company, andetc."; container scan-and-sniff-attack { description "Scanning(iii) Mitigate http andSniffing Attack."; container scan-and-sniff-attack-types { description "Scanninghttps flood attacks on company web server. A.1. Security Requirement 1: Block SNS Access during Business Hours This section shows a configuration example for blocking SNS access during business hours. <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>sns_access</system-policy-name> <rules> <rule-name>block_sns_access_during_operation_time</rule-name> <time-zone> <absolute-time-zone> <start-time>09:00:00Z</start-time> <end-time>18:00:00Z</end-time> </absolute-time-zone> </time-zone> <condition-clause-container> <packet-security-ipv4-condition> <pkt-sec-ipv4-src> <range-ipv4-address> <start-ipv4-address>221.159.112.1</start-ipv4-address> <end-ipv4-address>221.159.112.90</end-ipv4-address> </range-ipv4-address> </pkt-sec-ipv4-src> </packet-security-ipv4-condition> </condition-clause-container> <action-clause-container> <advanced-action> <content-security-control>url-filtering</content-security-control> </advanced-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 6: Configuration XML for Time based Firewall to Block SNS Access during Business Hours <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>sns_access</system-policy-name> <rules> <rule-name>block_facebook_and_instgram</rule-name> <condition-clause-container> <packet-security-http-condition> <pkt-sec-url-content>facebook</pkt-sec-url-content> <pkt-sec-url-content>instagram</pkt-sec-url-content> </packet-security-http-condition> </condition-clause-container> <action-clause-container> <packet-action> <egress-action>drop</egress-action> </packet-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 7: Configuration XML for Web Filter to Block SNS Access during Business Hours Figure 6 andsniffing attack types: IP Sweep attack, Port Scanning,Figure 7 show the configuration XML documents for time based firewall andetc."; leaf ip-sweep { type string; description "Additional Inspection of IP Sweep Attack."; } leaf port-scanning { type string; description "Additional Inspection of Port Scanning Attack."; } } } container malformed-packet-attack { description "Malformed Packet Attack."; container malformed-packet-attack-types { description "Malformed packet attack types: Ping of Death Attack, Teardrop Attack,web filter to block SNS access during business hours. For the security requirement, two NSFs (i.e., a time based firewall andetc."; leaf ping-of-death { type string; description "Additional Inspectiona web filter) were used because one NSF can not meet the security requirement. The instances ofPingXML documents for the time based firewall and the web filter are as follows: Note that a detailed data model for the configuration ofDeath Attack."; } leaf teardrop { type string; description "Additional Inspectionthe advanced network security function (i.e., web filter) is described in [i2nsf-advanced-nsf-dm]. Time based Firewall 1. The name ofTeardrop Attack."; } } } container special-packet-attack { description "special Packet Attack."; container special-packet-attack-types { description "Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc."; leaf oversized-icmp { type string; description "Additional Inspectionthe system policy is sns_access. 2. The name ofOversize ICMP Attack."; } leaf tracert { type string; description "Additional Inspectionthe rule is block_sns_access_during_operation_time. 3. The rule is operated during the business hours (i.e., from 9 a.m. to 6 p.m.). 4. The rule inspects a source IPv4 address (i.e., from 221.159.112.1 to 221.159.112.90) to inspect the outgoing packets ofTracrt Attack."; } } } } } } } } } } container resolution-strategy { description "The resolution strategiesemployees. 5. If the outgoing packets match the rules above, the time based firewall sends the packets to url filtering for additional inspection because the time based firewall canbenot inspect contents of the packets for the SNS URL. Web Filter 1. The name of the system policy is sns_access. 2. The name of the rule is block_facebook_and_instagram. 3. The rule inspects URL address to block the access packets to the facebook or the instagram. 4. If the outgoing packets match the rules above, the packets are blocked. A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to the Company This section shows a configuration example for blocking malicious VoIP/VoLTE packets coming to the company. <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>voip_volte_inspection</system-policy-name> <rules> <rule-name>block_malicious_voip_volte_packets</rule-name> <condition-clause-container> <packet-security-ipv4-condition> <pkt-sec-ipv4-dest> <range-ipv4-address> <start-ipv4-address>221.159.112.1</start-ipv4-address> <end-ipv4-address>221.159.112.90</end-ipv4-address> </range-ipv4-address> </pkt-sec-ipv4-dest> </packet-security-ipv4-condition> <packet-security-tcp-condition> <pkt-sec-tcp-dest-port-num> <port-num>5060</port-num> <port-num>5061</port-num> </pkt-sec-tcp-dest-port-num> </packet-security-tcp-condition> </condition-clause-container> <action-clause-container> <advanced-action> <content-security-control>voip-volte</content-security-control> </advanced-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 