rfcdiff: draft-ietf-i2nsf-nsf-facing-interface-dm-12.txt vs. draft-ietf-i2nsf-nsf-facing-interface-dm-13.txt

This page compares revision -12 of the draft (dated March 8, 2021, expiring September 9, 2021) with revision -13 (dated 15 August 2021, expiring 16 February 2022). The header below is that of revision -13.

I2NSF Working Group                                           J. Kim, Ed.
Internet-Draft                                              J. Jeong, Ed.
Intended status: Standards Track                  Sungkyunkwan University
Expires: 16 February 2022                                        J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                          15 August 2021

      I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-13
Abstract

This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework. The YANG data model in this document corresponds to the information model for the NSF-Facing Interface in the I2NSF framework.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 16 February 2022. [Revision -12 read: This Internet-Draft will expire on September 9, 2021.]
Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents (revision -13 page numbers)

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  General I2NSF Security Policy Rule  . . . . . . . . . . .   3
     3.2.  Event Clause  . . . . . . . . . . . . . . . . . . . . . .   5
     3.3.  Condition Clause  . . . . . . . . . . . . . . . . . . . .   6
     3.4.  Action Clause . . . . . . . . . . . . . . . . . . . . . .  11
   4.  YANG Data Model of NSF-Facing Interface . . . . . . . . . . .  12
     4.1.  YANG Module of NSF-Facing Interface . . . . . . . . . . .  12
   5.  XML Configuration Examples of Low-Level Security Policy
       Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .  64
     5.1.  Security Requirement 1: Block Social Networking Service
           (SNS) Access during Business Hours  . . . . . . . . . . .  64
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to a Company . . . . . . . . . . . . . . . . . . .  68
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server . . . . . . . . . . . . .  71
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  74
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  74
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  75
   9.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  75
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  76
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  76
     10.2.  Informative References . . . . . . . . . . . . . . . . .  79
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  80
1. Introduction

This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF). The YANG data model in this document is based on the information and data model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329]. The YANG data model in this document focuses on security policy configuration for the NSFs discussed in [I-D.ietf-i2nsf-capability-data-model], i.e., generic NSF (

[Revision -12 read: The YANG data model in this document is based on the information model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329]. The YANG data model in this document focuses on security policy configuration for generic network security functions (e.g., firewall, web filter, and Distributed-Denial-of-Service (DDoS) attack mitigator) [I-D.ietf-i2nsf-capability-data-model]. Security policy configuration for advanced network security functions is out of the scope of this document, such as Intrusion Prevention System (IPS) and anti-virus [I-D.ietf-i2nsf-capability-data-model].]
This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model]. The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the configuration of the following features.

   *  A security policy rule of a network security function.
      [Revision -12 read: A general security policy rule of a generic network security function.]

   *  An event clause of a generic network security function.

   *  A condition clause of a generic network security function.

   *  An action clause of a generic network security function.
2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terminology described in [RFC8329].

This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA). The meaning of the symbols in tree diagrams is defined in [RFC8340].
3. YANG Tree Diagram

This section shows a YANG tree diagram of policy for network security functions [I-D.ietf-i2nsf-capability-data-model].

[Revision -12 read: This section shows a YANG tree diagram of generic network security functions. Advanced network security functions can be defined in future. Advanced network security functions is out of the scope of this document can be defined in future, such as Intrusion Prevention System (IPS), Distributed-Denial-of-Service (DDoS) attack mitigator, and anti-virus [I-D.ietf-i2nsf-capability-data-model].]
3.1. General I2NSF Security Policy Rule

This section shows a YANG tree diagram for a general I2NSF security policy rule for generic network security functions.
Revision -13:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     +--rw system-policy-name     string
     +--rw priority-usage?        identityref
     +--rw resolution-strategy?   identityref
     +--rw default-action?        identityref
     +--rw rules* [rule-name]
     |  +--rw rule-name             string
     |  +--rw rule-description?     string
     |  +--rw rule-priority?        uint8
     |  +--rw rule-enable?          boolean
     |  +--rw session-aging-time?   uint16
     |  +--rw long-connection
     |  |  +--rw enable?     boolean
     |  |  +--rw duration?   uint16
     |  +--rw event
     |  |  ...
     |  +--rw condition
     |  |  ...
     |  +--rw action
     |     ...
     +--rw rule-group
        +--rw groups* [group-name]
           +--rw group-name     string
           +--rw rule-range
           |  +--rw start-rule?   string
           |  +--rw end-rule?     string
           +--rw enable?        boolean
           +--rw description?   string

Revision -12:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        +--rw system-policy-name     string
        +--rw priority-usage?        identityref
        +--rw resolution-strategy?   identityref
        +--rw default-action?        identityref
        +--rw rules* [rule-name]
        |  +--rw rule-name                  string
        |  +--rw rule-description?          string
        |  +--rw rule-priority?             uint8
        |  +--rw rule-enable?               boolean
        |  +--rw rule-session-aging-time?   uint16
        |  +--rw rule-long-connection
        |  |  +--rw enable?     boolean
        |  |  +--rw duration?   uint16
        |  +--rw time-intervals
        |  |  +--rw absolute-time-interval
        |  |  |  +--rw start-time?   start-time-type
        |  |  |  +--rw end-time?     end-time-type
        |  |  +--rw periodic-time-interval
        |  |     +--rw day
        |  |     |  +--rw every-day?      boolean
        |  |     |  +--rw specific-day*   day-type
        |  |     +--rw month
        |  |        +--rw every-month?      boolean
        |  |        +--rw specific-month*   month-type
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     ...
        +--rw rule-group
           +--rw groups* [group-name]
              +--rw group-name     string
              +--rw rule-range
              |  +--rw start-rule?   string
              |  +--rw end-rule?     string
              +--rw enable?        boolean
              +--rw description?   string

                Figure 1: YANG Tree Diagram for Network Security Policy
The system policy provides for multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device. The system policy includes system policy name, priority usage, resolution strategy, default action, and rules.

A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in a particular NSF. The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). The resolution strategy can be extended according to specific vendor action features. The resolution strategy is described in detail in [I-D.ietf-i2nsf-capability-data-model].

A default action is the action the NSF executes when no I2NSF policy rule matches a packet. The default action is defined as pass, drop, rate-limit, and mirror. The default action can be extended according to specific vendor action features. The default action is described in detail in [I-D.ietf-i2nsf-capability-data-model].
[Revision -12 read: The default action is defined as pass, drop, reject, alert, and mirror.]

The rules include rule name, rule description, rule priority, rule enable, event, condition, and action.
[Revision -12 read: The rules include rule name, rule description, rule priority, rule enable, time zone, event clause container, condition clause container, and action clause container.]
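The following Python evaluator is an added example and is not code from the draft or from any I2NSF implementation. It loads a constructed XML instance that follows the -13 node names of this section (rules, rule-priority, rule-enable, resolution-strategy, default-action) together with the ipv4/source-address and tcp/destination-port-number condition nodes of Section 3.3, and applies the FMR, LMR and PMR resolution strategies to the rules that match a packet. Assumptions: namespaces and identity prefixes are omitted, the action subtree (packet-action/ingress-action) is not shown in this section and is assumed, and the match semantics (AND across sub-conditions, OR within a list, higher rule-priority wins) are this example's, not the draft's.

```python
"""Policy evaluator for an ietf-i2nsf-policy-rule-for-nsf instance (-13 node names).

Added example, not from the draft. Applies the resolution strategies of Section 3.1
(fmr, lmr, pmre, pmrn) and default-action to the rules matching a packet.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed instance data. Namespaces and identity prefixes are omitted; the action
# subtree (packet-action/ingress-action) is an assumption, not shown in this section.
POLICY_XML = """<i2nsf-security-policy>
  <system-policy-name>example_policy</system-policy-name>
  <resolution-strategy>fmr</resolution-strategy>
  <default-action>pass</default-action>
  <rules>
    <rule-name>block_web_from_guest_net</rule-name>
    <rule-priority>10</rule-priority>
    <rule-enable>true</rule-enable>
    <condition>
      <ipv4><source-address>
        <ipv4-prefix><ipv4>192.0.2.0</ipv4><prefix-length>24</prefix-length></ipv4-prefix>
      </source-address></ipv4>
      <tcp>
        <destination-port-number><start>80</start><end>80</end></destination-port-number>
        <destination-port-number><start>443</start><end>443</end></destination-port-number>
      </tcp>
    </condition>
    <action><packet-action><ingress-action>drop</ingress-action></packet-action></action>
  </rules>
  <rules>
    <rule-name>allow_admin_hosts</rule-name>
    <rule-priority>20</rule-priority>
    <rule-enable>true</rule-enable>
    <condition>
      <ipv4><source-address>
        <ipv4-range><start>192.0.2.10</start><end>192.0.2.20</end></ipv4-range>
      </source-address></ipv4>
    </condition>
    <action><packet-action><ingress-action>pass</ingress-action></packet-action></action>
  </rules>
</i2nsf-security-policy>"""


def _in_range(entry, value):
    """True if value falls inside one [start end] list entry."""
    return int(entry.findtext("start")) <= value <= int(entry.findtext("end"))


def _ipv4_source_matches(src, addr):
    """source-address matches if any ipv4-prefix or ipv4-range entry contains addr."""
    ip = ipaddress.IPv4Address(addr)
    for p in src.findall("ipv4-prefix"):
        plen = p.findtext("prefix-length") or "32"   # no prefix-length: host match
        if ip in ipaddress.IPv4Network(f"{p.findtext('ipv4')}/{plen}", strict=False):
            return True
    for r in src.findall("ipv4-range"):
        if ipaddress.IPv4Address(r.findtext("start")) <= ip <= ipaddress.IPv4Address(r.findtext("end")):
            return True
    return False


def rule_matches(rule, pkt):
    """AND across the sub-conditions present, OR within a list (assumed semantics)."""
    cond = rule.find("condition")
    if cond is None:
        return True
    src = cond.find("ipv4/source-address")
    if src is not None and not _ipv4_source_matches(src, pkt["src"]):
        return False
    dports = cond.findall("tcp/destination-port-number")
    if dports and not (pkt.get("proto") == "tcp"
                       and any(_in_range(d, pkt["dport"]) for d in dports)):
        return False
    return True


def resolve(policy, matched):
    """Pick the winning rule with the policy's resolution-strategy (Section 3.1)."""
    strategy = policy.findtext("resolution-strategy", "fmr")
    if strategy == "fmr":          # First Matching Rule
        return matched[0]
    if strategy == "lmr":          # Last Matching Rule
        return matched[-1]
    # pmre / pmrn: highest rule-priority wins (assumed: higher value, higher precedence).
    # On a tie PMRE reports a conflict, PMRN keeps the first match (this example's choice).
    ranked = sorted(matched, key=lambda r: int(r.findtext("rule-priority", "0")), reverse=True)
    if (strategy == "pmre" and len(ranked) > 1
            and ranked[0].findtext("rule-priority") == ranked[1].findtext("rule-priority")):
        raise ValueError("PMRE: matched rules share the highest priority")
    return ranked[0]


def evaluate(policy_xml, pkt):
    """Return (rule-name, action) for pkt = {"src", "proto", "dport"}; rule-name is
    None when no enabled rule matched and default-action applies."""
    policy = ET.fromstring(policy_xml)
    matched = [r for r in policy.findall("rules")
               if r.findtext("rule-enable", "true") == "true" and rule_matches(r, pkt)]
    if not matched:
        return None, policy.findtext("default-action")
    winner = resolve(policy, matched)
    return winner.findtext("rule-name"), winner.findtext("action/packet-action/ingress-action")
```

Swapping the resolution-strategy value in the instance (fmr, lmr, pmre, pmrn) changes which of two overlapping rules wins for a source inside both the /24 prefix and the admin range, which is exactly the conflict the strategy exists to settle.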
3.2. Event Clause

This section shows a YANG tree diagram for an event clause for a general I2NSF security policy rule for generic network security functions.
Revision -13:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     ...
     +--rw rules* [rule-name]
     |  ...
     |  +--rw event
     |  |  +--rw event-clause-description?   string
     |  |  +--rw time
     |  |  |  +--rw start-date-time?   yang:date-and-time
     |  |  |  +--rw end-date-time?     yang:date-and-time
     |  |  |  +--rw period
     |  |  |  |  +--rw start-time?   time
     |  |  |  |  +--rw end-time?     time
     |  |  |  |  +--rw day*          identityref
     |  |  |  |  +--rw date*         int32
     |  |  |  |  +--rw month*        string
     |  |  |  +--rw frequency?   enumeration
     |  |  +--rw event-clauses
     |  |     +--rw system-event*   identityref
     |  |     +--rw system-alarm*   identityref
     |  +--rw condition
     |  |  ...
     |  +--rw action
     |     ...
     +--rw rule-group
        ...

Revision -12:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  +--rw event-clause-description?   string
        |  |  +--rw event-clauses
        |  |     +--rw system-event*   identityref
        |  |     +--rw system-alarm*   identityref
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     ...
        +--rw rule-group
           ...

                  Figure 2: YANG Tree Diagram for an Event Clause
An event clause is any important occurrence at a specific time of a change in the system being managed, and/or in the environment of the system being managed. An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as a system event, system alarm [I-D.ietf-i2nsf-nsf-monitoring-data-model] and time. The event clause can be extended according to specific vendor event features. The event clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].
[Revision -12 read: The event clause is defined as a system event and system alarm [I-D.ietf-i2nsf-nsf-monitoring-data-model].]
3.3. Condition Clause

This section shows a YANG tree diagram for a condition clause for a general I2NSF security policy rule for generic network security functions.
Revision -13 (the diagram is cut off on this page after the users node):

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     ...
     +--rw rules* [rule-name]
     |  ...
     |  +--rw event
     |  |  ...
     |  +--rw condition
     |  |  +--rw condition-clause-description?   string
     |  |  +--rw mac
     |  |  |  +--rw mac-description?       string
     |  |  |  +--rw source-address*        yang:mac-address
     |  |  |  +--rw destination-address*   yang:mac-address
     |  |  |  +--rw ether-type*            uint16
     |  |  +--rw ipv4
     |  |  |  +--rw description?      string
     |  |  |  +--rw header-length* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw dscp*             inet:dscp
     |  |  |  +--rw total-length* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw identification*   uint16
     |  |  |  +--rw fragment-flags*   identityref
     |  |  |  +--rw fragment-offset* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw ttl* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw protocol*         uint8
     |  |  |  +--rw source-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |  |  |  |     |     +--rw (subnet)?
     |  |  |  |     |        +--:(prefix-length)
     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |     |        +--:(netmask)
     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv4-range* [start end]
     |  |  |  |           +--rw start    inet:ipv4-address
     |  |  |  |           +--rw end      inet:ipv4-address
     |  |  |  +--rw destination-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |  |  |  |     |     +--rw (subnet)?
     |  |  |  |     |        +--:(prefix-length)
     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |     |        +--:(netmask)
     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv4-range* [start end]
     |  |  |  |           +--rw start    inet:ipv4-address
     |  |  |  |           +--rw end      inet:ipv4-address
     |  |  |  +--rw ipopts*           identityref
     |  |  +--rw ipv6
     |  |  |  +--rw description?   string
     |  |  |  +--rw dscp*          inet:dscp
     |  |  |  +--rw flow-label* [start end]
     |  |  |  |  +--rw start    inet:ipv6-flow-label
     |  |  |  |  +--rw end      inet:ipv6-flow-label
     |  |  |  +--rw payload-length* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw next-header*   uint8
     |  |  |  +--rw hop-limit* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw source-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv6-prefix* [ipv6]
     |  |  |  |     |     +--rw ipv6             inet:ipv6-address
     |  |  |  |     |     +--rw prefix-length?   uint8
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv6-range* [start end]
     |  |  |  |           +--rw start    inet:ipv6-address
     |  |  |  |           +--rw end      inet:ipv6-address
     |  |  |  +--rw destination-address
     |  |  |     +--rw (match-type)?
     |  |  |        +--:(prefix)
     |  |  |        |  +--rw ipv6-prefix* [ipv6]
     |  |  |        |     +--rw ipv6             inet:ipv6-address
     |  |  |        |     +--rw prefix-length?   uint8
     |  |  |        +--:(range)
     |  |  |           +--rw ipv6-range* [start end]
     |  |  |              +--rw start    inet:ipv6-address
     |  |  |              +--rw end      inet:ipv6-address
     |  |  +--rw tcp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number* [start end]
     |  |  |  |  +--rw start    inet:port-number
     |  |  |  |  +--rw end      inet:port-number
     |  |  |  +--rw destination-port-number* [start end]
     |  |  |  |  +--rw start    inet:port-number
     |  |  |  |  +--rw end      inet:port-number
     |  |  |  +--rw flags*         identityref
     |  |  +--rw udp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw total-length* [start end]
     |  |  |     +--rw start    uint32
     |  |  |     +--rw end      uint32
     |  |  +--rw sctp
     |  |  |  +--rw description?        string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw verification-tag*   uint32
     |  |  |  +--rw chunk-type*         uint8
     |  |  +--rw dccp
     |  |  |  +--rw description?    string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw service-code*   uint32
     |  |  +--rw icmp* [version]
     |  |  |  +--rw description?   string
     |  |  |  +--rw version        enumeration
     |  |  |  +--rw type*          uint8
     |  |  |  +--rw code*          uint8
     |  |  +--rw url-category
     |  |  |  +--rw description?             string
     |  |  |  +--rw pre-defined-category*    string
     |  |  |  +--rw user-defined-category*   string
     |  |  +--rw voice
     |  |  |  +--rw description?            string
     |  |  |  +--rw source-voice-id*        string
     |  |  |  +--rw destination-voice-id*   string
     |  |  |  +--rw user-agent*             string
     |  |  +--rw ddos
     |  |  |  +--rw description?         string
     |  |  |  +--rw alert-packet-rate?   uint32
     |  |  |  +--rw alert-flow-rate?     uint32
     |  |  |  +--rw alert-byte-rate?     uint32
     |  |  +--rw anti-virus
     |  |  |  +--rw profile?           string
     |  |  |  +--rw exception-files?   string
     |  |  +--rw payload
     |  |  |  +--rw packet-payload-description?   string
     |  |  |  +--rw payload-content*              string
     |  |  +--rw context
     |  |     +--rw context-description?   string
     |  |     +--rw application
     |  |     |  +--rw description?   string
     |  |     |  +--rw object*        string
     |  |     |  +--rw group*         string
     |  |     |  +--rw label*         string
     |  |     |  +--rw category
     |  |     |     +--rw application-category* [name subcategory]
     |  |     |        +--rw name          string
     |  |     |        +--rw subcategory   string
     |  |     +--rw target
     |  |     |  +--rw description?   string
     |  |     |  +--rw device*        identityref
     |  |     +--rw users
     |  |        +--rw users-description?   string
     |  |        +--rw user* [user-id]
     |  |        |  +--rw user-id      uint32
     |  |        |  +--rw user-name?   string
     |  |        +--rw group* [group-id]

Revision -12 (likewise cut off on this page after the users node):

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  +--rw condition-clause-description?   string
        |  |  +--rw packet-security-ipv4-condition
        |  |  |  +--rw ipv4-description?   string
        |  |  |  +--rw pkt-sec-ipv4-header-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-header-length*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-header-length* [start-ipv4-header-length end-ipv4-header-length]
        |  |  |  |           +--rw start-ipv4-header-length   uint8
        |  |  |  |           +--rw end-ipv4-header-length     uint8
        |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
        |  |  |  +--rw pkt-sec-ipv4-total-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-total-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-total-length* [start-ipv4-total-length end-ipv4-total-length]
        |  |  |  |           +--rw start-ipv4-total-length   uint16
        |  |  |  |           +--rw end-ipv4-total-length     uint16
        |  |  |  +--rw pkt-sec-ipv4-id*   uint16
        |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
        |  |  |  +--rw pkt-sec-ipv4-fragment-offset
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-fragment-offset* [start-ipv4-fragment-offset end-ipv4-fragment-offset]
        |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
        |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
        |  |  |  +--rw pkt-sec-ipv4-ttl
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-ttl*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
        |  |  |  |           +--rw start-ipv4-ttl   uint8
        |  |  |  |           +--rw end-ipv4-ttl     uint8
        |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
        |  |  |  +--rw pkt-sec-ipv4-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4        inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address* [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-dest
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4        inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address* [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-ipopts*    identityref
        |  |  |  +--rw pkt-sec-ipv4-same-ip?   boolean
        |  |  |  +--rw pkt-sec-ipv4-geo-ip*    string
        |  |  +--rw packet-security-ipv6-condition
        |  |  |  +--rw ipv6-description?   string
        |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
        |  |  |  +--rw pkt-sec-ipv6-flow-label
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-flow-label*   uint32
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-flow-label* [start-ipv6-flow-label end-ipv6-flow-label]
        |  |  |  |           +--rw start-ipv6-flow-label   uint32
        |  |  |  |           +--rw end-ipv6-flow-label     uint32
        |  |  |  +--rw pkt-sec-ipv6-payload-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-payload-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-payload-length* [start-ipv6-payload-length end-ipv6-payload-length]
        |  |  |  |           +--rw start-ipv6-payload-length   uint16
        |  |  |  |           +--rw end-ipv6-payload-length     uint16
        |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
        |  |  |  +--rw pkt-sec-ipv6-hop-limit
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-hop-limit* [start-ipv6-hop-limit end-ipv6-hop-limit]
        |  |  |  |           +--rw start-ipv6-hop-limit   uint8
        |  |  |  |           +--rw end-ipv6-hop-limit     uint8
        |  |  |  +--rw pkt-sec-ipv6-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-address* [ipv6]
        |  |  |  |     |     +--rw ipv6             inet:ipv6-address
        |  |  |  |     |     +--rw prefix-length?   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-address* [start-ipv6-address end-ipv6-address]
        |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
        |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
        |  |  |  +--rw pkt-sec-ipv6-dest
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw ipv6-address* [ipv6]
        |  |  |        |     +--rw ipv6             inet:ipv6-address
        |  |  |        |     +--rw prefix-length?   uint8
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-ipv6-address* [start-ipv6-address end-ipv6-address]
        |  |  |              +--rw start-ipv6-address   inet:ipv6-address
        |  |  |              +--rw end-ipv6-address     inet:ipv6-address
        |  |  +--rw packet-security-tcp-condition
        |  |  |  +--rw tcp-description?   string
        |  |  |  +--rw pkt-sec-tcp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-flags*   identityref
        |  |  +--rw packet-security-udp-condition
        |  |  |  +--rw udp-description?   string
        |  |  |  +--rw pkt-sec-udp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-total-length
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw udp-total-length*   uint32
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-udp-total-length* [start-udp-total-length end-udp-total-length]
        |  |  |              +--rw start-udp-total-length   uint32
        |  |  |              +--rw end-udp-total-length     uint32
        |  |  +--rw packet-security-sctp-condition
        |  |  |  +--rw sctp-description?   string
        |  |  |  +--rw pkt-sec-sctp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-sctp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-sctp-verification-tag*   uint32
        |  |  |  +--rw pkt-sec-sctp-chunk-type*         uint8
        |  |  +--rw packet-security-dccp-condition
        |  |  |  +--rw dccp-description?   string
        |  |  |  +--rw pkt-sec-dccp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-dccp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-dccp-service-code*   uint32
        |  |  +--rw packet-security-icmp-condition
        |  |  |  +--rw icmp-description?             string
        |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
        |  |  +--rw packet-security-url-category-condition
        |  |  |  +--rw url-category-description?   string
        |  |  |  +--rw pre-defined-category*       string
        |  |  |  +--rw user-defined-category*      string
        |  |  +--rw packet-security-voice-condition
        |  |  |  +--rw voice-description?       string
        |  |  |  +--rw pkt-sec-src-voice-id*    string
        |  |  |  +--rw pkt-sec-dest-voice-id*   string
        |  |  |  +--rw pkt-sec-user-agent*      string
        |  |  +--rw packet-security-ddos-condition
        |  |  |  +--rw ddos-description?            string
        |  |  |  +--rw pkt-sec-alert-packet-rate?   uint32
        |  |  |  +--rw pkt-sec-alert-flow-rate?     uint32
        |  |  |  +--rw pkt-sec-alert-byte-rate?     uint32
        |  |  +--rw packet-security-payload-condition
        |  |  |  +--rw packet-payload-description?   string
        |  |  |  +--rw pkt-payload-content*          string
        |  |  +--rw context-condition
        |  |     +--rw context-description?   string
        |  |     +--rw application-condition
        |  |     |  +--rw application-description?   string
        |  |     |  +--rw application-object*        string
        |  |     |  +--rw application-group*         string
        |  |     |  +--rw application-label*         string
        |  |     |  +--rw category
        |  |     |     +--rw application-category* [name application-subcategory]
        |  |     |        +--rw name                      string
        |  |     |        +--rw application-subcategory   string
        |  |     +--rw target-condition
        |  |     |  +--rw target-description?   string
        |  |     |  +--rw device-sec-context-cond
        |  |     |     +--rw target-device*   identityref
        |  |     +--rw users-condition
        |  |        +--rw users-description?   string
        |  |        +--rw user [user-name user-id]
        |  |        |  +--rw user-name*   string
        |  |        |  +--rw user-id*     uint32
        |  |        +--rw group [group-name group-id]
| | | +--rw group-name string | | | | +--rw group-id uint32
| | | +--rw group-id uint32 | | | | +--rw group-name? string
| | | +--rw security-group string | | | +--rw security-group? string
| | +--rw geography-context-condition | | +--rw geography-location
| | +--rw geography-context-description? string | | +--rw description? string
| | +--rw geography-location | | +--rw source* string
| | +--rw src-geography-location* string | | +--rw destination* string
| | +--rw dest-geography-location* string | +--rw action
| +--rw action-clause-container
| ... | ...
+--rw rule-group +--rw rule-group
... ...
Figure 3: YANG Tree Diagram for a Condition Clause Figure 3: YANG Tree Diagram for a Condition Clause
A condition clause is defined as a set of attributes, features, and/or values that are compared with a set of known attributes, features, and/or values in order to determine whether the set of actions in that (imperative) I2NSF policy rule can be executed. A condition clause is classified as a condition of generic network security functions, advanced network security functions, or context.

OLD (draft-12): A condition clause of generic network security functions is defined as packet security IPv4 condition, packet security IPv6 condition, packet security TCP condition, and packet security ICMP condition. A condition clause of advanced network security functions is defined as packet security URL category condition, packet security voice condition, packet security DDoS condition, or packet security payload condition.

NEW (draft-13): A condition clause of generic network security functions is defined as IPv4 condition, IPv6 condition, TCP condition, UDP condition, SCTP condition, DCCP condition, and ICMP (ICMPv4 and ICMPv6) condition.

Note that the data model in this document does not focus only on IP addresses, but on all the fields of the IPv4 and IPv6 headers. The two headers are similar but differ in some fields, so the model handles the IPv4 and IPv6 headers separately; the differing fields can then be matched for IPv4 and IPv6 packets respectively.

A condition clause of advanced network security functions is defined as URL category condition, voice condition, DDoS condition, or payload condition.

(Both versions) A condition clause of context is defined as application condition, target condition, users condition, and geography condition.

Note that this document deals only with conditions of several advanced network security functions such as URL filter (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator. A condition clause of other advanced network security functions such as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP) can be defined as an extension in future. A condition clause can be extended according to specific vendor condition features. A condition clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].
3.4. Action Clause

This section shows a YANG tree diagram for an action clause for a general I2NSF security policy rule for generic network security functions.

module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy* [system-policy-name]
...
+--rw rules* [rule-name]
| ...
| +--rw event
| | ...
| +--rw condition
| | ...
| +--rw action
| +--rw action-clause-description? string
| +--rw packet-action
| | +--rw ingress-action? identityref
| | +--rw egress-action? identityref
| | +--rw log-action? identityref
| +--rw flow-action
| | +--rw ingress-action? identityref
| | +--rw egress-action? identityref
| | +--rw log-action? identityref
| +--rw advanced-action
| +--rw content-security-control* identityref
| +--rw attack-mitigation-control* identityref
+--rw rule-group
...

Figure 4: YANG Tree Diagram for an Action Clause

(In draft-12 the top-level node was i2nsf-security-policy without the [system-policy-name] key, and the event, condition, and action nodes were named event-clause-container, condition-clause-container, and action-clause-container. The nodes under action are the same in both versions.)
An action is used to control and monitor aspects of flow-based NSFs when the policy rule's event and condition clauses are satisfied. NSFs provide security services by executing various actions. The action clause is defined as ingress action, egress action, or log action for packet action, flow action, and advanced action for additional inspection.

OLD (draft-12): The packet action is an action for an individual packet such as an IP datagram. The flow action is an action of a traffic flow such as the packets of a TCP session (e.g., an HTTP/HTTPS session). The advanced action is an action of an advanced network security function (e.g., web filter and DDoS-attack mitigator) for either a packet or a traffic flow.

NEW (draft-13): The packet action is an action for an individual packet such as an IP datagram; it is a stateless process that uses only the packet's header and payload. The flow action is an action on a traffic flow such as the packets of a TCP session (e.g., an HTTP/HTTPS session); it is a stateful process that uses traffic flow information such as the 5-tuple, packet counts, and byte counts. The advanced action is an action for an advanced security service (e.g., URL filter, DDoS-attack mitigator, and VoIP/VoLTE filter), applied to either a packet or a traffic flow according to the intention of that service.

The action clause can be extended according to specific vendor action features. The action clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].
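The following Python evaluator is an added illustration by the editor, not code from the draft or from any I2NSF implementation. It shows both of the points made in Sections 3.3 and 3.4: how a condition clause's (match-type) choice (exact port-num* versus range-port-num* [start-port-num end-port-num]) and the DDoS alert rates from Figure 3 are evaluated, and the difference between a stateless packet action, which sees only one packet's header, and a stateful flow action, which needs per-5-tuple packet and byte counts. Everything not in the tree diagrams is assumed: the 'dest-ipv4-network' key, the action identities 'pass' and 'drop', the packet record format, and the sample traffic, which is constructed inline.

```python
"""Added example (editor's illustration, not code from the draft).

Node names follow the draft-12 tree in Figure 3 (the (match-type) choice,
the DDoS alert rates) and Figure 4 (packet-action / flow-action).
Assumed, not from the draft: the 'dest-ipv4-network' key, the action
identities 'pass' and 'drop', the packet dict format, and all sample traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def port_matches(port_cond, port):
    """(match-type) choice: exact-match lists port-num*, range-match lists
    range-port-num*. An empty choice means no constraint on the port."""
    if "port-num" in port_cond:
        return port in port_cond["port-num"]
    if "range-port-num" in port_cond:
        return any(r["start-port-num"] <= port <= r["end-port-num"]
                   for r in port_cond["range-port-num"])
    return True


def packet_condition_matches(cond, pkt):
    """Stateless match using only the header fields of one packet."""
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    nets = cond.get("dest-ipv4-network", [])  # assumed node name
    if nets and not any(ip_address(pkt["dst"]) in ip_network(n) for n in nets):
        return False
    return (port_matches(cond.get("src-port-num", {}), pkt["sport"])
            and port_matches(cond.get("dest-port-num", {}), pkt["dport"]))


def apply_packet_rules(rules, pkt):
    """Packet action: first matching rule wins (priority-by-order); default 'pass'."""
    for rule in rules:
        if packet_condition_matches(rule["condition"], pkt):
            return rule["action"]["packet-action"]["ingress-action"]
    return "pass"


class FlowTracker:
    """Per-5-tuple state (packet and byte counts, first/last timestamp)
    that a stateful flow action needs and a packet action does not."""

    def __init__(self):
        self.stats = defaultdict(
            lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})

    @staticmethod
    def key(pkt):
        return (pkt["src"], pkt["dst"], pkt["protocol"], pkt["sport"], pkt["dport"])

    def update(self, pkt):
        s = self.stats[self.key(pkt)]
        s["packets"] += 1
        s["bytes"] += pkt["len"]
        s["first"] = pkt["ts"] if s["first"] is None else s["first"]
        s["last"] = pkt["ts"]
        return s


def ddos_condition_matches(ddos_cond, s):
    """alert-packet-rate / alert-byte-rate are per-second thresholds; the
    window is floored at one second so one packet is never an infinite rate."""
    window = max(s["last"] - s["first"], 1.0)
    return (s["packets"] / window >= ddos_cond.get("alert-packet-rate", float("inf"))
            or s["bytes"] / window >= ddos_cond.get("alert-byte-rate", float("inf")))


def apply_flow_rules(rules, tracker, pkt):
    """Flow action: update the flow's state, then evaluate the DDoS condition."""
    s = tracker.update(pkt)
    for rule in rules:
        ddos = rule["condition"].get("ddos")
        if ddos and ddos_condition_matches(ddos, s):
            return rule["action"]["flow-action"]["ingress-action"]
    return "pass"


PACKET_RULES = [{
    "rule-name": "drop-sctp-to-mgmt-range",
    "condition": {"protocol": "sctp", "dest-ipv4-network": ["10.0.0.0/24"],
                  "dest-port-num": {"range-port-num": [
                      {"start-port-num": 9000, "end-port-num": 9100}]}},
    "action": {"packet-action": {"ingress-action": "drop", "log-action": "log"}},
}]
FLOW_RULES = [{
    "rule-name": "udp-flood-mitigation",
    "condition": {"ddos": {"alert-packet-rate": 100}},
    "action": {"flow-action": {"ingress-action": "drop", "log-action": "log"}},
}]


def demo():
    """Constructed traffic: two SCTP packets (inside/outside the port range)
    and a 150-packet UDP burst at 100 packets per second to one destination."""
    sctp = {"ts": 0.0, "src": "192.0.2.7", "dst": "10.0.0.5", "protocol": "sctp",
            "sport": 40000, "dport": 9050, "len": 120}
    packet_verdicts = [apply_packet_rules(PACKET_RULES, sctp),
                       apply_packet_rules(PACKET_RULES, dict(sctp, dport=9200))]
    tracker, flow_verdicts = FlowTracker(), []
    for i in range(150):
        burst = {"ts": i * 0.01, "src": "198.51.100.9", "dst": "10.0.0.5",
                 "protocol": "udp", "sport": 1234, "dport": 53, "len": 64}
        flow_verdicts.append(apply_flow_rules(FLOW_RULES, tracker, burst))
    return packet_verdicts, flow_verdicts


if __name__ == "__main__":
    pv, fv = demo()
    print("packet verdicts:", pv)
    print("flow: first drop at packet", fv.index("drop"), "of", len(fv))
```

The packet rule drops the SCTP packet to port 9050 and passes the one to port 9200 without any state; the flow rule passes the first 99 packets of the burst and starts dropping at the 100th, once the per-flow counters cross alert-packet-rate, which is exactly the information a stateless packet action could not have used.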
4. YANG Data Model of NSF-Facing Interface

The main objective of this data model is to provide both an information model and the corresponding YANG data model of I2NSF NSF-Facing Interface. This interface can be used to deliver control and management messages between Security Controller and NSFs for the I2NSF low-level security policies.

This data model is designed to support the I2NSF framework that can
...
policies as well as the implementation approach.

With the YANG data model of I2NSF NSF-Facing Interface, this document suggests use cases for security policy rules such as time-based firewall, web filter, VoIP/VoLTE security service, and DDoS-attack mitigation in Section 5.
4.1. YANG Module of NSF-Facing Interface

OLD (draft-12): This section describes a YANG module of NSF-Facing Interface. This YANG module imports from [RFC6991]. It makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC3261] [RFC4443] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [ISO-Country-Codes] [IANA-Protocol-Numbers].

NEW (draft-13): This section describes a YANG module of NSF-Facing Interface. This document provides identities in the data model for the configuration of an NSF. Each identity has the same meaning as the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm]. This YANG module imports from [RFC6991]. It makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4960] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model].

OLD (draft-12) module:

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-03-08.yang"
module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix
nsfintf;
import ietf-inet-types{
prefix inet;
reference "RFC 6991";
}
import ietf-yang-types{
prefix yang;
reference "RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>";
description
"This module is a YANG module for Network Security Functions
(NSF)-Facing Interface.
Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2021-03-08"{
description "The latest revision.";
reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model";
}
/*
* Identities
*/
identity priority-usage-type {
description
"Base identity for priority usage type.";
}
identity priority-by-order {
base priority-usage-type;
description
"Identity for priority by order";
}
identity priority-by-number {
base priority-usage-type;
description
"Identity for priority by number";
}
identity event {
description
"Base identity for policy events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - Event";
}
identity system-event {
base event;
description
"Identity for system events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event";
}
identity system-alarm {
base event;
description
"Identity for system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm";
}
identity access-violation {
base system-event;
description
"Identity for access violation
system events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for access
violation";
}
identity configuration-change {
base system-event;
description
"Identity for configuration change
system events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for configuration
change";
}
identity memory-alarm {
base system-alarm;
description
"Identity for memory alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for memory";
}
identity cpu-alarm {
base system-alarm;
description
"Identity for CPU alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU";
}
identity disk-alarm {
base system-alarm;
description
"Identity for disk alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for disk";
}
identity hardware-alarm {
base system-alarm;
description
"Identity for hardware alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for hardware";
}
identity interface-alarm {
base system-alarm;
description
"Identity for interface alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for interface";
}
identity type-of-service {
description
"Base identity for type of service of IPv4";
reference
"RFC 791: Internet Protocol - Type of Service";
}
identity traffic-class {
description
"Base identity for traffic-class of IPv6";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity normal {
base type-of-service;
base traffic-class;
description
"Identity for normal IPv4 TOS and IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity minimize-cost {
base type-of-service;
base traffic-class;
description
"Identity for 'minimize monetary cost' IPv4 TOS and
IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-reliability {
base type-of-service;
base traffic-class;
description
"Identity for 'maximize reliability' IPv4 TOS and
IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-throughput {
base type-of-service;
base traffic-class;
description
"Identity for 'maximize throughput' IPv4 TOS and
IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity minimize-delay {
base type-of-service;
base traffic-class;
description
"Identity for 'minimize delay' IPv4 TOS and
IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-security {
base type-of-service;
base traffic-class;
description
"Identity for 'maximize security' IPv4 TOS and
IPv6 Traffic Class";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity fragmentation-flags-type {
description
"Base identity for fragmentation flags type";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity fragment {
base fragmentation-flags-type;
description
"Identity for 'More fragment' flag";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity no-fragment {
base fragmentation-flags-type;
description
"Identity for 'Do not fragment' flag";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity reserved {
base fragmentation-flags-type;
description
"Identity for reserved flags";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity protocol {
description
"Base identity for protocol of IPv4";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol";
}
identity next-header {
description
"Base identity for IPv6 next header";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity icmp {
base protocol;
base next-header;
description
"Identity for ICMP IPv4 protocol and
IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity igmp {
base protocol;
base next-header;
description
"Identity for IGMP IPv4 protocol and
IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity tcp {
base protocol;
base next-header;
description
"Identity for TCP protocol";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity igrp {
base protocol;
base next-header;
description
"Identity for IGRP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity udp {
base protocol;
base next-header;
description
"Identity for UDP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity gre {
base protocol;
base next-header;
description
"Identity for GRE IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity esp {
base protocol;
base next-header;
description
"Identity for ESP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ah {
base protocol;
base next-header;
description
"Identity for AH IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity mobile {
base protocol;
base next-header;
description
"Identity for mobile IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity tlsp {
base protocol;
base next-header;
description
"Identity for TLSP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity skip {
base protocol;
base next-header;
description
"Identity for skip IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ipv6-icmp {
base protocol;
base next-header;
description
"Identity for IPv6 ICMP next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity eigrp {
base protocol;
base next-header;
description
"Identity for EIGRP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ospf {
base protocol;
base next-header;
description
"Identity for OSPF IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity l2tp {
base protocol;
base next-header;
description
"Identity for L2TP IPv4 protocol
and IPv6 next header";
reference
"IANA: Assigned Internet Protocol Numbers
RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ipopts {
description
"Base identity for IP options";
reference
"RFC 791: Internet Protocol - Options";
}
identity rr {
base ipopts;
description
"Identity for 'Record Route' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity eol {
base ipopts;
description
"Identity for 'End of List' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity nop {
base ipopts;
description
"Identity for 'No Operation' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity ts {
base ipopts;
description
"Identity for 'Timestamp' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity sec {
base ipopts;
description
"Identity for 'IP security' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity esec {
base ipopts;
description
"Identity for 'IP extended security' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity lsrr {
base ipopts;
description
"Identity for 'Loose Source Routing' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity ssrr {
base ipopts;
description
"Identity for 'Strict Source Routing' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity satid {
base ipopts;
description
"Identity for 'Stream Identifier' IP Option";
reference
"RFC 791: Internet Protocol - Options";
}
identity any {
base ipopts;
description
"Identity for any IP option
included in an IPv4 packet";
reference
"RFC 791: Internet Protocol - Options";
}
identity tcp-flags {
description
"Base identity for TCP flags";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity cwr {
base tcp-flags;
description
"Identity for 'Congestion Window Reduced' TCP flag";
reference
"RFC 3168: The Addition of Explicit Congestion Notification
(ECN) to IP";
}
identity ecn {
base tcp-flags;
description
"Identity for 'ECN-Echo' (ECE) TCP flag";
reference
"RFC 3168: The Addition of Explicit Congestion Notification
(ECN) to IP";
}
identity urg {
base tcp-flags;
description
"Identity for 'Urgent' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity ack {
base tcp-flags;
description
"Identity for 'acknowledgement' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity psh {
base tcp-flags;
description
"Identity for 'Push' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity rst {
base tcp-flags;
description
"Identity for 'Reset' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity syn {
base tcp-flags;
description
"Identity for 'Synchronize' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity fin {
base tcp-flags;
description
"Identity for 'Finish' TCP flag";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity icmp-type {
description
"Base identity for ICMP Message types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity echo-reply {
base icmp-type;
description
"Identity for 'Echo Reply' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-unreachable {
base icmp-type;
description
"Identity for 'Destination Unreachable'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect {
base icmp-type;
description
"Identity for 'Redirect' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity echo {
base icmp-type;
description
"Identity for 'Echo' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity router-advertisement {
base icmp-type;
description
"Identity for 'Router Advertisement'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity router-solicitation {
base icmp-type;
description
"Identity for 'Router Solicitation'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity time-exceeded {
base icmp-type;
description
"Identity for 'Time exceeded' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity parameter-problem {
base icmp-type;
description
"Identity for 'Parameter Problem'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity timestamp {
base icmp-type;
description
"Identity for 'Timestamp' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity timestamp-reply {
base icmp-type;
description
"Identity for 'Timestamp Reply'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity datagram-conversion-error {
base icmp-type;
description
"Identity for 'Datagram Conversion Error'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity experimental-mobility-protocols {
base icmp-type;
description
"Identity for 'Experimental Mobility Protocols'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity extended-echo-request {
base icmp-type;
description
"Identity for 'Extended Echo Request'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity extended-echo-reply {
base icmp-type;
description
"Identity for 'Extended Echo Reply'
ICMP message type";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity net-unreachable {
base icmp-type;
description
"Identity for net unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity host-unreachable {
base icmp-type;
description
"Identity for host unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity protocol-unreachable {
base icmp-type;
description
"Identity for protocol unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity port-unreachable {
base icmp-type;
description
"Identity for port unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity fragment-set {
base icmp-type;
description
"Identity for fragmentation set
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity source-route-failed {
base icmp-type;
description
"Identity for source route failed
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-network-unknown {
base icmp-type;
description
"Identity for destination network unknown
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-host-unknown {
base icmp-type;
description
"Identity for destination host unknown
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity source-host-isolated {
base icmp-type;
description
"Identity for source host isolated
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity communication-prohibited-with-destination-network {
base icmp-type;
description
"Identity for which communication with destination network
is administratively prohibited in destination unreachable
types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity communication-prohibited-with-destination-host {
base icmp-type;
description
"Identity for which communication with destination host
is administratively prohibited in destination unreachable
types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-network-unreachable-for-tos {
base icmp-type;
description
"Identity for destination network unreachable
for type of service in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-host-unreachable-for-tos {
base icmp-type;
description
"Identity for destination host unreachable
for type of service in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";

NEW (draft-13) module:

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-08-15.yang"
module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix
nsfintf;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>";
description
"This module is a YANG module for Network Security Functions
(NSF)-Facing Interface.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2021-08-15"{
description "The latest revision.";
reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model";
}
/*
* Identities
*/
identity priority-usage {
description
"Base identity for priority usage type.";
}
identity priority-by-order {
base priority-usage;
description
"Identity for priority by order";
}
identity priority-by-number {
base priority-usage;
description
"Identity for priority by number";
}
identity event {
description
"Base identity for policy events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
Monitoring YANG Data Model - Event";
}
identity system-event {
base event;
description
"Identity for system events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
Monitoring YANG Data Model - System event";
}
identity system-alarm {
base event;
description
"Identity for system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
Monitoring YANG Data Model - System alarm";
}
identity access-violation {
base system-event;
description
"Identity for access violation
system events";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System event for access
violation";
}
identity communication-prohibited { identity configuration-change {
base icmp-type; base system-event;
description description
"Identity for communication administratively prohibited "Identity for configuration change
in destination unreachable types"; system events";
reference reference
"RFC 792: Internet Control Message Protocol"; "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System event for configuration
change";
}
identity host-precedence-violation { identity memory-alarm {
base icmp-type; base system-alarm;
description description
"Identity for host precedence violation "Identity for memory alarm
in destination unreachable types"; system alarms";
reference reference
"RFC 792: Internet Control Message Protocol"; "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System alarm for memory";
}
identity cpu-alarm {
base system-alarm;
description
"Identity for CPU alarm
system alarms";
reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU";
}
identity precedence-cutoff-in-effect { identity disk-alarm {
base icmp-type; base system-alarm;
description description
"Identity for precedence cutoff in effect "Identity for disk alarm
in destination unreachable types"; system alarms";
reference reference
"RFC 792: Internet Control Message Protocol"; "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System alarm for disk";
}
identity redirect-datagram-for-the-network { identity hardware-alarm {
base icmp-type; base system-alarm;
description description
"Identity for redirect datagram for the network "Identity for hardware alarm
(or subnet) in redirect types"; system alarms";
reference reference
"RFC 792: Internet Control Message Protocol"; "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System alarm for hardware";
}
identity redirect-datagram-for-the-host { identity interface-alarm {
base icmp-type; base system-alarm;
description description
"Identity for redirect datagram for the host "Identity for interface alarm
in redirect types"; system alarms";
reference reference
"RFC 792: Internet Control Message Protocol"; "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF
} Monitoring YANG Data Model - System alarm for interface";
}
identity redirect-datagram-for-the-tos-and-network { identity fragmentation-flags {
base icmp-type; description
description "Base identity for fragmentation flags type";
"Identity for redirect datagram for the type of reference
service and network in redirect types"; "RFC 791: Internet Protocol - Fragmentation Flags";
reference }
"RFC 792: Internet Control Message Protocol";
}
identity redirect-datagram-for-the-tos-and-host { identity fragment {
base icmp-type; base fragmentation-flags;
description description
"Identity for redirect datagram for the type of "Identity for 'More fragment' flag";
service and host in redirect types"; reference
reference "RFC 791: Internet Protocol - Fragmentation Flags";
"RFC 792: Internet Control Message Protocol"; }
}
identity normal-router-advertisement { identity no-fragment {
base icmp-type; base fragmentation-flags;
description description
"Identity for normal router advertisement "Identity for 'Do not fragment' flag";
in router advertisement types"; reference
reference "RFC 791: Internet Protocol - Fragmentation Flags";
"RFC 792: Internet Control Message Protocol"; }
}
identity does-not-route-common-traffic { identity reserved {
base icmp-type; base fragmentation-flags;
description description
"Identity for does not route common traffic "Identity for reserved flags";
in router advertisement types"; reference
reference "RFC 791: Internet Protocol - Fragmentation Flags";
"RFC 792: Internet Control Message Protocol"; }
} identity ipopts {
description
"Base identity for IP options";
reference
"RFC 791: Internet Protocol - Options";
}
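Review bot: the fragment and no-fragment identities (right column) describe the bits as "'More fragment' flag" and "'Do not fragment' flag"; RFC 791 names them More Fragments (MF) and Don't Fragment (DF), so the descriptions should use those names and abbreviations so that a rule author can map them to packet dumps. The reserved identity is worth a sentence as well: RFC 791 requires that bit to be zero, so matching on it is an anomaly check rather than a normal traffic selector, and the description "Identity for reserved flags" should say so.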
identity time-to-live-exceeded-in-transit { identity rr {
base icmp-type; base ipopts;
description description
"Identity for time to live exceeded in transit "Identity for 'Record Route' IP Option";
in time exceeded types"; reference
reference "RFC 791: Internet Protocol - Options";
"RFC 792: Internet Control Message Protocol"; }
}
identity fragment-reassembly-time-exceeded { identity eol {
base icmp-type; base ipopts;
description description
"Identity for fragment reassembly time exceeded "Identity for 'End of List' IP Option";
in time exceeded types"; reference
reference "RFC 791: Internet Protocol - Options";
"RFC 792: Internet Control Message Protocol"; }
}
identity pointer-indicates-the-error { identity nop {
base icmp-type; base ipopts;
description description
"Identity for pointer indicates the error "Identity for 'No Operation' IP Option";
in parameter problem types"; reference
reference "RFC 791: Internet Protocol - Options";
"RFC 792: Internet Control Message Protocol"; }
}
identity missing-a-required-option { identity ts {
base icmp-type; base ipopts;
description description
"Identity for missing a required option "Identity for 'Timestamp' IP Option";
in parameter problem types"; reference
reference "RFC 791: Internet Protocol - Options";
"RFC 792: Internet Control Message Protocol"; }
}
identity bad-length { identity sec {
base icmp-type; base ipopts;
description description
"Identity for bad length "Identity for 'IP security' IP Option";
in parameter problem types"; reference
reference "RFC 791: Internet Protocol - Options";
"RFC 792: Internet Control Message Protocol"; }
}
identity bad-spi { identity esec {
base icmp-type; base ipopts;
description description
"Identity for bad spi"; "Identity for 'IP extended security' IP Option";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 791: Internet Protocol - Options";
} }
identity authentication-failed { identity lsrr {
base icmp-type; base ipopts;
description description
"Identity for authentication failed"; "Identity for 'Loose Source Routing' IP Option";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 791: Internet Protocol - Options";
} }
identity decompression-failed { identity ssrr {
base icmp-type; base ipopts;
description description
"Identity for decompression failed"; "Identity for 'Strict Source Routing' IP Option";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 791: Internet Protocol - Options";
} }
identity decryption-failed { identity satid {
base icmp-type; base ipopts;
description description
"Identity for decryption failed"; "Identity for 'Stream Identifier' IP Option";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 791: Internet Protocol - Options";
} }
identity need-authentication { identity any {
base icmp-type; base ipopts;
description description
"Identity for need authentication"; "Identity for 'any IP options
reference included in IPv4 packet";
"RFC 792: Internet Control Message Protocol"; reference
} "RFC 791: Internet Protocol - Options";
}
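Review bot: the description of the any identity (right column) has an unbalanced quote: "Identity for 'any IP options included in IPv4 packet" opens a single quote that is never closed, and unlike the other ipopts identities the quoted term is not an option name. Suggest "Identity for any IP option included in an IPv4 packet".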
identity need-authorization { identity tcp-flags {
base icmp-type; description
description "Base identity for TCP flags";
"Identity for need authorization"; reference
reference "RFC 793: Transmission Control Protocol - Flags";
"RFC 792: Internet Control Message Protocol"; }
}
identity req-no-error { identity cwr {
base icmp-type; base tcp-flags;
description description
"Identity for request with no error "Identity for 'Congestion Window Reduced' TCP flag";
in extended echo request types"; reference
reference "RFC 793: Transmission Control Protocol - Flags";
"RFC 792: Internet Control Message Protocol }
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity rep-no-error { identity ecn {
base icmp-type; base tcp-flags;
description description
"Identity for reply with no error "Identity for 'Explicit Congestion Notification'
in extended echo reply types"; TCP flag";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 793: Transmission Control Protocol - Flags";
RFC 8335: PROBE: A Utility for Probing Interfaces"; }
}
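Review bot: the cwr and ecn identities (right column) cite "RFC 793: Transmission Control Protocol - Flags", but RFC 793 defines only URG, ACK, PSH, RST, SYN and FIN; the CWR and ECN-Echo flags were added by RFC 3168 (The Addition of Explicit Congestion Notification (ECN) to IP), so these two references should point there. The flag itself is conventionally called ECE, and "'Explicit Congestion Notification' TCP flag" names the mechanism rather than the bit; suggest renaming the identity to ece with the description "Identity for 'ECN-Echo' TCP flag", or at minimum writing ECN-Echo (ECE) in the description.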
identity malformed-query { identity urg {
base icmp-type; base tcp-flags;
description description
"Identity for malformed query "Identity for 'Urgent' TCP flag";
in extended echo reply types"; reference
reference "RFC 793: Transmission Control Protocol - Flags";
"RFC 792: Internet Control Message Protocol }
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity no-such-interface { identity ack {
base icmp-type; base tcp-flags;
description description
"Identity for no such interface "Identity for 'acknowledgement' TCP flag";
in extended echo reply types"; reference
reference "RFC 793: Transmission Control Protocol - Flags";
"RFC 792: Internet Control Message Protocol }
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity no-such-table-entry { identity psh {
base icmp-type; base tcp-flags;
description description
"Identity for no such table entry "Identity for 'Push' TCP flag";
in extended echo reply types"; reference
reference "RFC 793: Transmission Control Protocol - Flags";
"RFC 792: Internet Control Message Protocol }
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity multiple-interfaces-satisfy-query {
base icmp-type;
description
"Identity for multiple interfaces satisfy query
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity target-device { identity rst {
description base tcp-flags;
"Base identity for target devices"; description
reference "Identity for 'Reset' TCP flag";
"draft-ietf-i2nsf-capability-data-model-15: reference
I2NSF Capability YANG Data Model"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity computer { identity syn {
base target-device; base tcp-flags;
description description
"Identity for computer such as personal computer (PC) "Identity for 'Synchronize' TCP flag";
and server"; reference
} "RFC 793: Transmission Control Protocol - Flags";
}
identity mobile-phone { identity fin {
base target-device; base tcp-flags;
description description
"Identity for mobile-phone such as smartphone and "Identity for 'Finish' TCP flag";
cellphone"; reference
} "RFC 793: Transmission Control Protocol - Flags";
}
identity voip-volte-phone { identity target-device {
base target-device; description
description "Base identity for target devices";
"Identity for voip-volte-phone"; reference
} "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model";
}
identity tablet { identity computer {
base target-device; base target-device;
description description
"Identity for tablet"; "Identity for computer such as personal computer (PC)
} and server";
}
identity network-infrastructure-device { identity mobile-phone {
base target-device; base target-device;
description description
"Identity for network infrastructure devices "Identity for mobile-phone such as smartphone and
such as switch, router, and access point"; cellphone";
} }
identity iot { identity voip-volte-phone {
base target-device; base target-device;
description description
"Identity for IoT (Internet of Things)"; "Identity for voip-volte-phone";
} }
identity vehicle { identity tablet {
base target-device; base target-device;
description description
"Identity for vehicle that connects to and shares "Identity for tablet";
data through the Internet"; }
}
identity content-security-control { identity network-infrastructure-device {
description base target-device;
"Base identity for content security control"; description
reference "Identity for network infrastructure devices
"RFC 8329: Framework for Interface to such as switch, router, and access point";
Network Security Functions - Flow-Based }
NSF Capability Characterization
draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model";
}
identity firewall { identity iot-device {
base content-security-control; base target-device;
description description
"Identity for firewall that monitors "Identity for IoT (Internet of Things) devices";
incoming and outgoing network traffic }
and permits or blocks data packets based
on a set of security rules.";
}
identity antivirus { identity ot {
base content-security-control; base target-device;
description description
"Identity for antivirus that prevents, "Identity for Operational Technology";
scans, detects and deletes viruses }
from a computer";
}
identity ips { identity vehicle {
base content-security-control; base target-device;
description description
"Identity for IPS (Intrusion Prevention System) "Identity for vehicle that connects to and shares
that prevents malicious activity within a network"; data through the Internet";
} }
identity ids { identity advanced-nsf {
base content-security-control; description
description "Base identity for advanced Network Security Function (NSF)
"Identity for IDS (Intrusion Detection System) capability. This can be used for advanced NSFs such as
that detects malicious activity within a network"; Anti-DDoS Attack, IPS, URL-Filtering, Antivirus,
} and VoIP/VoLTE Filter.";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model";
}
identity url-filtering { identity content-security-control {
base content-security-control; base advanced-nsf;
description description
"Identity for url filtering that "Base identity for content security control";
limits access by comparing the web traffic's URL reference
with the URLs for web filtering in a database"; "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model";
}
identity mail-filtering { identity ips {
base content-security-control; base content-security-control;
description description
"Identity for mail filtering that "Identity for IPS (Intrusion Prevention System)
filters out a malicious email message by that prevents malicious activity within a network";
comparing its sender email address with the email }
addresses of malicious users in a database";
}
identity file-blocking { identity url-filtering {
base content-security-control; base content-security-control;
description description
"Identity for file blocking that blocks the "Identity for url filtering that limits access by comparing the
download or upload of malicious files with the web traffic's URL with the URLs for web filtering in a
information of suspicious files in a database"; database";
} }
identity pkt-capture { identity anti-virus {
base content-security-control; base content-security-control;
description description
"Identity for packet capture that "Identity for antivirus to protect the network by detecting and
intercepts a packet that is crossing or moving removing viruses or malwares.";
over a specific network."; }
}
identity application-control { identity voip-volte-filter {
base content-security-control; base content-security-control;
description description
"Identity for application control that "Identity for VoIP/VoLTE security service that filters out the
filters out the packets of malicious applications packets or flows of malicious users with a deny list of
with the information of those applications in a malicious users in a database";
database"; }
}
identity voip-volte { identity attack-mitigation-control {
base content-security-control; base advanced-nsf;
description description
"Identity for VoIP/VoLTE security service that "Base identity for attack mitigation control";
filters out the packets of malicious users reference
with a blacklist of malicious users in a database"; "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model";
}
identity attack-mitigation-control { identity anti-ddos {
description base attack-mitigation-control;
"Base identity for attack mitigation control"; description
reference "Identity for advanced NSF Anti-DDoS or DDoS Mitigator
"RFC 8329: Framework for Interface to capability.";
Network Security Functions - Flow-Based }
NSF Capability Characterization
draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model";
}
identity syn-flood { identity ingress-action {
base attack-mitigation-control; description
description "Base identity for action";
"Identity for syn flood reference
that weakens the SYN flood attack"; "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model - Ingress Action";
}
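Review bot: the description of ingress-action (right column) reads "Base identity for action" while egress-action and default-action read "Base identity for egress action" and "Base identity for default action"; make it "Base identity for ingress action" so the three bases are parallel and the generic wording is not mistaken for a common parent of all actions.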
identity udp-flood { identity egress-action {
base attack-mitigation-control; description
description "Base identity for egress action";
"Identity for udp flood reference
that weakens the UDP flood attack"; "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model - Egress Action";
}
identity icmp-flood { identity default-action {
base attack-mitigation-control; description
description "Base identity for default action";
"Identity for icmp flood reference
that weakens the ICMP flood attack"; "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model - Default Action";
}
identity ip-frag-flood { identity pass {
base attack-mitigation-control; base ingress-action;
description base egress-action;
"Identity for ip frag flood base default-action;
that weakens the IP fragmentation flood attack"; description
} "Identity for pass";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity http-and-https-flood { identity drop {
base attack-mitigation-control; base ingress-action;
description base egress-action;
"Identity for http and https flood base default-action;
that weakens the HTTP and HTTPS flood attack"; description
} "Identity for drop";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity dns-flood { identity mirror {
base attack-mitigation-control; base ingress-action;
description base egress-action;
"Identity for dns flood base default-action;
that weakens the DNS flood attack"; description
} "Identity for mirror";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity dns-amp-flood { identity rate-limit {
base attack-mitigation-control; base ingress-action;
description base egress-action;
"Identity for dns amp flood base default-action;
that weakens the DNS amplification flood attack"; description
} "Identity for rate limiting action";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity ntp-amp-flood { identity log-action {
base attack-mitigation-control; description
description "Base identity for log action";
"Identity for ntp amp flood
that weakens the NTP amplification flood attack";
}
identity ssl-ddos { }
base attack-mitigation-control;
description
"Identity for ssl ddos
that weakens the SSL DDoS attack";
}
identity ip-sweep { identity rule-log {
base attack-mitigation-control; base log-action;
description description
"Identity for ip sweep "Identity for rule log";
that weakens the IP sweep attack"; }
}
identity port-scanning { identity session-log {
base attack-mitigation-control; base log-action;
description description
"Identity for port scanning "Identity for session log";
that weakens the port scanning attack"; }
}
identity ping-of-death { identity invoke-signaling {
base attack-mitigation-control; base egress-action;
description description
"Identity for ping-of-death "Identity for invoke signaling";
that weakens the ping-of-death attack"; }
}
identity teardrop { identity tunnel-encapsulation {
base attack-mitigation-control; base egress-action;
description description
"Identity for teardrop "Identity for tunnel encapsulation";
that weakens the teardrop attack"; }
}
identity oversized-icmp { identity forwarding {
base attack-mitigation-control; base egress-action;
description description
"Identity for oversized icmp "Identity for forwarding";
that weakens the oversized icmp attack"; }
}
identity tracert { identity transformation {
base attack-mitigation-control; base egress-action;
description description
"Identity for tracert "Identity for transformation";
that weakens the tracert attack"; }
}
identity ingress-action { identity redirection {
description base egress-action;
"Base identity for action"; description
reference "Identity for redirection";
"draft-ietf-i2nsf-capability-data-model-15: }
I2NSF Capability YANG Data Model - Ingress Action";
}
identity egress-action { identity resolution-strategy {
description description
"Base identity for egress action"; "Base identity for resolution strategy";
reference reference
"draft-ietf-i2nsf-capability-data-model-15: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Egress Action"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity default-action {
description
"Base identity for default action";
reference
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Default Action";
}
identity pass { identity fmr {
base ingress-action; base resolution-strategy;
base egress-action; description
base default-action; "Identity for First Matching Rule (FMR)";
description reference
"Identity for pass"; "draft-ietf-i2nsf-capability-data-model-17:
reference I2NSF Capability YANG Data Model - Resolution Strategy";
"draft-ietf-i2nsf-capability-data-model-15: }
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity drop { identity lmr {
base ingress-action; base resolution-strategy;
base egress-action; description
base default-action; "Identity for Last Matching Rule (LMR)";
description reference
"Identity for drop"; "draft-ietf-i2nsf-capability-data-model-17:
reference I2NSF Capability YANG Data Model - Resolution Strategy";
"draft-ietf-i2nsf-capability-data-model-15: }
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity reject { identity pmr {
base ingress-action; base resolution-strategy;
base egress-action; description
base default-action; "Identity for Prioritized Matching Rule (PMR)";
description reference
"Identity for reject"; "draft-ietf-i2nsf-capability-data-model-17:
reference I2NSF Capability YANG Data Model - Resolution Strategy";
"draft-ietf-i2nsf-capability-data-model-15: }
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity alert { identity pmre {
base ingress-action; base resolution-strategy;
base egress-action; description
base default-action; "Identity for Prioritized Matching Rule
description with Errors (PMRE)";
"Identity for alert"; reference
reference "draft-ietf-i2nsf-capability-data-model-17:
"draft-ietf-i2nsf-capability-data-model-15: I2NSF Capability YANG Data Model - Resolution Strategy";
I2NSF Capability YANG Data Model - Actions and }
Default Action";
}
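Review bot: the reject and alert action identities of draft-12 (left column, each with base ingress-action, egress-action and default-action) have no counterpart among the draft-13 actions, which are pass, drop, mirror and rate-limit. If the removal is intentional, the change log should say how a policy now distinguishes an active rejection from a silent drop and whether alert is meant to be covered by the log-action identities; if it is not intentional, the two identities should be restored with the updated capability-data-model-17 reference.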
identity mirror { identity pmrn {
base ingress-action; base resolution-strategy;
base egress-action; description
base default-action; "Identity for Prioritized Matching Rule
description with No Errors (PMRN)";
"Identity for mirror"; reference
reference "draft-ietf-i2nsf-capability-data-model-17:
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Actions and
Default Action";
}
identity log-action { I2NSF Capability YANG Data Model - Resolution Strategy";
description }
"Base identity for log action";
}
identity rule-log { identity day {
base log-action; description
description "This represents the base for days.";
"Identity for rule log"; }
}
identity session-log { identity monday {
base log-action; base day;
description description
"Identity for session log"; "This represents Monday.";
} }
identity invoke-signaling { identity tuesday {
base egress-action; base day;
description description
"Identity for invoke signaling"; "This represents Tuesday.";
} }
identity tunnel-encapsulation { identity wednesday {
base egress-action; base day;
description description
"Identity for tunnel encapsulation"; "This represents Wednesday.";
} }
identity forwarding {
base egress-action;
description
"Identity for forwarding";
}
identity redirection { identity thursday {
base egress-action; base day;
description description
"Identity for redirection"; "This represents Thursday.";
}
} identity friday {
base day;
description
"This represents Friday.";
}
identity resolution-strategy { identity saturday {
description base day;
"Base identity for resolution strategy"; description
reference "This represents Saturday.";
"draft-ietf-i2nsf-capability-data-model-15: }
I2NSF Capability YANG Data Model - Resolution Strategy";
}
identity fmr { identity sunday {
base resolution-strategy; base day;
description description
"Identity for First Matching Rule (FMR)"; "This represents Sunday.";
reference
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Resolution Strategy";
}
identity lmr { }
base resolution-strategy;
description
"Identity for Last Matching Rule (LMR)";
reference
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Resolution Strategy";
}
identity pmr { /*
base resolution-strategy; * Typedefs
description */
"Identity for Prioritized Matching Rule (PMR)";
reference
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Resolution Strategy";
}
identity pmre {
base resolution-strategy;
description
"Identity for Prioritized Matching Rule
with Errors (PMRE)";
reference
"draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Resolution Strategy";
}
identity pmrn { typedef time {
base resolution-strategy; type string {
description pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?'
"Identity for Prioritized Matching Rule + '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?';
with No Errors (PMRN)"; }
reference description
"draft-ietf-i2nsf-capability-data-model-15: "The time type represents an instance of time of zero-duration
I2NSF Capability YANG Data Model - Resolution Strategy"; that recurs every day.";
} }
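Review bot: the new typedef time (right column) makes the zone offset optional through the trailing "?" in "(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?", whereas the draft-12 start-time-type and end-time-type patterns required "(Z|[\+\-]\d{2}:\d{2})". The description should state how a value without a zone is interpreted (UTC, or the NSF's local time), because a daily recurring rule without a zone takes effect at different instants on NSFs in different time zones. It should also say what replaces the dropped right-away and infinitely union members, that is, how an immediate start and an open-ended end are now expressed. The tightened hour pattern "(0[0-9]|1[0-9]|2[0-3])" and the bounded offset range are improvements over "\d{2}".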
/* /*
* Typedefs * Groupings
*/ */
typedef start-time-type { grouping ipv4-prefix {
type union { description
type string { "The list of IPv4 addresses.";
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' leaf ipv4 {
+ '(Z|[\+\-]\d{2}:\d{2})'; type inet:ipv4-address;
description
"The value of IPv4 address.";
}
choice subnet {
description
"The subnet can be specified as a prefix length or
netmask.";
leaf prefix-length {
type uint8 {
range "0..32";
}
description
"The length of the subnet prefix.";
} }
leaf netmask {
type enumeration { type yang:dotted-quad;
enum right-away { description
description "The subnet specified as a netmask.";
"Immediate rule execution
in the system.";
}
}
}
description
"Start time when the rules are applied.";
}
typedef end-time-type {
type union {
type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
} }
}
reference
"RFC 791: Internet Protocol - IPv4 address
RFC 8344: A YANG Data Model for IP Management";
type enumeration { }
enum infinitely {
description
"Infinite rule execution
in the system.";
}
}
}
description
"End time when the rules are applied.";
}
typedef day-type {
type enumeration {
enum sunday {
description
"Sunday for periodic day";
}
enum monday {
description
"Monday for periodic day";
}
enum tuesday {
description
"Tuesday for periodic day";
}
enum wednesday {
description
"Wednesday for periodic day";
}
enum thursday {
description
"Thursday for periodic day";
}
enum friday {
description
"Friday for periodic day";
}
enum saturday {
description
"Saturday for periodic day";
}
}
description
"This can be used for the rules to be applied
according to periodic day";
}
typedef month-type {
type enumeration {
enum january {
description
"January for periodic month";
}
enum february {
description
"February for periodic month";
}
enum march {
description
"March for periodic month";
}
enum april {
description
"April for periodic month";
}
enum may {
description
"May for periodic month";
}
enum june {
description
"June for periodic month";
}
enum july {
description
"July for periodic month";
}
enum august {
description
"August for periodic month";
}
enum september {
description
"September for periodic month";
}
enum october {
description
"October for periodic month";
}
enum november {
description
"November for periodic month";
}
enum december {
description
"December for periodic month";
}
}
description
"This can be used for the rules to be applied
according to periodic month";
}
/* grouping ipv6-prefix {
* Groupings description
*/ "The list of IPv6 addresses.";
leaf ipv6 {
type inet:ipv6-address;
description
"The value of IPv6 address.";
}
leaf prefix-length {
type uint8 {
range "0..128";
}
description
"The length of the subnet prefix.";
}
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address
RFC 8344: A YANG Data Model for IP Management";
}
grouping ipv4 { grouping ipv4-range {
list ipv4-address { description
key "ipv4"; "Range match for the IPv4 addresses. If only one value is
description needed, then set both start and end to the same value.
"The list of IPv4 addresses."; The end IPv4 address MUST be equal or greater than the
start IPv4 address.";
leaf start {
type inet:ipv4-address;
description
"Starting IPv4 address for a range match.";
}
leaf end {
type inet:ipv4-address;
description
"Ending IPv4 address for a range match.";
}
reference
"RFC 791: Internet Protocol - IPv4 address";
}
leaf ipv4 { grouping ipv6-range {
type inet:ipv4-address; description
description "Range match for the IPv6 addresses. If only one value is
"The value of IPv4 address."; needed, then set both start and end to the same value.
} The end IPv6 address number MUST be equal to or greater than
choice subnet { the start IPv6 address.";
description leaf start {
"The subnet can be specified as a prefix length or type inet:ipv6-address;
netmask."; description
leaf prefix-length { "Starting IPv6 address for a range match.";
type uint8 { }
range "0..32";
}
description
"The length of the subnet prefix.";
}
leaf netmask {
type yang:dotted-quad;
description
"The subnet specified as a netmask.";
}
}
}
description
"Grouping for an IPv4 address";
reference leaf end {
"RFC 791: Internet Protocol - IPv4 address type inet:ipv6-address;
RFC 8344: A YANG Data Model for IP Management"; description
} "Ending IPv6 address for a range match.";
}
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address";
}
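Review bot: "The end IPv6 address number MUST be equal to or greater than the start IPv6 address." in the ipv6-range description has a stray "number". The ipv4-range text says "equal or greater" while this one says "equal to or greater"; pick one wording for both groupings.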
grouping ipv6 { grouping ipv4-address {
list ipv6-address { description
key "ipv6"; "Grouping for IPv4 address. IPv4 address can be in the form of
description prefix or range.";
"The list of IPv6 addresses."; choice match-type {
description
"Choose between Prefix or Range";
case prefix {
list ipv4-prefix {
key "ipv4";
uses ipv4-prefix;
description
"The list of IPv4 addresses specified with an
IPv4 address and a prefix-length or
a netmask.";
}
}
case range {
list ipv4-range {
key "start end";
uses ipv4-range;
description
"The list of IPv4 address specified with a
start IPv4 address and an end IPv4 address.
If only one value is needed, then set both
start and end to the same value.";
}
}
}
}
grouping ipv6-address {
description
"Grouping for IPv6 address. IPv6 address can be in the form of
prefix or range.";
choice match-type {
description
"Choose between Prefix or Range";
case prefix {
list ipv6-prefix {
key "ipv6";
uses ipv6-prefix;
description
"The list of IPv6 addresses specified with an
IPv6 address and a prefix-length.";
}
}
case range {
list ipv6-range {
key "start end";
uses ipv6-range;
description
"The list of IPv6 address specified with a
start IPv6 address and an end IPv6 address.
If only one value is needed, then set both
start and end to the same value.";
}
}
}
}
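Review bot: in the new ipv4-address and ipv6-address groupings, list ipv4-prefix and list ipv6-prefix are keyed on the address alone (key "ipv4", key "ipv6") although each entry also carries a prefix-length or netmask, so two prefixes that share an address, such as a /8 and a /16 of the same network, cannot both appear in one rule. For ipv6-prefix the prefix-length leaf could be added to the key; for ipv4-prefix, where the description allows either a prefix-length or a netmask, at least document that duplicate addresses are not allowed and what an NSF should do with them. The range lists are keyed on "start end" and do not have this problem.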
leaf ipv6 { grouping port-range {
type inet:ipv6-address; leaf start {
description type inet:port-number;
"The value of IPv6 address."; description
} "Starting port number for a range match.";
}
leaf end {
type inet:port-number;
must '. >= ../start' {
error-message
"The end port number MUST be equal to or greater than the
start port number.";
}
description
"Ending port number for a range match.";
}
description
"Range match for the port numbers. If only one value is needed,
then set both start and end to the same value.";
reference
"RFC 793: Transmission Control Protocol - Port number
RFC 768: User Datagram Protocol - Port Number
RFC 4960: Stream Control Transmission Protocol - Port number
RFC 4340: Datagram Congestion Control Protocol (DCCP)
- Port number";
}
leaf prefix-length { /*
type uint8 { * Data nodes
range "0..128"; */
}
description
"The length of the subnet prefix.";
}
}
description
"Grouping for an IPv6 address";
reference list i2nsf-security-policy {
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address
RFC 8344: A YANG Data Model for IP Management";
}
grouping pkt-sec-ipv4 { key "system-policy-name";
choice match-type {
description
"There are two types of security policy IPv4 address
matching - exact match and range match.";
case exact-match {
uses ipv4;
description
"Exact match for an IPv4 address.";
}
case range-match {
list range-ipv4-address {
key "start-ipv4-address end-ipv4-address";
leaf start-ipv4-address {
type inet:ipv4-address;
description
"Starting IPv4 address for a range match.";
}
leaf end-ipv4-address { description
type inet:ipv4-address; "Container for security policy
description including a set of security rules according to certain logic,
"Ending IPv4 address for a range match."; i.e., their similarity or mutual relations, etc. The network
} security policy can be applied to both the unidirectional
description and bidirectional traffic across the NSF.
"Range match for an IPv4 address."; The I2NSF security policies use the Event-Condition-Action
} (ECA) policy model ";
}
}
description
"Grouping for an IPv4 address.";
reference reference
"RFC 791: Internet Protocol - IPv4 address"; "RFC 8329: Framework for Interface to Network Security
} Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview";
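Review bot: the description of list i2nsf-security-policy still opens with "Container for security policy", but the node is now a list keyed by system-policy-name, and the sentence that explained why there are several entries (the old list system-policy's "there could be multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device") has been dropped. Suggest "A security policy is a set of security rules ..." and carrying that sentence over, since it is the only place a reader learns what one list entry represents.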
grouping pkt-sec-ipv6 { leaf system-policy-name {
choice match-type { type string;
description description
"There are two types of security policy IPv6 address "The name of the policy.
matching - exact match and range match."; This must be unique.";
case exact-match { }
uses ipv6;
description
"Exact match for an IPv6 address.";
}
case range-match {
list range-ipv6-address {
key "start-ipv6-address end-ipv6-address";
leaf start-ipv6-address {
type inet:ipv6-address;
description
"Starting IPv6 address for a range match.";
}
leaf end-ipv6-address { leaf priority-usage {
type inet:ipv6-address; type identityref {
description base priority-usage;
"Ending IPv6 address for a range match."; }
} default priority-by-order;
description description
"Range match for an IPv6 address."; "Priority usage type for security policy rule:
} priority by order and priority by number";
} }
}
description
"Grouping for IPv6 address.";
reference leaf resolution-strategy {
"RFC 8200: Internet Protocol, Version 6 (IPv6) type identityref {
Specification - IPv6 address"; base resolution-strategy;
} }
default fmr;
description
"The resolution strategies that can be used to
specify how to resolve conflicts that occur between
actions of the same or different policy rules that
are matched and contained in this particular NSF";
grouping pkt-sec-port-number { reference
choice match-type { "draft-ietf-i2nsf-capability-data-model-17:
description I2NSF Capability YANG Data Model - Resolution strategy";
"There are two types of security policy TCP/UDP port }
matching - exact match and range match.";
case exact-match {
leaf-list port-num {
type inet:port-number;
description
"Exact match for a port number.";
}
}
case range-match {
list range-port-num {
key "start-port-num end-port-num";
leaf start-port-num {
type inet:port-number;
description
"Starting port number for a range match.";
}
leaf end-port-num {
type inet:port-number;
description
"Ending port number for a range match.";
}
description
"Range match for a port number.";
}
}
}
description
"Grouping for port number.";
reference leaf default-action {
"RFC 793: Transmission Control Protocol - Port number type identityref {
RFC 768: User Datagram Protocol - Port Number"; base default-action;
} }
/* default mirror;
* Data nodes description
*/ "This default action can be used to specify a predefined
action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement.";
reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Default Action";
}
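Review bot: the default of leaf default-action changes from alert (old column) to mirror, and nothing in the hunk explains why. Because this is the action applied to traffic that matches no rule, the choice matters for the security posture: alert surfaces unmatched traffic to the operator, whereas mirror presupposes a destination for the copied traffic that this hunk does not describe. Either document the rationale in the description or drop the default and make the leaf mandatory so that every policy states its no-match behaviour explicitly.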
container i2nsf-security-policy { list rules {
description key "rule-name";
"Container for security policy description
including a set of security rules according to certain logic, "This is a rule for network security functions.";
i.e., their similarity or mutual relations, etc. The network
security policy can be applied to both the unidirectional
and bidirectional traffic across the NSF.
The I2NSF security policies use the Event-Condition-Action
(ECA) policy model ";
reference leaf rule-name {
"RFC 8329: Framework for Interface to Network Security type string;
Functions - I2NSF Flow Security Policy Structure description
draft-ietf-i2nsf-capability-data-model-15: "The name of the rule.";
I2NSF Capability YANG Data Model - Design Principles and }
ECA Policy Model Overview";
list system-policy { leaf rule-description {
key "system-policy-name"; type string;
description description
"The system-policy represents there could be multiple system "This description gives more information about
policies in one NSF, and each system policy is used by rules.";
one virtual instance of the NSF/device."; }
leaf system-policy-name { leaf rule-priority {
type string; type uint8 {
description range "1..255";
"The name of the policy. }
This must be unique."; description
} "The priority keyword comes with a mandatory
numeric value which can range from 1 till 255.
Note that a higher number means a higher priority";
}
leaf priority-usage { leaf rule-enable {
type identityref { type boolean;
base priority-usage-type; description
} "True is enable.
default priority-by-order; False is not enable.";
description }
"Priority usage type for security policy rule:
priority by order and priority by number";
}
leaf resolution-strategy { leaf session-aging-time {
type identityref { type uint16;
base resolution-strategy; units "second";
description
"This is session aging time.";
}
} container long-connection {
default fmr; description
description "This is long-connection";
"The resolution strategies that can be used to
specify how to resolve conflicts that occur between
actions of the same or different policy rules that
are matched and contained in this particular NSF";
reference leaf enable {
"draft-ietf-i2nsf-capability-data-model-15: type boolean;
I2NSF Capability YANG Data Model - Resolution strategy"; description
} "True is enable.
False is not enable.";
}
leaf default-action { leaf duration {
type identityref { type uint16;
base default-action; description
} "This is the duration of the long-connection.";
default alert; }
description }
"This default action can be used to specify a predefined
action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement.";
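Review bot: leaf duration in container long-connection has no units statement, although its sibling session-aging-time declares units "second"; add units and say whether duration is an absolute lifetime or an idle timeout. The descriptions "This is long-connection" and "This is session aging time." add nothing beyond the node names; one sentence on what the NSF does when the timer expires would make them useful. "True is enable. False is not enable." on rule-enable and on long-connection/enable would read better as "true enables the rule (or long connection), false disables it".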
reference container event {
"draft-ietf-i2nsf-capability-data-model-15: description
I2NSF Capability YANG Data Model - Default Action"; "An event is defined as any important
} occurrence in time of a change in the system being
managed, and/or in the environment of the system being
managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that
violate any ACL.).";
list rules { reference
key "rule-name"; "RFC 8329: Framework for Interface to Network Security
description Functions - I2NSF Flow Security Policy Structure
"This is a rule for network security functions."; draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters";
leaf rule-name { leaf event-clause-description {
type string; type string;
description description
"The name of the rule."; "Description for an event clause";
} }
leaf rule-description { container time {
type string; description
description "Time to determine when the policy should be applied";
"This description gives more information about leaf start-date-time {
rules."; type yang:date-and-time;
} description
"This is the start date and time for a security policy
rule.";
}
leaf rule-priority { leaf end-date-time {
type uint8 { type yang:date-and-time;
range "1..255"; description
} "This is the end date and time for a policy rule. The
description policy rule will stop working after the specified
"The priority keyword comes with a mandatory end-date-time.";
numeric value which can range from 1 till 255. }
Note that a higher number means a higher priority";
}
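Review bot: container time defines start-date-time and end-date-time but states neither the relationship between them nor what an omitted end-date-time means; the old column had default infinitely on end-time, and that semantic is lost here. Suggest stating that end-date-time MUST NOT precede start-date-time and that a rule without end-date-time stays active until it is removed, so that NSF implementations converge on the same behaviour. A must '. >= ../start-date-time' would not work here for the same reason as for addresses: XPath 1.0 converts the yang:date-and-time strings to NaN before comparing.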
leaf rule-enable { container period{
type boolean; when
description "../frequency!='only-once'";
"True is enable. description
False is not enable."; "This represents the repetition time. In the case
} where the frequency is weekly, the days can be set.";
leaf start-time {
type time;
description
"This is a period's start time for an event.";
}
leaf end-time {
type time;
description
"This is a period's end time for an event.";
}
leaf-list day {
when
"../../frequency='weekly'";
type identityref{
base day;
}
min-elements 1;
description
"This represents the repeated day of every week
(e.g., Monday and Tuesday). More than one day can
be specified.";
}
leaf-list date {
when
"../../frequency='monthly'";
type int32{
range "1..31";
}
min-elements 1;
description
"This represents the repeated date of every month.
More than one date can be specified.";
}
leaf-list month {
when
"../../frequency='yearly'";
type string{
pattern '\d{2}-\d{2}';
}
min-elements 1;
description
"This represents the repeated date and month of every
year. More than one can be specified. A pattern
used here is Month and Date (MM-DD).";
}
}
leaf frequency {
type enumeration {
enum only-once {
description
"This represents that the rule is immediately
enforcedonly once and not repeated. The policy
will continuously be active from the start-time
to the end-time.";
}
enum daily {
description
"This represents that the rule is enforced on a
daily basis. The policy will be repeated
daily until the end-date.";
}
enum weekly {
description
"This represents that the rule is enforced on a
weekly basis. The policy will be repeated weekly
until the end-date. The repeated days can be
specified.";
}
enum monthly {
description
"This represents that the rule is enforced on a
monthly basis. The policy will be repeated monthly
until the end-date.";
}
enum yearly {
description
"This represents that the rule is enforced on
a yearly basis. The policy will be repeated
yearly until the end-date.";
}
}
default only-once;
description
"This represents how frequently the rule
should be enforced.";
}
}
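Review bot: the only-once enumeration says the policy "will continuously be active from the start-time to the end-time", but start-time and end-time live in container period, whose when "../frequency!='only-once'" removes it exactly when frequency is only-once; the sentence should refer to start-date-time and end-date-time. Two smaller points in the same hunk: "enforcedonly" needs a space, and leaf-list month uses pattern '\d{2}-\d{2}', which accepts values such as 13-40 or 00-00 although the description promises MM-DD; a tighter pattern (months 01 to 12, days 01 to 31) or at least a statement that invalid calendar dates must be rejected would help, and a name such as month-date would match the content better. Minor style: "container period{", "type identityref{", "type int32{" and "type string{" lack the space before the brace used elsewhere in the module.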
leaf session-aging-time { container event-clauses {
type uint16; description
units "second"; "System Event Clause - either a system event or
description system alarm";
"This is session aging time."; reference
} "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters";
container long-connection { leaf-list system-event {
description type identityref {
"This is long-connection"; base system-event;
}
description
"The security policy rule according to
system events.";
}
leaf enable { leaf-list system-alarm {
type boolean; type identityref {
description base system-alarm;
"True is enable. }
False is not enable."; description
} "The security policy rule according to
system alarms.";
}
}
}
leaf duration { container condition {
type uint16; description
description "A condition is defined as a set
"This is the duration of the long-connection."; of attributes, features, and/or values that are to be
} compared with a set of known attributes, features,
} and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired
state.";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview";
container time-intervals { leaf condition-clause-description {
description type string;
"Time zone when the rules are applied"; description
container absolute-time-interval { "Description for a condition clause.";
description }
"Rule execution according to the absolute time.
The absolute time interval means the exact time to
start or end.";
leaf start-time { container ethernet {
type start-time-type; description
default right-away; "The purpose of this container is to represent layer 2
description packet header information to determine the set of policy
"Start time when the rules are applied"; actions in this ECA policy rule should be executed or
} not.";
leaf end-time { reference
type end-time-type; "IEEE 802.3: IEEE Standard for Ethernet";
default infinitely;
description
"End time when the rules are applied";
}
}
container periodic-time-interval { leaf ethernet-description {
description type string;
"Rule execution according to the periodic time. description
The periodic time interval means the repeated time "The MAC Condition description";
such as a day, week, or month."; }
container day { leaf-list source-address {
description type yang:mac-address;
"Rule execution according to day."; description
leaf every-day { "The condition for source Media Access Control (MAC)
type boolean; Address of a Layer 2 packet. Multiple source MAC
default true; Addresses can be given in a single rule.";
description reference
"Rule execution every day"; "IEEE 802.3: IEEE Standard for Ethernet";
} }
leaf-list specific-day { leaf-list destination-address {
when "../every-day = 'false'"; type yang:mac-address;
type day-type; description
description "The condition for destination Media Access Control
"Rule execution according (MAC) Address of a Layer 2 packet. Multiple
to specific day"; destination MAC Addresses can be given in a
} single rule.";
} reference
"IEEE 802.3: IEEE Standard for Ethernet";
}
container month { leaf-list ether-type {
description type uint16;
"Rule execution according to month."; description
leaf every-month { "The condition for matching the 2-octet of IEEE 802.3
type boolean; Length/Type field. Can be specified with decimal or
default true; hexadecimal from 0 through 65535 (0xFFFF)
description
"Rule execution every day";
}
leaf-list specific-month { A value from 0 through 1500 (0x05DC) specifies the
when "../every-month = 'false'"; number of MAC client data octets contained in the
type month-type; subsequent MAC Client Data Field of the basic frame
description
"Rule execution according
to month day";
}
}
}
}
container event-clause-container { A value greater than or equal to 1536 (0x0600)
description specifies that the Length/Type field indicates
"An event is defined as any important Ethertype of the MAC client protocol";
occurrence in time of a change in the system being reference
managed, and/or in the environment of the system being "IEEE 802.3: IEEE Standard for Ethernet";
managed. When used in the context of policy rules for }
a flow-based NSF, it is used to determine whether the }
Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that
violate any ACL.).";
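Review bot: leaf-list ether-type accepts any uint16, and its own description explains that values 0 through 1500 are a length rather than a type, so a rule that lists ether-type 64 matches frames by payload length while the node name says otherwise. If the intent is to match Ethertypes, restrict the range to 1536..65535; if length matching is intended as well, say so and consider a separate node. The description also needs cleanup: "the 2-octet of IEEE 802.3 Length/Type field" reads awkwardly, the last sentence has no full stop, and the values 1501 through 1535 are covered by neither sentence.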
reference container ipv4 {
"RFC 8329: Framework for Interface to Network Security description
Functions - I2NSF Flow Security Policy Structure "The purpose of this container is to represent IPv4
draft-ietf-i2nsf-capability-data-model-15: packet header information to determine if the set
I2NSF Capability YANG Data Model - Design Principles and of policy actions in this ECA policy rule should be
ECA Policy Model Overview executed or not.";
draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF reference
NSF Monitoring YANG Data Model - Alarms, Events, Logs, "RFC 791: Internet Protocol";
and Counters";
leaf event-clause-description { leaf description {
type string; type string;
description description
"Description for an event clause"; "ipv4 condition textual description.";
} }
container event-clauses { list header-length {
description key "start end";
"System Event Clause - either a system event or leaf start{
system alarm"; type uint8 {
reference range "5..15";
"RFC 8329: Framework for Interface to Network Security }
Functions - I2NSF Flow Security Policy Structure description
draft-ietf-i2nsf-capability-data-model-15: "Starting IPv4 header length for a range match.";
I2NSF Capability YANG Data Model - Design Principles and }
ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters";
leaf-list system-event { leaf end {
type identityref { type uint8 {
base system-event; range "5..15";
} }
description must '. >= ../start' {
"The security policy rule according to error-message
system events."; "The end header length MUST be equal to or greater
} than the start header length.";
}
description
"Ending IPv4 header length for a range match.";
}
description
"The security policy rule according to
IPv4 header length. If only one value is needed, then
set both start and end to the same value.";
reference
"RFC 791: Internet Protocol - Header length";
}
leaf-list system-alarm { leaf-list dscp {
type identityref { type inet:dscp;
base system-alarm; description
} "The security policy rule according to
description IPv4 type of service for DSCP.";
"The security policy rule according to reference
system alarms."; "RFC 791: Internet Protocol - Type of service
} RFC 2474: Definition of the Differentiated
} Services Field (DS Field) in the IPv4 and
} IPv6 Headers.";
}
container condition-clause-container { list total-length {
description key "start end";
"A condition is defined as a set leaf start {
of attributes, features, and/or values that are to be type uint16;
compared with a set of known attributes, features, description
and/or values in order to determine whether or not the "Starting IPv4 total length for a range match.";
set of Actions in that (imperative) I2NSF Policy Rule }
can be executed or not. Examples of I2NSF Conditions leaf end {
include matching attributes of a packet or flow, and type uint16;
comparing the internal state of an NSF to a desired must '. >= ../start' {
state."; error-message
reference "The end total length MUST be equal to or greater
"RFC 8329: Framework for Interface to Network Security than the start total length.";
Functions - I2NSF Flow Security Policy Structure }
draft-ietf-i2nsf-capability-data-model-15: description
I2NSF Capability YANG Data Model - Design Principles and "Ending IPv4 total length for a range match.";
ECA Policy Model Overview"; }
description
"The security policy rule according to
IPv4 total length. If only one value is needed, then
set both start and end to the same value.";
reference
"RFC 791: Internet Protocol - Total length";
}
leaf condition-clause-description { leaf-list identification {
type string; type uint16;
description description
"Description for a condition clause."; "The security policy rule according to
} IPv4 identification.";
reference
"RFC 791: Internet Protocol - Identification";
}
container packet-security-ipv4-condition { leaf-list fragment-flags {
description type identityref {
"The purpose of this container is to represent IPv4 base fragmentation-flags;
packet header information to determine if the set }
of policy actions in this ECA policy rule should be description
executed or not."; "The security policy rule according to
reference IPv4 fragment flags.";
"RFC 791: Internet Protocol"; reference
"RFC 791: Internet Protocol - Fragment flags";
}
leaf ipv4-description { list fragment-offset {
type string; key "start end";
description leaf start {
"ipv4 condition textual description."; type uint16 {
} range "0..16383";
}
description
"Starting IPv4 fragment offset for a range match.";
}
leaf end {
type uint16 {
range "0..16383";
}
must '. >= ../start' {
error-message
"The end fragment offset MUST be equal or greater
than the start fragment offset.";
}
description
"Ending IPv4 fragment offset for a range match.";
}
description
"The security policy rule according to
IPv4 fragment offset.";
reference
"RFC 791: Internet Protocol - Fragment offset";
}
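Review bot: the range "0..16383" on fragment-offset start and end is wider than the field it matches: the IPv4 Fragment Offset field in RFC 791 is 13 bits, so the largest possible value is 8191 and "0..8191" is the correct range. This is also the only range list in the ipv4 container whose description omits "If only one value is needed, then set both start and end to the same value."; add it for consistency with header-length, total-length and ttl.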
container pkt-sec-ipv4-header-length { list ttl {
choice match-type { key "start end";
description leaf start {
"Security policy IPv4 Header length match - type uint8;
exact match and range match."; description
case exact-match { "Starting IPv4 TTL for a range match.";
leaf-list ipv4-header-length { }
type uint8 { leaf end {
range "5..15"; type uint8;
} must '. >= ../start' {
description error-message
"Exact match for an IPv4 header length."; "The end TTL MUST be equal or greater than
} the start TTL.";
} }
case range-match { description
list range-ipv4-header-length { "Ending IPv4 TTL for a range match.";
key "start-ipv4-header-length }
end-ipv4-header-length"; description
leaf start-ipv4-header-length { "The security policy rule according to
type uint8 { IPv4 time-to-live (TTL). If only one value is needed,
range "5..15"; then set both start and end to the same value.";
} reference
description "RFC 791: Internet Protocol - Time to live";
"Starting IPv4 header length for a range match."; }
}
leaf end-ipv4-header-length { leaf-list protocol {
type uint8 { type uint8;
range "5..15"; description
} "The security policy rule according to
description IPv4 protocol header field.";
"Ending IPv4 header length for a range match."; reference
} "RFC 791: Internet Protocol - Protocol
description IANA: Assigned Internet Protocol Numbers";
"Range match for an IPv4 header length."; }
}
}
}
description
"The security policy rule according to
IPv4 header length.";
reference
"RFC 791: Internet Protocol - Header length";
}
leaf-list pkt-sec-ipv4-tos { container source-address {
type identityref { uses ipv4-address;
base type-of-service; description
} "The security policy rule according to
description IPv4 source address.";
"The security policy rule according to reference
IPv4 type of service."; "RFC 791: Internet Protocol - IPv4 Address";
reference }
"RFC 791: Internet Protocol - Type of service";
}
container pkt-sec-ipv4-total-length { container destination-address {
choice match-type { uses ipv4-address;
description description
"Security policy IPv4 total length matching "The security policy rule according to
- exact match and range match."; IPv4 destination address.";
case exact-match { reference
leaf-list ipv4-total-length { "RFC 791: Internet Protocol - IPv4 Address";
type uint16;
description
"Exact match for an IPv4 total length.";
}
}
case range-match {
list range-ipv4-total-length {
key "start-ipv4-total-length end-ipv4-total-length";
leaf start-ipv4-total-length {
type uint16;
description
"Starting IPv4 total length for a range match.";
}
leaf end-ipv4-total-length {
type uint16;
description
"Ending IPv4 total length for a range match.";
}
description
"Range match for an IPv4 total length.";
}
}
}
description
"The security policy rule according to
IPv4 total length.";
reference
"RFC 791: Internet Protocol - Total length";
}
leaf-list pkt-sec-ipv4-id { }
type uint16;
description
"The security policy rule according to
IPv4 identification.";
reference
"RFC 791: Internet Protocol - Identification";
}
leaf-list pkt-sec-ipv4-fragment-flags { leaf-list ipopts {
type identityref { type identityref {
base fragmentation-flags-type; base ipopts;
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 fragment flags."; IPv4 options.";
reference reference
"RFC 791: Internet Protocol - Fragment flags"; "RFC 791: Internet Protocol - Options";
} }
}
container pkt-sec-ipv4-fragment-offset { container ipv6 {
choice match-type { description
description "The purpose of this container is to represent
"There are two types to configure a security IPv6 packet header information to determine
policy for IPv4 fragment offset, such as exact match if the set of policy actions in this ECA policy
and range match."; rule should be executed or not.";
case exact-match { reference
leaf-list ipv4-fragment-offset { "RFC 8200: Internet Protocol, Version 6 (IPv6)
type uint16 { Specification";
range "0..16383";
}
description
"Exact match for an IPv4 fragment offset.";
}
}
case range-match {
list range-ipv4-fragment-offset {
key "start-ipv4-fragment-offset
end-ipv4-fragment-offset";
leaf start-ipv4-fragment-offset {
type uint16 {
range "0..16383";
}
description
"Starting IPv4 fragment offset for a range match.";
}
leaf end-ipv4-fragment-offset {
type uint16 {
range "0..16383";
}
description
"Ending IPv4 fragment offset for a range match.";
}
description
"Range match for an IPv4 fragment offset.";
}
}
}
description
"The security policy rule according to
IPv4 fragment offset.";
reference
"RFC 791: Internet Protocol - Fragment offset";
}
container pkt-sec-ipv4-ttl { leaf description {
choice match-type { type string;
description description
"There are two types to configure a security "This is description for ipv6 condition.";
policy for IPv4 TTL, such as exact match }
and range match.";
case exact-match {
leaf-list ipv4-ttl {
type uint8;
description
"Exact match for an IPv4 TTL.";
}
}
case range-match {
list range-ipv4-ttl {
key "start-ipv4-ttl end-ipv4-ttl";
leaf start-ipv4-ttl {
type uint8;
description
"Starting IPv4 TTL for a range match.";
}
leaf end-ipv4-ttl {
type uint8;
description
"Ending IPv4 TTL for a range match.";
}
description
"Range match for an IPv4 TTL.";
}
}
}
description
"The security policy rule according to
IPv4 time-to-live (TTL).";
reference
"RFC 791: Internet Protocol - Time to live";
}
leaf-list pkt-sec-ipv4-protocol { leaf-list dscp {
type identityref { type inet:dscp;
base protocol; description
} "The security policy rule according to
description IPv6 traffic class for DSCP.";
"The security policy rule according to reference
IPv4 protocol."; "RFC 8200: Internet Protocol, Version 6 (IPv6)
reference Specification - Traffic class
"RFC 791: Internet Protocol - Protocol"; RFC 2474: Definition of the Differentiated
} Services Field (DS Field) in the IPv4 and
IPv6 Headers.";
}
container pkt-sec-ipv4-src { list flow-label {
uses pkt-sec-ipv4; key "start end";
description leaf start {
"The security policy rule according to type inet:ipv6-flow-label;
IPv4 source address."; description
reference "Starting IPv6 flow label for a range match.";
"RFC 791: Internet Protocol - IPv4 Address"; }
} leaf end {
type inet:ipv6-flow-label;
must '. >= ../start' {
error-message
"The end flow label MUST be equal or greater than
the start flow label.";
}
description
"Ending IPv6 flow label for a range match.";
}
description
draft-ietf-i2nsf-nsf-facing-interface-dm-12 (old text, left column):

    container pkt-sec-ipv4-dest {
      uses pkt-sec-ipv4;
      description
        "The security policy rule according to
        IPv4 destination address.";
      reference
        "RFC 791: Internet Protocol - IPv4 Address";
    }
    leaf-list pkt-sec-ipv4-ipopts {
      type identityref {
        base ipopts;
      }
      description
        "The security policy rule according to
        IPv4 options.";
      reference
        "RFC 791: Internet Protocol - Options";
    }
    leaf pkt-sec-ipv4-same-ip {
      type boolean;
      description
        "Match on packets with the same IPv4 source
        and IPv4 destination address.";
    }
    leaf-list pkt-sec-ipv4-geo-ip {
      type string;
      description
        "The geo-ip keyword enables you to match on
        source and destination IP addresses of network
        traffic and to see to which country it belongs.";
      reference
        "ISO 3166: Codes for the representation of
        names of countries and their subdivisions";
    }
  }
  container packet-security-ipv6-condition {
    description
      "The purpose of this container is to represent
      IPv6 packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
      Specification";
    leaf ipv6-description {
      type string;
      description
        "This is description for ipv6 condition.";
    }
    leaf-list pkt-sec-ipv6-traffic-class {
      type identityref {
        base traffic-class;
      }
      description
        "The security policy rule according to
        IPv6 traffic class.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Traffic class";
    }
    container pkt-sec-ipv6-flow-label {
      choice match-type {
        description
          "There are two types to configure a security
          policy for IPv6 flow label, such as exact match
          and range match.";
        case exact-match {
          leaf-list ipv6-flow-label {
            type uint32 {
              range "0..1048575";
            }
            description
              "Exact match for an IPv6 flow label.";
          }
        }
        case range-match {
          list range-ipv6-flow-label {
            key "start-ipv6-flow-label end-ipv6-flow-label";
            leaf start-ipv6-flow-label {
              type uint32 {
                range "0..1048575";
              }
              description
                "Starting IPv6 flow label for a range match.";
            }
            leaf end-ipv6-flow-label {
              type uint32 {
                range "0..1048575";
              }
              description
                "Ending IPv6 flow label for a range match.";
            }
            description
              "Range match for an IPv6 flow label.";
          }
        }
      }
      description
        "The security policy rule according to
        IPv6 flow label.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Flow label";
    }
    container pkt-sec-ipv6-payload-length {
      choice match-type {
        description
          "There are two types to configure a security
          policy for IPv6 payload length, such as
          exact match and range match.";
        case exact-match {
          leaf-list ipv6-payload-length {
            type uint16;
            description
              "Exact match for an IPv6 payload length.";
          }
        }
        case range-match {
          list range-ipv6-payload-length {
            key "start-ipv6-payload-length
            end-ipv6-payload-length";
            leaf start-ipv6-payload-length {
              type uint16;
              description
                "Starting IPv6 payload length for a range match.";
            }
            leaf end-ipv6-payload-length {
              type uint16;
              description
                "Ending IPv6 payload length for a range match.";
            }
            description
              "Range match for an IPv6 payload length.";
          }
        }
      }
      description
        "The security policy rule according to
        IPv6 payload length.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Payload length";
    }
    leaf-list pkt-sec-ipv6-next-header {
      type identityref {
        base next-header;
      }
      description
        "The security policy rule according to
        IPv6 next header.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Next header";
    }
    container pkt-sec-ipv6-hop-limit {
      choice match-type {
        description
          "There are two types to configure a security
          policy for IPv6 hop limit, such as exact match
          and range match.";
        case exact-match {
          leaf-list ipv6-hop-limit {
            type uint8;
            description
              "Exact match for an IPv6 hop limit.";
          }
        }
        case range-match {
          list range-ipv6-hop-limit {
            key "start-ipv6-hop-limit end-ipv6-hop-limit";
            leaf start-ipv6-hop-limit {
              type uint8;
              description
                "Start IPv6 hop limit for a range match.";
            }
            leaf end-ipv6-hop-limit {
              type uint8;
              description
                "End IPv6 hop limit for a range match.";
            }
            description
              "Range match for an IPv6 hop limit.";
          }
        }
      }
      description
        "The security policy rule according to
        IPv6 hop limit.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Hop limit";
    }
    container pkt-sec-ipv6-src {
      uses pkt-sec-ipv6;
      description
        "The security policy rule according to
        IPv6 source address.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - IPv6 address";
    }
    container pkt-sec-ipv6-dest {
      uses pkt-sec-ipv6;
      description
        "The security policy rule according to
        IPv6 destination address.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - IPv6 address";
    }
  }
  container packet-security-tcp-condition {
    description
      "The purpose of this container is to represent
      TCP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 793: Transmission Control Protocol";
    leaf tcp-description {
      type string;
      description
        "This is description for tcp condition.";
    }
    container pkt-sec-tcp-src-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        tcp source port number.";
      reference
        "RFC 793: Transmission Control Protocol
        - Port number";
    }
    container pkt-sec-tcp-dest-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        tcp destination port number.";
      reference
        "RFC 793: Transmission Control Protocol
        - Port number";
    }
    leaf-list pkt-sec-tcp-flags {
      type identityref {
        base tcp-flags;
      }
      description
        "The security policy rule according to
        tcp flags.";
      reference
        "RFC 793: Transmission Control Protocol
        - Flags";
    }
  }
  container packet-security-udp-condition {
    description
      "The purpose of this container is to represent
      UDP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 793: Transmission Control Protocol";
    leaf udp-description {
      type string;
      description
        "This is description for udp condition.";
    }
    container pkt-sec-udp-src-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        udp source port number.";
      reference
        "RFC 768: User Datagram Protocol
        - Total Length";
    }
    container pkt-sec-udp-dest-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        udp destination port number.";
      reference
        "RFC 768: User Datagram Protocol
        - Total Length";
    }
    container pkt-sec-udp-total-length {
      choice match-type {
        description
          "There are two types to configure a security
          policy for udp sequence number,
          such as exact match and range match.";
        case exact-match {
          leaf-list udp-total-length {
            type uint32;
            description
              "Exact match for an udp-total-length.";
          }
        }
        case range-match {
          list range-udp-total-length {
            key "start-udp-total-length end-udp-total-length";
            leaf start-udp-total-length {
              type uint32;
              description
                "Start udp total length for a range match.";
            }
            leaf end-udp-total-length {
              type uint32;
              description
                "End udp total length for a range match.";
            }
            description
              "Range match for a udp total length.";
          }
        }
      }
      description
        "The security policy rule according to
        udp total length.";
      reference
        "RFC 768: User Datagram Protocol
        - Total Length";
    }
  }
  container packet-security-sctp-condition {
    description
      "The purpose of this container is to represent
      SCTP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    leaf sctp-description {
      type string;
      description
        "This is description for sctp condition.";
    }
    container pkt-sec-sctp-src-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        sctp source port number.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Port number";
    }
    container pkt-sec-sctp-dest-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        sctp destination port number.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Total Length";
    }
    leaf-list pkt-sec-sctp-verification-tag {
      type uint32;
      description
        "The security policy rule according to
        udp total length.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Verification Tag";
    }
    leaf-list pkt-sec-sctp-chunk-type {
      type uint8;
      description
        "The security policy rule according to
        sctp chunk type ID Value.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Chunk Type";
    }
  }
  container packet-security-dccp-condition {
    description
      "The purpose of this container is to represent
      DCCP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    leaf dccp-description {
      type string;
      description
        "This is description for dccp condition.";
    }
    container pkt-sec-dccp-src-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        dccp source port number.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Port number";
    }
    container pkt-sec-dccp-dest-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
        dccp destination port number.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Port number";
    }
    leaf-list pkt-sec-dccp-service-code {
      type uint32;
      description
        "The security policy rule according to
        dccp service code.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Service Codes
        RFC 5595: The Datagram Congestion Control Protocol (DCCP)
        Service Codes
        RFC 6335: Internet Assigned Numbers Authority (IANA)
        Procedures for the Management of the Service Name and
        Transport Protocol Port Number Registry - Service Code";
    }
  }
  container packet-security-icmp-condition {
    description
      "The purpose of this container is to represent
      ICMP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 792: Internet Control Message Protocol
      RFC 8335: PROBE: A Utility for Probing Interfaces";
    leaf icmp-description {
      type string;
      description
        "This is description for icmp condition.";
    }
    leaf-list pkt-sec-icmp-type-and-code {
      type identityref {
        base icmp-type;
      }
      description
        "The security policy rule according to
        ICMP parameters.";
      reference
        "RFC 792: Internet Control Message Protocol
        RFC 8335: PROBE: A Utility for Probing Interfaces";
    }
  }
  container packet-security-url-category-condition {
    description
      "Condition for url category";
    leaf url-category-description {
      type string;
      description
        "This is description for the condition of a URL's
        category such as SNS sites, game sites, ecommerce
        sites, company sites, and university sites.";
    }
    leaf-list pre-defined-category {
      type string;
      description
        "This is pre-defined-category.";
    }
    leaf-list user-defined-category {
      type string;
      description
        "This user-defined-category.";
    }
  }
  container packet-security-voice-condition {
    description
      "For the VoIP/VoLTE security system, a VoIP/
      VoLTE security system can monitor each
      VoIP/VoLTE flow and manage VoIP/VoLTE
      security rules controlled by a centralized
      server for VoIP/VoLTE security service
      (called VoIP IPS). The VoIP/VoLTE security
      system controls each switch for the
      VoIP/VoLTE call flow management by
      manipulating the rules that can be added,
      deleted, or modified dynamically.";
    reference
      "RFC 3261: SIP: Session Initiation Protocol";
    leaf voice-description {
      type string;
      description
        "This is description for voice condition.";
    }
    leaf-list pkt-sec-src-voice-id {
      type string;
      description
        "The security policy rule according to
        a source voice ID for VoIP and VoLTE.";
    }
    leaf-list pkt-sec-dest-voice-id {
      type string;
      description
        "The security policy rule according to
        a destination voice ID for VoIP and VoLTE.";
    }
    leaf-list pkt-sec-user-agent {
      type string;
      description
        "The security policy rule according to
        an user agent for VoIP and VoLTE.";
    }
  }
  container packet-security-ddos-condition {
    description
      "Condition for DDoS attack.";
    leaf ddos-description {
      type string;
      description
        "This is description for ddos condition.";
    }
    leaf pkt-sec-alert-packet-rate {
      type uint32;
      units "pps";
      description
        "The alert rate of flood detection for
        packets per second (PPS) of an IP address.";
    }
    leaf pkt-sec-alert-flow-rate {
      type uint32;
      description
        "The alert rate of flood detection for
        flows per second of an IP address.";
    }
    leaf pkt-sec-alert-byte-rate {
      type uint32;
      units "BPS";
      description
        "The alert rate of flood detection for
        bytes per second of an IP address.";
    }
  }
  container packet-security-payload-condition {
    description
      "Condition for packet payload";
    leaf packet-payload-description {
      type string;
      description
        "This is description for payload condition.";
    }
    leaf-list pkt-payload-content {
      type string;
      description
        "This is a condition for packet payload content.";
    }
  }
  container context-condition {
    description
      "Condition for context";
    leaf context-description {
      type string;
      description
        "This is description for context condition.";
    }
    container application-condition {
      description
        "Condition for application";
      leaf application-description {
        type string;
        description
          "This is description for application condition.";
      }
      leaf-list application-object {
        type string;
        description
          "This is application object.";
      }
      leaf-list application-group {
        type string;
        description
          "This is application group.";
      }
      leaf-list application-label {
        type string;
        description
          "This is application label.";
      }
      container category {
        description
          "This is application category";
        list application-category {
          key "name application-subcategory";
          description
            "This is application category list";
          leaf name {
            type string;
            description
              "This is name for application category.";
          }
          leaf application-subcategory {
            type string;
            description
              "This is application subcategory.";
          }
        }
      }
    }
    container target-condition {
      description
        "Condition for target";
      leaf target-description {
        type string;
        description
          "This is description for target condition.
          Vendors can write instructions for target condition
          that vendor made";
      }
      container device-sec-context-cond {
        description
          "The device attribute that can identify a device,
          including the device type (i.e., router, switch,
          pc, ios, or android) and the device's owner as
          well.";
        leaf-list target-device {
          type identityref {
            base target-device;
          }
          description
            "Leaf list for target devices";
        }
      }
    }
    container users-condition {
      description
        "Condition for users";
      leaf users-description {
        type string;
        description
          "This is the description for users' condition.";
      }
      list user{
        key "user-id";
        description
          "The user (or user group) information with which
          network flow is associated: The user has many
          attributes such as name, id, password, type,
          authentication mode and so on.
          id is often used in the security policy to
          identify the user.
          Besides, an NSF is aware of the IP address of the
          user provided by a unified user management system
          via network. Based on name-address association,
          an NSF is able to enforce the security functions
          over the given user (or user group)";
        leaf user-id {
          type uint32;
          description
            "The ID of the user.";
        }
        leaf user-name {
          type string;
          description
            "The name of the user.";
        }
      }
      list group {
        key "group-id";
        description
          "The user (or user group) information with which
          network flow is associated: The user has many
          attributes such as name, id, password, type,
          authentication mode and so on.
          id is often used in the security policy to
          identify the user.
          Besides, an NSF is aware of the IP address of the
          user provided by a unified user management system
          via network. Based on name-address association,
          an NSF is able to enforce the security functions
          over the given user (or user group)";
        leaf group-id {
          type uint32;
          description
            "The ID of the group.";
        }
        leaf group-name {
          type string;
          description
            "The name of the group.";
        }
      }
      leaf security-group {
        type string;
        description
          "security-group.";
      }
    }
    container geography-context-condition {
      description
        "Condition for generic context";
      leaf geography-context-description {
        type string;
        description
          "This is description for generic context condition.
          Vendors can write instructions for generic context
          condition that vendor made";
      }
      container geography-location {
        description
          "The location which network traffic flow is associated
          with. The region can be the geographical location
          such as country, province, and city,
          as well as the logical network location such as
          IP address, network section, and network domain.";
        leaf-list src-geography-location {
          type string;
          description
            "The src-geography-location is a geographical
            location mapped into an IP address. It matches the
            mapped IP address to the source IP address of the
            traffic flow.";
          reference
            "ISO 3166: Codes for the representation of
            names of countries and their subdivisions";
        }
        leaf-list dest-geography-location {
          type string;
          description
            "The dest-geography-location is a geographical
            location mapped into an IP address. It matches the
            mapped IP address to the destination IP address of
            the traffic flow.";
          reference
            "ISO 3166: Codes for the representation of
            names of countries and their subdivisions";
        }
      }
    }
  }
}
container action-clause-container {
  description
    "An action is used to control and monitor aspects of
    flow-based NSFs when the event and condition clauses
    are satisfied. NSFs provide security functions by
    executing various Actions. Examples of I2NSF Actions
    include providing intrusion detection and/or protection,
    web and flow filtering, and deep packet inspection
    for packets and flows.";
  reference
    "RFC 8329: Framework for Interface to Network Security
    Functions - I2NSF Flow Security Policy Structure
    draft-ietf-i2nsf-capability-data-model-15:
    I2NSF Capability YANG Data Model - Design Principles and
    ECA Policy Model Overview";
  leaf action-clause-description {
    type string;
    description
      "Description for an action clause.";
  }
  container packet-action {
    description
      "Action for packets";
    reference
      "RFC 8329: Framework for Interface to Network Security
      Functions - I2NSF Flow Security Policy Structure
      draft-ietf-i2nsf-capability-data-model-15:
      I2NSF Capability YANG Data Model - Design Principles and
      ECA Policy Model Overview";
    leaf ingress-action {
      type identityref {
        base ingress-action;
      }
      description
        "Action: pass, drop, reject, alert, and mirror.";
    }
    leaf egress-action {
      type identityref {
        base egress-action;
      }
      description
        "Egress action: pass, drop, reject, alert, mirror,
        invoke-signaling, tunnel-encapsulation,
        forwarding, and redirection.";
    }
    leaf log-action {
      type identityref {
        base log-action;
      }
      description
        "Log action: rule log and session log";
    }
  }
  container flow-action {
    description
      "Action for flows";
    reference
      "RFC 8329: Framework for Interface to Network Security
      Functions - I2NSF Flow Security Policy Structure
      draft-ietf-i2nsf-capability-data-model-15:
      I2NSF Capability YANG Data Model - Design Principles and
      ECA Policy Model Overview";
    leaf ingress-action {
      type identityref {
        base ingress-action;
      }
      description
        "Action: pass, drop, reject, alert, and mirror.";
    }
    leaf egress-action {
      type identityref {
        base egress-action;
      }
      description
        "Egress action: pass, drop, reject, alert, mirror,
        invoke-signaling, tunnel-encapsulation,
        forwarding, and redirection.";
    }
    leaf log-action {
      type identityref {

draft-ietf-i2nsf-nsf-facing-interface-dm-13 (new text, right column):

        "The security policy rule according to
        IPv6 flow label. If only one value is needed,
        then set both start and end to the same value.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Flow label";
    }
    list payload-length {
      key "start end";
      leaf start {
        type uint16;
        description
          "Starting IPv6 payload length for a range match.";
      }
      leaf end {
        type uint16;
        must '. >= ../start' {
          error-message
            "The end payload length MUST be equal or greater
            than the start payload length.";
        }
        description
          "Ending IPv6 payload length for a range match.";
      }
      description
        "The security policy rule according to
        IPv6 payload length. If only one value is needed,
        then set both start and end to the same value.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Payload length";
    }
    leaf-list next-header {
      type uint8;
      description
        "The security policy rule according to
        IPv6 next header.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Next header
        IANA: Assigned Internet Protocol Numbers";
    }
    list hop-limit {
      key "start end";
      leaf start {
        type uint8;
        description
          "Start IPv6 hop limit for a range match.";
      }
      leaf end {
        type uint8;
        must '. >= ../start' {
          error-message
            "The end hop limit MUST be equal or greater than
            the start hop limit.";
        }
        description
          "End IPv6 hop limit for a range match.";
      }
      description
        "The security policy rule according to
        IPv6 hop limit. If only one value is needed,
        then set both start and end to the same value.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - Hop limit";
    }
    container source-address {
      uses ipv6-address;
      description
        "The security policy rule according to
        IPv6 source address.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - IPv6 address";
    }
    container destination-address {
      uses ipv6-address;
      description
        "The security policy rule according to
        IPv6 destination address.";
      reference
        "RFC 8200: Internet Protocol, Version 6 (IPv6)
        Specification - IPv6 address";
    }
  }
  container tcp {
    description
      "The purpose of this container is to represent
      TCP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 793: Transmission Control Protocol";
    leaf description {
      type string;
      description
        "This is description for tcp condition.";
    }
    list source-port-number {
      key "start end";
      uses port-range;
      description
        "The security policy rule according to
        tcp source port number.";
      reference
        "RFC 793: Transmission Control Protocol
        - Port number";
    }
    list destination-port-number {
      key "start end";
      uses port-range;
      description
        "The security policy rule according to
        tcp destination port number.";
      reference
        "RFC 793: Transmission Control Protocol
        - Port number";
    }
    leaf-list flags {
      type identityref {
        base tcp-flags;
      }
      description
        "The security policy rule according to
        tcp flags.";
      reference
        "RFC 793: Transmission Control Protocol
        - Flags";
    }
  }
  container udp {
    description
      "The purpose of this container is to represent
      UDP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 768: User Datagram Protocol";
    leaf description {
      type string;
      description
        "This is description for udp condition.";
    }
    container source-port-number {
      uses port-range;
      description
        "The security policy rule according to
        udp source port number.";
      reference
        "RFC 768: User Datagram Protocol - Port Number";
    }
    container destination-port-number {
      uses port-range;
      description
        "The security policy rule according to
        udp destination port number.";
      reference
        "RFC 768: User Datagram Protocol - Port Number";
    }
    list total-length {
      key "start end";
      leaf start {
        type uint32;
        description
          "Start udp total length for a range match.";
      }
      leaf end {
        type uint32;
        must '. >= ../start' {
          error-message
            "The end hop limit MUST be equal or greater than
            the start hop limit.";
        }
        description
          "End udp total length for a range match.";
      }
      description
        "The security policy rule according to
        udp total length. If only one value is needed,
        then set both start and end to the same value";
      reference
        "RFC 768: User Datagram Protocol - Total Length";
    }
  }
  container sctp {
    description
      "The purpose of this container is to represent
      SCTP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    leaf description {
      type string;
      description
        "This is description for sctp condition.";
    }
    container source-port-number {
      uses port-range;
      description
        "The security policy rule according to
        sctp source port number.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Port number";
    }
    container destination-port-number {
      uses port-range;
      description
        "The security policy rule according to
        sctp destination port number.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Port Number";
    }
    leaf-list verification-tag {
      type uint32;
      description
        "The security policy rule according to
        udp total length.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Verification Tag";
    }
    leaf-list chunk-type {
      type uint8;
      description
        "The security policy rule according to
        sctp chunk type ID Value.";
      reference
        "RFC 4960: Stream Control Transmission Protocol
        - Chunk Type";
    }
  }
  container dccp {
    description
      "The purpose of this container is to represent
      DCCP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    leaf description {
      type string;
      description
        "This is description for dccp condition.";
    }
    container source-port-number {
      uses port-range;
      description
        "The security policy rule according to
        dccp source port number.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Port number";
    }
    container destination-port-number {
      uses port-range;
      description
        "The security policy rule according to
        dccp destination port number.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Port number";
    }
    leaf-list service-code {
      type uint32;
      description
        "The security policy rule according to
        dccp service code.";
      reference
        "RFC 4340: Datagram Congestion Control Protocol (DCCP)
        - Service Codes
        RFC 5595: The Datagram Congestion Control Protocol
        (DCCP) Service Codes
        RFC 6335: Internet Assigned Numbers Authority (IANA)
        Procedures for the Management of the Service
        Name and Transport Protocol Port Number
        Registry - Service Code";
    }
  }
  list icmp {
    key "version";
    description
      "The purpose of this container is to represent
      ICMP packet header information to determine
      if the set of policy actions in this ECA policy
      rule should be executed or not.";
    reference
      "RFC 792: Internet Control Message Protocol
      RFC 8335: PROBE: A Utility for Probing Interfaces";
    leaf description {
      type string;
      description
        "This is description for icmp condition.";
    }
    leaf version {
      type enumeration {
        enum icmpv4 {
          value "1";
          description
            "The ICMPv4 Protocol as defined in RFC 792";
        }
        enum icmpv6 {
          value "2";
          description
            "The ICMPv6 Protocol as defined in RFC 4443";
        }
      }
      description
        "The ICMP version to be matched. This value
        affected the type and code values.";
      reference
        "RFC 792: Internet Control Message Protocol
        RFC 4443: Internet Control Message Protocol (ICMPv6)
        for the Internet Protocol Version 6 (IPv6)
        Specification";
    }
    leaf-list type {
      type uint8;
      description
        "The security policy rule according to
        ICMPv4 or ICMPv6 type header field.

        The value of this leaf-list is affected by
        the value of the leaf version.

        If the version value is icmpv4, the type follows
        the IANA ICMP Parameters.

        If the version value is icmpv6, the type follows
        the IANA ICMPv6 Parameters.";
      reference
        "RFC 792: Internet Control Message Protocol
        RFC 4443: Internet Control Message Protocol (ICMPv6)
        for the Internet Protocol Version 6 (IPv6)
        Specification
        RFC 8335: PROBE: A Utility for Probing Interfaces
        IANA: Internet Control Message Protocol (ICMP)
        Parameters
        IANA: Internet Control Message Protocol version 6
        (ICMPv6) Parameters";
    }
    leaf-list code {
      type uint8;
      description
        "The security policy rule according to
        ICMPv4 or ICMPv6 code header field.

        The value of this leaf-list is affected by
        the value of the leaf version.

        If the version value is icmpv4, the code follows
        the IANA ICMP parameters.

        If the version value is icmpv6, the code follows
        the IANA ICMPv6 parameters.";
      reference
        "RFC 792: Internet Control Message Protocol
        RFC 4443: Internet Control Message Protocol (ICMPv6)
        for the Internet Protocol Version 6 (IPv6)
        Specification
        RFC 8335: PROBE: A Utility for Probing Interfaces
        IANA: Internet Control Message Protocol (ICMP)
        Parameters
        IANA: Internet Control Message Protocol version 6
        (ICMPv6) Parameters";
    }
  }
  container url-category {
    description
      "Condition for url category";
    leaf description {
      type string;
      description
        "This is description for the condition of a URL's
        category such as SNS sites, game sites, ecommerce
        sites, company sites, and university sites.";
    }
    leaf-list pre-defined-category {
      type string;
      description
        "This is pre-defined-category.";
    }
    leaf-list user-defined-category {
      type string;
      description
        "This user-defined-category.";
    }
  }
  container voice {
    description
      "For the VoIP/VoLTE security system, a VoIP/
      VoLTE security system can monitor each
      VoIP/VoLTE flow and manage VoIP/VoLTE
      security rules controlled by a centralized
      server for VoIP/VoLTE security service
      (called VoIP IPS). The VoIP/VoLTE security
      system controls each switch for the
      VoIP/VoLTE call flow management by
      manipulating the rules that can be added,
      deleted, or modified dynamically.";
    reference
      "RFC 3261: SIP: Session Initiation Protocol";
    leaf description {
      type string;
      description
        "This is description for voice condition.";
    }
    leaf-list source-voice-id {
      type string;
      description
        "The security policy rule according to
        a source voice ID for VoIP and VoLTE.";
    }
    leaf-list destination-voice-id {
      type string;
      description
        "The security policy rule according to
        a destination voice ID for VoIP and VoLTE.";
    }
    leaf-list user-agent {
      type string;
      description
        "The security policy rule according to
        an user agent for VoIP and VoLTE.";
    }
  }
  container ddos {
    description
      "Condition for DDoS attack.";
    leaf description {
      type string;
      description
        "This is description for ddos condition.";
    }
    leaf alert-packet-rate {
      type uint32;
      units "pps";
      description
        "The alert rate of flood detection for
        packets per second (PPS) of an IP address.";
    }
    leaf alert-flow-rate {
      type uint32;
      description
        "The alert rate of flood detection for
        flows per second of an IP address.";
    }
    leaf alert-byte-rate {
      type uint32;
      units "BPS";
      description
        "The alert rate of flood detection for
        bytes per second of an IP address.";
    }
  }
  container anti-virus {
    description
      "Condition for antivirus";
    leaf-list profile {
      type string;
      description
        "The security profile for antivirus. This is used to
        update the security profile for improving the
        security. The security profile is used to scan
        the viruses.";
    }
    leaf-list exception-files {
      type string;
      description
        "The type or name of the files to be excluded by the
        anti-virus. This can be used to keep the known
        harmless files.";
    }
  }
  container payload {
    description
      "Condition for packet payload";
    leaf packet-payload-description {
      type string;
      description
        "This is description for payload condition.";
    }
    leaf-list payload-content {
      type string;
      description
        "This is a condition for packet payload content.";
    }
  }
  container context {
    description
      "Condition for context";
    leaf context-description {
      type string;
      description
        "This is description for context condition.";
    }
    container application {
      description
        "Condition for application";
      leaf description {
        type string;
        description
          "This is description for application condition.";
      }
      leaf-list object {
        type string;
        description
          "This is application object.";
      }
      leaf-list group {
        type string;
        description
          "This is application group.";
      }
      leaf-list label {
        type string;
        description
          "This is application label.";
      }
      container category {
        description
          "This is application category";
        list application-category {
          key "name subcategory";
          description
            "This is application category list";
          leaf name {
            type string;
            description
              "This is name for application category.";
          }
          leaf subcategory {
            type string;
            description
              "This is application subcategory.";
          }
        }
      }
    }
    container target {
      description
        "Condition for target";
      leaf description {
        type string;
        description
          "This is description for target condition.
          Vendors can write instructions for target condition
          that vendor made";
      }
      leaf-list device {
        type identityref {
          base target-device;
        }
        description
          "The device attribute that can identify a device,
          including the device type (i.e., router, switch,
          pc, ios, or android) and the device's owner as
          well.";
      }
    }
    container users {
      description
        "Condition for users";
      leaf users-description {
        type string;
        description
          "This is the description for users' condition.";
      }
      list user {
        key "user-id";
        description
          "The user with which the traffic flow is associated
          can be identified by either a user id or user name.
          The user-to-IP address mapping is assumed to be
          provided by the unified user management system via
          network.";
        leaf user-id {
          type uint32;
          description
            "The ID of the user.";
        }
        leaf user-name {
          type string;
          description
            "The name of the user.";
        }
      }
      list group {
        key "group-id";
        description
          "The user group with which the traffic flow is
          associated can be identified by either a group id
          or group name. The group-to-IP address and
          user-to-group mappings are assumed to be provided by
          the unified user management system via network.";
        leaf group-id {
          type uint32;
          description
            "The ID of the group.";
        }
        leaf group-name {
          type string;
          description
            "The name of the group.";
        }
      }
      leaf security-group {
        type string;
        description
          "security-group.";
      }
    }
    container geography-location {
      description
        "The location which network traffic flow is associated
        with. The region can be the geographical location
        such as country, province, and city,
        as well as the logical network location such as
        IP address, network section, and network domain.";
      leaf description {
        type string;
        description
          "This is description for generic context condition.
          Vendors can write instructions for generic context
          condition that vendor made";
      }
      leaf-list source {
        type string;
        description
          "The src-geography-location is a geographical
          location mapped into an IP address. It matches the
          mapped IP address to the source IP address of the
          traffic flow.";
        reference
          "ISO 3166: Codes for the representation of
          names of countries and their subdivisions";
      }
      leaf-list destination {
        type string;
        description
          "The dest-geography-location is a geographical
          location mapped into an IP address. It matches the
          mapped IP address to the destination IP address of
          the traffic flow.";
        reference
          "ISO 3166: Codes for the representation of
          names of countries and their subdivisions";
      }
    }
  }
}
container action {
  description
    "An action is used to control and monitor aspects of
    flow-based NSFs when the event and condition clauses
    are satisfied. NSFs provide security functions by
    executing various Actions. Examples of I2NSF Actions
    include providing intrusion detection and/or protection,
    web and flow filtering, and deep packet inspection
    for packets and flows.";
  reference
    "RFC 8329: Framework for Interface to Network Security
    Functions - I2NSF Flow Security Policy Structure
    draft-ietf-i2nsf-capability-data-model-17:
    I2NSF Capability YANG Data Model - Design Principles and
    ECA Policy Model Overview";
  leaf action-clause-description {
    type string;
    description
      "Description for an action clause.";
  }
  container packet-action {
    description
      "Action for packets";
    reference
      "RFC 8329: Framework for Interface to Network Security
      Functions - I2NSF Flow Security Policy Structure
      draft-ietf-i2nsf-capability-data-model-17:
      I2NSF Capability YANG Data Model - Design Principles and
      ECA Policy Model Overview";
    leaf ingress-action {
      type identityref {
        base ingress-action;
      }
      description
        "Ingress Action: pass, drop, rate-limit, and
        mirror.";
    }
    leaf egress-action {
      type identityref {
        base egress-action;
      }
      description
        "Egress action: pass, drop, rate-limit, mirror,
        invoke-signaling, tunnel-encapsulation, forwarding,
        and redirection.";
    }
    leaf log-action {
      type identityref {
        base log-action;
      }
      description
        "Log action: rule log and session log";
    }
  }
  container flow-action {
    description
      "Action for flows";
    reference
      "RFC 8329: Framework for Interface to Network Security
      Functions - I2NSF Flow Security Policy Structure
      draft-ietf-i2nsf-capability-data-model-17:
      I2NSF Capability YANG Data Model - Design Principles and
      ECA Policy Model Overview";
    leaf ingress-action {
      type identityref {
        base ingress-action;
      }
      description
        "Action: pass, drop, rate-limit, and mirror.";
    }
    leaf egress-action {
      type identityref {
        base egress-action;
      }
      description
        "Egress action: pass, drop, rate-limit, mirror,
        invoke-signaling, tunnel-encapsulation, forwarding,
        and redirection.";
    }
    leaf log-action {
      type identityref {
base log-action; base log-action;
} }
description description
"Log action: rule log and session log"; "Log action: rule log and session log";
} }
} }
container advanced-action { container advanced-action {
description description
"If the packet needs to be additionally inspected, "If the packet needs to be additionally inspected,
the packet is passed to advanced network the packet is passed to advanced network
security functions according to the profile. security functions according to the profile.
The profile means the types of NSFs where the packet The profile means the types of NSFs where the packet
will be forwarded in order to additionally will be forwarded in order to additionally
inspect the packet."; inspect the packet.
reference The advanced action activates Service Function
"RFC 8329: Framework for Interface to Network Security Chaining (SFC) for further inspection of a packet.";
Functions - Differences from ACL Data Models"; reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - YANG Tree
Diagram";
leaf-list content-security-control { leaf-list content-security-control {
type identityref { type identityref {
base content-security-control; base content-security-control;
} }
description description
"Content-security-control is the NSFs that "Content-security-control is the NSFs that
inspect the payload of the packet. inspect the payload of the packet.
The Profile is divided into content security The profile for the types of NSFs for mitigation is
control and attack-mitigation-control. divided into content security control and
Content security control: antivirus, ips, ids, attack-mitigation-control.
url filtering, mail filtering, file blocking, Content security control: ips, url filtering,
file isolate, packet capture, application control, anti-virus, and voip-volte-filter. This can be
voip and volte."; extended according to the provided NSFs.";
} reference
"draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - YANG Tree Diagram";
}
leaf-list attack-mitigation-control { leaf-list attack-mitigation-control {
type identityref { type identityref {
base attack-mitigation-control; base attack-mitigation-control;
} }
description description
"Attack-mitigation-control is the NSFs that weaken "Attack-mitigation-control is the NSFs that weaken
the attacks related to a denial of service the attacks related to a denial of service
and reconnaissance. and reconnaissance.
The Profile is divided into content security The profile for the types of NSFs for mitigation is
control and attack-mitigation-control. divided into content security control and
Attack mitigation control: syn flood, udp flood, attack-mitigation-control.
icmp flood, ip frag flood, ipv6 related, http flood, Attack mitigation control: Anti-DDoS or DDoS
https flood, dns flood, dns amp flood, ssl ddos, mitigator. This can be extended according to the
ip sweep, port scanning, ping of death, teardrop, provided NSFs such as mitigators for ip sweep,
oversized icmp, tracert."; port scanning, ping of death, teardrop, oversized
} icmp, and tracert.";
} reference
} "draft-ietf-i2nsf-capability-data-model-17:
} I2NSF Capability YANG Data Model - YANG Tree Diagram";
container rule-group { }
description }
"This is rule group"; }
}
container rule-group {
description
"This is rule group";
list groups { list groups {
key "group-name"; key "group-name";
description description
"This is a group for rules"; "This is a group for rules";
leaf group-name { leaf group-name {
type string; type string;
description description
"This is a group for rules"; "This is a group for rules";
} }
container rule-range { container rule-range {
description description
"This is a rule range."; "This is a rule range.";
leaf start-rule { leaf start-rule {
type string; type string;
description description
"This is a start rule"; "This is a start rule";
} }
leaf end-rule { leaf end-rule {
type string; type string;
description description
"This is a end rule"; "This is a end rule";
} }
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"This is enable "This is enable
False is not enable."; False is not enable.";
} }
leaf description { leaf description {
type string; type string;
description description
"This is a description for rule-group"; "This is a description for rule-group";
} }
} }
} }
} }
} }
} <CODE ENDS>
<CODE ENDS>
Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface
5. XML Configuration Examples of Low-Level Security Policy Rules 5. XML Configuration Examples of Low-Level Security Policy Rules
This section shows XML configuration examples of low-level security This section shows XML configuration examples of low-level security
policy rules that are delivered from the Security Controller to NSFs policy rules that are delivered from the Security Controller to NSFs
over the NSF-Facing Interface. For security requirements, we assume over the NSF-Facing Interface. For security requirements, we assume
that the NSFs (i.e., General firewall, Time-based firewall, URL that the NSFs (i.e., General firewall, Time-based firewall, URL
filter, VoIP/VoLTE filter, and http and https flood mitigation ) filter, VoIP/VoLTE filter, and http and https flood mitigation )
described in Section Configuration Examples of described in of [I-D.ietf-i2nsf-capability-data-model] are registered
[I-D.ietf-i2nsf-capability-data-model] are registered in the I2NSF in the I2NSF framework. With the registered NSFs, we show
framework. With the registered NSFs, we show configuration examples configuration examples for security policy rules of network security
for security policy rules of network security functions according to functions according to the following three security requirements: (i)
the following three security requirements: (i) Block Social Block Social Networking Service (SNS) access during business hours,
Networking Service (SNS) access during business hours, (ii) Block (ii) Block malicious VoIP/VoLTE packets coming to the company, and
malicious VoIP/VoLTE packets coming to the company, and (iii) (iii) Mitigate http and https flood attacks on company web server.
Mitigate http and https flood attacks on company web server.
5.1. Security Requirement 1: Block Social Networking Service (SNS) 5.1. Security Requirement 1: Block Social Networking Service (SNS)
Access during Business Hours Access during Business Hours
This section shows a configuration example for blocking SNS access This section shows a configuration example for blocking SNS access
during business hours in IPv4 networks or IPv6 networks. during business hours in IPv4 networks or IPv6 networks.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy-name>sns_access</system-policy-name>
<system-policy-name>sns_access</system-policy-name> <rules>
<rules> <rule-name>block_sns_access_during_operation_time</rule-name>
<rule-name>block_sns_access_during_operation_time</rule-name> <event>
<time-intervals> <time>
<absolute-time-interval> <start-date-time>2021-03-11T09:00:00.00Z</start-date-time>
<start-time>09:00:00Z</start-time> <end-date-time>2021-12-31T18:00:00.00Z</end-date-time>
<end-time>18:00:00Z</end-time> <period>
</absolute-time-interval> <start-time>09:00:00Z</start-time>
</time-intervals> <end-time>18:00:00Z</end-time>
<condition-clause-container> <day>monday</day>
<packet-security-ipv4-condition> <day>tuesday</day>
<pkt-sec-ipv4-src> <day>wednesday</day>
<range-ipv4-address> <day>thursday</day>
<start-ipv4-address>192.0.2.11</start-ipv4-address> <day>friday</day>
<end-ipv4-address>192.0.2.90</end-ipv4-address> </period>
</range-ipv4-address> </time>
</pkt-sec-ipv4-src> <frequency>weekly</frequency>
</packet-security-ipv4-condition> </event>
</condition-clause-container> <condition>
<action-clause-container> <ipv4>
<advanced-action> <source-address>
<content-security-control>url-filtering</content-security-control> <ipv4-range>
</advanced-action> <start>192.0.2.11</start>
</action-clause-container> <end>192.0.2.90</end>
</rules> </ipv4-range>
</system-policy> </source-address>
</i2nsf-security-policy> </ipv4>
</condition>
<action>
<advanced-action>
<content-security-control>
url-filtering
</content-security-control>
</advanced-action>
</action>
</rules>
</i2nsf-security-policy>
Figure 6: Configuration XML for Time-based Firewall to Block SNS Figure 6: Configuration XML for Time-based Firewall to Block SNS
Access during Business Hours in IPv4 Networks Access during Business Hours in IPv4 Networks
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy-name>sns_access</system-policy-name>
<system-policy-name>sns_access</system-policy-name> <rules>
<rules> <rule-name>block_sns_access_during_operation_time</rule-name>
<rule-name>block_sns_access_during_operation_time</rule-name> <event>
<time-intervals> <time>
<absolute-time-interval> <start-date-time>2021-03-11T09:00:00.00Z</start-date-time>
<start-time>09:00:00Z</start-time> <end-date-time>2021-12-31T18:00:00.00Z</end-date-time>
<end-time>18:00:00Z</end-time> <period>
</absolute-time-interval> <start-time>09:00:00Z</start-time>
</time-intervals> <end-time>18:00:00Z</end-time>
<condition-clause-container> <day>monday</day>
<packet-security-ipv6-condition> <day>tuesday</day>
<pkt-sec-ipv6-src> <day>wednesday</day>
<range-ipv6-address> <day>thursday</day>
<start-ipv6-address>2001:DB8:0:1::11</start-ipv6-address> <day>friday</day>
<end-ipv6-address>2001:DB8:0:1::90</end-ipv6-address> </period>
</range-ipv6-address> </time>
</pkt-sec-ipv6-src> <frequency>weekly</frequency>
</packet-security-ipv6-condition> </event>
</condition-clause-container> <condition>
<action-clause-container> <ipv6>
<advanced-action> <source-address>
<content-security-control>url-filtering</content-security-control> <ipv6-range>
</advanced-action> <start>2001:DB8:0:1::11</start>
</action-clause-container> <end>2001:DB8:0:1::90</end>
</rules> </ipv6-range>
</system-policy> </source-address>
</i2nsf-security-policy> </ipv6>
</condition>
<action>
<advanced-action>
<content-security-control>
url-filtering
</content-security-control>
</advanced-action>
</action>
</rules>
</i2nsf-security-policy>
Figure 7: Configuration XML for Time-based Firewall to Block SNS Figure 7: Configuration XML for Time-based Firewall to Block SNS
Access during Business Hours in IPv6 Networks Access during Business Hours in IPv6 Networks
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy>
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
<rules> <rules>
<rule-name>block_sns_access_during_operation_time</rule-name> <rule-name>block_sns_access_during_operation_time</rule-name>
<time-intervals> <condition>
<absolute-time-interval> <url-category>
<start-time>09:00:00Z</start-time> <user-defined>SNS_1</user-defined>
<end-time>18:00:00Z</end-time> <user-defined>SNS_2</user-defined>
</absolute-time-interval> </url-category>
</time-intervals>
<condition-clause-container>
<packet-security-url-category-condition>
<user-defined-category>SNS_1</user-defined-category>
<user-defined-category>SNS_2</user-defined-category>
</packet-security-url-category-condition>
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<flow-action> <packet-action>
<egress-action>drop</egress-action> <egress-action>drop</egress-action>
</flow-action> </packet-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 8: Configuration XML for Web Filter to Block SNS Access during Figure 8: Configuration XML for Web Filter to Block SNS Access
Business Hours during Business Hours
Figure 6 (or Figure 7) and Figure 8 show the configuration XML Figure 6 (or Figure 7) and Figure 8 show the configuration XML
documents for time-based firewall and web filter to block SNS access documents for time-based firewall and web filter to block SNS access
during business hours in IPv4 networks (or IPv6 networks). For the during business hours in IPv4 networks (or IPv6 networks). For the
security requirement, two NSFs (i.e., a time-based firewall and a web security requirement, two NSFs (i.e., a time-based firewall and a web
filter) were used because one NSF cannot meet the security filter) were used because one NSF cannot meet the security
requirement. The instances of XML documents for the time-based requirement. The instances of XML documents for the time-based
firewall and the web filter are as follows: Note that a detailed data firewall and the web filter are as follows: Note that a detailed data
model for the configuration of the advanced network security function model for the configuration of the advanced network security function
(i.e., web filter) can be defined as an extension in future. (i.e., web filter) can be defined as an extension in future.
Time-based Firewall is as follows: Time-based Firewall is as follows:
1. The name of the system policy is sns_access. 1. The name of the system policy is sns_access.
2. The name of the rule is block_sns_access_during_operation_time. 2. The name of the rule is block_sns_access_during_operation_time.
3. The rule is operated during the business hours (i.e., from 9 a.m. 3. The rule is started from 2021-03-11 at 9 a.m. to 2021-12-31 at 6
to 6 p.m.). p.m.
4. The rule inspects a source IPv4 address (i.e., from 192.0.2.11 to 4. The rule is operated weekly every weekday (i.e., Monday, Tuesday,
Wednesday, Thursday, and Friday) during the business hours (i.e.,
from 9 a.m. to 6 p.m.) .
5. The rule inspects a source IPv4 address (i.e., from 192.0.2.11 to
192.0.2.90) to inspect the outgoing packets of employees. For 192.0.2.90) to inspect the outgoing packets of employees. For
the case of IPv6 networks, the rule inspects a source IPv6 the case of IPv6 networks, the rule inspects a source IPv6
address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to
inspect the outgoing packets of employees. inspect the outgoing packets of employees.
5. If the outgoing packets match the rules above, the time-based 6. If the outgoing packets match the rules above, the time-based
firewall sends the packets to url filtering for additional firewall sends the packets to url filtering for additional
inspection because the time-based firewall can not inspect inspection because the time-based firewall can not inspect
contents of the packets for the SNS URL. contents of the packets for the SNS URL.
Web Filter is as follows: Web Filter is as follows:
1. The name of the system policy is sns_access. 1. The name of the system policy is sns_access.
2. The name of the rule is block_SNS_1_and_SNS_2. 2. The name of the rule is block_SNS_1_and_SNS_2.
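Review bot: the updated Figure 8 (Web Filter) is not well-formed and does not follow the renaming applied to Figures 6 and 7: its condition opens with `<condition>` but is closed by `</condition-clause-container>`, and its action block still uses `<action-clause-container>` ... `</action-clause-container>` where the other updated examples use `<action>` ... `</action>`. Suggest closing with `</condition>` and wrapping the packet-action in `<action>` / `</action>`. In the same hunk, the Web Filter walkthrough still gives the rule name as block_SNS_1_and_SNS_2 while the XML carries block_sns_access_during_operation_time, so one of the two should change. The `url-filtering` identityref in Figures 6 and 7 is now placed on its own line between `<content-security-control>` and its closing tag, which puts leading and trailing whitespace into the leaf value; keeping the value on the same line as its tags avoids relying on the receiver to trim it. Finally, the YANG descriptions are inconsistent: packet-action's ingress-action reads "Ingress Action: ..." while flow-action's reads "Action: ..." and both egress descriptions read "Egress action: ..."; "Ingress action: ..." in both places would align them.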
skipping to change at page 90, line 7 skipping to change at page 69, line 7
blocked. blocked.
5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming 5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
to a Company to a Company
This section shows a configuration example for blocking malicious This section shows a configuration example for blocking malicious
VoIP/VoLTE packets coming to a company. VoIP/VoLTE packets coming to a company.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy>
<system-policy-name>voip_volte_inspection</system-policy-name> <system-policy-name>voip_volte_inspection</system-policy-name>
<rules> <rules>
<rule-name>block_malicious_voice_id</rule-name> <rule-name>block_malicious_voice_id</rule-name>
<condition-clause-container> <condition>
<packet-security-ipv4-condition> <ipv4>
<pkt-sec-ipv4-dest> <destination-address>
<range-ipv4-address> <ipv4-range>
<start-ipv4-address>192.0.2.11</start-ipv4-address> <start>192.0.2.11</start>
<end-ipv4-address>192.0.2.90</end-ipv4-address> <end>192.0.2.90</end>
</range-ipv4-address> </ipv4-range>
</pkt-sec-ipv4-dest> </destination-address>
</packet-security-ipv4-condition> </ipv4>
<packet-security-tcp-condition> <tcp>
<pkt-sec-tcp-dest-port-num> <destination-port-number>
<port-num>5060</port-num> <start>5060</start>
<port-num>5061</port-num> <start>5061</end>
</pkt-sec-tcp-dest-port-num> </destination-port-number>
</packet-security-tcp-condition> </tcp>
</condition-clause-container> </condition>
<action-clause-container> <action>
<advanced-action> <advanced-action>
<content-security-control>voip-volte</content-security-control> <content-security-control>
voip-volte-filter
</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action>
</rules> </rules>
</system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 9: Configuration XML for General Firewall to Block Malicious Figure 9: Configuration XML for General Firewall to Block
VoIP/VoLTE Packets Coming to a Company Malicious VoIP/VoLTE Packets Coming to a Company
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy-name>voip_volte_inspection</system-policy-name>
<system-policy-name>voip_volte_inspection</system-policy-name> <rules>
<rules> <rule-name>block_malicious_voice_id</rule-name>
<rule-name>block_malicious_voice_id</rule-name> <condition>
<condition-clause-container> <voice>
<packet-security-voice-condition> <source-voice-id>
<pkt-sec-src-voice-id>user1@voip.malicious.example.com</pkt-sec-src-voice-id> user1@voip.malicious.example.com
<pkt-sec-src-voice-id>user2@voip.malicious.example.com</pkt-sec-src-voice-id> </source-voice-id>
</packet-security-voice-condition> <source-voice-id>
</condition-clause-container> user2@voip.malicious.example.com
<action-clause-container> </source-voice-id>
<flow-action> </voice>
<ingress-action>drop</ingress-action> </condition>
</flow-action> <action>
</action-clause-container> <flow-action>
</rules> <ingress-action>drop</ingress-action>
</system-policy> </flow-action>
</i2nsf-security-policy> </action>
</rules>
</i2nsf-security-policy>
Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious Figure 10: Configuration XML for VoIP/VoLTE Filter to Block
VoIP/VoLTE Packets Coming to a Company Malicious VoIP/VoLTE Packets Coming to a Company
Figure 9 and Figure 10 show the configuration XML documents for Figure 9 and Figure 10 show the configuration XML documents for
general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE
packets coming to a company. For the security requirement, two NSFs packets coming to a company. For the security requirement, two NSFs
(i.e., a general firewall and a VoIP/VoLTE filter) were used because (i.e., a general firewall and a VoIP/VoLTE filter) were used because
one NSF can not meet the security requirement. The instances of XML one NSF can not meet the security requirement. The instances of XML
documents for the general firewall and the VoIP/VoLTE filter are as documents for the general firewall and the VoIP/VoLTE filter are as
follows: Note that a detailed data model for the configuration of the follows: Note that a detailed data model for the configuration of the
advanced network security function (i.e., VoIP/VoLTE filter) can be advanced network security function (i.e., VoIP/VoLTE filter) can be
described as an extension in future. described as an extension in future.
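Review bot: in the updated Figure 9 the TCP destination port condition is broken: `<start>5061</end>` pairs mismatched tags, and both SIP ports are given as `<start>` elements with no `<end>`, so the start/end range form introduced in this version is not actually used. Suggest either a single range, `<start>5060</start>` followed by `<end>5061</end>`, or two destination-port-number entries each with matching start and end, as Figure 11 does for 80 and 443. The voice-id values in Figure 10 are likewise split onto their own lines inside `<source-voice-id>`, adding surrounding whitespace to the leaf value; keeping them inline is safer.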
skipping to change at page 93, line 7 skipping to change at page 72, line 7
blocked. blocked.
5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a 5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
Company Web Server Company Web Server
This section shows a configuration example for mitigating http and This section shows a configuration example for mitigating http and
https flood attacks on a company web server. https flood attacks on a company web server.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy>
<system-policy-name>flood_attack_mitigation</system-policy-name> <system-policy-name>flood_attack_mitigation</system-policy-name>
<rules> <rules>
<rule-name>mitigate_http_and_https_flood_attack</rule-name> <rule-name>mitigate_http_and_https_flood_attack</rule-name>
<condition-clause-container> <condition>
<packet-security-ipv4-condition> <ipv4>
<pkt-sec-ipv4-dest> <destination-address>
<ipv4-address> <ipv4-range>
<ipv4>192.0.2.11</ipv4> <start>192.0.2.11</start>
</ipv4-address> <end>192.0.2.11</end>
</pkt-sec-ipv4-dest> </ipv4-range>
</packet-security-ipv4-condition> </destination-address>
<packet-security-tcp-condition> </ipv4>
<pkt-sec-tcp-dest-port-num> <tcp>
<port-num>80</port-num> <destination-port-number>
<port-num>443</port-num> <start>80</start>
</pkt-sec-tcp-dest-port-num> <end>80</end>
</packet-security-tcp-condition> </destination-port>
</condition-clause-container> <destination-port-number>
<action-clause-container> <start>443</start>
<end>443</end>
</destination-port>
</tcp>
</condition>
<action>
<advanced-action> <advanced-action>
<attack-mitigation-control>http-and-https-flood <attack-mitigation-control>
anti-ddos
</attack-mitigation-control> </attack-mitigation-control>
</advanced-action> </advanced-action>
</action-clause-container> </action>
</rules> </rules>
</system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 11: Configuration XML for General Firewall to Mitigate HTTP Figure 11: Configuration XML for General Firewall to Mitigate
and HTTPS Flood Attacks on a Company Web Server HTTP and HTTPS Flood Attacks on a Company Web Server
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy>
<system-policy-name>flood_attack_mitigation</system-policy-name> <system-policy-name>flood_attack_mitigation</system-policy-name>
<rules> <rules>
<rule-name>mitigate_http_and_https_flood_attack</rule-name> <rule-name>mitigate_http_and_https_flood_attack</rule-name>
<condition-clause-container> <condition>
<packet-security-ddos-condition> <ddos>
<pkt-sec-alert-packet-rate>100</pkt-sec-alert-packet-rate> <alert-packet-rate>1000</alert-packet-rate>
</packet-security-ddos-condition> </ddos>
</condition-clause-container> </condition>
<action-clause-container> <action>
<flow-action> <flow-action>
<ingress-action>drop</ingress-action> <ingress-action>drop</ingress-action>
</flow-action> </flow-action>
</action-clause-container> </action>
</rules> </rules>
</system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 12: Configuration XML for HTTP and HTTPS Flood Attack Figure 12: Configuration XML for Anti-DDoS to Mitigate HTTP and
Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web HTTPS Flood Attacks on a Company Web Server
Server
Figure 11 and Figure 12 show the configuration XML documents for Figure 11 and Figure 12 show the configuration XML documents for
general firewall and http and https flood attack mitigation to general firewall and http and https flood attack mitigation to
mitigate http and https flood attacks on a company web server. For mitigate http and https flood attacks on a company web server. For
the security requirement, two NSFs (i.e., a general firewall and a the security requirement, two NSFs (i.e., a general firewall and a
http and https flood attack mitigation) were used because one NSF can http and https flood attack mitigation) were used because one NSF can
not meet the security requirement. The instances of XML documents not meet the security requirement. The instances of XML documents
for the general firewall and http and https flood attack mitigation for the general firewall and http and https flood attack mitigation
are as follows: Note that a detailed data model for the configuration are as follows: Note that a detailed data model for the configuration
of the advanced network security function (i.e., http and https flood of the advanced network security function (i.e., http and https flood
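Review bot: in the updated Figure 11 both port entries open with `<destination-port-number>` but close with `</destination-port>`, so the example is not well-formed; the closing tags should be `</destination-port-number>`. The `anti-ddos` identity is also placed on its own line inside `<attack-mitigation-control>`, which adds whitespace around the identityref value. Figure 12 raises alert-packet-rate from 100 to 1000 and its title now says Anti-DDoS, but the explanatory paragraph for Figures 11 and 12 still calls the second NSF "http and https flood attack mitigation"; using the same name as the figure title and the `anti-ddos` identity would avoid confusion.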
skipping to change at page 95, line 6 skipping to change at page 73, line 50
2. The name of the rule is mitigate_http_and_https_flood_attack. 2. The name of the rule is mitigate_http_and_https_flood_attack.
3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11) 3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11)
to inspect the access packets coming into the company web server. to inspect the access packets coming into the company web server.
4. The rule inspects a port number (i.e., 80 and 443) to inspect 4. The rule inspects a port number (i.e., 80 and 443) to inspect
http and https packet. http and https packet.
5. If the packets match the rules above, the general firewall sends 5. If the packets match the rules above, the general firewall sends
the packets to http and https flood attack mitigation for the packets to anti-DDoS for additional inspection because the
additional inspection because the general firewall can not general firewall can not control the amount of packets for http
control the amount of packets for http and https packets. and https packets.
HTTP and HTTPS Flood Attack Mitigation is as follows: Anti DDoS for HTTP and HTTPS Flood Attack Mitigation is as follows:
1. The name of the system policy is 1. The name of the system policy is flood_attack_mitigation.
http_and_https_flood_attack_mitigation.
2. The name of the rule is 100_per_second. 2. The name of the rule is mitigate_http_and_https_flood_attack.
3. The rule controls the http and https packets according to the 3. The rule controls the http and https packets according to the
amount of incoming packets. amount of incoming packets (1000 packets per second).
4. If the incoming packets match the rules above, the packets are 4. If the incoming packets match the rules above, the packets are
blocked. blocked.
6. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
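Review bot: the second NSF is named three different ways in this hunk: item 5 of the general firewall list says "anti-DDoS", the following heading says "Anti DDoS for HTTP and HTTPS Flood Attack Mitigation", and the YANG identity is `anti-ddos`; one spelling should be used throughout. Minor: item 4 reads "to inspect http and https packet" and should say "packets". The updated system policy name (flood_attack_mitigation) and rule name (mitigate_http_and_https_flood_attack) now correctly match Figure 12, and the 1000 packets per second figure matches the raised alert-packet-rate.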
skipping to change at page 96, line 15 skipping to change at page 75, line 9
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered se