--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-03.txt 2019-03-24 05:13:14.088430991 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-04.txt 2019-03-24 05:13:14.252434966 -0700 @@ -1,23 +1,23 @@ I2NSF Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University -Expires: September 12, 2019 J. Park +Expires: September 25, 2019 J. Park ETRI S. Hares Q. Lin Huawei - March 11, 2019 + March 24, 2019 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-03 + draft-ietf-i2nsf-nsf-facing-interface-dm-04 Abstract This document defines a YANG data model for configuring security policy rules on network security functions. The YANG data model in this document is corresponding to the information model for Network Security Functions (NSF)-Facing Interface in Interface to Network Security Functions (I2NSF). Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 12, 2019. + This Internet-Draft will expire on September 25, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -55,40 +55,40 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 6 4.3. Condtion Clause . . . . . . . . . . . . . . . . . . . . . 7 - 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 12 - 5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 13 - 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 13 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 77 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 78 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 78 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 78 - 8.2. Informative References . . . . . . . . . . . . . . . . . 79 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 81 + 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 13 + 5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 14 + 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 14 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 88 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 88 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 88 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 89 + 8.2. Informative References . . . . . . . . . . . . . . . . . 90 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 91 A.1. Security Requirement 1: Block SNS Access during Business - Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 81 + Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.2. Security Requirement 2: Block Malicious VoIP/VoLTE - Packets Coming to the Company . . . . . . . . . . . . . . 84 + Packets Coming to the Company . . . . . . . . . . . . . . 94 A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood - Attacks on a Company Web Server . . . . . . . . . . . . . 87 + Attacks on a Company Web Server . . . . . . . . . . . . . 97 Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface- - dm-02 . . . . . . . . . . . . . . . . . . . . . . . 90 - Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 91 - Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 91 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 + dm-03 . . . . . . . . . . . . . . . . . . . . . . . 100 + Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 100 + Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 100 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 101 1. Introduction This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of network security devices. The YANG data model is corresponding to the information model [i2nsf-nsf-cap-im] for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). The YANG data model in this document focuses on security policy configuration for generic network security functions. Note that @@ -179,41 +179,52 @@ policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] +--rw system-policy-name string +--rw priority-usage? identityref +--rw resolution-strategy? identityref +--rw default-action? identityref +--rw rules* [rule-name] - +--rw rule-name string - +--rw rule-description? string - +--rw rule-priority? uint8 - +--rw rule-enable? boolean - +--rw time-zone - | +--rw absolute-time-zone - | | +--rw start-time? start-time-type - | | +--rw end-time? end-time-type - | +--rw periodic-time-zone - | +--rw day - | | +--rw every-day? boolean - | | +--rw specific-day* day-type - | +--rw month - | +--rw every-month? boolean - | +--rw specific-month* month-type - +--rw event-clause-container - | ... - +--rw condition-clause-container + | +--rw rule-name string + | +--rw rule-description? string + | +--rw rule-priority? uint8 + | +--rw rule-enable? boolean + | +--rw rule-session-aging-time? uint16 + | +--rw rule-long-connection + | | +--rw enable? boolean + | | +--rw during? uint16 + | +--rw time-zone + | | +--rw absolute-time-zone + | | | +--rw start-time? start-time-type + | | | +--rw end-time? end-time-type + | | +--rw periodic-time-zone + | | +--rw day + | | | +--rw every-day? boolean + | | | +--rw specific-day* day-type + | | +--rw month + | | +--rw every-month? boolean + | | +--rw specific-month* month-type + | +--rw event-clause-container + | | ... + | +--rw condition-clause-container + | | ... + | +--rw action-clause-container | ... - +--rw action-clause-container - ... + +--rw rule-group + +--rw groups* [group-name] + +--rw group-name string + +--rw rule-range + | +--rw start-rule? string + | +--rw end-rule? string + +--rw enable? boolean Figure 1: YANG Tree Diagram for Network Security Policy This YANG tree diagram shows general I2NSF security policy rule for generic network security functions. The system policy represents there could be multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device. The system policy includes system policy name, priority usage, resolutation strategy, default action, and rules. @@ -241,29 +252,31 @@ 4.2. Event