--- 1/draft-ietf-i2nsf-nsf-facing-interface-dm-14.txt 2021-10-04 08:13:38.335401397 -0700 +++ 2/draft-ietf-i2nsf-nsf-facing-interface-dm-15.txt 2021-10-04 08:13:38.479404989 -0700 @@ -1,23 +1,23 @@ I2NSF Working Group J. Kim, Ed. Internet-Draft J. Jeong, Ed. Intended status: Standards Track Sungkyunkwan University -Expires: 19 March 2022 J. Park +Expires: 7 April 2022 J. Park ETRI S. Hares Q. Lin Huawei - 15 September 2021 + 4 October 2021 I2NSF Network Security Function-Facing Interface YANG Data Model - draft-ietf-i2nsf-nsf-facing-interface-dm-14 + draft-ietf-i2nsf-nsf-facing-interface-dm-15 Abstract This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework. The YANG data model in this document corresponds to the information model for NSF-Facing Interface in the I2NSF framework. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 19 March 2022. + This Internet-Draft will expire on 7 April 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -54,37 +54,37 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3 3.1. General I2NSF Security Policy Rule . . . . . . . . . . . 3 3.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 5 3.3. Condition Clause . . . . . . . . . . . . . . . . . . . . 6 3.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 11 4. YANG Data Model of NSF-Facing Interface . . . . . . . . . . . 12 - 4.1. YANG Module of NSF-Facing Interface . . . . . . . . . . . 12 + 4.1. YANG Module of NSF-Facing Interface . . . . . . . . . . . 13 5. XML Configuration Examples of Low-Level Security Policy - Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 64 + Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 65 5.1. Security Requirement 1: Block Social Networking Service - (SNS) Access during Business Hours . . . . . . . . . . . 64 + (SNS) Access during Business Hours . . . . . . . . . . . 65 5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets - Coming to a Company . . . . . . . . . . . . . . . . . . . 68 + Coming to a Company . . . . . . . . . . . . . . . . . . . 69 5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood - Attacks on a Company Web Server . . . . . . . . . . . . . 71 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 74 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 74 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 75 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 75 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 76 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 76 - 10.2. Informative References . . . . . . . . . . . . . . . . . 79 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 + Attacks on a Company Web Server . . . . . . . . . . . . . 
72 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 75 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 75 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 76 + 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 76 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 77 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 77 + 10.2. Informative References . . . . . . . . . . . . . . . . . 80 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 81 1. Introduction This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF). The YANG data model in this document is based on the information and data model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329]. The YANG data model in this document focuses on security policy configuration for the NSFs 
@@ -530,27 +530,28 @@ firewall, web filter, VoIP/VoLTE security service, and DDoS-attack mitigation in Section 5. 4.1. YANG Module of NSF-Facing Interface This section describes a YANG module of NSF-Facing Interface. This document provides identities in the data model for the configuration of an NSF. The identity has the same concept with the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG module imports from [RFC6991]. It makes references to [RFC0768] - [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4443] - [RFC4960] [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] + [RFC0791] [RFC0792] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960] + [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] - [IANA-ICMP-Parameters] [I-D.ietf-i2nsf-capability-data-model] + [IANA-ICMP-Parameters] [I-D.ietf-tcpm-rfc793bis] + [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]. - file "ietf-i2nsf-policy-rule-for-nsf@2021-09-15.yang" + file "ietf-i2nsf-policy-rule-for-nsf@2021-10-04.yang" module ietf-i2nsf-policy-rule-for-nsf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; prefix nsfintf; import ietf-inet-types{ prefix inet; reference @@ -594,21 +595,21 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2021-09-15"{ + revision "2021-10-04"{ description "The latest revision."; reference "RFC XXXX: I2NSF Network Security Function-Facing Interface YANG Data Model"; } /* * Identities */ 
@@ -842,86 +846,114 @@ "Identity for 'any IP options included in IPv4 packet"; reference "RFC 791: Internet Protocol - Options"; } identity tcp-flags { description "Base identity for TCP flags"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - TCP Header Flags + RFC 3168: The Addition of Explicit Congestion Notification + (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window + Reduced (CWR) Flag + draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback + in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced + (CWR) Flag"; } identity cwr { base tcp-flags; description "Identity for 'Congestion Window Reduced' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - TCP Header Flags + RFC 3168: The Addition of Explicit Congestion Notification + (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window + Reduced (CWR) Flag + draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback + in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced + (CWR) Flag"; } - identity ecn { + identity ece { base tcp-flags; description - "Identity for 'Explicit Congestion Notification' + "Identity for 'Explicit Congestion Notification-Echo' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - TCP Header Flags + RFC 3168: The Addition of Explicit Congestion Notification + (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window + Reduced (CWR) Flag + draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback + in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced + (CWR) Flag"; } identity urg { base tcp-flags; description "Identity for 'Urgent' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission 
Control Protocol + (TCP) Specification - Flags"; } identity ack { base tcp-flags; description "Identity for 'acknowledgement' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Flags"; } identity psh { base tcp-flags; description "Identity for 'Push' TCP flag"; + reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Flags"; } identity rst { base tcp-flags; description "Identity for 'Reset' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Flags"; } identity syn { base tcp-flags; description "Identity for 'Synchronize' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Flags"; } identity fin { base tcp-flags; description "Identity for 'Finish' TCP flag"; reference - "RFC 793: Transmission Control Protocol - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Flags"; } identity target-device { description "Base identity for target devices"; reference "draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model"; } 
@@ -1460,25 +1492,26 @@ "The end port number MUST be equal to or greater than the start port number."; } description "Ending port number for a range match."; } description "Range match for the port numbers. If only one value is needed, then set both start and end to the same value."; reference - "RFC 793: Transmission Control Protocol - Port number + "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol + (TCP) Specification - Port Number RFC 768: User Datagram Protocol - Port Number - RFC 4960: Stream Control Transmission Protocol - Port number + RFC 4960: Stream Control Transmission Protocol - Port Number RFC 4340: Datagram Congestion Control Protocol (DCCP) - - Port number"; + - Port Number"; } /* * Data nodes */ list i2nsf-security-policy { key "system-policy-name"; 
@@ -2198,60 +2233,61 @@ } } container tcp { description "The purpose of this container is to represent TCP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference - "RFC 793: Transmission Control Protocol"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control + Protocol (TCP) Specification"; leaf description { type string; description "This is description for tcp condition."; } list source-port-number { key "start end"; uses port-range; description "The security policy rule according to tcp source port number."; reference - "RFC 793: Transmission Control Protocol - - Port number"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control + Protocol (TCP) Specification - Port Number"; } list destination-port-number { key "start end"; uses port-range; description "The security policy rule according to tcp destination port number."; reference - "RFC 793: Transmission Control Protocol - - Port number"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control + Protocol (TCP) Specification - Port Number"; } leaf-list flags { type identityref { base tcp-flags; } description "The security policy rule according to tcp flags."; reference - "RFC 793: Transmission Control Protocol - - Flags"; + "draft-ietf-tcpm-rfc793bis-25: Transmission Control + Protocol (TCP) Specification - Flags"; } } container udp { description "The purpose of this container is to represent UDP packet header information to determine if the set of policy actions in this ECA policy rule should be executed or not."; reference 
@@ -3517,24 +3556,20 @@ . [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, . [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, . - [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, - RFC 793, DOI 10.17487/RFC0793, September 1981, - . - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998, . 
@@ -3635,49 +3670,56 @@ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . + [I-D.ietf-tcpm-rfc793bis] + Eddy, W. M., "Transmission Control Protocol (TCP) + Specification", Work in Progress, Internet-Draft, draft- + ietf-tcpm-rfc793bis-25, 7 September 2021, + . + [I-D.ietf-i2nsf-capability-data-model] Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, - Internet-Draft, draft-ietf-i2nsf-capability-data-model-17, - 14 August 2021, . + Internet-Draft, draft-ietf-i2nsf-capability-data-model-19, + 28 September 2021, . [I-D.ietf-i2nsf-nsf-monitoring-data-model] Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-monitoring-data-model-09, 24 August 2021, + i2nsf-nsf-monitoring-data-model-10, 15 September 2021, . + monitoring-data-model-10.txt>. 10.2. Informative References [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, . [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer- - facing-interface-dm-14, 21 August 2021, + facing-interface-dm-15, 15 September 2021, . + consumer-facing-interface-dm-15.txt>. [ISO-Country-Codes] "Codes for the representation of names of countries and their subdivisions", ISO 3166, September 2018, . [IANA-Protocol-Numbers] Internet Assigned Numbers Authority (IANA), "Assigned Internet Protocol Numbers", September 2020,
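Review bot: In the hunk at @@ -530,27 +530,28 @@, the list of documents the module "makes references to" gains [I-D.ietf-tcpm-rfc793bis] but not RFC 3168 or draft-ietf-tcpm-accurate-ecn, even though the rewritten reference statements of the tcp-flags, cwr and ece identities later in this patch cite both; add both here so the introduction and the module's reference clauses agree. In the unchanged context just above that change, "[I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG module imports from [RFC6991]." is missing the period between the two sentences.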
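Review bot: In the hunk at @@ -842,86 +846,114 @@, renaming the identity from "identity ecn" to "identity ece" is a backward-incompatible change: any existing low-level policy whose flags leaf-list carries "ecn" will no longer validate against the module. That is acceptable for a pre-RFC draft, but it should be recorded in the revision description (which this patch leaves as "The latest revision.") rather than applied silently. Three smaller points in the same hunk: the psh identity gains a stray blank "+" line between description and reference that none of the sibling identities have; the unchanged target-device reference still says "draft-ietf-i2nsf-capability-data-model-17" while the references section in this same patch moves to -19, so pinning draft version numbers in reference statements (likewise "-25" for rfc793bis) will keep drifting and citing the drafts without a version suffix would be safer; and the context line "Identity for 'any IP options included in IPv4 packet" is missing its closing single quote.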
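Review bot: In the hunk at @@ -2198,60 +2233,61 @@, the flags leaf-list ("leaf-list flags { type identityref { base tcp-flags; } ...") still has no stated match semantics: its description, "The security policy rule according to tcp flags.", does not say whether a packet matches when all listed flags are set, when any one of them is set, or only when the header's flag set equals the list exactly. Two NSFs could enforce the same rule differently (a rule listing syn and ack, for instance), which defeats the point of a common NSF-Facing model, and since this hunk already touches the node's reference text it is the natural place to pin the semantics down. The neighbouring description "This is description for tcp condition." should read "This is the description for the tcp condition."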
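Review bot: In the hunk at @@ -3635,49 +3670,56 @@, adding [I-D.ietf-tcpm-rfc793bis] to the normative references while the previous hunk drops [RFC0793] replaces a published STD 7 citation with a Work in Progress; until rfc793bis is published this document carries a normative dependency on an unpublished draft and would sit in MISSREF at the RFC Editor, so either keep RFC 793 as the normative citation with an informative pointer to rfc793bis, or accept that publication will wait on it. The section also still lacks entries for RFC 3168 and draft-ietf-tcpm-accurate-ecn, both of which the tcp-flags, cwr and ece identity reference statements in this patch cite, so those citations currently dangle.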