[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01

Interface to Network Security Functions (I2NSF)                   L. Xia
Internet-Draft                                                    Q. Lin
Intended status: Standards Track                                  Huawei
Expires: April 24, 2019                                 October 21, 2018


              I2NSF Security Policy Object YANG Data Model
                    draft-xia-i2nsf-sec-object-dm-01

Abstract

   This document describes a set of policy objects which are reusable
   and can be referenced by variable I2NSF policy rules.  And the YANG
   data models of these policy objects are provided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Xia & Lin                Expires April 24, 2019                 [Page 1]


Internet-Draft      Security Policy Object Data Model       October 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Policy Object . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Address Object and Address Group  . . . . . . . . . . . .   4
     5.2.  Service Object and Service Group  . . . . . . . . . . . .   5
     5.3.  Application Object and Application Group  . . . . . . . .   7
     5.4.  User Object, User Group and Security Group  . . . . . . .   9
     5.5.  Time Range Object . . . . . . . . . . . . . . . . . . . .  11
     5.6.  Region Object and Region Group  . . . . . . . . . . . . .  11
     5.7.  Domain Object . . . . . . . . . . . . . . . . . . . . . .  12
   6.  I2NSF Security Policy Object YANG Module  . . . . . . . . . .  13
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  46
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  46
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  46
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  46
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  46
     10.2.  Informative References . . . . . . . . . . . . . . . . .  46
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  47

1.  Introduction

   As described in [RFC8329], provisioning to NSFs can be standardized
   by using policy rules, and I2NSF uses Event-Condition-Action (ECA)
   model to represent policy rules.  According to
   [I-D.ietf-i2nsf-terminology], an I2SNF condition is defined as a set
   of attributes, features, and/or values that are to be compared with a
   set of known attributes, features, and/or values in order to
   determine whether the set of actions in that I2NSF policy rules can
   be executed or not.  Information Model of NSFs Capabilities
   [I-D.ietf-i2nsf-capability] describes attributes of different
   condition subclasses.  When configuring I2NSF condition clause by
   attributes or features, it is common to see that the same value of an
   attribute or the same value set of several attributes are configured
   for many times.  And modifications of the policy rules are also very
   tedious and time-consuming.

   To facilitate the provisioning of NSF instances, this document
   describes a set of policy objects which are reusable.  These policy
   objects can then be referenced in the condition clause of variable
   I2NSF policy rules.  A policy object consists of a name attribute
   that identifies itself and one or several attributes that are
   typically used together to represent a certain condition.  For
   example, protocol type and port number are usually used together to
   represent a certain service.  Each policy object should be predefined



Xia & Lin                Expires April 24, 2019                 [Page 2]


Internet-Draft      Security Policy Object Data Model       October 2018


   and named in order to be used in I2NSF policy rules.  By defining
   policy objects, the creation and maintenance of policy rules are
   greatly simplified.

   o  A policy object can be referenced in different policy rules as
      required to provide re-usability.  And a policy rule can reference
      several policy objects.

   o  The modification of a policy object will be propagated to the
      I2NSF policy rules that reference this object.  No modification
      should be made to the related policy rules.

   According to [I-D.ietf-i2nsf-terminology], there are two kinds of
   I2NSF policy rules, I2NSF Directly Consumable Policy Rule and I2NSF
   Indirectly Consumable Policy Rule.  The former one can be executed by
   a network device without translating its content or structure, while
   the latter one can not be executed by a network device without first
   translating its content or structure.  In this document, policy
   objects are defined for I2NSF directly consumable policy rules.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology]
   and [RFC7950].

4.  Tree Diagrams

   Tree diagram defined in [RFC8340] is used to represent the policy
   objects defined in this document.  The meaning of the symbols used in
   the tree diagrams of following sections and the syntax are as
   follows:

   o  Groupings, offset by 2 spaces, and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefaces with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.