Clause This section shows YANG tree diagram for an event clause of I2NSF security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy +--rw system-policy* [system-policy-name] ... +--rw rules* [rule-name] - ... - +--rw event-clause-container - | +--rw event-clause-description? string - | +--rw event-clauses - | +--rw system-event* identityref - | +--rw system-alarm* identityref - +--rw condition-clause-container | ... - +--rw action-clause-container + | +--rw event-clause-container + | | +--rw event-clause-description? string + | | +--rw event-clauses + | | +--rw system-event* identityref + | | +--rw system-alarm* identityref + | +--rw condition-clause-container + | | ... + | +--rw action-clause-container + | ... + +--rw rule-group ... Figure 2: YANG Tree Diagram for Network Security Policy This YANG tree diagram shows an event clause of I2NSF security policy rule for generic network security functions. An event clause is any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as system event @@ -492,20 +505,64 @@ | | +--rw pkt-sec-icmp-type* identityref | +--rw packet-security-http-condition | | +--rw pkt-sec-uri-content* string | | +--rw pkt-sec-url-content* string | +--rw packet-security-voice-condition | | +--rw pkt-sec-src-voice-id* string | | +--rw pkt-sec-dest-voice-id* string | | +--rw pkt-sec-user-agent* string | +--rw packet-security-ddos-condition | +--rw pkt-sec-alert-rate? uint32 + | | +--rw packet-payload-condition + | | | +--rw packet-payload-description? string + | | | +--rw pkt-payload-content* string + | | +--rw acl-number* uint32 + | | +--rw application-condition + | | | +--rw application-description? string + | | | +--rw application-object* string + | | | +--rw application-group* string + | | | +--rw application-label* string + | | | +--rw category + | | | +--rw application-category* + [name application-subcategory] + | | | +--rw name string + | | | +--rw application-subcategory string + | | +--rw target-condition + | | | +--rw target-description? string + | | | +--rw device-sec-context-cond + | | | +--rw target-device* identityref + | | +--rw users-condition + | | | +--rw users-description? string + | | | +--rw user + | | | | +--rw (user-name)? + | | | | +--:(tenant) + | | | | | +--rw tenant uint8 + | | | | +--:(vn-id) + | | | | +--rw vn-id uint8 + | | | +--rw group + | | | | +--rw (group-name)? + | | | | +--:(tenant) + | | | | | +--rw tenant uint8 + | | | | +--:(vn-id) + | | | | +--rw vn-id uint8 + | | | +--rw security-grup string + | | +--rw url-category-condition + | | | +--rw url-category-description? string + | | | +--rw pre-defined-category* string + | | | +--rw user-defined-category* string + | | +--rw context-condition + | | | +--rw context-description? string + | | +--rw gen-context-condition + | | +--rw gen-context-description? string + | | +--rw geographic-location + | | +--rw src-geographic-location* uint32 + | | +--rw dest-geographic-location* uint32 +--rw action-clause-container ... Figure 3: YANG Tree Diagram for Network Security Policy This YANG tree diagram shows an condition clause of I2NSF security policy rule for generic network security functions. A condition clause is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions @@ -562,21 +619,21 @@ according to specific vendor action features. The action clause is described in detail in [i2nsf-nsf-cap-im]. 5. YANG Data Module 5.1. I2NSF NSF-Facing Interface YANG Data Module This section introduces an YANG data module for configuration of security policy rules on network security functions. - file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2019-03-24.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix iiprfn; import ietf-inet-types{ prefix inet; @@ -620,21 +677,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices."; - revision "2019-03-11"{ + revision "2019-03-24"{ description "Initial revision."; reference "RFC XXXX: I2NSF Network Security Function-Facing Interface YANG Data Model"; } /* * Identities */ @@ -1835,20 +1893,64 @@ identity multiple-interfaces-satisfy-query { base icmp-type; description "Identity for multiple interfaces satisfy query in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } + identity target-device { + description + "Base identity for target devices"; + reference + "draft-ietf-i2nsf-capability-04: Information Model + of NSFs Capabilities"; + } + + identity pc { + base target-device; + description + "Identity for pc"; + } + + identity mobile-phone { + base target-device; + description + "Identity for mobile-phone"; + } + + identity voip-volte-phone { + base target-device; + description + "Identity for voip-volte-phone"; + } + + identity tablet { + base target-device; + description + "Identity for tablet"; + } + + identity iot { + base target-device; + description + "Identity for IoT"; + } + + identity vehicle { + base target-device; + description + "Identity for vehicle"; + } + identity content-security-control { description "Base identity for content security control"; reference "RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities"; } @@ -2614,20 +2726,45 @@ numeric value which can range from 1 till 255."; } leaf rule-enable { type boolean; description "True is enable. False is not enbale."; } + leaf session-aging-time { + type uint16; + description + "This is session aging time."; + } + + container long-connection { + description + "This is long-connection"; + + leaf enable { + type boolean; + description + "True is enable. + False is not enbale."; + } + + leaf during { + type uint16; + description + "This is during time."; + } + + } + container time-zone { description "Time zone when the rules are applied"; container absolute-time-zone { description "Rule