--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-06.txt 2019-07-25 05:13:15.810739856 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-07.txt 2019-07-25 05:13:15.970743898 -0700 
@@ -1,47 +1,48 @@ I2NSF Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University -Expires: December 14, 2019 J. Park +Expires: January 26, 2020 J. Park ETRI S. Hares Q. Lin Huawei - June 12, 2019 + July 25, 2019 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-06 + draft-ietf-i2nsf-nsf-facing-interface-dm-07 Abstract This document defines a YANG data model for configuring security - policy rules on Network Security Functions (NSF). The YANG data - model in this document corresponds to the information model for NSF- - Facing Interface in Interface to Network Security Functions (I2NSF). + policy rules on Network Security Functions (NSF) in the Interface to + Network Security Functions (I2NSF) framework. The YANG data model in + this document corresponds to the information model for NSF-Facing + Interface in the I2NSF framework. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 14, 2019. + This Internet-Draft will expire on January 26, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. 
Please review these documents 
@@ -49,162 +50,150 @@ to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 + 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 6 - 4.3. Condtion Clause . . . . . . . . . . . . . . . . . . . . . 7 + 4.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 7 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 14 4.5. I2NSF Internet Key Exchange . . . . . . . . . . . . . . . 15 5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 15 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 15 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 89 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 90 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 90 - 8.2. Informative References . . . . . . . . . . . . . . . . . 91 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 93 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 87 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 87 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 88 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 88 + 8.2. Informative References . . . . . . . . . . . . . . . . . 90 + Appendix A. 
Configuration Examples . . . . . . . . . . . . . . . 91 A.1. Security Requirement 1: Block SNS Access during Business - Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 93 + Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.2. Security Requirement 2: Block Malicious VoIP/VoLTE - Packets Coming to the Company . . . . . . . . . . . . . . 96 + Packets Coming to the Company . . . . . . . . . . . . . . 94 A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood - Attacks on a Company Web Server . . . . . . . . . . . . . 99 + Attacks on a Company Web Server . . . . . . . . . . . . . 97 Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface- - dm-05 . . . . . . . . . . . . . . . . . . . . . . . 102 - Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 102 - Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 102 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 103 + dm-06 . . . . . . . . . . . . . . . . . . . . . . . 100 + Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 100 + Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 100 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 101 1. Introduction This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF). The YANG data model corresponds to the information model - [i2nsf-nsf-cap-im] for NSF-Facing Interface in Interface to Network - Security Functions (I2NSF). The YANG data model in this document - focuses on security policy configuration for generic network security - functions. Note that security policy configuration for advanced - network security functions are written in [i2nsf-advanced-nsf-dm]. + [draft-ietf-i2nsf-capability] for NSF-Facing Interface in Interface + to Network Security Functions (I2NSF). The YANG data model in this + document focuses on security policy configuration for generic network + security functions. 
Note that security policy configuration for + advanced network security functions are defined in + [draft-dong-i2nsf-asf-config]. This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy - described in [RFC8329] and [i2nsf-nsf-cap-im]. + described in [RFC8329] and [draft-ietf-i2nsf-capability]. The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the following features. - o Configuration for general security policy rule of generic network - security function. + o Configuration of general security policy rule for generic network + security functions. - o Configuration for an event clause of generic network security - function. + o Configuration of event clause for generic network security + functions. - o Configuration for a condition clause of generic network security - function. + o Configuration of condition clause for generic network security + functions. - o Configuration for an action clause of generic network security - function. + o Configuration of action clause for generic network security + functions. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119][RFC8174]. 3. Terminology - This document uses the terminology described in - [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model]. Especially, the - following terms are from [supa-policy-info-model]: + This document uses the terminology described in [draft-ietf-i2nsf-cap + ability][RFC8431][draft-ietf-supa-generic-policy-info-model]. + Especially, the following terms are from + [draft-ietf-supa-generic-policy-info-model]: o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, implementation language, and protocol. 
o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. 3.1. Tree Diagrams A simplified graphical representation of the data model is used in - this document. The meaning of the symbols in these diagrams - [RFC8340] is as follows: - - o Brackets "[" and "]" enclose list keys. - - o Abbreviations before data node names: "rw" means configuration - (read-write) and "ro" state data (read-only). - - o Symbols after data node names: "?" means an optional node and "*" - denotes a "list" and "leaf-list". - - o Parentheses enclose choice and case nodes, and case nodes are also - marked with a colon (":"). - - o Ellipsis ("...") stands for contents of subtrees that are not - shown. + this document. The meaning of the symbols in these diagrams is + referred from [RFC8340]. 4. YANG Tree Diagram This section shows a YANG tree diagram of generic network security functions. Note that a detailed data model for the configuration of the advanced network security functions is described in - [i2nsf-advanced-nsf-dm]. The section describes the following + [draft-dong-i2nsf-asf-config]. The section describes the following subjects: - o General I2NSF security policy rule of generic network security + o General I2NSF security policy rule of the generic network security function. - o An event clause of generic network security function. + o An event clause of the generic network security function. - o A condition clause of generic network security function. + o A condition clause of the generic network security function. - o An action clause of generic network security function. + o An action clause of the generic network security function. 4.1. General I2NSF Security Policy Rule This section shows the YANG tree diagram for general I2NSF security - policy rule. + policy rules. 
module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy | +--rw system-policy* [system-policy-name] | +--rw system-policy-name string | +--rw priority-usage? identityref | +--rw resolution-strategy? identityref | +--rw default-action? identityref | +--rw rules* [rule-name] | | +--rw rule-name string | | +--rw rule-description? string | | +--rw rule-priority? uint8 | | +--rw rule-enable? boolean | | +--rw rule-session-aging-time? uint16 | | +--rw rule-long-connection | | | +--rw enable? boolean | | | +--rw during? uint16 - | | +--rw time-zone - | | | +--rw absolute-time-zone + | | +--rw time-intervals + | | | +--rw absolute-time-interval | | | | +--rw start-time? start-time-type | | | | +--rw end-time? end-time-type - | | | +--rw periodic-time-zone + | | | +--rw periodic-time-interval | | | +--rw day | | | | +--rw every-day? boolean | | | | +--rw specific-day* day-type | | | +--rw month | | | +--rw every-month? boolean | | | +--rw specific-month* month-type | | +--rw event-clause-container | | | ... | | +--rw condition-clause-container | | | ... 
@@ -215,52 +204,52 @@ | +--rw group-name string | +--rw rule-range | | +--rw start-rule? string | | +--rw end-rule? string | +--rw enable? boolean | +--rw description? string +--rw i2nsf-ipsec? identityref Figure 1: YANG Tree Diagram for Network Security Policy - This YANG tree diagram shows general I2NSF security policy rule for - generic network security functions. + This YANG tree diagram shows the general I2NSF security policy rule + for generic network security functions. - The system policy represents there could be multiple system policies - in one NSF, and each system policy is used by one virtual instance of - the NSF/device. The system policy includes system policy name, - priority usage, resolutation strategy, default action, and rules. + The system policy provides for multiple system policies in one NSF, + and each system policy is used by one virtual instance of the NSF/ + device. The system policy includes system policy name, priority + usage, resolutation strategy, default action, and rules. A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that - are matched and contained in this particular NSF. The resolution + are matched and contained in a particular NSF. The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). The resolution strategy can be extended according to specific vendor action features. The resolution strategy is described in detail in - [i2nsf-nsf-cap-im]. + [draft-ietf-i2nsf-capability]. A default action is used to execute I2NSF policy rule when no rule matches a packet. The default action is defined as pass, drop, reject, alert, and mirror. The default action can be extended according to specific vendor action features. The default action is - described in detail in [i2nsf-nsf-cap-im]. 
+ described in detail in [draft-ietf-i2nsf-capability]. The rules include rule name, rule description, rule priority, rule enable, time zone, event clause container, condition clause container, and action clause container. 4.2. Event Clause - This section shows the YANG tree diagram for an event clause of I2NSF - security policy rule. + This section shows the YANG tree diagram for an event clause for + I2NSF security policy rules. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy | +--rw system-policy* [system-policy-name] | ... | +--rw rules* [rule-name] | | ... | | +--rw event-clause-container | | | +--rw event-clause-description? string | | | +--rw event-clauses 
@@ -269,34 +258,34 @@ | | +--rw condition-clause-container | | | ... | | +--rw action-clause-container | | ... | +--rw rule-group | ... +--rw i2nsf-ipsec? identityref Figure 2: YANG Tree Diagram for an Event Clause - This YANG tree diagram shows an event clause of I2NSF security policy - rule for generic network security functions. An event clause is any - important occurrence in time of a change in the system being managed, - and/or in the environment of the system being managed. An event - clause is used to trigger the evaluation of the condition clause of - the I2NSF Policy Rule. The event clause is defined as system event - and system alarm. The event clause can be extended according to - specific vendor event features. The event clause is described in - detail in [i2nsf-nsf-cap-im]. + This YANG tree diagram shows an event clause of an I2NSF security + policy rule for generic network security functions. An event clause + is any important occurrence at a specific time of a change in the + system being managed, and/or in the environment of the system being + managed. An event clause is used to trigger the evaluation of the + condition clause of the I2NSF Policy Rule. The event clause is + defined as a system event and system alarm. The event clause can be + extended according to specific vendor event features. The event + clause is described in detail in [draft-ietf-i2nsf-capability]. -4.3. Condtion Clause +4.3. Condition Clause This section shows the YANG tree diagram for a condition clause of - I2NSF security policy rule. + I2NSF security policy rules. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy | ... | +--rw rules* [rule-name] | | ... | | +--rw event-clause-container | | | ... | | +--rw condition-clause-container | | | +--rw condition-clause-description? string 
@@ -518,21 +507,20 @@ | | | | +--rw pkt-sec-dest-voice-id* string | | | | +--rw pkt-sec-user-agent* string | | | +--rw packet-security-ddos-condition | | | | +--rw ddos-description? string | | | | +--rw pkt-sec-alert-rate? uint32 | | | +--rw packet-security-payload-condition | | | | +--rw packet-payload-description? string | | | | +--rw pkt-payload-content* string | | | +--rw context-condition | | | +--rw context-description? string - | | | +--rw acl-number* uint32 | | | +--rw application-condition | | | | +--rw application-description? string | | | | +--rw application-object* string | | | | +--rw application-group* string | | | | +--rw application-label* string | | | | +--rw category | | | | +--rw application-category* [name application-subcategory] | | | | +--rw name string | | | | +--rw application-subcategory string 
@@ -561,46 +549,47 @@ | | | +--rw src-geographic-location* uint32 | | | +--rw dest-geographic-location* uint32 | | +--rw action-clause-container | | ... | +--rw rule-group | ... +--rw i2nsf-ipsec? identityref Figure 3: YANG Tree Diagram for a Condition Clause - This YANG tree diagram shows a condition clause of I2NSF security + This YANG tree diagram shows a condition clause for an I2NSF security policy rule for generic network security functions. A condition clause is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions - in that (imperative) I2NSF policy rule can be executed or not. The - condition clause is classified as conditions of generic network - security functions, advanced network security functions, and context. - The condition clause of generic network security functions is defined + in that (imperative) I2NSF policy rule can be executed or not. A + condition clause is classified as a conditions of generic network + security functions, advanced network security functions, or context. + A condition clause of generic network security functions is defined as packet security IPv4 condition, packet security IPv6 condition, - packet security tcp condition, and packet security icmp condition. - The condition clause of advanced network security functions is - defined as packet security url category condition, packet security - voice condition, packet security ddos condition, and packet security - payload condition. The condition clause of context is defined as acl - number condition, application condition, target condition, users - condition, and geography condition. Note that this document deals - only with simple conditions of advanced network security functions. - The condition clauses of advanced network security functions are - described in detail in [i2nsf-advanced-nsf-dm]. 
The condition clause - can be extended according to specific vendor condition features. The - condition clause is described in detail in [i2nsf-nsf-cap-im]. + packet security tcp condition, and packet security icmp condition. A + condition clause of advanced network security functions is defined as + packet security url category condition, packet security voice + condition, packet security DDoS condition, or packet security payload + condition. A condition clause of context is defined as ACL number + condition, application condition, target condition, user condition, + and geography condition. Note that this document deals only with + simple conditions of advanced network security functions. A + condition clauses of advanced network security functions are + described in detail in [draft-dong-i2nsf-asf-config]. A condition + clause can be extended according to specific vendor condition + features. A condition clause is described in detail in + [draft-ietf-i2nsf-capability]. 4.4. Action Clause - This section shows the YANG tree diagram for an action clause of + This section shows the YANG tree diagram for an action clause of an I2NSF security policy rule. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy | ... | +--rw rules* [rule-name] | | ... | | +--rw event-clause-container | | | ... | | +--rw condition-clause-container 
@@ -613,29 +602,30 @@ | | | +--rw log-action? identityref | | +--rw advanced-action | | +--rw content-security-control* identityref | | +--rw attack-mitigation-control* identityref | +--rw rule-group | ... +--rw i2nsf-ipsec? identityref Figure 4: YANG Tree Diagram for an Action Clause - This YANG tree diagram shows an action clause of I2NSF security + This YANG tree diagram shows an action clause of an I2NSF security policy rule for generic network security functions. An action is - used to control and monitor aspects of flow-based NSFs when the event - and condition clauses are satisfied. NSFs provide security services - by executing various actions. The action clause is defined as - ingress action, egress action, and log action for packet action, and - advanced action for additional inspection. The action clause can be - extended according to specific vendor action features. The action - clause is described in detail in [i2nsf-nsf-cap-im]. + used to control and monitor aspects of flow-based NSFs when the + policy rule event and condition clauses are satisfied. NSFs provide + security services by executing various actions. The action clause is + defined as ingress action, egress action, or log action for packet + action, and advanced action for additional inspection. The action + clause can be extended according to specific vendor action features. + The action clause is described in detail in + [draft-ietf-i2nsf-capability]. 4.5. I2NSF Internet Key Exchange This section shows the YANG tree diagram for an I2NSF IPsec. module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy | ... | +--rw rules* [rule-name] | | ... 
@@ -644,81 +634,82 @@ | | +--rw condition-clause-container | | | ... | | +--rw action-clause-container | | ... | +--rw rule-group | ... +--rw i2nsf-ipsec? identityref Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchnage - This YANG tree diagram shows an I2NSF IPsec for an Internet key - exchange. An I2NSF IPsec is used to define a method required to - manage IPsec parameters for creating IPsec Security Associations - between two NSFs through either the IKEv2 protocol or the Security - Controller [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec - considers two cases such as IKE case (i.e., IPsec through IKE) and - IKEless case (i.e., IPsec not through IKE, but through a Security - Controller). Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection] - for the detailed description of the I2NSF IPsec. + This YANG tree diagram shows an I2NSF IPsec specification for an + Internet Key Exchange IKE). An I2NSF IPsec specification is used to + define a method required to manage IPsec parameters for creating + IPsec Security Associations (SAs) between two NSFs through either the + IKEv2 protocol or the Security Controller + [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec considers + two cases, theIKE case (i.e., IPsec through IKE) and IKE-less case + (i.e., IPsec not through IKE, but through a Security Controller). + Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for the + detailed description of the I2NSF IPsec. 5. YANG Data Module 5.1. I2NSF NSF-Facing Interface YANG Data Module - This section introduces an YANG data module for configuration of + This section contains a YANG data module for configuration of security policy rules on network security functions. 
- file "ietf-i2nsf-policy-rule-for-nsf@2019-06-12.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2019-07-25.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix - iiprfn; + nsfintf; import ietf-inet-types{ prefix inet; reference "RFC 6991"; } import ietf-yang-types{ prefix yang; reference "RFC 6991"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: - WG Chair: Adrian Farrel - - WG Chair: Linda Dunbar - + + + WG Chair: Yoav Nir + Editor: Jingyong Tim Kim Editor: Jaehoon Paul Jeong Editor: Susan Hares "; description - "This module defines a YANG data module for network security - functions. + "This module defines a YANG data module for the Network Security + Functions (NSF) facing interface. Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). @@ -715,25 +706,24 @@ Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices."; - revision "2019-06-12"{ + revision "2019-07-25"{ description "Initial revision."; reference "RFC XXXX: I2NSF Network Security Function-Facing Interface YANG Data Model"; } /* * Identities */ 
@@ -749,841 +739,737 @@ } identity priority-by-number { base priority-usage-type; description "Identity for priority by number"; } identity event { description - "Base identity for event of policy."; + "Base identity for policy events"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - Event"; } identity system-event { base event; description - "Identity for system event"; + "Identity for system events"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System event"; } - identity system-alarm { base event; description - "Identity for system alarm"; + "Identity for system alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } identity access-violation { base system-event; description "Identity for access violation - among system events"; + system events"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System event"; } identity configuration-change { base system-event; description "Identity for configuration change - among system events"; + system events"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System event"; } identity memory-alarm { base system-alarm; description "Identity for memory alarm - among system alarms"; + system alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } identity cpu-alarm { base system-alarm; description - "Identity for cpu alarm - among system alarms"; + "Identity for CPU alarm + system alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } - identity disk-alarm { base system-alarm; description "Identity for disk alarm - among system alarms"; + system 
alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } identity hardware-alarm { base system-alarm; description "Identity for hardware alarm - among system alarms"; + system alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } identity interface-alarm { base system-alarm; description "Identity for interface alarm - among system alarms"; + system alarms"; reference - "draft-hong-i2nsf-nsf-monitoring-data-model-06 + "draft-ietf-i2nsf-nsf-monitoring-data-model-01 - System alarm"; } identity type-of-service { description "Base identity for type of service of IPv4"; reference "RFC 791: Internet Protocol - Type of Service"; } identity traffic-class { description "Base identity for traffic-class of IPv6"; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity normal { base type-of-service; base traffic-class; description - "Identity for normal"; - + "Identity for normal IPv4 TOS and IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity minimize-cost { base type-of-service; base traffic-class; description - "Identity for minimize cost"; + "Identity for 'minimize monetary cost' IPv4 TOS and + IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity maximize-reliability { base type-of-service; base traffic-class; description - "Identity for maximize reliability"; + "Identity for 'maximize reliability' IPv4 TOS and + IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: 
Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity maximize-throughput { base type-of-service; base traffic-class; description - "Identity for maximize throughput"; + "Identity for 'maximize throughput' IPv4 TOS and + IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity minimize-delay { base type-of-service; base traffic-class; description - "Identity for minimize delay"; + "Identity for 'minimize delay' IPv4 TOS and + IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; - } identity maximize-security { base type-of-service; base traffic-class; description - "Identity for maximize security"; + "Identity for 'maximize security' IPv4 TOS and + IPv6 Traffic Class"; reference "RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity fragmentation-flags-type { description "Base identity for fragmentation flags type"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity fragment { base fragmentation-flags-type; description - "Identity for fragment"; + "Identity for 'More fragment' flag"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity no-fragment { base fragmentation-flags-type; description - "Identity for no fragment"; + "Identity for 'Do not fragment' flag"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity reserved { base fragmentation-flags-type; description - "Identity for reserved"; + "Identity for reserved flags"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } identity 
protocol { description "Base identity for protocol of IPv4"; reference "RFC 790: Assigned numbers - Assigned Internet Protocol Number RFC 791: Internet Protocol - Protocol"; } identity next-header { description - "Base identity for next header of IPv6"; + "Base identity for IPv6 next header"; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity icmp { base protocol; base next-header; description - "Identity for icmp"; + "Identity for ICMP IPv4 protocol and + IPv6 nett header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity igmp { base protocol; base next-header; description - "Identity for igmp"; + "Identity for IGMP IPv4 protocol and + IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } - identity tcp { base protocol; base next-header; description - "Identity for tcp"; + "Identity for TCP protocol"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity igrp { base protocol; base next-header; description - "Identity for igrp"; + "Identity for IGRP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet 
Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity udp { base protocol; base next-header; description - "Identity for udp"; + "Identity for UDP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity gre { base protocol; base next-header; description - "Identity for gre"; + "Identity for GRE IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity esp { base protocol; base next-header; description - "Identity for esp"; - + "Identity for ESP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ah { base protocol; base next-header; description - "Identity for ah"; + "Identity for AH IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity mobile { base protocol; base next-header; description - "Identity for mobile"; + "Identity for mobile IPv4 protocol + 
and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } - identity tlsp { base protocol; base next-header; description - "Identity for tlsp"; + "Identity for TLSP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity skip { base protocol; base next-header; description - "Identity for skip"; + "Identity for skip IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ipv6-icmp { base protocol; base next-header; description - "Identity for IPv6 icmp "; + "Identity for IPv6 ICMP next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity eigrp { base protocol; base next-header; description - "Identity for eigrp"; + "Identity for EIGRP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next 
Header"; } identity ospf { base protocol; base next-header; description - "Identity for ospf"; + "Identity for OSPF IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity l2tp { base protocol; base next-header; description - "Identity for l2tp"; + "Identity for L2TP IPv4 protocol + and IPv6 next header"; reference "RFC 790: - Assigned numbers - Assigned Internet Protocol Number - RFC 791: Internet Protocol - Type of Service - RFC 2460: Internet Protocol, Version 6 (IPv6) + RFC 791: Internet Protocol - Protocol + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next Header"; } identity ipopts { description "Base identity for IP options"; reference "RFC 791: Internet Protocol - Options"; } identity rr { base ipopts; description - "Identity for record route"; + "Identity for 'Record Route' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity eol { base ipopts; description - "Identity for end of list"; + "Identity for 'End of List' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity nop { base ipopts; description - "Identity for no operation"; + "Identity for 'No Operation' IP Option"; reference "RFC 791: Internet Protocol - Options"; } + identity ts { base ipopts; description - "Identity for time stamp"; + "Identity for 'Timestamp' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity sec { base ipopts; description - "Identity for IP security"; + "Identity for 'IP security' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity esec { base ipopts; description - "Identity for IP extended security"; + "Identity for 'IP extended security' IP Option"; reference "RFC 791: Internet Protocol - Options"; } 
identity lsrr { base ipopts; description - "Identity for loose source routing"; + "Identity for 'Loose Source Routing' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity ssrr { base ipopts; description - "Identity for strict source routing"; + "Identity for 'Strict Source Routing' IP Option"; reference "RFC 791: Internet Protocol - Options"; } identity satid { base ipopts; description - "Identity for stream identifier"; + "Identity for 'Stream Identifier' IP Option"; reference "RFC 791: Internet Protocol - Options"; } + identity any { base ipopts; description - "Identity for which any IP options are set"; + "Identity for 'any IP options + included in IPv4 packet"; reference "RFC 791: Internet Protocol - Options"; } identity tcp-flags { description - "Base identity for tcp flags"; + "Base identity for TCP flags"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity cwr { base tcp-flags; description - "Identity for congestion window reduced"; + "Identity for 'Congestion Window Reduced' TCP flag"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity ecn { base tcp-flags; description - "Identity for explicit congestion notification"; + "Identity for 'Explicit Congestion Notification' + TCP flag"; + reference "RFC 793: Transmission Control Protocol - Flags"; } identity urg { base tcp-flags; description - "Identity for urgent"; + "Identity for 'Urgent' TCP flag"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity ack { base tcp-flags; description - "Identity for acknowledgement"; + "Identity for 'acknowledgement' TCP flag"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity psh { base tcp-flags; description - "Identity for push"; + "Identity for 'Push' TCP flag"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity rst { base tcp-flags; description - "Identity for reset"; + "Identity for 'Reset' TCP flag"; reference "RFC 793: Transmission Control Protocol - 
Flags"; } identity syn { base tcp-flags; description - "Identity for synchronize"; + "Identity for 'Synchronize' TCP flag"; reference "RFC 793: Transmission Control Protocol - Flags"; } identity fin { base tcp-flags; description - "Identity for finish"; + "Identity for 'Finish' TCP flag"; + reference "RFC 793: Transmission Control Protocol - Flags"; } identity icmp-type { description - "Base identity for icmp types"; + "Base identity for ICMP Message types"; reference "RFC 792: Internet Control Message Protocol"; } identity echo-reply { base icmp-type; description - "Identity for echo reply"; + "Identity for 'Echo Reply' ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity destination-unreachable { base icmp-type; description - "Identity for destination unreachable"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity source-quench { - base icmp-type; - description - "Identity for source quench"; + "Identity for 'Destination Unreachable' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity redirect { base icmp-type; description - "Identity for redirect"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity alternate-host-address { - base icmp-type; - description - "Identity for alternate host address"; + "Identity for 'Redirect' ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity echo { base icmp-type; description - "Identity for echo"; + "Identity for 'Echo' ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity router-advertisement { base icmp-type; description - "Identity for router advertisement"; + "Identity for 'Router Advertisement' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity router-solicitation { base icmp-type; description - "Identity for router solicitation"; + "Identity for 'Router Solicitation' + ICMP message type"; reference 
"RFC 792: Internet Control Message Protocol"; } identity time-exceeded { base icmp-type; description - "Identity for time exceeded"; + "Identity for 'Time exceeded' ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity parameter-problem { base icmp-type; description - "Identity for parameter problem"; + "Identity for 'Parameter Problem' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity timestamp { base icmp-type; description - "Identity for timestamp"; + "Identity for 'Timestamp' ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity timestamp-reply { base icmp-type; description - "Identity for timestamp reply"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity information-request { - base icmp-type; - description - "Identity for information request"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity information-reply { - base icmp-type; - description - "Identity for information reply"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity address-mask-request { - base icmp-type; - description - "Identity for address mask request"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity address-mask-reply { - base icmp-type; - description - "Identity for address mask reply"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity traceroute { - base icmp-type; - description - "Identity for traceroute"; + "Identity for 'Timestamp Reply' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } - identity datagram-conversion-error { base icmp-type; description - "Identity for datagram conversion error"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity mobile-host-redirect { - base icmp-type; - description - "Identity for mobile host redirect"; - reference - "RFC 792: Internet Control Message 
Protocol"; - } - - identity ipv6-where-are-you { - base icmp-type; - description - "Identity for IPv6 where are you"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity ipv6-i-am-here { - base icmp-type ; - description - "Identity for IPv6 i am here"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity mobile-registration-request { - base icmp-type; - description - "Identity for mobile registration request"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity mobile-registration-reply { - base icmp-type; - description - "Identity for mobile registration reply"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity domain-name-request { - base icmp-type; - description - "Identity for domain name request"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity domain-name-reply { - base icmp-type; - description - "Identity for domain name reply"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity iskip { - base icmp-type; - description - "Identity for icmp skip"; - reference - "RFC 792: Internet Control Message Protocol"; - } - - identity photuris { - base icmp-type; - description - "Identity for photuris"; + "Identity for 'Datagram Conversion Error' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity experimental-mobility-protocols { base icmp-type; description - "Identity for experimental mobility protocols"; + "Identity for 'Experimental Mobility Protocols' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol"; } identity extended-echo-request { base icmp-type; description - "Identity for extended echo request"; + "Identity for 'Extended Echo Request' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity extended-echo-reply { base icmp-type; description - "Identity for extended 
echo reply"; + "Identity for 'Extended Echo Reply' + ICMP message type"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity net-unreachable { base icmp-type; description "Identity for net unreachable in destination unreachable types"; @@ -1939,21 +1824,21 @@ in extended echo reply types"; reference "RFC 792: Internet Control Message Protocol RFC 8335: PROBE: A Utility for Probing Interfaces"; } identity target-device { description "Base identity for target devices"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities"; } identity pc { base target-device; description "Identity for pc"; } identity mobile-phone { @@ -1986,21 +1872,21 @@ "Identity for vehicle"; } identity content-security-control { description "Base identity for content security control"; reference "RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities"; } identity antivirus { base content-security-control; description "Identity for antivirus"; } identity ips { @@ -2057,29 +1942,28 @@ "Identity for voip and volte"; } identity attack-mitigation-control { description "Base identity for attack mitigation control"; reference "RFC 8329: Framework for Interface to Network Security Functions - Differences from ACL Data Models - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities"; } identity syn-flood { base attack-mitigation-control; description "Identity for syn flood"; - } identity udp-flood { base attack-mitigation-control; description "Identity for udp flood"; } identity icmp-flood { base attack-mitigation-control; 
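Review bot: In the icmp-type block, the set of removed identities (source-quench through photuris) tracks the ICMPv4 message types formally deprecated by RFC 6918, but with two mismatches: datagram-conversion-error, which RFC 6918 also deprecates, is kept and merely gets its description rewritten, while photuris, which is not deprecated, is dropped. If deprecation is the criterion, remove the former, restore the latter, and record the removals in the module's revision statement, since deleting identities is not a backward-compatible change once the module is published. Smaller points in the same hunk: the icmp description reads "IPv6 nett header" (should be "next header"); the tcp description "Identity for TCP protocol" breaks the "X IPv4 protocol and IPv6 next header" pattern every sibling uses; the any description opens a quote in 'any IP options that it never closes; and RFC 791 names the flag "More Fragments", not "More fragment".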
@@ -2157,97 +2040,96 @@ identity tracert { base attack-mitigation-control; description "Identity for tracert"; } identity ingress-action { description "Base identity for action"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Ingress Action"; } identity egress-action { description "Base identity for egress action"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Egress action"; } identity default-action { description "Base identity for default action"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Default action"; } identity pass { base ingress-action; base egress-action; base default-action; description "Identity for pass"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Actions and default action"; } identity drop { base ingress-action; base egress-action; base default-action; description "Identity for drop"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Actions and default action"; } identity reject { base ingress-action; base egress-action; base default-action; description "Identity for reject"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Actions and default action"; - } identity alert { base ingress-action; base egress-action; base default-action; description "Identity for alert"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Actions and default action"; } identity mirror { base ingress-action; base egress-action; base 
default-action; description "Identity for mirror"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Actions and default action"; } identity log-action { description "Base identity for log action"; } identity rule-log { 
@@ -2283,68 +2166,68 @@ base egress-action; description "Identity for redirection"; } identity resolution-strategy { description "Base identity for resolution strategy"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity fmr { base resolution-strategy; description "Identity for First Matching Rule (FMR)"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity lmr { base resolution-strategy; description "Identity for Last Matching Rule (LMR)"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity pmr { base resolution-strategy; description "Identity for Prioritized Matching Rule (PMR)"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity pmre { base resolution-strategy; description "Identity for Prioritized Matching Rule with Errors (PMRE)"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity pmrn { base resolution-strategy; description "Identity for Prioritized Matching Rule with No Errors (PMRN)"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity i2nsf-ipsec { description "Internet Key Exchnage for NSFs in the I2NSF framework"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 - i2nsf-ipsec"; 
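Review bot: The i2nsf-ipsec description in this hunk's trailing context still reads "Internet Key Exchnage"; since the hunk already touches the neighbouring reference strings, fix the typo to "Exchange" here rather than leaving it for a later revision.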
@@ -2368,44 +2250,38 @@ "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 - ikeless"; } /* * Typedefs */ typedef start-time-type { type union { - type string { - pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' - + '(Z|[\+\-]\d{2}:\d{2})'; - } + type yang:date-and-time; type enumeration { enum right-away { description "Immediate rule execution in the system."; } } } description "Start time when the rules are applied."; } typedef end-time-type { type union { - type string { - pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' - + '(Z|[\+\-]\d{2}:\d{2})'; - } + type yang:date-and-time; type enumeration { enum infinitely { description "Infinite rule execution in the system."; } } } description @@ -2504,21 +2381,21 @@ } /* * Groupings */ grouping ipv4 { list ipv4-address { key "ipv4"; description - "The list of IPv4 address."; + "The list of IPv4 addresses."; leaf ipv4 { type inet:ipv4-address; description "The value of IPv4 address."; } choice subnet { description "The subnet can be specified as a prefix length or netmask."; 
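Review bot: Replacing the time-of-day pattern with yang:date-and-time in start-time-type and end-time-type only compiles if the module imports ietf-yang-types with prefix yang; that import is not visible in this diff and should be confirmed. The change is also semantic rather than cosmetic: the old pattern '\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[\+\-]\d{2}:\d{2})' accepted a clock time alone, whereas date-and-time requires a full calendar date, so an absolute interval can no longer express "every day from 09:00" and such policies must move to the periodic container. The descriptions ("Start time when the rules are applied.") should state that the value is an absolute timestamp.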
@@ -2541,141 +2418,143 @@ reference "RFC 791: Internet Protocol - IPv4 address RFC 8344: A YANG Data Model for IP Management"; } grouping ipv6 { list ipv6-address { key "ipv6"; description - "The list of IPv6 address."; + "The list of IPv6 addresses."; leaf ipv6 { type inet:ipv6-address; description "The value of IPv6 address."; } + leaf prefix-length { type uint8 { range "0..128"; } description "The length of the subnet prefix."; } + } description "Grouping for an IPv6 address"; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address RFC 8344: A YANG Data Model for IP Management"; } grouping pkt-sec-ipv4 { choice match-type { description - "There are two types to configure a security policy - for IPv4 address, such as exact match and range match."; + "There are two types of security policy IPv4 address + matching - exact match and range match."; case exact-match { uses ipv4; description "Exact match for an IPv4 address."; } case range-match { list range-ipv4-address { key "start-ipv4-address end-ipv4-address"; leaf start-ipv4-address { type inet:ipv4-address; description - "Start IPv4 address for a range match."; + "Starting IPv4 address for a range match."; } leaf end-ipv4-address { type inet:ipv4-address; description - "End IPv4 address for a range match."; + "Ending IPv4 address for a range match."; } description "Range match for an IPv4 address."; } } } description "Grouping for an IPv4 address."; reference "RFC 791: Internet Protocol - IPv4 address"; } grouping pkt-sec-ipv6 { choice match-type { description - "There are two types to configure a security policy - for IPv6 address, such as exact match and range match."; + "There are two types of security policy IPv6 address + matching - exact match and range match."; case exact-match { uses ipv6; description "Exact match for an IPv6 address."; } case range-match { list range-ipv6-address { key "start-ipv6-address end-ipv6-address"; 
leaf start-ipv6-address { type inet:ipv6-address; description - "Start IPv6 address for a range match."; + "Starting IPv6 address for a range match."; } leaf end-ipv6-address { type inet:ipv6-address; description - "End IPv6 address for a range match."; + "Ending IPv6 address for a range match."; } description "Range match for an IPv6 address."; } } } description "Grouping for IPv6 address."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } grouping pkt-sec-port-number { choice match-type { description - "There are two types to configure a security policy - for a port number, such as exact match and range match."; + "There are two types of security policy TCP/UDP port + matching - exact match and range match."; case exact-match { leaf-list port-num { type inet:port-number; description "Exact match for a port number."; } } case range-match { list range-port-num { key "start-port-num end-port-num"; leaf start-port-num { type inet:port-number; description - "Start port number for a range match."; + "Starting port number for a range match."; } leaf end-port-num { type inet:port-number; description - "Start port number for a range match."; + "Ending port number for a range match."; } description "Range match for a port number."; } } } description "Grouping for port number."; reference 
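Review bot: None of the range-match lists reworded in this hunk (range-ipv4-address, range-ipv6-address, range-port-num) constrain the start of the range to be at or below its end, so a rule with start-port-num 1024 and end-port-num 22 is schema-valid and an NSF is left to guess whether it matches nothing or everything. For the numeric case add `must "start-port-num <= end-port-num";` with an error-message to the list; the same applies to the numeric header-field range lists later in the patch (header length, total length, fragment offset, TTL). Address ranges need the check in the NSF or in a must expression over canonical forms, since inet:ipv4-address and inet:ipv6-address are string types. Separately, the new prefix-length leaf in grouping ipv6 is unconditional while the ipv4 grouping offers a choice of prefix length or netmask; if that asymmetry is intended, say so in the description.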
@@ -2685,42 +2564,41 @@ /* * Data nodes */ container i2nsf-security-policy { description "Container for security policy including a set of security rules according to certain logic, i.e., their similarity or mutual relations, etc. The network - security policy is able to apply over both the unidirectional + security policy can be applied to both the unidirectional and bidirectional traffic across the NSF. The I2NSF security policies use the Event-Condition-Action (ECA) policy model "; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; list system-policy { key "system-policy-name"; description "The system-policy represents there could be multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device."; leaf system-policy-name { type string; - mandatory true; description "The name of the policy. This must be unique."; } leaf priority-usage { type identityref { base priority-usage-type; } default priority-by-order; 
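Review bot: Dropping `mandatory true;` from system-policy-name is correct, since a list key is mandatory by definition and the statement was redundant. While this region is open, the container description ends in "policy model " with a trailing space and no full stop, and the system-policy description ("The system-policy represents there could be multiple system policies") reads awkwardly; "An NSF may hold multiple system policies, each used by one virtual instance of the NSF/device." says the same thing.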
@@ -2728,57 +2606,55 @@ "Priority usage type for security policy rule: priority by order and priority by number"; } leaf resolution-strategy { type identityref { base resolution-strategy; } default fmr; description - "The resolution strategies can be used to + "The resolution strategies that can be used to specify how to resolve conflicts that occur between - the actions of the same or different policy rules that + actions of the same or different policy rules that are matched and contained in this particular NSF"; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution strategy"; } leaf default-action { type identityref { base default-action; } default alert; description "This default action can be used to specify a predefined action when no other alternative action was matched by the currently executing I2NSF Policy Rule. An analogy is the use of a default statement in a C switch statement."; reference - "draft-ietf-i2nsf-capability-04: Information Model + "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Default action"; } list rules { key "rule-name"; description "This is a rule for network security functions."; leaf rule-name { type string; - mandatory true; description - "The name of the rule. - This must be unique."; + "The name of the rule."; } leaf rule-description { type string; description "This description gives more information about rules."; } leaf rule-priority { 
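Review bot: The reworded resolution-strategy description is now a sentence fragment: "The resolution strategies that can be used to specify how to resolve conflicts ... in this particular NSF" has no main verb. "The resolution strategy specifies how to resolve conflicts between the actions of policy rules that match in this NSF." keeps the meaning. Removing `mandatory true;` from rule-name is fine for the same reason as system-policy-name (it is the list key), and dropping "This must be unique." is acceptable because the key already enforces uniqueness.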
@@ -2787,29 +2663,28 @@ } description "The priority keyword comes with a mandatory numeric value which can range from 1 till 255."; } leaf rule-enable { type boolean; description "True is enable. - False is not enbale."; + False is not enable."; } leaf session-aging-time { type uint16; description "This is session aging time."; } - container long-connection { description "This is long-connection"; leaf enable { type boolean; description "True is enable. False is not enbale."; } @@ -2810,47 +2685,52 @@ leaf enable { type boolean; description "True is enable. False is not enbale."; } leaf during { type uint16; description - "This is during time."; + "This has long-connection during a time."; } } - container time-zone { + container time-intervals { description "Time zone when the rules are applied"; - container absolute-time-zone { + container absolute-time-interval { description - "Rule execution according to absolute time"; + "Rule execution according to absolute time. + The absolute time intervals mean the exact time to + start or end."; leaf start-time { type start-time-type; default right-away; description "Start time when the rules are applied"; } leaf end-time { type end-time-type; default infinitely; description "End time when the rules are applied"; } } - container periodic-time-zone { + + container periodic-time-interval { description - "Rule execution according to periodic time"; + "Rule execution according to periodic time. + The periodic time intervals mean repeated time like + day, week, or month."; container day { description "Rule execution according to day."; leaf every-day { type boolean; default true; description "Rule execution every day"; } 
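Review bot: The rule-enable description fix in the first hunk changes "enbale" to "enable" but leaves the sentence wrong: "False is not enable" should read "False disables the rule" (and "True is enable" should be "True enables the rule"). The identical text under long-connection/enable is left untouched and should get the same fix. session-aging-time is a uint16 with no unit stated; the description should say whether it counts seconds.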
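Review bot: Renaming time-zone to time-intervals (and its children to absolute-time-interval and periodic-time-interval) in the second hunk leaves the parent description stale: it still says "Time zone when the rules are applied", which now contradicts the child names; "Time intervals during which the rules are applied" fits. The new "during" description, "This has long-connection during a time.", is no clearer than the old one; state what the uint16 counts, for example "Duration, in seconds, for which a long-lived connection is kept open", and consider naming the leaf duration.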
@@ -2893,44 +2773,44 @@ managed. When used in the context of policy rules for a flow-based NSF, it is used to determine whether the Condition clause of the Policy Rule can be evaluated or not. Examples of an I2NSF event include time and user actions (e.g., logon, logoff, and actions that violate any ACL.)."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview - draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG + draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG Data Model for Monitoring I2NSF Network Security Functions - System Alarm and System Events"; leaf event-clause-description { type string; description "Description for an event clause"; } container event-clauses { description - "It has two event types such as - system event and system alarm."; + "System Event Clause - either a system event or + system alarm"; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview - draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG + draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG Data Model for Monitoring I2NSF Network Security Functions - System Alarm and System Events"; leaf-list system-event { type identityref { base system-event; } description "The security policy rule according to system events."; 
@@ -2953,21 +2834,21 @@ compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed or not. Examples of I2NSF Conditions include matching attributes of a packet or flow, and comparing the internal state of an NSF to a desired state."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; leaf condition-clause-description { type string; description "Description for a condition clause."; } container packet-security-ipv4-condition { 
@@ -2975,57 +2856,55 @@ "The purpose of this container is to represent IPv4 packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference "RFC 791: Internet Protocol"; leaf ipv4-description { type string; description - "This is description for ipv4 condition."; - + "ipv4 condition texual description."; } container pkt-sec-ipv4-header-length { choice match-type { description - "There are two types to configure a security - policy for IPv4 header length, such as exact match - and range match."; + "Security policy IPv4 Header length match - + exact match and range match."; case exact-match { leaf-list ipv4-header-length { type uint8 { range "5..15"; } description "Exact match for an IPv4 header length."; } } case range-match { list range-ipv4-header-length { key "start-ipv4-header-length end-ipv4-header-length"; leaf start-ipv4-header-length { type uint8 { range "5..15"; } description - "Start IPv4 header length for a range match."; + "Starting IPv4 header length for a range match."; } leaf end-ipv4-header-length { type uint8 { range "5..15"; } description - "End IPv4 header length for a range match."; + "Ending IPv4 header length for a range match."; } description "Range match for an IPv4 header length."; } } } description "The security policy rule according to IPv4 header length."; reference 
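Review bot: The rewritten ipv4-description text, "ipv4 condition texual description.", introduces a typo ("texual") and lower-cases the protocol name; the only defect in the original was "This is description", so "Textual description of the IPv4 condition." is the cleaner form. The shortened match-type description ("Security policy IPv4 Header length match - exact match and range match.") also drops the sentence structure its sibling descriptions keep.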
@@ -3024,56 +2903,56 @@ "Range match for an IPv4 header length."; } } } description "The security policy rule according to IPv4 header length."; reference "RFC 791: Internet Protocol - Header length"; } + leaf-list pkt-sec-ipv4-tos { type identityref { base type-of-service; } description "The security policy rule according to IPv4 type of service."; reference - "RFC 791: Internet Protocol - Type of service"; + "RFC 1394: Internet Protocol - Type of service"; } container pkt-sec-ipv4-total-length { choice match-type { description - "There are two types to configure a security - policy for IPv4 total length, such as exact match - and range match."; + "Security policy IPv4 total length matching + - exact match and range match."; case exact-match { leaf-list ipv4-total-length { type uint16; description "Exact match for an IPv4 total length."; } } case range-match { list range-ipv4-total-length { key "start-ipv4-total-length end-ipv4-total-length"; leaf start-ipv4-total-length { type uint16; description - "Start IPv4 total length for a range match."; + "Starting IPv4 total length for a range match."; } leaf end-ipv4-total-length { type uint16; description - "End IPv4 total length for a range match."; + "Ending IPv4 total length for a range match."; } description "Range match for an IPv4 total length."; } } } description "The security policy rule according to IPv4 total length."; reference 
@@ -3116,28 +2996,28 @@ } case range-match { list range-ipv4-fragment-offset { key "start-ipv4-fragment-offset end-ipv4-fragment-offset"; leaf start-ipv4-fragment-offset { type uint16 { range "0..16383"; } description - "Start IPv4 fragment offset for a range match."; + "Starting IPv4 fragment offset for a range match."; } leaf end-ipv4-fragment-offset { type uint16 { range "0..16383"; } description - "End IPv4 fragment offset for a range match."; + "Ending IPv4 fragment offset for a range match."; } description "Range match for an IPv4 fragment offset."; } } } description "The security policy rule according to IPv4 fragment offset."; reference @@ -3156,26 +3036,26 @@ description "Exact match for an IPv4 TTL."; } } case range-match { list range-ipv4-ttl { key "start-ipv4-ttl end-ipv4-ttl"; leaf start-ipv4-ttl { type uint8; description - "Start IPv4 TTL for a range match."; + "Starting IPv4 TTL for a range match."; } leaf end-ipv4-ttl { type uint8; description - "End IPv4 TTL for a range match."; + "Ending IPv4 TTL for a range match."; } description "Range match for an IPv4 TTL."; } } } description "The security policy rule according to IPv4 time-to-live (TTL)."; reference 
@@ -3214,67 +3093,67 @@ leaf-list pkt-sec-ipv4-ipopts { type identityref { base ipopts; } description "The security policy rule according to IPv4 options."; reference "RFC 791: Internet Protocol - Options"; } - leaf pkt-sec-ipv4-sameip { + + leaf pkt-sec-ipv4-same-ip { type boolean; description - "Every packet has a source IP-address and - a destination IP-address. It can be that - the source IP is the same as - the destination IP."; + "Match on packets with the same IPv4 source + and IPv4 destination address."; } - leaf-list pkt-sec-ipv4-geoip { + leaf-list pkt-sec-ipv4-geo-ip { type string; description - "The geoip keyword enables you to match on + "The geo-ip keyword enables you to match on the source, destination or source and destination IP addresses of network traffic and to see to which country it belongs. To do this, Suricata uses GeoIP API with MaxMind database format."; } } container packet-security-ipv6-condition { description "The purpose of this container is to represent IPv6 packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification"; leaf ipv6-description { type string; description "This is description for ipv6 condition."; } leaf-list pkt-sec-ipv6-traffic-class { type identityref { base traffic-class; } description "The security policy rule according to IPv6 traffic class."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic class"; } + container pkt-sec-ipv6-flow-label { choice match-type { description "There are two types to configure a security policy for IPv6 flow label, such as exact match and range match."; case exact-match { leaf-list ipv6-flow-label { type uint32 { range "0..1048575"; 
@@ -3284,39 +3163,39 @@ } } case range-match { list range-ipv6-flow-label { key "start-ipv6-flow-label end-ipv6-flow-label"; leaf start-ipv6-flow-label { type uint32 { range "0..1048575"; } description - "Start IPv6 flow label for a range match."; + "Starting IPv6 flow label for a range match."; } leaf end-ipv6-flow-label { type uint32 { range "0..1048575"; } description - "End IPv6 flow label for a range match."; + "Ending IPv6 flow label for a range match."; } description "Range match for an IPv6 flow label."; } } } description "The security policy rule according to IPv6 flow label."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Flow label"; } container pkt-sec-ipv6-payload-length { choice match-type { description "There are two types to configure a security policy for IPv6 payload length, such as exact match and range match."; case exact-match { 
@@ -3318,59 +3197,61 @@ description "There are two types to configure a security policy for IPv6 payload length, such as exact match and range match."; case exact-match { leaf-list ipv6-payload-length { type uint16; description "Exact match for an IPv6 payload length."; } + } case range-match { list range-ipv6-payload-length { key "start-ipv6-payload-length end-ipv6-payload-length"; leaf start-ipv6-payload-length { type uint16; description - "Start IPv6 payload length for a range match."; + "Starting IPv6 payload length for a range match."; } leaf end-ipv6-payload-length { type uint16; description - "End IPv6 payload length for a range match."; + "Ending IPv6 payload length for a range match."; } description "Range match for an IPv6 payload length."; } } } description "The security policy rule according to IPv6 payload length."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Payload length"; } leaf-list pkt-sec-ipv6-next-header { type identityref { base next-header; } description "The security policy rule according to IPv6 next header."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Next header"; } + container pkt-sec-ipv6-hop-limit { choice match-type { description "There are two types to configure a security policy for IPv6 hop limit, such as exact match and range match."; case exact-match { leaf-list ipv6-hop-limit { type uint8; description 
@@ -3392,40 +3273,41 @@ } description "Range match for an IPv6 hop limit."; } } } description "The security policy rule according to IPv6 hop limit."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Hop limit"; } container pkt-sec-ipv6-src { uses pkt-sec-ipv6; description "The security policy rule according to IPv6 source address."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } + container pkt-sec-ipv6-dest { uses pkt-sec-ipv6; description "The security policy rule according to IPv6 destination address."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6) + "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } } container packet-security-tcp-condition { description "The purpose of this container is to represent TCP packet header information to determine if the set of policy actions in this ECA policy @@ -3803,26 +3686,20 @@ description "Condition for context"; leaf context-description { type string; description "This is description for context condition. Vendors can write instructions for context condition that vendor made"; } - leaf-list acl-number { - type uint32; - description - "This is acl-number."; - } - container application-condition { description "Condition for application"; leaf application-description { type string; description "This is description for application condition."; } leaf-list application-object { type string; 
@@ -3905,42 +3783,39 @@ authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aware of the IP address of the user provided by a unified user management system via network. Based on name-address association, NSF is able to enforce the security functions over the given user (or user group)"; choice user-name { description - "The name of the user. - This must be unique."; + "The name of the user."; case tenant { description "Tenant information."; leaf tenant { type uint8; - mandatory true; description "User's tenant information."; } } case vn-id { description "VN-ID information."; leaf vn-id { type uint8; - mandatory true; description "User's VN-ID information."; } } } } container group { description "The user (or user group) information with which @@ -3949,55 +3824,50 @@ authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aware of the IP address of the user provided by a unified user management system via network. Based on name-address association, NSF is able to enforce the security functions over the given user (or user group)"; choice group-name { description - "The name of the user. - This must be unique."; + "The name of the user."; case tenant { description "Tenant information."; leaf tenant { type uint8; - mandatory true; description "User's tenant information."; } } case vn-id { description "VN-ID information."; leaf vn-id { type uint8; - mandatory true; description "User's VN-ID information."; } } } - } - leaf security-grup { + leaf security-group { type string; - mandatory true; description - "security-grup."; + "security-group."; } } container gen-context-condition { description "Condition for generic context"; leaf gen-context-description { type string; description "This is description for generic context condition. 
@@ -4036,37 +3906,37 @@ "An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. Examples of I2NSF Actions include providing intrusion detection and/or protection, web and flow filtering, and deep packet inspection for packets and flows."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; leaf action-clause-description { type string; description "Description for an action clause."; } container packet-action { description "Action for packets"; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure - draft-ietf-i2nsf-capability-04: Information Model + draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy Model Overview"; leaf ingress-action { type identityref { base ingress-action; } description "Action: pass, drop, reject, alert, and mirror."; } 
@@ -4206,77 +4075,126 @@ XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950]. name: ietf-i2nsf-policy-rule-for-nsf namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- nsf - prefix: iiprfn + prefix: nsfintf reference: RFC XXXX 7. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required secure transport is TLS [RFC8446]. The NETCONF access control model [RFC8341] provides a means of restricting access to specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. + There are a number of data nodes defined in this YANG module that are + writable/creatable/deletable (i.e., config true, which is the + default). These data nodes may be considered sensitive or vulnerable + in some network environments. Write operations (e.g., edit-config) + to these data nodes without proper protection can have a negative + effect on network operations. These are the subtrees and data nodes + and their sensitivity/vulnerability: + + o ietf-i2nsf-policy-rule-for-nsf: The attacker may provide incorrect + policy information of any target NSFs by illegally modifying this. + + Some of the readable data nodes in this YANG module may be considered + sensitive or vulnerable in some network environments. It is thus + important to control read access (e.g., via get, get-config, or + notification) to these data nodes. 
These are the subtrees and data + nodes and their sensitivity/vulnerability: + + o ietf-i2nsf-policy-rule-for-nsf: The attacker may gather the + security policy information of any target NSFs and misuse the + security policy information for subsequent attacks. + 8. References 8.1. Normative References + [RFC1394] Robinson, P., "Relationship of Telex Answerback Codes to + Internet Domains", RFC 1394, DOI 10.17487/RFC1394, January + 1993, . + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . + [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, + A., Peterson, J., Sparks, R., Handley, M., and E. + Schooler, "SIP: Session Initiation Protocol", RFC 3261, + DOI 10.17487/RFC3261, June 2002, + . + [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, . + [RFC768] Postel, J., "User Datagram Protocol", RFC 768, August + 1980. + + [RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981. + + [RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981. + + [RFC792] Postel, J., "Internet Control Message Protocol", RFC 792, + September 1981. + + [RFC793] Postel, J., "Transmission Control Protocol", RFC 793, + September 1981. + [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . 
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . + [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", STD 86, RFC 8200, + DOI 10.17487/RFC8200, July 2017, + . + [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, . [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, . [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 
@@ -4288,79 +4206,79 @@ S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . 8.2. Informative References - [draft-ietf-i2nsf-sdn-ipsec-flow-protection] - Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- - Garcia, "Software-Defined Networking (SDN)-based IPsec - Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- - protection-04 (work in progress), March 2019. - - [i2nsf-advanced-nsf-dm] + [draft-dong-i2nsf-asf-config] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. - [i2nsf-nsf-cap-dm] - Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, - "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- - capability-data-model-05 (work in progress), June 2019. - - [i2nsf-nsf-cap-im] + [draft-ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. - [supa-policy-info-model] + [draft-ietf-i2nsf-capability-data-model] + Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, + "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- + capability-data-model-05 (work in progress), July 2019. + + [draft-ietf-i2nsf-sdn-ipsec-flow-protection] + Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- + Garcia, "Software-Defined Networking (SDN)-based IPsec + Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- + protection-05 (work in progress), July 2019. + + [draft-ietf-supa-generic-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. Appendix A. 
Configuration Examples This section shows configuration examples of "ietf-i2nsf-policy-rule- for-nsf" module for security policy rules of network security devices. For security requirements, we assume that the NSFs (i.e., General firewall, Time based firewall, URL filter, VoIP/VoLTE filter, and http and https flood mitigation ) described in Appendix A. - Configuration Examples of [i2nsf-nsf-cap-dm] are registered in I2NSF - framework. With the registed NSFs, we show configuration examples - for security policy rules of network security functions according to - the following three security requirements: (i) Block SNS access - during business hours, (ii) Block malicious VoIP/VoLTE packets coming - to the company, and (iii) Mitigate http and https flood attacks on - company web server. + Configuration Examples of [draft-ietf-i2nsf-capability-data-model] + are registered in I2NSF framework. With the registed NSFs, we show + configuration examples for security policy rules of network security + functions according to the following three security requirements: (i) + Block SNS access during business hours, (ii) Block malicious VoIP/ + VoLTE packets coming to the company, and (iii) Mitigate http and + https flood attacks on company web server. A.1. Security Requirement 1: Block SNS Access during Business Hours This section shows a configuration example for blocking SNS access during business hours. sns_access block_sns_access_during_operation_time - - + + 09:00:00Z 18:00:00Z - - + + 221.159.112.1 221.159.112.90 
@@ -4401,21 +4319,21 @@ Business Hours Figure 7 and Figure 8 show the configuration XML documents for time based firewall and web filter to block SNS access during business hours. For the security requirement, two NSFs (i.e., a time based firewall and a web filter) were used because one NSF can not meet the security requirement. The instances of XML documents for the time based firewall and the web filter are as follows: Note that a detailed data model for the configuration of the advanced network security function (i.e., web filter) is described in - [i2nsf-advanced-nsf-dm]. + [draft-dong-i2nsf-asf-config]. Time based Firewall 1. The name of the system policy is sns_access. 2. The name of the rule is block_sns_access_during_operation_time. 3. The rule is operated during the business hours (i.e., from 9 a.m. to 6 p.m.). @@ -4504,21 +4422,21 @@ VoIP/VoLTE Packets Coming to the Company Figure 9 and Figure 10 show the configuration XML documents for general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE packets coming to the company. For the security requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used because one NSF can not meet the security requirement. The instances of XML documents for the general firewall and the VoIP/VoLTE filter are as follows: Note that a detailed data model for the configuration of the advanced network security function (i.e., VoIP/VoLTE filter) - is described in [i2nsf-advanced-nsf-dm]. + is described in [draft-dong-i2nsf-asf-config]. General Firewall 1. The name of the system policy is voip_volte_inspection. 2. The name of the rule is block_malicious_voip_volte_packets. 3. The rule inspects a destination IPv4 address (i.e., from 221.159.112.1 to 221.159.112.90) to inspect the packets coming into the company. 
@@ -4610,21 +4528,21 @@ Figure 11 and Figure 12 show the configuration XML documents for general firewall and http and https flood attack mitigation to mitigate http and https flood attacks on a company web server. For the security requirement, two NSFs (i.e., a general firewall and a http and https flood attack mitigation) were used because one NSF can not meet the security requirement. The instances of XML documents for the general firewall and http and https flood attack mitigation are as follows: Note that a detailed data model for the configuration of the advanced network security function (i.e., http and https flood - attack mitigation) is described in [i2nsf-advanced-nsf-dm]. + attack mitigation) is described in [draft-dong-i2nsf-asf-config]. General Firewall 1. The name of the system policy is flood_attack_mitigation. 2. The name of the rule is mitigate_http_and_https_flood_attack. 3. The rule inspects a destination IPv4 address (i.e., 221.159.112.95) to inspect the access packets coming into the company web server. 
@@ -4643,35 +4561,35 @@ http_and_https_flood_attack_mitigation. 2. The name of the rule is 100_per_second. 3. The rule controls the http and https packets according to the amount of incoming packets. 4. If the incoming packets match the rules above, the packets are blocked. -Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-05 +Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-06 The following changes are made from draft-ietf-i2nsf-nsf-facing- - interface-dm-05: + interface-dm-06: - o We added an I2NSF IPsec field for IPsec management (e.g., ike and - ikeless). + o The version is revised according to the comments from Acee Lindem + who is a YANG doctor for review. Appendix C. Acknowledgments - This work was supported by Institute for Information & communications - Technology Promotion (IITP) grant funded by the Korea government - (MSIP)(No. R-20160222-002755, Cloud based Security Intelligence - Technology Development for the Customized Security Service - Provisioning). + This work was supported by Institute of Information & Communications + Technology Planning & Evaluation (IITP) grant funded by the Korea + MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based + Security Intelligence Technology Development for the Customized + Security Service Provisioning). Appendix D. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University)
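Review bot: the new ipv4-description text in hunk @@ -2975,57 +2856,55 @@ carries a typo, "texual" for "textual"; suggest `"Textual description of the IPv4 condition."`, and the same wording is worth applying to the untouched ipv6-description ("This is description for ipv6 condition.") so the two conditions read consistently. The match-type description in the same hunk was shortened to "Security policy IPv4 Header length match - exact match and range match.", which is a sentence fragment; a complete sentence such as "Match on the IPv4 header length, either by exact value or by range." reads better in a YANG description statement.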
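Review bot: the reference change for pkt-sec-ipv4-tos in hunk @@ -3024,56 +2903,56 @@ points at the wrong document: per the normative reference entry added later in this same patch, RFC 1394 is "Relationship of Telex Answerback Codes to Internet Domains", which has nothing to do with the IPv4 Type of Service field. Keep `"RFC 791: Internet Protocol - Type of service"` (RFC 791 remains the reference for every other IPv4 header field in this container) and drop the [RFC1394] entry from Section 8.1.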
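Review bot: the pkt-sec-ipv4-geo-ip description in hunk @@ -3214,67 +3093,67 @@ still states that "Suricata uses GeoIP API with MaxMind database format", a product- and vendor-specific statement that does not belong in a standards-track YANG description; describe the semantics of the match (the country associated with the source and/or destination IPv4 address) and leave the lookup mechanism to the implementation. Note also that pkt-sec-ipv4-sameip -> pkt-sec-ipv4-same-ip and pkt-sec-ipv4-geoip -> pkt-sec-ipv4-geo-ip are node renames that invalidate instance data written against -06; any tree diagram or Appendix A example still using the old names needs updating, and the renames belong in Appendix B.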
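Review bot: the lone `+ }` after the ipv6-payload-length exact-match case in hunk @@ -3318,59 +3197,61 @@ closes a case statement that was unbalanced in -06, which is the right fix, but it shifts brace nesting for everything that follows in pkt-sec-ipv6-payload-length; please confirm that the revised module validates cleanly with a YANG compiler rather than relying on the diff alone.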
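Review bot: removing the acl-number leaf-list from the context condition in hunk @@ -3803,26 +3686,20 @@ is a schema change that Appendix B does not mention (hunk @@ -4643 only says the version was revised according to YANG doctor comments). Please list the removed node there and confirm that no Appendix A example still populates acl-number.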
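Review bot: in hunk @@ -3905,42 +3783,39 @@ the `mandatory true` statements are dropped from the tenant and vn-id leaves without any description text saying that a user entry may omit both; if the intent is that every user entry carries either a tenant or a VN-ID, putting `mandatory true` on the `user-name` choice itself expresses that more precisely than marking the leaf inside each single-leaf case. Also, the description "The name of the user." is applied both to this user-name choice and, in the next hunk, to group-name; the group-name one should read "The name of the user group."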
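Review bot: the removed `}` before `leaf security-group` in hunk @@ -3949,55 +3824,50 @@ moves security-group from a sibling of container group into the group container, so it is now only reachable under group; if that relocation is intended, the tree diagram in the body of the draft and Appendix B need to reflect it, and if it is not, restore the brace and keep only the typo fix (security-grup -> security-group). Dropping `mandatory true` from security-group also means a group entry can be created with none of tenant, vn-id or security-group set, which the description should state explicitly if it is allowed.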
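Review bot: the Security Considerations added in hunk @@ -4206,77 +4075,126 @@ follow the RFC 8407 template, but both the writable and the readable lists name only the module as a whole (`ietf-i2nsf-policy-rule-for-nsf`); the template asks for the specific subtrees and nodes that are sensitive, for example the condition clauses (whose read exposure reveals which traffic attributes are inspected) and the action clauses (whose modification can silently change what an NSF passes, drops or mirrors). In the same hunk, the new normative entries for RFC 768, 790, 791, 792 and 793 lack the DOI and URL that every other entry carries; [RFC1394] should go with the erroneous pkt-sec-ipv4-tos reference; and [RFC3261] is added as normative, so please confirm the module actually cites it. The prefix change iiprfn -> nsfintf is also a visible change that Appendix B should list.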
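Review bot: the rewrapped Appendix A paragraph in hunk @@ -4288,79 +4206,79 @@ keeps the typo "registed" (for "registered") in a line the patch rewrites anyway, and "are registered in I2NSF framework" should read "are registered in the I2NSF framework". The informative-reference anchors are renamed to the full draft names, which is consistent with the updated citations in the later Appendix A hunks; please check that no other citation of the old [i2nsf-nsf-cap-dm], [i2nsf-nsf-cap-im] or [supa-policy-info-model] anchors survives outside the hunks shown.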
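Review bot: the single Appendix B entry in hunk @@ -4643,35 +4561,35 @@ ("revised according to the comments from Acee Lindem who is a YANG doctor for review") does not tell a reader what changed. The changes visible in this patch are at least: node renames (pkt-sec-ipv4-sameip -> pkt-sec-ipv4-same-ip, pkt-sec-ipv4-geoip -> pkt-sec-ipv4-geo-ip, security-grup -> security-group), removal of acl-number and of the `mandatory true` statements, relocation of security-group into container group, the module prefix change (iiprfn -> nsfintf), the RFC 2460 -> RFC 8200 reference updates, the new Security Considerations text and the renamed informative-reference anchors. Listing them lets implementers of -06 see what breaks, and the entry should also read "who is a YANG doctor, for review" or simply "from YANG doctor review by Acee Lindem".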