8: Configuration XML for General Firewall to Block Malicious VoIP/VoLTE Packets Coming to the Company <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>malicious_voice_id</system-policy-name> <rules> <rule-name>block_malicious_voice_id</rule-name> <condition-clause-container> <packet-security-voice-condition> <pkt-sec-src-voice-id>11111@voip.black.com</pkt-sec-src-voice-id> <pkt-sec-src-voice-id>22222@voip.black.com</pkt-sec-src-voice-id> </packet-security-voice-condition> </condition-clause-container> <action-clause-container> <packet-action> <ingress-action>drop</ingress-action> </packet-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious VoIP/VoLTE Packets Coming to the Company Figure 8 and Figure 9 show the configuration XML documents for general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE packets coming to the company. For the security requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were usedto specify how to resolve conflicts that occur betweenbecause one NSF can not meet theactionssecurity requirement. The instances of XML documents for thesame or different policy rules that are matchedgeneral firewall andcontained in this particular NSF"; choice resolution-strategy-type { description "Vendors can use YANGthe VoIP/VoLTE filter are as follows: Note that a detailed data modelto configure rules"; case fmr { leaf first-matching-rule { type boolean; description "Iffor theresolution strategyconfiguration of the advanced network security function (i.e., VoIP/VoLTE filter) isfirst matching rule"; } } case lmr { leaf last-matching-rule { type boolean; description "Ifdescribed in [i2nsf-advanced-nsf-dm]. General Firewall 1. The name of theresolution strategysystem policy islast matching rule"; } } } } container default-action { description "This default action can be usedvoip_volte_inspection. 2. The name of the rule is block_malicious_voip_volte_packets. 3. The rule inspects a destination IPv4 address (i.e., from 221.159.112.1 tospecify221.159.112.90) to inspect the packets coming into the company. 4. The rule inspects apredefined action when no other alternative action was matched byport number (i.e., 5060 and 5061) to inspect VoIP/VoLTE packet. 5. If thecurrently executing I2NSF Policy Rule. An analogy isincoming packets match theuserules above, the general firewall sends the packets to VoIP/VoLTE filter for additional inspection because the general firewall can not inspect contents ofa default statement in a C switch statement."; leaf default-action-type { type boolean; description "True is permit False is deny."; } } container rule-group { description "Thisthe VoIP/VoLTE packets. VoIP/VoLTE Filter 1. The name of the system policy is malicious_voice_id. 2. The name of the rulegroup"; list groups { key "group-name"; description "Thisis block_malicious_voice_id. 3. The rule inspects the voice id of the VoIP/VoLTE packets to block the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and 22222@voip.black.com). 4. If the incoming packets match the rules above, the packets are blocked. A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server This section shows a configuration example for mitigating http and https flood attacks on agroupcompany web server. <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>flood_attack_mitigation</system-policy-name> <rules> <rule-name>mitigate_http_and_https_flood_attack</rule-name> <condition-clause-container> <packet-security-ipv4-condition> <pkt-sec-ipv4-dest> <ipv4-address> <ipv4>221.159.112.95</ipv4> </ipv4-address> </pkt-sec-ipv4-dest> </packet-security-ipv4-condition> <packet-security-tcp-condition> <pkt-sec-tcp-dest-port-num> <port-num>80</port-num> <port-num>443</port-num> </pkt-sec-tcp-dest-port-num> </packet-security-tcp-condition> </condition-clause-container> <action-clause-container> <advanced-action> <attack-mitigation-control>http-and-https-flood </attack-mitigation-control> </advanced-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 10: Configuration XML forrules"; leaf group-name { type string; description "This isGeneral Firewall to Mitigate HTTP and HTTPS Flood Attacks on agroupCompany Web Server <i2nsf-security-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> <system-policy> <system-policy-name>http_and_https_flood_attack_mitigation </system-policy-name> <rules> <rule-name>100_per_second</rule-name> <condition-clause-container> <packet-security-ddos-condition> <pkt-sec-alert-rate>100</pkt-sec-alert-rate> </packet-security-ddos-condition> </condition-clause-container> <action-clause-container> <packet-action> <ingress-action>drop</ingress-action> </packet-action> </action-clause-container> </rules> </system-policy> </i2nsf-security-policy> Figure 11: Configuration XML forrules"; } container rule-range { description "This isHTTP and HTTPS Flood Attack Mitigation to Mitigate HTTP and HTTPS Flood Attacks on arule range."; leaf start-rule { type string; description "This isCompany Web Server Figure 10 and Figure 11 show the configuration XML documents for general firewall and http and https flood attack mitigation to mitigate http and https flood attacks on astart rule"; } leaf end-rule { type string; description "This iscompany web server. For the security requirement, two NSFs (i.e., aend rule"; } } leaf enable { type boolean; description "This is enable False is not enable."; } leaf description { type string; description "This isgeneral firewall and adesription for rule-group"; } } } } } } <CODE ENDS> Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface 7. Security Considerations This document introduces no additional security threatshttp andSHOULD followhttps flood attack mitigation) were used because one NSF can not meet the securityrequirementsrequirement. The instances of XML documents for the general firewall and http and https flood attack mitigation are asstated in [RFC8329]. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key wordsfollows: Note that a detailed data model forusethe configuration of the advanced network security function (i.e., http and https flood attack mitigation) is described inRFCs[i2nsf-advanced-nsf-dm]. General Firewall 1. The name of the system policy is flood_attack_mitigation. 2. The name of the rule is mitigate_http_and_https_flood_attack. 3. The rule inspects a destination IPv4 address (i.e., 221.159.112.95) toIndicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language forinspect theNetwork Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J.,access packets coming into the company web server. 4. The rule inspects a port number (i.e., 80 andR. Kumar, "Framework for Interface443) to inspect http and https packet. 5. If the packets match the rules above, the general firewall sends the packets toNetwork Security Functions", RFC 8329, February 2018. [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S.,http andN. Bahadur, "A YANG Data Modelhttps flood attack mitigation forRouting Information Base (RIB)", RFC RFC8431, September 2018. 8.2. Informative References [i2nsf-advanced-nsf-dm] Pan, W. and L. Xia, "Configurationadditional inspection because the general firewall can not contrl the amount ofAdvanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C.,packets for http andD. Lopez, "Information Modelhttps packets. HTTP and HTTPS Flood Attack Mitigation 1. The name ofNSFs Capabilities", draft-ietf- i2nsf-capability-04 (work in progress), October 2018. [supa-policy-info-model] Strassner, J., Halpern, J.,the system policy is http_and_https_flood_attack_mitigation. 2. The name of the rule is 100_per_second. 3. The rule controls the http andS. Meer, "Generic Policy Information Model for Simplified Usehttps packets according to the amount ofPolicy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017.incoming packets. 4. If the incoming packets match the rules above, the packets are blocked. AppendixA.B. Changes fromdraft-ietf-i2nsf-nsf-facing-interface-dm-01draft-ietf-i2nsf-nsf-facing-interface-dm-02 The following changes are made from draft-ietf-i2nsf-nsf-facing-interface-dm-01:interface-dm-03: o Weadded system policy which represents there could be multiple system policies in one NSF,revised this YANG data module according to guidelines for authors andeach system policy is used by one virtual instancereviewers of YANG data model documents [RFC6087]. o We changed theNSF/device. This is a very general featurestructure of the overall YANG data model. o We added exact-range type as well as range-based type foralltheNSFs/devices.range policy rules. o We changedpolicy nameenumeration type tosystem policy nameidentity type forsystem policy.scalable components. o Wedeleted policy-event-clause-agg-ptr, policy-condition-clause- agg-ptr, and policy-action-clause-agg-ptr.added a description for the YANG tree diagram of the YANG data module. o Weadded priority-usage which represents priorityrevised overall sentences ofpolicies by order or number.this YANG data model document. o We added configuration examples to make it easier for reviewers to understand. AppendixB.C. Acknowledgments This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). AppendixC.D. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University) o Liang Xia (Huawei) o Tae-Jin Ahn (Korea Telecom) o Se-Hui Lee (Korea Telecom) Authors' Addresses Jinyong Tim Kim Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 10 8273 0930 EMail: timkim@skku.edu Jaehoon Paul Jeong Department of Software Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Fax: +82 31 290 7996 EMail: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php Jung-Soo Park Electronics and Telecommunications Research Institute 218 Gajeong-Ro, Yuseong-Gu Daejeon 34129 Republic of Korea Phone: +82 42 860 6514 EMail: pjs@etri.re.kr Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China EMail: linqiushi@huawei.com