execution according to absolute time"; leaf start-time { type start-time-type; default right-away; @@ -2772,20 +2910,26 @@ container packet-security-ipv4-condition { description "The purpose of this container is to represent IPv4 packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 791: Internet Protocol"; + leaf ipv4-description { + type string; + description + "This is description for ipv4 condition."; + } + container pkt-sec-ipv4-header-length { choice match-type { description "There are two types to configure a security policy for IPv4 header length, such as exact match and range match."; case exact-match { leaf-list ipv4-header-length { type uint8 { range "5..15"; @@ -3042,20 +3185,26 @@ container packet-security-ipv6-condition { description "The purpose of this container is to represent IPv6 packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification"; + leaf ipv6-description { + type string; + description + "This is description for ipv6 condition."; + } + leaf-list pkt-sec-ipv6-traffic-class { type identityref { base traffic-class; } description "The security policy rule according to IPv6 traffic class."; reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification - Traffic class"; @@ -3221,20 +3371,26 @@ container packet-security-tcp-condition { description "The purpose of this container is to represent TCP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 793: Transmission Control Protocol"; + leaf tcp-description { + type string; + description + "This is description for tcp condition."; + } + container pkt-sec-tcp-src-port-num { uses pkt-sec-port-number; description "The security policy rule according to tcp source port number."; reference "RFC 793: Transmission Control Protocol - Port number"; } @@ -3382,20 +3540,26 @@ container packet-security-udp-condition { description "The purpose of this container is to represent UDP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 793: Transmission Control Protocol"; + leaf udp-description { + type string; + description + "This is description for udp condition."; + } + container pkt-sec-udp-src-port-num { uses pkt-sec-port-number; description "The security policy rule according to udp source port number."; reference "RFC 793: Transmission Control Protocol - Port number"; } @@ -3452,37 +3616,49 @@ container packet-security-icmp-condition { description "The purpose of this container is to represent ICMP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; + leaf icmp-description { + type string; + description + "This is description for icmp condition."; + } + leaf-list pkt-sec-icmp-type-and-code { type identityref { base icmp-type; } description "The security policy rule according to ICMP parameters."; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } } container packet-security-http-condition { description "Condition for http."; + leaf http-description { + type string; + description + "This is description for http condition."; + } + leaf-list pkt-sec-uri-content { type string; description "The security policy rule according to uri content."; } leaf-list pkt-sec-url-content { type string; description @@ -3499,20 +3676,26 @@ security rules controlled by a centralized server for VoIP/VoLTE security service (called VoIP IPS). The VoIP/VoLTE security system controls each switch for the VoIP/VoLTE call flow management by manipulating the rules that can be added, deleted, or modified dynamically."; reference "RFC 3261: SIP: Session Initiation Protocol"; + leaf voice-description { + type string; + description + "This is description for voice condition."; + } + leaf-list pkt-sec-src-voice-id { type string; description "The security policy rule according to a source voice ID for VoIP and VoLTE."; } leaf-list pkt-sec-dest-voice-id { type string; description @@ -3519,36 +3702,312 @@ "The security policy rule according to a destination voice ID for VoIP and VoLTE."; } leaf-list pkt-sec-user-agent { type string; description "The security policy rule according to an user agent for VoIP and VoLTE."; } - } container packet-security-ddos-condition { description "Condition for DDoS attack."; + leaf ddos-description { + type string; + description + "This is description for ddos condition."; + } + leaf pkt-sec-alert-rate { type uint32; description "The alert rate of flood detect for same packets."; } } + + container packet-payload-condition { + description + "Condition for packet payload"; + leaf packet-payload-description { + type string; + description + "This is description for payload condition. + Vendors can write instructions for payload condition + that vendor made"; + } + leaf-list pkt-payload-content { + type string; + description + "The content keyword is very important in + signatures. Between the quotation marks you + can write on what you would like the + signature to match."; + } + } + + leaf-list acl-number { + type uint32; + description + "This is acl-number."; } + container application-condition { + description + "Condition for application"; + leaf application-description { + type string; + description + "This is description for application condition."; + } + leaf-list application-object { + type string; + description + "This is application object."; + } + leaf-list application-group { + type string; + description + "This is application group."; + } + leaf-list application-label { + type string; + description + "This is application label."; + } + container category { + description + "This is application category"; + list application-category { + key "name application-subcategory"; + description + "This is application category list"; + leaf name { + type string; + description + "This is name for application category."; + } + leaf application-subcategory { + type string; + description + "This is application subcategory."; + } + } + } + } + + container target-condition { + description + "Condition for target"; + leaf target-description { + type string; + description + "This is description for target condition. + Vendors can write instructions for target condition + that vendor made"; + } + container device-sec-context-cond { + description + "The device attribute that can identify a device, + including the device type (i.e., router, switch, + pc, ios, or android) and the device's owner as + well."; + + leaf-list target-device { + type identityref { + base target-device; + } + description + "Leaf list for target devices"; + } + } + } + container users-condition { + description + "Condition for users"; + leaf users-description { + type string; + description + "This is description for user condition. + Vendors can write instructions for user condition + that vendor made"; + } + container user{ + description + "The user (or user group) information with which + network flow is associated: The user has many + attributes such as name, id, password, type, + authentication mode and so on. Name/id is often + used in the security policy to identify the user. + Besides, NSF is aware of the IP address of the + user provided by a unified user management system + via network. Based on name-address association, + NSF is able to enforce the security functions + over the given user (or user group)"; + + choice user-name { + description + "The name of the user. + This must be unique."; + + case tenant { + description + "Tenant information."; + + leaf tenant { + type uint8; + mandatory true; + description + "User's tenant information."; + } + } + + case vn-id { + description + "VN-ID information."; + + leaf vn-id { + type uint8; + mandatory true; + description + "User's VN-ID information."; + } + } + } + } + container group { + description + "The user (or user group) information with which + network flow is associated: The user has many + attributes such as name, id, password, type, + authentication mode and so on. Name/id is often + used in the security policy to identify the user. + Besides, NSF is aware of the IP address of the + user provided by a unified user management system + via network. Based on name-address association, + NSF is able to enforce the security functions + over the given user (or user group)"; + + choice group-name { + description + "The name of the user. + This must be unique."; + + case tenant { + description + "Tenant information."; + + leaf tenant { + type uint8; + mandatory true; + description + "User's tenant information."; + + } + } + + case vn-id { + description + "VN-ID information."; + + leaf vn-id { + type uint8; + mandatory true; + description + "User's VN-ID information."; + } + } + } + } + leaf security-grup { + type string; + mandatory true; + description + "security-grup."; + } + } + + container url-category-condition { + description + "Condition for url category"; + leaf url-category-description { + type string; + description + "This is description for url category condition. + Vendors can write instructions for context condition + that vendor made"; + } + + leaf-list pre-defined-category { + type string; + description + "This is pre-defined-category."; + } + leaf-list user-defined-category { + type string; + description + "This user-defined-category."; + } + } + + container context-condition { + description + "Condition for context"; + leaf context-description { + type string; + description + "This is description for context condition. + Vendors can write instructions for context condition + that vendor made"; + } + } + + container gen-context-condition { + description + "Condition for generic context"; + leaf gen-context-description { + type string; + description + "This is description for generic context condition. + Vendors can write instructions for generic context + condition that vendor made"; + } + + container geographic-location { + description + "The location where network traffic is associated + with. The region can be the geographic location + such as country, province, and city, + as well as the logical network location such as + IP address, network section, and network domain."; + + leaf-list src-geographic-location { + type uint32; + description + "This is mapped to ip address. We can acquire + source region through ip address stored in the + database."; + } + leaf-list dest-geographic-location { + type uint32; + description + "This is mapped to ip address. We can acquire + destination region through ip address stored + in the database."; + } + } + } + } container action-clause-container { description "An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. Examples of I2NSF Actions include providing intrusion detection and/or protection, web and flow filtering, and deep packet inspection for packets and flows."; reference @@ -3630,26 +4091,69 @@ description "The Profile is divided into content security control and attack-mitigation-control. Attack mitigation control: syn flood, udp flood, icmp flood, ip frag flood, ipv6 related, http flood, https flood, dns flood, dns amp flood, ssl ddos, ip sweep, port scanning, ping of death, teardrop, oversized icmp, tracert."; } } + + } + } + container rule-group { + description + "This is rule group"; + + list groups { + key "group-name"; + description + "This is a group for rules"; + + leaf group-name { + type string; + description + "This is a group for rules"; + } + + container rule-range { + description + "This is a rule range."; + + leaf start-rule { + type string; + description + "This is a start rule"; + } + leaf end-rule { + type string; + description + "This is a end rule"; + } + } + leaf enable { + type boolean; + description + "This is enable + False is not enable."; + } + leaf description { + type string; + description + "This is a desription for rule-group"; + } } } } } } - Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface 6. