--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-13.txt 2021-09-15 09:14:14.707584353 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-14.txt 2021-09-15 09:14:14.847587871 -0700 @@ -1,23 +1,23 @@ I2NSF Working Group J. Kim, Ed. Internet-Draft J. Jeong, Ed. Intended status: Standards Track Sungkyunkwan University -Expires: 16 February 2022 J. Park +Expires: 19 March 2022 J. Park ETRI S. Hares Q. Lin Huawei - 15 August 2021 + 15 September 2021 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-13 + draft-ietf-i2nsf-nsf-facing-interface-dm-14 Abstract This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework. The YANG data model in this document corresponds to the information model for NSF-Facing Interface in the I2NSF framework. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 16 February 2022. + This Internet-Draft will expire on 19 March 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -238,22 +238,22 @@ module: ietf-i2nsf-policy-rule-for-nsf +--rw i2nsf-security-policy* [system-policy-name] ... +--rw rules* [rule-name] | ... | +--rw event | ... | +--rw condition | | +--rw condition-clause-description? string - | | +--rw mac - | | | +--rw mac-description? string + | | +--rw ethernet + | | | +--rw ethernet-description? string | | | +--rw source-address* yang:mac-address | | | +--rw destination-address* yang:mac-address | | | +--rw ether-type* uint16 | | +--rw ipv4 | | | +--rw description? string | | | +--rw header-length* [start end] | | | | +--rw start uint8 | | | | +--rw end uint8 | | | +--rw dscp* inet:dscp | | | +--rw total-length* [start end] 
@@ -265,78 +265,78 @@ | | | | +--rw start uint16 | | | | +--rw end uint16 | | | +--rw ttl* [start end] | | | | +--rw start uint8 | | | | +--rw end uint8 | | | +--rw protocol* uint8 | | | +--rw source-address | | | | +--rw (match-type)? | | | | +--:(prefix) | | | | | +--rw ipv4-prefix* [ipv4] - | | | | | +--rw ipv4 inet:ipv4-address + | | | | | +--rw ipv4 inet:ipv4-address-no-zone | | | | | +--rw (subnet)? | | | | | +--:(prefix-length) | | | | | | +--rw prefix-length? uint8 | | | | | +--:(netmask) | | | | | +--rw netmask? yang:dotted-quad | | | | +--:(range) | | | | +--rw ipv4-range* [start end] - | | | | +--rw start inet:ipv4-address - | | | | +--rw end inet:ipv4-address + | | | | +--rw start inet:ipv4-address-no-zone + | | | | +--rw end inet:ipv4-address-no-zone | | | +--rw destination-address | | | | +--rw (match-type)? | | | | +--:(prefix) | | | | | +--rw ipv4-prefix* [ipv4] - | | | | | +--rw ipv4 inet:ipv4-address + | | | | | +--rw ipv4 inet:ipv4-address-no-zone | | | | | +--rw (subnet)? | | | | | +--:(prefix-length) | | | | | | +--rw prefix-length? uint8 | | | | | +--:(netmask) | | | | | +--rw netmask? yang:dotted-quad | | | | +--:(range) | | | | +--rw ipv4-range* [start end] - | | | | +--rw start inet:ipv4-address - | | | | +--rw end inet:ipv4-address + | | | | +--rw start inet:ipv4-address-no-zone + | | | | +--rw end inet:ipv4-address-no-zone | | | +--rw ipopts* identityref | | +--rw ipv6 | | | +--rw description? string | | | +--rw dscp* inet:dscp | | | +--rw flow-label* [start end] | | | | +--rw start inet:ipv6-flow-label | | | | +--rw end inet:ipv6-flow-label | | | +--rw payload-length* [start end] | | | | +--rw start uint16 | | | | +--rw end uint16 | | | +--rw next-header* uint8 | | | +--rw hop-limit* [start end] | | | | +--rw start uint8 | | | | +--rw end uint8 | | | +--rw source-address | | | | +--rw (match-type)? 
| | | | +--:(prefix) | | | | | +--rw ipv6-prefix* [ipv6] - | | | | | +--rw ipv6 inet:ipv6-address + | | | | | +--rw ipv6 inet:ipv6-address-no-zone | | | | | +--rw prefix-length? uint8 | | | | +--:(range) | | | | +--rw ipv6-range* [start end] - | | | | +--rw start inet:ipv6-address - | | | | +--rw end inet:ipv6-address + | | | | +--rw start inet:ipv6-address-no-zone + | | | | +--rw end inet:ipv6-address-no-zone | | | +--rw destination-address | | | +--rw (match-type)? | | | +--:(prefix) | | | | +--rw ipv6-prefix* [ipv6] - | | | | +--rw ipv6 inet:ipv6-address + | | | | +--rw ipv6 inet:ipv6-address-no-zone | | | | +--rw prefix-length? uint8 | | | +--:(range) | | | +--rw ipv6-range* [start end] - | | | +--rw start inet:ipv6-address - | | | +--rw end inet:ipv6-address + | | | +--rw start inet:ipv6-address-no-zone + | | | +--rw end inet:ipv6-address-no-zone | | +--rw tcp | | | +--rw description? string | | | +--rw source-port-number* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw destination-port-number* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw flags* identityref | | +--rw udp @@ -382,22 +382,22 @@ | | | +--rw description? string | | | +--rw source-voice-id* string | | | +--rw destination-voice-id* string | | | +--rw user-agent* string | | +--rw ddos | | | +--rw description? string | | | +--rw alert-packet-rate? uint32 | | | +--rw alert-flow-rate? uint32 | | | +--rw alert-byte-rate? uint32 | | +--rw anti-virus - | | | +--rw profile? string - | | | +--rw exception-files? string + | | | +--rw profile* string + | | | +--rw exception-files* string | | +--rw payload | | | +--rw packet-payload-description? string | | | +--rw payload-content* string | | +--rw context | | +--rw context-description? string | | +--rw application | | | +--rw description? string | | | +--rw object* string | | | +--rw group* string | | | +--rw label* string 
@@ -530,27 +530,27 @@ firewall, web filter, VoIP/VoLTE security service, and DDoS-attack mitigation in Section 5. 4.1. YANG Module of NSF-Facing Interface This section describes a YANG module of NSF-Facing Interface. This document provides identities in the data model for the configuration of an NSF. The identity has the same concept with the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG module imports from [RFC6991]. It makes references to [RFC0768] - [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4960] - [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] - [ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] - [I-D.ietf-i2nsf-capability-data-model] + [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4443] + [RFC4960] [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] + [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] + [IANA-ICMP-Parameters] [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]. - file "ietf-i2nsf-policy-rule-for-nsf@2021-08-15.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2021-09-15.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix nsfintf; import ietf-inet-types{ prefix inet; reference @@ -560,21 +560,21 @@ prefix yang; reference "Section 3 of RFC 6991"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact - "WG Web: + "WG Web: WG List: Editor: Jinyong Tim Kim Editor: Jaehoon Paul Jeong "; description "This module is a YANG module for Network Security Functions 
@@ -594,21 +594,21 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2021-08-15"{ + revision "2021-09-15"{ description "The latest revision."; reference "RFC XXXX: I2NSF Network Security Function-Facing Interface YANG Data Model"; } /* * Identities */ 
@@ -626,110 +626,110 @@ identity priority-by-number { base priority-usage; description "Identity for priority by number"; } identity event { description "Base identity for policy events"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - Event"; } identity system-event { base event; description "Identity for system events"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System event"; } identity system-alarm { base event; description "Identity for system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System alarm"; } identity access-violation { base system-event; description "Identity for access violation system events"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System event for access violation"; } identity configuration-change { base system-event; description "Identity for configuration change system events"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System event for configuration change"; } identity memory-alarm { base system-alarm; description "Identity for memory alarm system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System alarm for memory"; } identity cpu-alarm { base system-alarm; description "Identity for CPU alarm system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF 
Monitoring YANG Data Model - System alarm for CPU"; } identity disk-alarm { base system-alarm; description "Identity for disk alarm system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System alarm for disk"; } identity hardware-alarm { base system-alarm; description "Identity for hardware alarm system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System alarm for hardware"; } identity interface-alarm { base system-alarm; description "Identity for interface alarm system alarms"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - System alarm for interface"; } identity fragmentation-flags { description "Base identity for fragmentation flags type"; reference "RFC 791: Internet Protocol - Fragmentation Flags"; } 
@@ -1036,39 +1036,48 @@ I2NSF Capability YANG Data Model"; } identity anti-ddos { base attack-mitigation-control; description "Identity for advanced NSF Anti-DDoS or DDoS Mitigator capability."; } - identity ingress-action { + identity action { description "Base identity for action"; + } + + identity ingress-action { + base action; + description + "Base identity for ingress action"; reference "draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Ingress Action"; } identity egress-action { + base action; description "Base identity for egress action"; reference "draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Egress Action"; } identity default-action { + base action; description "Base identity for default action"; + reference "draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Default Action"; } identity pass { base ingress-action; base egress-action; base default-action; description @@ -1109,23 +1118,23 @@ base default-action; description "Identity for rate limiting action"; reference "draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Actions and Default Action"; } identity log-action { + base action; description "Base identity for log action"; - } identity rule-log { base log-action; description "Identity for rule log"; } identity session-log { base log-action; @@ -1282,21 +1290,21 @@ } /* * Groupings */ grouping ipv4-prefix { description "The list of IPv4 addresses."; leaf ipv4 { - type inet:ipv4-address; + type inet:ipv4-address-no-zone; description "The value of IPv4 address."; } choice subnet { description "The subnet can be specified as a prefix length or netmask."; leaf prefix-length { type uint8 { range "0..32"; 
@@ -1306,28 +1314,27 @@ } leaf netmask { type yang:dotted-quad; description "The subnet specified as a netmask."; } } reference "RFC 791: Internet Protocol - IPv4 address RFC 8344: A YANG Data Model for IP Management"; - } grouping ipv6-prefix { description "The list of IPv6 addresses."; leaf ipv6 { - type inet:ipv6-address; + type inet:ipv6-address-no-zone; description "The value of IPv6 address."; } leaf prefix-length { type uint8 { range "0..128"; } description "The length of the subnet prefix."; } @@ -1337,47 +1344,47 @@ RFC 8344: A YANG Data Model for IP Management"; } grouping ipv4-range { description "Range match for the IPv4 addresses. If only one value is needed, then set both start and end to the same value. The end IPv4 address MUST be equal or greater than the start IPv4 address."; leaf start { - type inet:ipv4-address; + type inet:ipv4-address-no-zone; description "Starting IPv4 address for a range match."; } leaf end { - type inet:ipv4-address; + type inet:ipv4-address-no-zone; description "Ending IPv4 address for a range match."; } reference "RFC 791: Internet Protocol - IPv4 address"; } grouping ipv6-range { description "Range match for the IPv6 addresses. If only one value is needed, then set both start and end to the same value. The end IPv6 address number MUST be equal to or greater than the start IPv6 address."; leaf start { - type inet:ipv6-address; + type inet:ipv6-address-no-zone; description "Starting IPv6 address for a range match."; } leaf end { - type inet:ipv6-address; + type inet:ipv6-address-no-zone; description "Ending IPv6 address for a range match."; } reference "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - IPv6 address"; } grouping ipv4-address { description 
@@ -1556,51 +1562,54 @@ "This description gives more information about rules."; } leaf rule-priority { type uint8 { range "1..255"; } description "The priority keyword comes with a mandatory - numeric value which can range from 1 till 255. + numeric value which can range from 1 up to 255. Note that a higher number means a higher priority"; } leaf rule-enable { type boolean; description "True is enable. False is not enable."; } leaf session-aging-time { type uint16; units "second"; description "This is session aging time."; } container long-connection { description - "This is long-connection"; + "A container for long connection. A long connection is a + connection that is maintained after the socket connection + is established, regardless of whether it is used for data + traffic or not."; leaf enable { type boolean; description - "True is enable. - False is not enable."; + "True is enabled. + False is not enabled."; } - leaf duration { type uint16; + units "second"; description "This is the duration of the long-connection."; } } container event { description "An event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being @@ -1610,21 +1619,21 @@ or not. Examples of an I2NSF event include time and user actions (e.g., logon, logoff, and actions that violate any ACL.)."; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Design Principles and ECA Policy Model Overview - draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF + draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - Alarms, Events, Logs, and Counters"; leaf event-clause-description { type string; description "Description for an event clause"; } container time { 
@@ -1742,21 +1753,21 @@ container event-clauses { description "System Event Clause - either a system event or system alarm"; reference "RFC 8329: Framework for Interface to Network Security Functions - I2NSF Flow Security Policy Structure draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Design Principles and ECA Policy Model Overview - draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF + draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF Monitoring YANG Data Model - Alarms, Events, Logs, and Counters"; leaf-list system-event { type identityref { base system-event; } description "The security policy rule according to system events."; @@ -2962,41 +2975,35 @@ key "group-name"; description "This is a group for rules"; leaf group-name { type string; description "This is a group for rules"; } - container rule-range { - description - "This is a rule range."; - - leaf start-rule { - type string; - description - "This is a start rule"; + leaf-list rule-name { + type leafref { + path + "../../../rules/rule-name"; } - leaf end-rule { - type string; description - "This is a end rule"; - } + "The names of the rules to be grouped."; } + leaf enable { type boolean; description - "This is enable - False is not enable."; + "True is enabled, and False is not enabled."; } + leaf description { type string; description "This is a description for rule-group"; } } } } } 
@@ -3469,21 +3476,21 @@ 9. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document, such as Acee Lindem and Roman Danyliw. The authors sincerely appreciate their contributions. The following are co-authors of this document: - Patrick Lingga Department of Computer Science and Engineering + Patrick Lingga Department of Electrical and Computer Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do 16419 Republic of Korea EMail: patricklink@skku.edu Hyoungshick Kim Department of Computer Science and Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do 16419 Republic of Korea EMail: hyoung@skku.edu Daeyoung Hyun Department of Computer Science and Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do 16419 Republic of Korea EMail: dyhyun@skku.edu @@ -3540,24 +3547,34 @@ [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006, . + [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", STD 89, + RFC 4443, DOI 10.17487/RFC4443, March 2006, + . + [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007, . + [RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol + (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595, + September 2009, . + [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . 
@@ -3629,56 +3646,62 @@ Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-capability-data-model-17, 14 August 2021, . [I-D.ietf-i2nsf-nsf-monitoring-data-model] Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-monitoring-data-model-08, 29 April 2021, + i2nsf-nsf-monitoring-data-model-09, 24 August 2021, . + monitoring-data-model-09.txt>. 10.2. Informative References [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, . [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer- - facing-interface-dm-13, 8 March 2021, + facing-interface-dm-14, 21 August 2021, . + consumer-facing-interface-dm-14.txt>. [ISO-Country-Codes] "Codes for the representation of names of countries and their subdivisions", ISO 3166, September 2018, . [IANA-Protocol-Numbers] - Internet Assigned Numbers Authority (IANA), "Internet - Control Message Procotol (ICMP) Parameters", September - 2020, . - - [IANA-ICMP-Parameters] Internet Assigned Numbers Authority (IANA), "Assigned - Internet Protocol Numbers", February 2021, + Internet Protocol Numbers", September 2020, . + [IANA-ICMP-Parameters] + Internet Assigned Numbers Authority (IANA), "Internet + Control Message Procotol (ICMP) Parameters", February + 2021, . + + [IANA-ICMPv6-Parameters] + Internet Assigned Numbers Authority (IANA), "Internet + Control Message Procotol version 6 (ICMPv6) Parameters", + February 2021, . + [IEEE-802.3] Institute of Electrical and Electronics Engineers, "IEEE Standard for Ethernet", 2018, . 
Authors' Addresses Jinyong (Tim) Kim (editor) Department of Electronic, Electrical and Computer Engineering Sungkyunkwan University
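Review bot: Naming inconsistency in the @@ -238 hunk: the renamed container `ethernet` keeps a prefixed description leaf (`ethernet-description?`) while the sibling containers `ipv4`, `ipv6` and `tcp` use a plain `description?`; use `description?` here as well, or rename the others to match. Renaming `mac` to `ethernet` is also a backward-incompatible change to the tree, so the revision statement should record it.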
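Review bot: The switch to `inet:ipv4-address-no-zone` and `inet:ipv6-address-no-zone` in the @@ -265 tree hunk is not explained anywhere in the visible text; add one sentence in Section 4.1 or in the grouping descriptions stating that zone indices are excluded because policy matching operates on addresses as carried in packet headers. Also confirm the tree diagram was regenerated (for example with `pyang -f tree`) rather than edited by hand, since it has to stay in sync with the groupings changed in the @@ -1282 and @@ -1337 hunks.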
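Review bot: Changing `profile` and `exception-files` from a single leaf to a leaf-list in the @@ -382 hunk is a non-backward-compatible schema change, and the new leaf-lists still carry no constraints or documented semantics: state whether `exception-files*` entries are file names, paths or patterns, and whether multiple `profile*` entries are all applied or are alternatives, and add a `pattern` or at least a description that says so.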
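Review bot: The reference sentence in the @@ -530 hunk now lists [RFC4443] and [RFC5595] but omits [IANA-ICMPv6-Parameters], which the @@ -3629 hunk adds to Section 10.2; either the module cites that registry and the sentence should list it, or the new reference entry is unused. The preceding sentence in the unchanged context still ends without a full stop after `[I-D.ietf-i2nsf-consumer-facing-interface-dm]`.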
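Review bot: The revision statement in the @@ -594 hunk only bumps the date and keeps the description `"The latest revision."`; a revision description should summarize what changed (the `mac` to `ethernet` rename, the `-no-zone` address types, the new `action` base identity, the rule-group leafref) so that consumers of the module can tell the two versions apart without diffing them.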
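Review bot: Style point on the @@ -626 hunk: every `reference` string embeds the upstream draft version (`draft-ietf-i2nsf-nsf-monitoring-data-model-09`), so each upstream revision forces a dozen identical edits and an easy-to-miss stale citation that no validator will flag. Cite the draft without its version number, or use the `RFC XXXX` placeholder the revision statement already uses and let the RFC Editor fill it in.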
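Review bot: The new base `identity action` in the @@ -1036 hunk has a one-line description and no `reference`, unlike the three identities now derived from it; say what the base is for (presumably a common base so one identityref can accept ingress, egress, default and log actions) and whether any leaf actually uses `base action`. `default-action` gaining the `reference` it previously lacked is a good fix.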
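Review bot: `log-action` now derives from `action` in the @@ -1109 hunk, so an identityref with `base action` would accept `rule-log` and `session-log` alongside `pass` or the rate limiting action; the description should state whether a log action stands alone or is combined with a forwarding action, since `pass` still derives only from ingress-action, egress-action and default-action. The removed blank line before `identity rule-log` is an unrelated whitespace change.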
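Review bot: In the @@ -1282 hunk the `ipv4-prefix` grouping keeps the `subnet` choice between `prefix-length` and `netmask` without a default and without saying what a bare `ipv4` with neither means; state whether a bare address is treated as a /32 host match so that two NSF implementations do not interpret the same policy differently.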
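Review bot: The range groupings in the @@ -1337 hunk enforce `end` >= `start` only in description text; an XPath `must` would compare the address strings lexicographically rather than numerically, so state explicitly that the NSF MUST reject a configuration whose `end` is below `start`, otherwise a reversed range silently matches nothing and the policy gap is hard to notice. Also `The end IPv6 address number MUST be equal to or greater than` should read `The end IPv6 address MUST be equal to or greater than`, matching the IPv4 text.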
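Review bot: In the @@ -1556 hunk `duration` gains `units "second"` but no `default` and no statement of what happens when `long-connection/enable` is true and `duration` is absent, or is 0; add a default or a description covering that case, and say whether the `uint16` cap of about 18 hours is intended. The rewrite of the `enable` description to `"True is enabled. False is not enabled."` is good; the same wording in `rule-enable` (`"True is enable. False is not enable."`) in the unchanged context should be updated too.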
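Review bot: The leafref in the @@ -2962 hunk, `../../../rules/rule-name`, has to be checked against the actual nesting: from a `rule-group` entry, three levels up must land on the `i2nsf-security-policy` entry that owns `rules`, or the path will not validate; run `pyang` on the module to confirm. `leafref` defaults to `require-instance true`, so every listed rule must exist, which is the desired behaviour and worth stating in the description. `enable` still has no `default`.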
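Review bot: [RFC4443] and [RFC5595] are added as normative references in the @@ -3540 hunk, but no hunk in this diff adds a `reference` statement in the module that cites RFC 4443 or RFC 5595; confirm the module body actually uses them, otherwise the entries are unused references.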
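Review bot: The typo `Procotol` in the @@ -3629 hunk is carried into both the re-ordered [IANA-ICMP-Parameters] entry and the new [IANA-ICMPv6-Parameters] entry; fix to `Protocol` in both. The swap that puts "Assigned Internet Protocol Numbers" under [IANA-Protocol-Numbers] corrects a previously mislabeled pair, good; since the IANA registries are living documents, the dates (September 2020, February 2021) should be refreshed to the date they were last consulted.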