Xia & Lin                Expires April 24, 2019                 [Page 3]


Internet-Draft      Security Policy Object Data Model       October 2018


   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only), and "-u"
      indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a "list" and "leaf-
      list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that node depends on.

5.  Policy Object

   These document defines policy objects that are commonly used.
   Figure 1 shows all the defined policy objects and their
   relationships.

   +-------------------------------------------------------------------+
   |                       Policy Object                               |
   +-------------------------------------------------------------------+
       |         |           |          |        |      |    |     |
       |         |           |          |        |      |    |     |
   +-------+ +-------+ +-----------+ +-----+ +--------+ |    |     |
   |Address| |Service| |Application| |User | |Security| |    |     |
   |Group  | |Group  | |Group      | |Group| |Group   | | +------+ |
   +-------+ +-------+ +-----------+ +-----+ +--------+ | |Domain| |
       |         |           |          |        |      | |Object| |
       |         |           |          +--------+      | +------+ |
       |         |           |              |           |          |
   +-------+ +-------+ +-----------+     +------+  +----------+ +------+
   |Address| |Service| |Application|     |User  |  |Time Range| |Region|
   |Object | |Object | |Object     |     |Object|  |Object    | |Object|
   +-------+ +-------+ +-----------+     +------+  +----------+ +------+

                   Figure 1: The Policy Objects Overview

5.1.  Address Object and Address Group

   An address object is identified by a unique name, which contains a
   set of IPv4/IPv6 addresses or MAC addresses.  Several address objects
   can be organized into an address group object.

   This document defines groupings for address objects and address
   groups.




Xia & Lin                Expires April 24, 2019                 [Page 4]


Internet-Draft      Security Policy Object Data Model       October 2018


   The tree diagram of address object is:

   grouping address-objects:
     +--rw address-object* [name]
        +--rw name                    address-set-name
        +--rw desc?                   string
        +--rw vpn-instance?           string
        +--rw elements*   [elem-id]
           +--rw elem-id              uint16
           +--rw (object-items)
              +--:(ipv4)
              |  +--rw address-ipv4   inet:ipv4-prefix
              +--:(ipv6)
              |  +--rw address-ipv6   inet:ipv6-prefix
              +--:(mac)
              |  +--rw mac-address    yang:mac-address
              |  +--rw mac-address-mask  yang:mac-address
              +--:(ipv4-range)
              |  +--rw start-ipv4     inet:ipv4-address
              |  +--rw end-ipv4       inet:ipv4-address
              +--:(ipv6-range)
                 +--rw start-ipv6     inet:ipv6-address
                 +--rw end-ipv6       inet:ipv6-address

   The tree diagram of address group is:

   grouping address-groups:
     +--rw address-group* [name]
        +--rw name                     address-set-name
        +--rw desc?                    string
        +--rw vpn-instance             string
        +--rw elements* [elem-id]
           +--rw elem-id               uint16
           +--rw addr-object-name      address-set-name

5.2.  Service Object and Service Group

   A service object is a kind of service based on IP, or ICMP, or UDP,
   or TCP, or SCTP.  Several related objects consist a service group.
   To identify different kinds of services, different kinds of
   attributes should be specified.

   o  UDP, TCP, or SCTP based service is recognized by port number.  The
      source port number and destination port number are used to
      identify the sending and receiving service respectively.

   o  ICMP or ICMPv6 based service is recognized by two header fields in
      the ICMP/ICMPv6 packets: type field and code field.



Xia & Lin                Expires April 24, 2019                 [Page 5]


Internet-Draft      Security Policy Object Data Model       October 2018


   o  IP based service is recognized by the value of the protocol field
      in IP packet header.

   Besides, a set of well-known services should be predefined by NSFs as
   service objects to support direct usage.