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf @@ -3679,33 +4183,31 @@ transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required transport secure transport is TLS [RFC8446]. The NETCONF access control model [RFC8341] provides a means of restricting access to specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. 8. References - 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the - Network Configuration Protocol (NETCONF)", RFC 6020, - October 2010. + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . - [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG - Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, - January 2011, . + [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for + the Network Configuration Protocol (NETCONF)", RFC 6020, + DOI 10.17487/RFC6020, October 2010, + . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . @@ -3720,70 +4222,71 @@ [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security - Functions", RFC 8329, February 2018. + Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, + . [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, . [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, . [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, - S., and N. Bahadur, "A YANG Data Model for Routing - Information Base (RIB)", RFC RFC8431, September 2018. + S., and N. Bahadur, "A YANG Data Model for the Routing + Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, + September 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . 8.2. Informative References [i2nsf-advanced-nsf-dm] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. [i2nsf-nsf-cap-dm] Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- - capability-data-model-02 (work in progress), November - 2018. + capability-data-model-03 (work in progress), March 2019. [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-04 (work in progress), October 2018. [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. Appendix A. Configuration Examples This section shows configuration examples of "ietf-i2nsf-policy-rule- for-nsf" module for security policy rules of network security devices. For security requirements, we assume that the NSFs (i.e., - General firewall, Time based firewall, Web filter, VoIP/VoLTE filter - http and https flood mitigation ) described in Appendix A. + General firewall, Time based firewall, URL filter, VoIP/VoLTE filter, + and http and https flood mitigation ) described in Appendix A. Configuration Examples of [i2nsf-nsf-cap-dm] are registered in I2NSF framework. With the registed NSFs, we show configuration examples for security policy rules of network security functions according to the following three security requirements: (i) Block SNS access during business hours, (ii) Block malicious VoIP/VoLTE packets coming to the company, and (iii) Mitigate http and https flood attacks on company web server. A.1. Security Requirement 1: Block SNS Access during Business Hours @@ -3822,21 +4325,21 @@ Figure 6: Configuration XML for Time based Firewall to Block SNS Access during Business Hours sns_access - block_facebook_and_instgram + block_sns_access_during_operation_time facebook instagram drop @@ -3891,21 +4394,21 @@ to the Company This section shows a configuration example for blocking malicious VoIP/VoLTE packets coming to the company. voip_volte_inspection - block_malicious_voip_volte_packets + block_malicious_voice_id 221.159.112.1 221.159.112.90 @@ -3923,21 +4426,21 @@ Figure 8: Configuration XML for General Firewall to Block Malicious VoIP/VoLTE Packets Coming to the Company - malicious_voice_id + voip_volte_inspection block_malicious_voice_id 11111@voip.black.com 22222@voip.black.com @@ -4028,24 +4531,23 @@ Figure 10: Configuration XML for General Firewall to Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server - http_and_https_flood_attack_mitigation - + flood_attack_mitigation - 100_per_second + mitigate_http_and_https_flood_attack 100 drop @@ -4092,43 +4594,31 @@ http_and_https_flood_attack_mitigation. 2. The name of the rule is 100_per_second. 3. The rule controls the http and https packets according to the amount of incoming packets. 4. If the incoming packets match the rules above, the packets are blocked. -Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02 +Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-03 The following changes are made from draft-ietf-i2nsf-nsf-facing- - interface-dm-03: - - o We revised this YANG data module according to guidelines for - authors and reviewers of YANG data model documents [RFC6087]. - - o We changed the structure of the overall YANG data model. - - o We added exact-range type as well as range-based type for the - range policy rules. - - o We changed enumeration type to identity type for scalable - components. - - o We added a description for the YANG tree diagram of the YANG data - module. + interface-dm-04: - o We revised overall sentences of this YANG data model document. + o We added fields for a rule (e.g., rule session aging time, rule + long connection, and rule group). - o We added configuration examples to make it easier for reviewers to - understand. + o We added fields for a condition (e.g., payload, acl number, + application, target, users, url category, context, and generic + context) Appendix C. Acknowledgments This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). Appendix D. Contributors