draft-ietf-i2nsf-nsf-facing-interface-dm-04.txt vs. draft-ietf-i2nsf-nsf-facing-interface-dm-05.txt

I2NSF Working Group                                           J. Kim
Internet-Draft                                              J. Jeong
Intended status: Standards Track             Sungkyunkwan University
Expires: September 25, 2019 (dm-04)                          J. Park
         September 29, 2019 (dm-05)                             ETRI
                                                            S. Hares
                                                              Q. Lin
                                                              Huawei
                                   March 24, 2019 (dm-04)
                                   March 28, 2019 (dm-05)

I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-04 / draft-ietf-i2nsf-nsf-facing-interface-dm-05
Abstract

This document defines a YANG data model for configuring security
policy rules on network security functions. The YANG data model in
this document corresponds to the information model for the Network
Security Functions (NSF)-Facing Interface in Interface to Network
Security Functions (I2NSF).
Status of This Memo

[unchanged text omitted]

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 25, 2019 (dm-04) /
September 29, 2019 (dm-05).
Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

[unchanged text omitted]

to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1. Introduction
2. Requirements Language
3. Terminology
   3.1. Tree Diagrams
4. YANG Tree Diagram
   4.1. General I2NSF Security Policy Rule
   4.2. Event Clause
   4.3. Condition Clause
   4.4. Action Clause
   4.5. I2NSF Internet Key Exchange (new in dm-05)
5. YANG Data Module
   5.1. I2NSF NSF-Facing Interface YANG Data Module
6. IANA Considerations
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. Configuration Examples
   A.1. Security Requirement 1: Block SNS Access during Business Hours
   A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets
        Coming to the Company
   A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks
        on a Company Web Server
Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-03
        (in dm-04) / from draft-ietf-i2nsf-nsf-facing-interface-dm-04
        (in dm-05)
Appendix C. Acknowledgments
Appendix D. Contributors
Authors' Addresses
1. Introduction

This document defines a YANG [RFC6020][RFC7950] data model for
security policy rule configuration of network security devices. The
YANG data model corresponds to the information model
[i2nsf-nsf-cap-im] for the Network Security Functions (NSF)-Facing
Interface in Interface to Network Security Functions (I2NSF). The
YANG data model in this document focuses on security policy
configuration for generic network security functions. Note that

[unchanged text omitted]

o An action clause of generic network security function.
4.1. General I2NSF Security Policy Rule

This section shows the YANG tree diagram for a general I2NSF security
policy rule.
module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
  |  +--rw system-policy* [system-policy-name]
  |     +--rw system-policy-name          string
  |     +--rw priority-usage?             identityref
  |     +--rw resolution-strategy?        identityref
  |     +--rw default-action?             identityref
  |     +--rw rules* [rule-name]
  |     |  +--rw rule-name                  string
  |     |  +--rw rule-description?          string
  |     |  +--rw rule-priority?             uint8
  |     |  +--rw rule-enable?               boolean
  |     |  +--rw rule-session-aging-time?   uint16
  |     |  +--rw rule-long-connection
  |     |  |  +--rw enable?   boolean
  |     |  |  +--rw during?   uint16
  |     |  +--rw time-zone
  |     |  |  +--rw absolute-time-zone
  |     |  |  |  +--rw start-time?   start-time-type
  |     |  |  |  +--rw end-time?     end-time-type
  |     |  |  +--rw periodic-time-zone
  |     |  |     +--rw day
  |     |  |     |  +--rw every-day?       boolean
  |     |  |     |  +--rw specific-day*    day-type
  |     |  |     +--rw month
  |     |  |        +--rw every-month?     boolean
  |     |  |        +--rw specific-month*  month-type
  |     |  +--rw event-clause-container
  |     |  |  ...
  |     |  +--rw condition-clause-container
  |     |  |  ...
  |     |  +--rw action-clause-container
  |     |     ...
  |     +--rw rule-group
  |        +--rw groups* [group-name]
  |           +--rw group-name     string
  |           +--rw rule-range
  |           |  +--rw start-rule?   string
  |           |  +--rw end-rule?     string
  |           +--rw enable?        boolean
  |           +--rw description?   string
  +--rw i2nsf-ipsec
     ...

Figure 1: YANG Tree Diagram for Network Security Policy

(Tree as of dm-05. The dm-04 tree is identical except that it has no
description? leaf under groups and no i2nsf-ipsec container beside
i2nsf-security-policy.)
This YANG tree diagram shows a general I2NSF security policy rule for
generic network security functions.

The system policy represents that there can be multiple system policies
in one NSF, and each system policy is used by one virtual instance of
the NSF/device. The system policy includes system policy name,
priority usage, resolution strategy, default action, and rules.

[unchanged text omitted]

enable, time zone, event clause container, condition clause
container, and action clause container.
4.2. Event Clause

This section shows the YANG tree diagram for an event clause of an
I2NSF security policy rule.
module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
  |  +--rw system-policy* [system-policy-name]
  |     ...
  |     +--rw rules* [rule-name]
  |     |  ...
  |     |  +--rw event-clause-container
  |     |  |  +--rw event-clause-description?   string
  |     |  |  +--rw event-clauses
  |     |  |     +--rw system-event*   identityref
  |     |  |     +--rw system-alarm*   identityref
  |     |  +--rw condition-clause-container
  |     |  |  ...
  |     |  +--rw action-clause-container
  |     |     ...
  |     +--rw rule-group
  |        ...
  +--rw i2nsf-ipsec
     ...

Figure 2: YANG Tree Diagram for an Event Clause

(Tree as of dm-05; dm-04 has no i2nsf-ipsec container and captions
this figure "YANG Tree Diagram for Network Security Policy".)
This YANG tree diagram shows an event clause of an I2NSF security policy
rule for generic network security functions. An event clause is any
important occurrence in time of a change in the system being managed,
and/or in the environment of the system being managed. An event
clause is used to trigger the evaluation of the condition clause of
the I2NSF Policy Rule. The event clause is defined as system event
and system alarm. The event clause can be extended according to
specific vendor event features. The event clause is described in
detail in [i2nsf-nsf-cap-im].
4.3. Condition Clause

This section shows the YANG tree diagram for a condition clause of an
I2NSF security policy rule.
Tree as of dm-05:

module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy
| ...
| +--rw rules* [rule-name]
| | ...
| | +--rw event-clause-container
| | | ...
| | +--rw condition-clause-container
| | | +--rw condition-clause-description? string
| | | +--rw packet-security-ipv4-condition
| | | | +--rw ipv4-description? string
| | | | +--rw pkt-sec-ipv4-header-length
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-header-length* uint8
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-header-length*
[start-ipv4-header-length end-ipv4-header-length]
| | | | | +--rw start-ipv4-header-length uint8
| | | | | +--rw end-ipv4-header-length uint8
| | | | +--rw pkt-sec-ipv4-tos* identityref
| | | | +--rw pkt-sec-ipv4-total-length
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-total-length* uint16
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-total-length*
[start-ipv4-total-length end-ipv4-total-length]
| | | | | +--rw start-ipv4-total-length uint16
| | | | | +--rw end-ipv4-total-length uint16
| | | | +--rw pkt-sec-ipv4-id* uint16
| | | | +--rw pkt-sec-ipv4-fragment-flags* identityref
| | | | +--rw pkt-sec-ipv4-fragment-offset
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-fragment-offset* uint16
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-fragment-offset*
[start-ipv4-fragment-offset end-ipv4-fragment-offset]
| | | | | +--rw start-ipv4-fragment-offset uint16
| | | | | +--rw end-ipv4-fragment-offset uint16
| | | | +--rw pkt-sec-ipv4-ttl
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-ttl* uint8
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-ttl*
[start-ipv4-ttl end-ipv4-ttl]
| | | | | +--rw start-ipv4-ttl uint8
| | | | | +--rw end-ipv4-ttl uint8
| | | | +--rw pkt-sec-ipv4-protocol* identityref
| | | | +--rw pkt-sec-ipv4-src
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-address* [ipv4]
| | | | | | +--rw ipv4 inet:ipv4-address
| | | | | | +--rw (subnet)?
| | | | | | +--:(prefix-length)
| | | | | | | +--rw prefix-length? uint8
| | | | | | +--:(netmask)
| | | | | | +--rw netmask? yang:dotted-quad
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-address*
[start-ipv4-address end-ipv4-address]
| | | | | +--rw start-ipv4-address inet:ipv4-address
| | | | | +--rw end-ipv4-address inet:ipv4-address
| | | | +--rw pkt-sec-ipv4-dest
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv4-address* [ipv4]
| | | | | | +--rw ipv4 inet:ipv4-address
| | | | | | +--rw (subnet)?
| | | | | | +--:(prefix-length)
| | | | | | | +--rw prefix-length? uint8
| | | | | | +--:(netmask)
| | | | | | +--rw netmask? yang:dotted-quad
| | | | | +--:(range-match)
| | | | | +--rw range-ipv4-address*
[start-ipv4-address end-ipv4-address]
| | | | | +--rw start-ipv4-address inet:ipv4-address
| | | | | +--rw end-ipv4-address inet:ipv4-address
| | | | +--rw pkt-sec-ipv4-ipopts* identityref
| | | | +--rw pkt-sec-ipv4-sameip? boolean
| | | | +--rw pkt-sec-ipv4-geoip* string
| | | +--rw packet-security-ipv6-condition
| | | | +--rw ipv6-description? string
| | | | +--rw pkt-sec-ipv6-traffic-class* identityref
| | | | +--rw pkt-sec-ipv6-flow-label
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv6-flow-label* uint32
| | | | | +--:(range-match)
| | | | | +--rw range-ipv6-flow-label*
[start-ipv6-flow-label end-ipv6-flow-label]
| | | | | +--rw start-ipv6-flow-label uint32
| | | | | +--rw end-ipv6-flow-label uint32
| | | | +--rw pkt-sec-ipv6-payload-length
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv6-payload-length* uint16
| | | | | +--:(range-match)
| | | | | +--rw range-ipv6-payload-length*
[start-ipv6-payload-length end-ipv6-payload-length]
| | | | | +--rw start-ipv6-payload-length uint16
| | | | | +--rw end-ipv6-payload-length uint16
| | | | +--rw pkt-sec-ipv6-next-header* identityref
| | | | +--rw pkt-sec-ipv6-hop-limit
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv6-hop-limit* uint8
| | | | | +--:(range-match)
| | | | | +--rw range-ipv6-hop-limit*
[start-ipv6-hop-limit end-ipv6-hop-limit]
| | | | | +--rw start-ipv6-hop-limit uint8
| | | | | +--rw end-ipv6-hop-limit uint8
| | | | +--rw pkt-sec-ipv6-src
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw ipv6-address* [ipv6]
| | | | | | +--rw ipv6 inet:ipv6-address
| | | | | | +--rw prefix-length? uint8
| | | | | +--:(range-match)
| | | | | +--rw range-ipv6-address*
[start-ipv6-address end-ipv6-address]
| | | | | +--rw start-ipv6-address inet:ipv6-address
| | | | | +--rw end-ipv6-address inet:ipv6-address
| | | | +--rw pkt-sec-ipv6-dest
| | | | +--rw (match-type)?
| | | | +--:(exact-match)
| | | | | +--rw ipv6-address* [ipv6]
| | | | | +--rw ipv6 inet:ipv6-address
| | | | | +--rw prefix-length? uint8
| | | | +--:(range-match)
| | | | +--rw range-ipv6-address*
[start-ipv6-address end-ipv6-address]
| | | | +--rw start-ipv6-address inet:ipv6-address
| | | | +--rw end-ipv6-address inet:ipv6-address
| | | +--rw packet-security-tcp-condition
| | | | +--rw tcp-description? string
| | | | +--rw pkt-sec-tcp-src-port-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw port-num* inet:port-number
| | | | | +--:(range-match)
| | | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | | +--rw start-port-num inet:port-number
| | | | | +--rw end-port-num inet:port-number
| | | | +--rw pkt-sec-tcp-dest-port-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw port-num* inet:port-number
| | | | | +--:(range-match)
| | | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | | +--rw start-port-num inet:port-number
| | | | | +--rw end-port-num inet:port-number
| | | | +--rw pkt-sec-tcp-seq-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw tcp-seq-num* uint32
| | | | | +--:(range-match)
| | | | | +--rw range-tcp-seq-num*
[start-tcp-seq-num end-tcp-seq-num]
| | | | | +--rw start-tcp-seq-num uint32
| | | | | +--rw end-tcp-seq-num uint32
| | | | +--rw pkt-sec-tcp-ack-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw tcp-ack-num* uint32
| | | | | +--:(range-match)
| | | | | +--rw range-tcp-ack-num*
[start-tcp-ack-num end-tcp-ack-num]
| | | | | +--rw start-tcp-ack-num uint32
| | | | | +--rw end-tcp-ack-num uint32
| | | | +--rw pkt-sec-tcp-window-size
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw tcp-window-size* uint16
| | | | | +--:(range-match)
| | | | | +--rw range-tcp-window-size*
[start-tcp-window-size end-tcp-window-size]
| | | | | +--rw start-tcp-window-size uint16
| | | | | +--rw end-tcp-window-size uint16
| | | | +--rw pkt-sec-tcp-flags* identityref
| | | +--rw packet-security-udp-condition
| | | | +--rw udp-description? string
| | | | +--rw pkt-sec-udp-src-port-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw port-num* inet:port-number
| | | | | +--:(range-match)
| | | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | | +--rw start-port-num inet:port-number
| | | | | +--rw end-port-num inet:port-number
| | | | +--rw pkt-sec-udp-dest-port-num
| | | | | +--rw (match-type)?
| | | | | +--:(exact-match)
| | | | | | +--rw port-num* inet:port-number
| | | | | +--:(range-match)
| | | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | | +--rw start-port-num inet:port-number
| | | | | +--rw end-port-num inet:port-number
| | | | +--rw pkt-sec-udp-total-length
| | | | +--rw (match-type)?
| | | | +--:(exact-match)
| | | | | +--rw udp-total-length* uint32
| | | | +--:(range-match)
| | | | +--rw range-udp-total-length*
[start-udp-total-length end-udp-total-length]
| | | | +--rw start-udp-total-length uint32
| | | | +--rw end-udp-total-length uint32
| | | +--rw packet-security-icmp-condition
| | | | +--rw icmp-description? string
| | | | +--rw pkt-sec-icmp-type-and-code* identityref
| | | +--rw packet-security-url-category-condition
| | | | +--rw url-category-description? string
| | | | +--rw pre-defined-category* string
| | | | +--rw user-defined-category* string
| | | +--rw packet-security-voice-condition
| | | | +--rw voice-description? string
| | | | +--rw pkt-sec-src-voice-id* string
| | | | +--rw pkt-sec-dest-voice-id* string
| | | | +--rw pkt-sec-user-agent* string
| | | +--rw packet-security-ddos-condition
| | | | +--rw ddos-description? string
| | | | +--rw pkt-sec-alert-rate? uint32
| | | +--rw packet-security-payload-condition
| | | | +--rw packet-payload-description? string
| | | | +--rw pkt-payload-content* string
| | | +--rw context-condition
| | | +--rw context-description? string
| | | +--rw acl-number* uint32
| | | +--rw application-condition
| | | | +--rw application-description? string
| | | | +--rw application-object* string
| | | | +--rw application-group* string
| | | | +--rw application-label* string
| | | | +--rw category
| | | | +--rw application-category*
[name application-subcategory]
| | | | +--rw name string
| | | | +--rw application-subcategory string
| | | +--rw target-condition
| | | | +--rw target-description? string
| | | | +--rw device-sec-context-cond
| | | | +--rw target-device* identityref
| | | +--rw users-condition
| | | | +--rw users-description? string
| | | | +--rw user
| | | | | +--rw (user-name)?
| | | | | +--:(tenant)
| | | | | | +--rw tenant uint8
| | | | | +--:(vn-id)
| | | | | +--rw vn-id uint8
| | | | +--rw group
| | | | | +--rw (group-name)?
| | | | | +--:(tenant)
| | | | | | +--rw tenant uint8
| | | | | +--:(vn-id)
| | | | | +--rw vn-id uint8
| | | | +--rw security-grup string
| | | +--rw gen-context-condition
| | | +--rw gen-context-description? string
| | | +--rw geographic-location
| | | +--rw src-geographic-location* uint32
| | | +--rw dest-geographic-location* uint32
| | +--rw action-clause-container
| | ...
| +--rw rule-group
| ...
+--rw i2nsf-ipsec
...

Tree as of dm-04 (for comparison):

module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy
...
+--rw rules* [rule-name]
...
+--rw event-clause-container
| ...
+--rw condition-clause-container
| +--rw condition-clause-description? string
| +--rw packet-security-ipv4-condition
| | +--rw pkt-sec-ipv4-header-length
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4-header-length* uint8
| | | +--:(range-match)
| | | +--rw range-ipv4-header-length*
[start-ipv4-header-length end-ipv4-header-length]
| | | +--rw start-ipv4-header-length uint8
| | | +--rw end-ipv4-header-length uint8
| | +--rw pkt-sec-ipv4-tos* identityref
| | +--rw pkt-sec-ipv4-total-length
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4-total-length* uint16
| | | +--:(range-match)
| | | +--rw range-ipv4-total-length*
[start-ipv4-total-length end-ipv4-total-length]
| | | +--rw start-ipv4-total-length uint16
| | | +--rw end-ipv4-total-length uint16
| | +--rw pkt-sec-ipv4-id* uint16
| | +--rw pkt-sec-ipv4-fragment-flags* identityref
| | +--rw pkt-sec-ipv4-fragment-offset
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4-fragment-offset* uint16
| | | +--:(range-match)
| | | +--rw range-ipv4-fragment-offset*
[start-ipv4-fragment-offset end-ipv4-fragment-offset]
| | | +--rw start-ipv4-fragment-offset uint16
| | | +--rw end-ipv4-fragment-offset uint16
| | +--rw pkt-sec-ipv4-ttl
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4-ttl* uint8
| | | +--:(range-match)
| | | +--rw range-ipv4-ttl*
[start-ipv4-ttl end-ipv4-ttl]
| | | +--rw start-ipv4-ttl uint8
| | | +--rw end-ipv4-ttl uint8
| | +--rw pkt-sec-ipv4-protocol* identityref
| | +--rw pkt-sec-ipv4-src
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4-address* [ipv4]
| | | | +--rw ipv4 inet:ipv4-address
| | | | +--rw (subnet)?
| | | | +--:(prefix-length)
| | | | | +--rw prefix-length? uint8
| | | | +--:(netmask)
| | | | +--rw netmask? yang:dotted-quad
| | | +--:(range-match)
| | | +--rw range-ipv4-address*
[start-ipv4-address end-ipv4-address]
| | | +--rw start-ipv4-address inet:ipv4-address
| | | +--rw end-ipv4-address inet:ipv4-address
| | +--rw pkt-sec-ipv4-dest
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv4
| | | | +--rw ipv4-address* [ipv4]
| | | | +--rw ipv4 inet:ipv4-address
| | | | +--rw (subnet)?
| | | | +--:(prefix-length)
| | | | | +--rw prefix-length? uint8
| | | | +--:(netmask)
| | | | +--rw netmask? yang:dotted-quad
| | | +--:(range-match)
| | | +--rw range-ipv4-address*
[start-ipv4-address end-ipv4-address]
| | | +--rw start-ipv4-address inet:ipv4-address
| | | +--rw end-ipv4-address inet:ipv4-address
| | +--rw pkt-sec-ipv4-ipopts* identityref
| | +--rw pkt-sec-ipv4-sameip? boolean
| | +--rw pkt-sec-ipv4-geoip* string
| +--rw packet-security-ipv6-condition
| | +--rw pkt-sec-ipv6-traffic-class* identityref
| | +--rw pkt-sec-ipv6-flow-label
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv6-flow-label* uint32
| | | +--:(range-match)
| | | +--rw range-ipv6-flow-label*
[start-ipv6-flow-label end-ipv6-flow-label]
| | | +--rw start-ipv6-flow-label uint32
| | | +--rw end-ipv6-flow-label uint32
| | +--rw pkt-sec-ipv6-payload-length
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv6-payload-length* uint16
| | | +--:(range-match)
| | | +--rw range-ipv6-payload-length*
[start-ipv6-payload-length end-ipv6-payload-length]
| | | +--rw start-ipv6-payload-length uint16
| | | +--rw end-ipv6-payload-length uint16
| | +--rw pkt-sec-ipv6-next-header* identityref
| | +--rw pkt-sec-ipv6-hop-limit
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv6-hop-limit* uint8
| | | +--:(range-match)
| | | +--rw range-ipv6-hop-limit*
[start-ipv6-hop-limit end-ipv6-hop-limit]
| | | +--rw start-ipv6-hop-limit uint8
| | | +--rw end-ipv6-hop-limit uint8
| | +--rw pkt-sec-ipv6-src
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw ipv6
| | | | +--rw ipv6-address* [ipv6]
| | | | +--rw ipv6 inet:ipv6-address
| | | | +--rw prefix-length? uint8
| | | +--:(range-match)
| | | +--rw range-ipv6-address*
[start-ipv6-address end-ipv6-address]
| | | +--rw start-ipv6-address inet:ipv6-address
| | | +--rw end-ipv6-address inet:ipv6-address
| | +--rw pkt-sec-ipv6-dest
| | +--rw (match-type)?
| | +--:(exact-match)
| | | +--rw ipv6-address* [ipv6]
| | | +--rw ipv6 inet:ipv6-address
| | | +--rw prefix-length? uint8
| | +--:(range-match)
| | +--rw range-ipv6-address*
[start-ipv6-address end-ipv6-address]
| | +--rw start-ipv6-address inet:ipv6-address
| | +--rw end-ipv6-address inet:ipv6-address
| +--rw packet-security-tcp-condition
| | +--rw pkt-sec-tcp-src-port-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw port-num* inet:port-number
| | | +--:(range-match)
| | | +--rw range-port-num*
[start-port-num end-port-num]
| | | +--rw start-port-num inet:port-number
| | | +--rw end-port-num inet:port-number
| | +--rw pkt-sec-tcp-dest-port-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw port-num* inet:port-number
| | | +--:(range-match)
| | | +--rw range-port-num*
[start-port-num end-port-num]
| | | +--rw start-port-num inet:port-number
| | | +--rw end-port-num inet:port-number
| | +--rw pkt-sec-tcp-seq-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw tcp-seq-num* uint32
| | | +--:(range-match)
| | | +--rw range-tcp-seq-num*
[start-tcp-seq-num end-tcp-seq-num]
| | | +--rw start-tcp-seq-num uint32
| | | +--rw end-tcp-seq-num uint32
| | +--rw pkt-sec-tcp-ack-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw tcp-ack-num* uint32
| | | +--:(range-match)
| | | +--rw range-tcp-ack-num*
[start-tcp-ack-num end-tcp-ack-num]
| | | +--rw start-tcp-ack-num uint32
| | | +--rw end-tcp-ack-num uint32
| | +--rw pkt-sec-tcp-window-size
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw tcp-window-size* uint16
| | | +--:(range-match)
| | | +--rw range-tcp-window-size*
[start-tcp-window-size end-tcp-window-size]
| | | +--rw start-tcp-window-size uint16
| | | +--rw end-tcp-window-size uint16
| | +--rw pkt-sec-tcp-flags* identityref
| +--rw packet-security-udp-condition
| | +--rw pkt-sec-udp-src-port-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw port-num* inet:port-number
| | | +--:(range-match)
| | | +--rw range-port-num*
[start-port-num end-port-num]
| | | +--rw start-port-num inet:port-number
| | | +--rw end-port-num inet:port-number
| | +--rw pkt-sec-udp-dest-port-num
| | | +--rw (match-type)?
| | | +--:(exact-match)
| | | | +--rw port-num* inet:port-number
| | | +--:(range-match)
| | | +--rw range-port-num*
[start-port-num end-port-num]
| | | +--rw start-port-num inet:port-number
| | | +--rw end-port-num inet:port-number
| | +--rw pkt-sec-udp-total-length
| | +--rw (match-type)?
| | +--:(exact-match)
| | | +--rw udp-total-length* uint32
| | +--:(range-match)
| | +--rw range-udp-total-length*
[start-udp-total-length end-udp-total-length]
| | +--rw start-udp-total-length uint32
| | +--rw end-udp-total-length uint32
| +--rw packet-security-icmp-condition
| | +--rw pkt-sec-icmp-type* identityref
| +--rw packet-security-http-condition
| | +--rw pkt-sec-uri-content* string
| | +--rw pkt-sec-url-content* string
| +--rw packet-security-voice-condition
| | +--rw pkt-sec-src-voice-id* string
| | +--rw pkt-sec-dest-voice-id* string
| | +--rw pkt-sec-user-agent* string
| +--rw packet-security-ddos-condition
| +--rw pkt-sec-alert-rate? uint32
| | +--rw packet-payload-condition
| | | +--rw packet-payload-description? string
| | | +--rw pkt-payload-content* string
| | +--rw acl-number* uint32
| | +--rw application-condition
| | | +--rw application-description? string
| | | +--rw application-object* string
| | | +--rw application-group* string
| | | +--rw application-label* string
| | | +--rw category
| | | +--rw application-category*
[name application-subcategory]
| | | +--rw name string
| | | +--rw application-subcategory string
| | +--rw target-condition
| | | +--rw target-description? string
| | | +--rw device-sec-context-cond
| | | +--rw target-device* identityref
| | +--rw users-condition
| | | +--rw users-description? string
| | | +--rw user
| | | | +--rw (user-name)?
| | | | +--:(tenant)
| | | | | +--rw tenant uint8
| | | | +--:(vn-id)
| | | | +--rw vn-id uint8
| | | +--rw group
| | | | +--rw (group-name)?
| | | | +--:(tenant)
| | | | | +--rw tenant uint8
| | | | +--:(vn-id)
| | | | +--rw vn-id uint8
| | | +--rw security-grup string
| | +--rw url-category-condition
| | | +--rw url-category-description? string
| | | +--rw pre-defined-category* string
| | | +--rw user-defined-category* string
| | +--rw context-condition
| | | +--rw context-description? string
| | +--rw gen-context-condition
| | +--rw gen-context-description? string
| | +--rw geographic-location
| | +--rw src-geographic-location* uint32
| | +--rw dest-geographic-location* uint32
+--rw action-clause-container
...
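Review bot: the draft-05 column of this tree does not match the draft-05 module in Section 5.1. The tree still lists packet-security-http-condition with pkt-sec-uri-content and pkt-sec-url-content, while the module renames that container to packet-security-url-category-condition with pre-defined-category and user-defined-category; it still names packet-payload-condition, which the module renames to packet-security-payload-condition; and it shows acl-number, application-condition, target-condition and users-condition as siblings of context-condition (whose only child here is context-description), while the module's container context-condition holds those nodes. The indentation also drops a level between packet-security-ddos-condition and packet-payload-condition. Regenerate Figure 3 from the module (pyang -f tree) so the figure and the module define the same hierarchy.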
draft-ietf-i2nsf-nsf-facing-interface-dm-04:

Figure 3: YANG Tree Diagram for Network Security Policy

This YANG tree diagram shows a condition clause of an I2NSF security
policy rule for generic network security functions. A condition
clause is defined as a set of attributes, features, and/or values
that are to be compared with a set of known attributes, features,
and/or values in order to determine whether or not the set of actions
in that (imperative) I2NSF policy rule can be executed. The
condition clause is classified as conditions of generic network
security functions and advanced network security functions. The
condition clause of generic network security functions is defined as
packet security IPv4 condition, packet security IPv6 condition,
packet security tcp condition, and packet security icmp condition.
The condition clause of advanced network security functions is
defined as packet security http condition, packet security voice
condition, and packet security ddos condition. Note that this
document deals only with simple conditions of advanced network
security functions. The condition clauses of advanced network
security functions are described in detail in
[i2nsf-advanced-nsf-dm]. The condition clause can be extended
according to specific vendor condition features. The condition
clause is described in detail in [i2nsf-nsf-cap-im].

draft-ietf-i2nsf-nsf-facing-interface-dm-05:

Figure 3: YANG Tree Diagram for a Condition Clause

This YANG tree diagram shows a condition clause of an I2NSF security
policy rule for generic network security functions. A condition
clause is defined as a set of attributes, features, and/or values
that are to be compared with a set of known attributes, features,
and/or values in order to determine whether or not the set of actions
in that (imperative) I2NSF policy rule can be executed. The
condition clause is classified as conditions of generic network
security functions, advanced network security functions, and context.
The condition clause of generic network security functions is defined
as packet security IPv4 condition, packet security IPv6 condition,
packet security tcp condition, and packet security icmp condition.
The condition clause of advanced network security functions is
defined as packet security url category condition, packet security
voice condition, packet security ddos condition, and packet security
payload condition. The condition clause of context is defined as acl
number condition, application condition, target condition, users
condition, and geography condition. Note that this document deals
only with simple conditions of advanced network security functions.
The condition clauses of advanced network security functions are
described in detail in [i2nsf-advanced-nsf-dm]. The condition clause
can be extended according to specific vendor condition features. The
condition clause is described in detail in [i2nsf-nsf-cap-im].
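The exact-match / range-match choice that recurs through the condition clause above has no worked instance in the draft. The following added Python example (not part of the draft or of the I2NSF modules) evaluates a rule's configured conditions over constructed packets; first-match rule ordering, the dict packet layout and the identity names other than "drop" are assumptions.

```python
"""Evaluate the (match-type) choice of I2NSF packet-security conditions.

Added example, not part of the draft or the I2NSF modules. It models the
exact-match / range-match choice shown in the tree diagram for the udp port,
tcp-seq-num, tcp-ack-num and tcp-window-size conditions, validates values
against their YANG types (inet:port-number, uint32, uint16), ANDs every
configured condition, and applies the packet-action of the first matching
rule. First-match ordering, the dict packet layout and the identity names
other than "drop" are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# condition container -> (protocol, packet field, upper bound of the YANG type)
FIELD_TYPES = {
    "pkt-sec-udp-src-port-num": ("udp", "src_port", 65535),        # inet:port-number
    "pkt-sec-udp-dest-port-num": ("udp", "dst_port", 65535),       # inet:port-number
    "pkt-sec-tcp-seq-num": ("tcp", "seq_num", 2**32 - 1),          # uint32
    "pkt-sec-tcp-ack-num": ("tcp", "ack_num", 2**32 - 1),          # uint32
    "pkt-sec-tcp-window-size": ("tcp", "window_size", 2**16 - 1),  # uint16
}


@dataclass
class MatchCondition:
    """One condition container; exactly one case of (match-type) is populated."""
    exact: List[int] = field(default_factory=list)               # exact-match leaf-list
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # range-match [start end]

    def validate(self, leaf: str) -> None:
        # A choice carries one case; a container with no values would match
        # nothing and silently disable the rule, so reject both shapes.
        if bool(self.exact) == bool(self.ranges):
            raise ValueError("%s: exact-match or range-match, not both or neither" % leaf)
        limit = FIELD_TYPES[leaf][2]
        for v in self.exact:
            if not 0 <= v <= limit:
                raise ValueError("%s: %d outside the type range" % (leaf, v))
        for start, end in self.ranges:
            if not 0 <= start <= end <= limit:
                raise ValueError("%s: bad range %d-%d" % (leaf, start, end))

    def matches(self, value: int) -> bool:
        if self.exact:
            return value in self.exact            # leaf-list: any listed value matches
        return any(start <= value <= end for start, end in self.ranges)


@dataclass
class Rule:
    name: str
    conditions: Dict[str, MatchCondition]
    ingress_action: Optional[str] = None   # packet-action/ingress-action
    egress_action: Optional[str] = None    # packet-action/egress-action
    log_action: Optional[str] = None       # packet-action/log-action

    def validate(self) -> None:
        for leaf, cond in self.conditions.items():
            if leaf not in FIELD_TYPES:
                raise ValueError("%s: unknown condition %s" % (self.name, leaf))
            cond.validate(leaf)

    def matches(self, packet: Dict[str, object]) -> bool:
        # Every configured condition must hold; a tcp condition never matches udp.
        for leaf, cond in self.conditions.items():
            proto, key, _ = FIELD_TYPES[leaf]
            if packet.get("proto") != proto or not cond.matches(int(packet[key])):
                return False
        return True


def is_valid(rule: Rule) -> bool:
    """True when every condition of the rule passes validate()."""
    try:
        rule.validate()
    except ValueError:
        return False
    return True


def evaluate(rules: List[Rule], packet: Dict[str, object],
             direction: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """First matching rule wins; returns (rule-name, packet action, log action)."""
    for rule in rules:
        rule.validate()
        if rule.matches(packet):
            action = rule.ingress_action if direction == "ingress" else rule.egress_action
            return rule.name, action, rule.log_action
    return None, None, None


# constructed sample policy ("pass" and "alert" are placeholder identity names)
SAMPLE_RULES = [
    Rule("block_udp_ephemeral",
         {"pkt-sec-udp-dest-port-num": MatchCondition(ranges=[(1024, 65535)])},
         ingress_action="drop"),
    Rule("alert_tcp_zero_window",
         {"pkt-sec-tcp-window-size": MatchCondition(exact=[0]),
          "pkt-sec-tcp-ack-num": MatchCondition(ranges=[(1, 2**32 - 1)])},
         ingress_action="pass", log_action="alert"),
]

if __name__ == "__main__":
    pkt = {"proto": "udp", "src_port": 53, "dst_port": 5353}  # constructed packet
    print(evaluate(SAMPLE_RULES, pkt, "ingress"))   # ('block_udp_ephemeral', 'drop', None)
```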
4.4. Action Clause

This section shows the YANG tree diagram for an action clause of an
I2NSF security policy rule.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| ...
| +--rw rules* [rule-name]
| | ...
| | +--rw event-clause-container
| | | ...
| | +--rw condition-clause-container
| | | ...
| | +--rw action-clause-container
| | +--rw action-clause-description? string
| | +--rw packet-action
| | | +--rw ingress-action? identityref
| | | +--rw egress-action? identityref
| | | +--rw log-action? identityref
| | +--rw advanced-action
| | +--rw content-security-control* identityref
| | +--rw attack-mitigation-control* identityref
| +--rw rule-group
| ...
+--rw i2nsf-ipsec
... ...
+--rw rules* [rule-name]
...
+--rw event-clause-container
| ...
+--rw condition-clause-container
| ...
+--rw action-clause-container
+--rw action-clause-description? string
+--rw packet-action
| +--rw ingress-action? identityref
| +--rw egress-action? identityref
| +--rw log-action? identityref
+--rw advanced-action
+--rw content-security-control* identityref
+--rw attack-mitigation-control* identityref
draft-ietf-i2nsf-nsf-facing-interface-dm-04:

Figure 4: YANG Tree Diagram for Network Security Policy

This YANG tree diagram shows an action clause of an I2NSF security
policy rule for generic network security functions. An action is
used to control and monitor aspects of flow-based NSFs when the event
and condition clauses are satisfied. NSFs provide security services
by executing various actions. The action clause is defined as
ingress action, egress action, log action, and advanced action for
additional inspection. The advanced action is described in detail in
[RFC8329] and [i2nsf-nsf-cap-im]. The action clause can be extended
according to specific vendor action features. The action clause is
described in detail in [i2nsf-nsf-cap-im].

draft-ietf-i2nsf-nsf-facing-interface-dm-05:

Figure 4: YANG Tree Diagram for an Action Clause

This YANG tree diagram shows an action clause of an I2NSF security
policy rule for generic network security functions. An action is
used to control and monitor aspects of flow-based NSFs when the event
and condition clauses are satisfied. NSFs provide security services
by executing various actions. The action clause is defined as
ingress action, egress action, and log action for packet action, and
advanced action for additional inspection. The action clause can be
extended according to specific vendor action features. The action
clause is described in detail in [i2nsf-nsf-cap-im].
4.5. I2NSF Internet Key Exchange

This section shows the YANG tree diagram for I2NSF IPsec.
module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy
| ...
| +--rw rules* [rule-name]
| | ...
| | +--rw event-clause-container
| | | ...
| | +--rw condition-clause-container
| | | ...
| | +--rw action-clause-container
| | ...
| +--rw rule-group
| ...
+--rw i2nsf-ipsec
+--rw ike
+--rw ikeless
Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchange

This YANG tree diagram shows I2NSF IPsec for an Internet key
exchange. I2NSF IPsec is used to define a method required to manage
IPsec parameters for creating IPsec Security Associations between two
NSFs through either the IKEv2 protocol or the Security Controller
[draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec considers
two cases: the IKE case (i.e., IPsec through IKE) and the IKEless
case (i.e., IPsec not through IKE, but through a Security
Controller). Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
for the detailed description of I2NSF IPsec.
5. YANG Data Module

5.1. I2NSF NSF-Facing Interface YANG Data Module

This section introduces a YANG data module for the configuration of
security policy rules on network security functions.
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-24.yang" <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-28.yang"
module ietf-i2nsf-policy-rule-for-nsf { module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix prefix
iiprfn; iiprfn;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
skipping to change at page 15, line 14 skipping to change at page 16, line 17
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
} }
/*
import ietf-ipsec-ike {
prefix iii;
reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
}
import ietf-ipsec-ikeless {
prefix iiil;
reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
}
*/
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
WG Chair: Adrian Farrel WG Chair: Adrian Farrel
<mailto:Adrain@olddog.co.uk> <mailto:Adrain@olddog.co.uk>
skipping to change at page 16, line 5 skipping to change at page 17, line 22
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-03-24"{ revision "2019-03-28"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
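Review bot: the copyright text in both revisions says "This version of this YANG module is part of RFC 8341", but RFC 8341 is a different, already published RFC; the boilerplate should name this document, i.e. "part of RFC XXXX", matching the reference in the revision statement, so the RFC Editor replaces both in one pass.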
skipping to change at page 77, line 30 skipping to change at page 78, line 49
} }
description description
"The security policy rule according to "The security policy rule according to
ICMP parameters."; ICMP parameters.";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
} }
container packet-security-http-condition { container packet-security-url-category-condition {
description description
"Condition for http."; "Condition for url category";
leaf http-description { leaf url-category-description {
type string; type string;
description description
"This is description for http condition."; "This is description for url category condition.
Vendors can write instructions for context condition
that vendor made";
} }
leaf-list pkt-sec-uri-content { leaf-list pre-defined-category {
type string; type string;
description description
"The security policy rule according to "This is pre-defined-category.";
uri content.";
} }
leaf-list user-defined-category {
leaf-list pkt-sec-url-content {
type string; type string;
description description
"The security policy rule according to "This user-defined-category.";
url content.";
} }
} }
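Review bot: the descriptions in the renamed container are placeholders. "This is pre-defined-category." and "This user-defined-category." (the second lacks a verb) say nothing about what the leaf-lists hold, and url-category-description says "instructions for context condition" where it should say url category condition. Since Figure 8 fills user-defined-category with site names such as facebook, state whether an entry is a category name, a vendor category identifier or a URL pattern, and where the values of pre-defined-category are enumerated.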
container packet-security-voice-condition { container packet-security-voice-condition {
description description
"For the VoIP/VoLTE security system, a VoIP/ "For the VoIP/VoLTE security system, a VoIP/
VoLTE security system can monitor each VoLTE security system can monitor each
VoIP/VoLTE flow and manage VoIP/VoLTE VoIP/VoLTE flow and manage VoIP/VoLTE
security rules controlled by a centralized security rules controlled by a centralized
server for VoIP/VoLTE security service server for VoIP/VoLTE security service
skipping to change at page 79, line 20 skipping to change at page 80, line 37
} }
leaf pkt-sec-alert-rate { leaf pkt-sec-alert-rate {
type uint32; type uint32;
description description
"The alert rate of flood detect for "The alert rate of flood detect for
same packets."; same packets.";
} }
} }
container packet-payload-condition { container packet-security-payload-condition {
description description
"Condition for packet payload"; "Condition for packet payload";
leaf packet-payload-description { leaf packet-payload-description {
type string; type string;
description description
"This is description for payload condition. "This is description for payload condition.
Vendors can write instructions for payload condition Vendors can write instructions for payload condition
that vendor made"; that vendor made";
} }
leaf-list pkt-payload-content { leaf-list pkt-payload-content {
type string; type string;
description description
"The content keyword is very important in "The content keyword is very important in
signatures. Between the quotation marks you signatures. Between the quotation marks you
can write on what you would like the can write on what you would like the
signature to match."; signature to match.";
} }
} }
leaf-list acl-number { container context-condition {
type uint32;
description
"This is acl-number.";
}
container application-condition {
description description
"Condition for application"; "Condition for context";
leaf application-description { leaf context-description {
type string;
description
"This is description for application condition.";
}
leaf-list application-object {
type string;
description
"This is application object.";
}
leaf-list application-group {
type string; type string;
description description
"This is application group."; "This is description for context condition.
Vendors can write instructions for context condition
that vendor made";
} }
leaf-list application-label {
type string; leaf-list acl-number {
type uint32;
description description
"This is application label."; "This is acl-number.";
} }
container category {
container application-condition {
description description
"This is application category"; "Condition for application";
list application-category { leaf application-description {
key "name application-subcategory"; type string;
description description
"This is application category list"; "This is description for application condition.";
leaf name { }
type string; leaf-list application-object {
description type string;
"This is name for application category."; description
} "This is application object.";
leaf application-subcategory { }
type string; leaf-list application-group {
type string;
description
"This is application group.";
}
leaf-list application-label {
type string;
description
"This is application label.";
}
container category {
description
"This is application category";
list application-category {
key "name application-subcategory";
description description
"This is application subcategory."; "This is application category list";
leaf name {
type string;
description
"This is name for application category.";
}
leaf application-subcategory {
type string;
description
"This is application subcategory.";
}
} }
} }
} }
}
container target-condition { container target-condition {
description
"Condition for target";
leaf target-description {
type string;
description
"This is description for target condition.
Vendors can write instructions for target condition
that vendor made";
}
container device-sec-context-cond {
description description
"The device attribute that can identify a device, "Condition for target";
including the device type (i.e., router, switch, leaf target-description {
pc, ios, or android) and the device's owner as type string;
well."; description
"This is description for target condition.
Vendors can write instructions for target condition
that vendor made";
}
leaf-list target-device { container device-sec-context-cond {
type identityref {
base target-device;
}
description description
"Leaf list for target devices"; "The device attribute that can identify a device,
including the device type (i.e., router, switch,
pc, ios, or android) and the device's owner as
well.";
leaf-list target-device {
type identityref {
base target-device;
}
description
"Leaf list for target devices";
}
} }
} }
}
container users-condition {
description
"Condition for users";
leaf users-description {
type string;
description
"This is description for user condition.
Vendors can write instructions for user condition
that vendor made";
}
container user{
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
choice user-name { container users-condition {
description
"Condition for users";
leaf users-description {
type string;
description description
"The name of the user. "This is description for user condition.
This must be unique."; Vendors can write instructions for user condition
that vendor made";
}
container user{
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
case tenant { choice user-name {
description description
"Tenant information."; "The name of the user.
This must be unique.";
leaf tenant { case tenant {
type uint8;
mandatory true;
description description
"User's tenant information."; "Tenant information.";
}
}
case vn-id { leaf tenant {
description type uint8;
"VN-ID information."; mandatory true;
description
"User's tenant information.";
}
}
leaf vn-id { case vn-id {
type uint8;
mandatory true;
description description
"User's VN-ID information."; "VN-ID information.";
leaf vn-id {
type uint8;
mandatory true;
description
"User's VN-ID information.";
}
} }
} }
} }
}
container group {
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
choice group-name { container group {
description description
"The name of the user. "The user (or user group) information with which
This must be unique."; network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
case tenant { choice group-name {
description description
"Tenant information."; "The name of the user.
This must be unique.";
leaf tenant { case tenant {
type uint8;
mandatory true;
description description
"User's tenant information."; "Tenant information.";
leaf tenant {
type uint8;
mandatory true;
description
"User's tenant information.";
}
} }
}
case vn-id { case vn-id {
description
"VN-ID information.";
leaf vn-id {
type uint8;
mandatory true;
description description
"User's VN-ID information."; "VN-ID information.";
leaf vn-id {
type uint8;
mandatory true;
description
"User's VN-ID information.";
}
} }
} }
} }
} leaf security-grup {
leaf security-grup { type string;
type string; mandatory true;
mandatory true; description
description "security-grup.";
"security-grup."; }
}
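Review bot: leaf security-grup keeps a misspelled node name, and node names are part of the wire format, so correct it (security-group) before instances depend on it; its description "security-grup." also says nothing about the value. It is mandatory true inside users-condition, so every users-condition instance must carry a security group even when only tenant or vn-id is used; consider dropping mandatory. The group container and choice group-name reuse the user container's text ("The name of the user. This must be unique."), which should describe the group, and tenant and vn-id typed uint8 cap both identifiers at 255.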
}
container url-category-condition {
description
"Condition for url category";
leaf url-category-description {
type string;
description
"This is description for url category condition.
Vendors can write instructions for context condition
that vendor made";
}
leaf-list pre-defined-category {
type string;
description
"This is pre-defined-category.";
}
leaf-list user-defined-category {
type string;
description
"This user-defined-category.";
}
}
container context-condition {
description
"Condition for context";
leaf context-description {
type string;
description
"This is description for context condition.
Vendors can write instructions for context condition
that vendor made";
}
}
container gen-context-condition {
description
"Condition for generic context";
leaf gen-context-description {
type string;
description
"This is description for generic context condition.
Vendors can write instructions for generic context
condition that vendor made";
} }
container geographic-location { container gen-context-condition {
description description
"The location where network traffic is associated "Condition for generic context";
with. The region can be the geographic location leaf gen-context-description {
such as country, province, and city, type string;
as well as the logical network location such as
IP address, network section, and network domain.";
leaf-list src-geographic-location {
type uint32;
description description
"This is mapped to ip address. We can acquire "This is description for generic context condition.
source region through ip address stored in the Vendors can write instructions for generic context
database."; condition that vendor made";
} }
leaf-list dest-geographic-location {
type uint32; container geographic-location {
description description
"This is mapped to ip address. We can acquire "The location where network traffic is associated
destination region through ip address stored with. The region can be the geographic location
in the database."; such as country, province, and city,
as well as the logical network location such as
IP address, network section, and network domain.";
leaf-list src-geographic-location {
type uint32;
description
"This is mapped to ip address. We can acquire
source region through ip address stored in the
database.";
}
leaf-list dest-geographic-location {
type uint32;
description
"This is mapped to ip address. We can acquire
destination region through ip address stored
in the database.";
}
} }
} }
} }
} }
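Review bot: src-geographic-location and dest-geographic-location are uint32 leaf-lists described as "mapped to ip address", which can only hold an IPv4 address; an IPv6 source or destination cannot be expressed, and a numeric region code and an address are indistinguishable. Use inet:ip-address or inet:ip-prefix (ietf-inet-types is already imported) if the node carries an address, or a dedicated typedef if it carries a region identifier, and say which in the description.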
container action-clause-container { container action-clause-container {
description description
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
skipping to change at page 87, line 52 skipping to change at page 89, line 4
} }
leaf description { leaf description {
type string; type string;
description description
"This is a desription for rule-group"; "This is a desription for rule-group";
} }
} }
} }
} }
} }
container i2nsf-ipsec {
description
"Internet Key Exchnage for NSFs
in the I2NSF framework";
container ike {
description
"IKE case: IPsec with IKE in the NSF";
/*
uses "iii:ikev2";
*/
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ike";
}
container ikeless {
description
"IKEless case: IPsec without IKEv2 in the NSF";
/*
uses "iiil:ietf-ipsec";
*/
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ikeless";
}
}
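Review bot: the new container i2nsf-ipsec adds ike and ikeless containers whose only content, the uses of iii:ikev2 and iiil:ietf-ipsec, is commented out together with the two imports, so in this revision both containers are empty and an instance cannot carry any IPsec configuration, although Section 4.5 describes them as if present. Either keep the uses statements and imports active or mark the containers as placeholders in their descriptions. The description also misspells "Exchnage", and the references pin draft-ietf-i2nsf-sdn-ipsec-flow-protection-04, which will need updating on each revision of that draft.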
} }
<CODE ENDS> <CODE ENDS>
Figure 5 (draft-04) / Figure 6 (draft-05): YANG Data Module of I2NSF
NSF-Facing Interface
6. IANA Considerations

This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]:

URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
Registrant Contact: The IESG.
skipping to change at page 90, line 21 skipping to change at page 91, line 46
S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>.

[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.

8.2. Informative References
[draft-ietf-i2nsf-sdn-ipsec-flow-protection]
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "Software-Defined Networking (SDN)-based IPsec
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-04 (work in progress), March 2019.
[i2nsf-advanced-nsf-dm]
Pan, W. and L. Xia, "Configuration of Advanced Security
Functions with I2NSF Security Controller", draft-dong-
i2nsf-asf-config-01 (work in progress), October 2018.

[i2nsf-nsf-cap-dm]
Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
"I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
capability-data-model-03 (work in progress), March 2019.
skipping to change at page 92, line 36 skipping to change at page 94, line 36
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<content-security-control>url-filtering</content-security-control> <content-security-control>url-filtering</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 6 (draft-04) / Figure 7 (draft-05): Configuration XML for Time
based Firewall to Block SNS Access during Business Hours
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
<rules> <rules>
<rule-name>block_sns_access_during_operation_time</rule-name> <rule-name>block_sns_access_during_operation_time</rule-name>
<condition-clause-container> <condition-clause-container>
<packet-security-http-condition> <packet-security-url-category-condition>
<pkt-sec-url-content>facebook</pkt-sec-url-content> <user-defined-category>facebook</user-defined-category>
<pkt-sec-url-content>instagram</pkt-sec-url-content> <user-defined-category>instagram</user-defined-category>
</packet-security-http-condition> </packet-security-url-category-condition>
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <packet-action>
<egress-action>drop</egress-action> <egress-action>drop</egress-action>
</packet-action> </packet-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 7 (draft-04) / Figure 8 (draft-05): Configuration XML for Web
Filter to Block SNS Access during Business Hours

Figure 6 and Figure 7 (Figure 7 and Figure 8 in draft-05) show the
configuration XML documents for a time based firewall and a web
filter to block SNS access during business hours. Two NSFs (i.e., a
time based firewall and a web filter) are used because one NSF alone
cannot meet the security requirement. The instances of XML documents
for the time based firewall and the web filter are as follows. Note
that a detailed data model for the configuration of the advanced
network security function (i.e., web filter) is described in
[i2nsf-advanced-nsf-dm].
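Because the change from Figure 7 to Figure 8 renames packet-security-http-condition to packet-security-url-category-condition and pkt-sec-url-content to user-defined-category, an instance written against draft-04 no longer validates against draft-05. The added Python example below (not from the draft) rewrites a draft-04 instance into the draft-05 names; the mapping is inferred from the two figures only and is an assumption, as is rejecting the unmapped pkt-sec-uri-content leaf.

```python
"""Rewrite a draft-04 NSF-Facing Interface instance into draft-05 node names.

Added example, not from the draft. The renames it applies are the two visible
in the change from Figure 7 to Figure 8 (an assumed mapping); everything
else passes through. The draft-04 leaf pkt-sec-uri-content has no
counterpart in the draft-05 tree shown here, so an instance using it is
rejected instead of silently losing a condition: a rule that loses a
condition matches more traffic, not less.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"
ET.register_namespace("", NS)   # serialize with a default xmlns, as in the figures

# old local name -> new local name (assumed mapping taken from Figure 7 -> Figure 8)
RENAMES = {
    "packet-security-http-condition": "packet-security-url-category-condition",
    "pkt-sec-url-content": "user-defined-category",
}
# draft-04 leaves with no draft-05 counterpart on this page
UNMAPPED = {"pkt-sec-uri-content"}


def _q(local: str) -> str:
    """Qualified tag for a node of the ietf-i2nsf-policy-rule-for-nsf module."""
    return "{%s}%s" % (NS, local)


def _local(tag: str) -> Optional[str]:
    """Local name if the tag is in the module namespace, else None."""
    prefix = "{%s}" % NS
    return tag[len(prefix):] if tag.startswith(prefix) else None


def is_migratable(xml_text: str) -> bool:
    """True unless the instance uses a draft-04 node with no draft-05 mapping."""
    root = ET.fromstring(xml_text)
    return not any(_local(e.tag) in UNMAPPED for e in root.iter())


def migrate_04_to_05(xml_text: str) -> str:
    """Return the instance with draft-04 node names replaced by draft-05 names."""
    if not is_migratable(xml_text):
        raise ValueError("instance uses a draft-04 node with no draft-05 counterpart")
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        local = _local(elem.tag)
        if local in RENAMES:
            elem.tag = _q(RENAMES[local])
    return ET.tostring(root, encoding="unicode")


def extract_url_rule(xml_text: str) -> Tuple[Optional[str], List[str], Optional[str]]:
    """(rule-name, user-defined-category values, egress-action) of the first rule."""
    root = ET.fromstring(xml_text)
    rule = root.find("./%s/%s" % (_q("system-policy"), _q("rules")))
    if rule is None:
        return None, [], None
    cond = "./%s/%s/%s" % (_q("condition-clause-container"),
                           _q("packet-security-url-category-condition"),
                           _q("user-defined-category"))
    act = "./%s/%s/%s" % (_q("action-clause-container"),
                          _q("packet-action"), _q("egress-action"))
    categories = [(e.text or "").strip() for e in rule.findall(cond)]
    return rule.findtext(_q("rule-name")), categories, rule.findtext(act)


# draft-04 instance transcribed from Figure 7 (the sns_access policy)
DRAFT04_INSTANCE = """<i2nsf-security-policy
 xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
 <system-policy>
  <system-policy-name>sns_access</system-policy-name>
  <rules>
   <rule-name>block_sns_access_during_operation_time</rule-name>
   <condition-clause-container>
    <packet-security-http-condition>
     <pkt-sec-url-content>facebook</pkt-sec-url-content>
     <pkt-sec-url-content>instagram</pkt-sec-url-content>
    </packet-security-http-condition>
   </condition-clause-container>
   <action-clause-container>
    <packet-action>
     <egress-action>drop</egress-action>
    </packet-action>
   </action-clause-container>
  </rules>
 </system-policy>
</i2nsf-security-policy>"""

if __name__ == "__main__":
    print(migrate_04_to_05(DRAFT04_INSTANCE))
```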
Time based Firewall
skipping to change at page 95, line 36 skipping to change at page 97, line 36
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<content-security-control>voip-volte</content-security-control> <content-security-control>voip-volte</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 8 (draft-04) / Figure 9 (draft-05): Configuration XML for
General Firewall to Block Malicious VoIP/VoLTE Packets Coming to the
Company
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>voip_volte_inspection</system-policy-name> <system-policy-name>voip_volte_inspection</system-policy-name>
<rules> <rules>
<rule-name>block_malicious_voice_id</rule-name> <rule-name>block_malicious_voice_id</rule-name>
<condition-clause-container> <condition-clause-container>
<packet-security-voice-condition> <packet-security-voice-condition>
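Review bot: the Figure 9 caption says the general firewall blocks malicious VoIP/VoLTE packets, but the only action visible in that rule is <content-security-control>voip-volte</content-security-control> under <advanced-action>, which hands matching traffic to the VoIP/VoLTE filter rather than dropping it; the drop is in Figure 10 (<ingress-action>drop</ingress-action>). Retitle Figure 9 along the lines of "General Firewall to Redirect VoIP/VoLTE Packets to the VoIP/VoLTE Filter", and apply the same fix to the Figure 11 caption, where the firewall rule's visible action is <attack-mitigation-control>http-and-https-flood</attack-mitigation-control> and the drop again sits in the second NSF (Figure 12).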
skipping to change at page 96, line 26 skipping to change at page 98, line 26
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <packet-action>
<ingress-action>drop</ingress-action> <ingress-action>drop</ingress-action>
</packet-action> </packet-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
VoIP/VoLTE Packets Coming to the Company VoIP/VoLTE Packets Coming to the Company
Figure 8 and Figure 9 show the configuration XML documents for Figure 9 and Figure 10 show the configuration XML documents for
general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE
packets coming to the company. For the security requirement, two packets coming to the company. For the security requirement, two
NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used
because one NSF can not meet the security requirement. The instances because one NSF can not meet the security requirement. The instances
of XML documents for the general firewall and the VoIP/VoLTE filter of XML documents for the general firewall and the VoIP/VoLTE filter
are as follows: Note that a detailed data model for the configuration are as follows: Note that a detailed data model for the configuration
of the advanced network security function (i.e., VoIP/VoLTE filter) of the advanced network security function (i.e., VoIP/VoLTE filter)
is described in [i2nsf-advanced-nsf-dm]. is described in [i2nsf-advanced-nsf-dm].
General Firewall General Firewall
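Review bot: "because one NSF can not meet the security requirement" in the paragraph above gives no reason, and the two figures supply one: the general firewall's rule only steers traffic via content-security-control (Figure 9), while the condition that identifies the malicious call, packet-security-voice-condition, and the drop action appear only in the VoIP/VoLTE filter's rule (Figure 10). State that instead, change "can not" to "cannot", and rework "are as follows: Note that ..." so that the colon introduces the per-figure explanation that starts under the "General Firewall" heading rather than the note about [i2nsf-advanced-nsf-dm].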
skipping to change at page 98, line 36 skipping to change at page 100, line 36
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<attack-mitigation-control>http-and-https-flood <attack-mitigation-control>http-and-https-flood
</attack-mitigation-control> </attack-mitigation-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 10: Configuration XML for General Firewall to Mitigate HTTP Figure 11: Configuration XML for General Firewall to Mitigate HTTP
and HTTPS Flood Attacks on a Company Web Server and HTTPS Flood Attacks on a Company Web Server
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>flood_attack_mitigation</system-policy-name> <system-policy-name>flood_attack_mitigation</system-policy-name>
<rules> <rules>
<rule-name>mitigate_http_and_https_flood_attack</rule-name> <rule-name>mitigate_http_and_https_flood_attack</rule-name>
<condition-clause-container> <condition-clause-container>
<packet-security-ddos-condition> <packet-security-ddos-condition>
skipping to change at page 99, line 25 skipping to change at page 101, line 25
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <packet-action>
<ingress-action>drop</ingress-action> <ingress-action>drop</ingress-action>
</packet-action> </packet-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 11: Configuration XML for HTTP and HTTPS Flood Attack Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web
Server Server
Figure 10 and Figure 11 show the configuration XML documents for Figure 11 and Figure 12 show the configuration XML documents for
general firewall and http and https flood attack mitigation to general firewall and http and https flood attack mitigation to
mitigate http and https flood attacks on a company web server. For mitigate http and https flood attacks on a company web server. For
the security requirement, two NSFs (i.e., a general firewall and a the security requirement, two NSFs (i.e., a general firewall and a
http and https flood attack mitigation) were used because one NSF can http and https flood attack mitigation) were used because one NSF can
not meet the security requirement. The instances of XML documents not meet the security requirement. The instances of XML documents
for the general firewall and http and https flood attack mitigation for the general firewall and http and https flood attack mitigation
are as follows: Note that a detailed data model for the configuration are as follows: Note that a detailed data model for the configuration
of the advanced network security function (i.e., http and https flood of the advanced network security function (i.e., http and https flood
attack mitigation) is described in [i2nsf-advanced-nsf-dm]. attack mitigation) is described in [i2nsf-advanced-nsf-dm].
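Review bot: "http and https flood attack mitigation" is used as the name of an NSF in the paragraph above ("a http and https flood attack mitigation") and in the Figure 12 caption, which then reads "HTTP and HTTPS Flood Attack Mitigation to Mitigate HTTP and HTTPS Flood Attacks". Give the NSF a noun name such as "HTTP/HTTPS flood attack mitigator" (or "DDoS mitigator", matching the packet-security-ddos-condition its rule uses), write HTTP/HTTPS in capitals as the captions already do, use "an" before it, and change "can not" to "cannot".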
skipping to change at page 100, line 23 skipping to change at page 102, line 23
http_and_https_flood_attack_mitigation. http_and_https_flood_attack_mitigation.
2. The name of the rule is 100_per_second. 2. The name of the rule is 100_per_second.
3. The rule controls the http and https packets according to the 3. The rule controls the http and https packets according to the
amount of incoming packets. amount of incoming packets.
4. If the incoming packets match the rules above, the packets are 4. If the incoming packets match the rules above, the packets are
blocked. blocked.
Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-03 Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-04
The following changes are made from draft-ietf-i2nsf-nsf-facing- The following changes are made from draft-ietf-i2nsf-nsf-facing-
interface-dm-04: interface-dm-04:
o We added fields for a rule (e.g., rule session aging time, rule o We changed http fields to url category fields.
long connection, and rule group).
o We added fields for a condition (e.g., payload, acl number, o We added fields for a context condition (e.g., acl number,
application, target, users, url category, context, and generic application, target, user, group, and geography).
context)
o We added an I2NSF IPsec field for configuration and state data for
IPsec management.
Appendix C. Acknowledgments Appendix C. Acknowledgments
This work was supported by Institute for Information & communications This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service Technology Development for the Customized Security Service
Provisioning). Provisioning).
Appendix D. Contributors Appendix D. Contributors
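Review bot: the explanation list at the top of this hunk does not match the XML it describes: the visible Figure 12 instance has <system-policy-name>flood_attack_mitigation</system-policy-name> and <rule-name>mitigate_http_and_https_flood_attack</rule-name>, while items 1 and 2 name http_and_https_flood_attack_mitigation and 100_per_second, and item 4 says the packets are "blocked" where the action is <ingress-action>drop</ingress-action>. Align the list with the figure (or the figure with the list), and have item 3 give the actual rate threshold and unit carried by the packet-security-ddos-condition instead of "the amount of incoming packets". In Appendix B, the -04 text had the heading say "Changes from ...-03" while the body said "from ...-04"; the -05 text fixes the heading, but its bullets now claim acl number, application, target and url category as -05 additions although the -04 list already counted them among the fields added in -04, so one of the two lists should be corrected to say what -05 actually changed.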
 End of changes. 93 change blocks. 
608 lines changed or deleted 689 lines changed or added