   The tree diagram of service object is:

   grouping service-objects:
     +--ro pre-defined-service* [name]
     |  +--ro name                   string
     |  +--ro session-aging-time     uint16
     +--rw service-object* [name]
        +--rw name                   service-set-name
        +--rw session-aging-time     uint16
        +--rw desc?                  string
        +--rw items* [id]
           +--rw id                  uint16
           +--rw (item)
              +--:(tcp-item)
              |  +--rw tcp
              |     +---u port-items
              +--:(udp-item)
              |  +--rw udp
              |     +---u port-items
              +--:(sctp-item)
              |  +--rw sctp
              |     +---u port-items
              +--:(icmp-item)
              |  +--rw (icmp-type)
              |     +--:(name-type)
              |     |  +--rw icmp-name          icmp-name-type
              |     +--:(type-code)
              |        +--rw icmp-type-code
              |           +--rw icmp-type-number    uint8
              |           +--rw icmp-code-number    string
              +--:(icmp6-item)
              |  +--rw (icmp6)
              |     +--:(name-type)
              |     |  +--rw icmp6-name         icmp6-name-type
              |     +--:(type-code)
              |        +--rw icmp6-type-code
              |           +--rw icmp-type-number    uint8
              |           +--rw icmp-code-number    string
              +--:(protocol-id)
                 +--rw proto-id                 proto-id-range





Xia & Lin                Expires April 24, 2019                 [Page 6]


Internet-Draft      Security Policy Object Data Model       October 2018


   The "port-items" grouping reuses "port-range-or-operator" grouping
   defined in [I-D.ietf-netmod-acl-model].

   grouping port-items:
     +--rw source-port
     |  +---u pf:port-range-or-operator
     +--rw dest-port
        +---u pf:port-range-or-operator

   The tree diagram of service group is:

   grouping service-groups:
     +--rw service-group* [name]
        +--rw name                   service-set-name
        +--rw desc?                  string
        +--rw items* [id]
           +--rw id                  uint16
           +--rw service-set-name    service-set-name

5.3.  Application Object and Application Group

   Due to the diversity and large amount of applications, it is not able
   to identify a certain application based on protocol type and port
   number.  For example, there are many web applications with different
   risk levels run on ports 80 and 443 using HTTP and HTTPS, such as web
   gaming application and web chat application.  Protocol type and port
   number could not distinguish applications using the same application
   protocol.  In this document, category, subcategory, data transmission
   model, and risk level are used to describe an application.  A set of
   well-known application objects should be predefined in NSFs to
   support direct reference.

   The tree diagram of application object is:


















Xia & Lin                Expires April 24, 2019                 [Page 7]


Internet-Draft      Security Policy Object Data Model       October 2018


   grouping application-objects:
     +--rw user-defined-application {user-defined-application}?
     |  +--rw application* [name]
     |     +--rw name                 string
     |     +--rw label*               string
     |     +--rw data-model?          string
     |     +--rw category?            string
     |     +--rw subcategory?         string
     |     +--ro risk-value?          uint32
     |     +--rw desc?   string
     |     +--rw rule* [name]
     |        +--rw name               string
     |        +--rw protocol?          protocol
     |        +--rw signature
     |        |  +--rw mode?           mode
     |        |  +--rw direction?      direction
     |        |  +--rw pattern-type?   pattern-type
     |        |  +--rw pattern?        string
     |        |  +--rw field?          identityref
     |        +--rw ip-address*    inet:ip-prefix
     |        +--rw port*          inet:port-number
     |        +--rw desc?   string
     +--ro predefined-application
        +--ro application* [name]
           +--ro name                  string
           +--ro protocol*             string
           +--ro risk-value?           uint32
           +--ro label*                string
           +--ro abandon?              boolean
           +--ro multichannel?         boolean
           +--ro data-model?           string
           +--ro category?             string
           +--ro subcategory?          string
           +--ro desc?                 string

   The tree diagram of application group is:

   grouping application-groups:
     +--rw application-group* [name]
        +--rw name                          string
        +--rw desc?                         string
        +--rw items* [id]
           +--rw id                         uint16
           +--rw application-object-name    string







Xia & Lin                Expires April 24, 2019                 [Page 8]


Internet-Draft      Security Policy Object Data Model       October 2018


5.4.  User Object, User Group and Security Group

   A user object identifies a person who may access network resources.
   It is the basis of implementing user-based policy control.  The user
   objects may be created locally on the NSFs, or be imported from third
   parties, such as authentication servers.  User objects that require
   the same policy enforcement are grouped as user group objects or
   security group objects.  The user group objects are organized as a
   hierarchical structure.  A security group object consists of user
   objects from different user group objects that require the same
   policy enforcement.

                       +---------------------------+
                       |        UserGroup_3        |
                       +---------------------------+
                         |                       |
                         |                       |
                 +--------------+         +--------------+
                 | UserGroup_1  |         | UserGroup_2  |
                 +--------------+         +--------------+
                   |          |             |          |
                   |          |             |          |
              +--------+  +--------+   +--------+  +--------+
              | User_1 |  | User_2 |   | User_a |  | User_b |
              +--------+  +--------+   +--------+  +--------+
                               \           /
                                \         /
                            +-----------------+
                            | SecurityGroup_1 |
                            +-----------------+

    Figure 2: Example of User, User Group and Security Group Structure

   The tree diagram of user object is:

















Xia & Lin                Expires April 24, 2019                 [Page 9]


Internet-Draft      Security Policy Object Data Model       October 2018


   grouping user-objects:
     +--rw user-object* [name aaa-domain]
        +--rw name         user-name
        +--rw aaa-domain   string
        +--rw desc?        string
        +--rw password?    ianach:crypt-hash
        +--rw parent-user-group       user-group-name
        +--rw parent-security-group   user-security-group-name
        +--rw expiration-time
        |  +--:(expiration-type)
        |     +--rw (never-expire)
        |     |  +--rw never-expire
        |     +--rw (expire-after-this-time)
        |        +--rw expiration-time  yang:date-and-time
        +--rw ip-mac-binding
           +--: (bind-state)
              +--rw (no-binding)
              |  +--rw no-binding
              +--rw (binding)
                 +--rw bind-mode       ip-mac-binding-type
                 +--rw ip-binding*     inet:ipv4-address
                 +--rw mac-binding*    yang:mac-address
                 +--rw ip-mac-bindings [ip-binding]
                    +--rw ip-binding   inet:ipv4-address
                    +--rw mac-binding  yang:mac-address;

   The tree diagram of user group is:

   grouping user-groups:
     +--rw user-group* [name]
        +--rw name               user-group-name
        +--rw desc?              string
        +--rw parent-user-group  user-group-name

   The tree diagram of security group is:

   grouping security-groups:
     +--rw security-group* [name]
        +--rw name                    user-security-group-name
        +--rw desc?                   string
        +--rw parent-security-group*? user-security-group-name
        +--rw filter-action
           +--:(filter-type)
              +--rw (static)
              |  +--rw static
              +--rw (dynamic)
                 +--rw dynamic
                 +--rw filter-rule*  string



Xia & Lin                Expires April 24, 2019                [Page 10]


Internet-Draft      Security Policy Object Data Model       October 2018


5.5.  Time Range Object

   There are two kinds of time ranges: periodic time range and absolute
   time range.  A periodic time range occurs every week.  An absolute
   time range occurs only once.

   The tree diagram of time range object is:

   grouping time-range-objects:
     +--rw time-range-object* [name]
        +--rw name            time-range-name
        +--rw period-time* [start end]
        |  +--rw start        hour-minute-second
        |  +--rw end          hour-minute-second
        |  +--rw weekday      weekday
        +--rw absolute-time* [start end]
           +--rw start        yang:date-and-time
           +--rw end          yang:date-and-time

5.6.  Region Object and Region Group

   A region object is a set of public IP addresses that are assigned to
   a certain geographic location.  A region group consists of a set of
   region objects.

   The tree diagram of region object is:

























Xia & Lin                Expires April 24, 2019                [Page 11]


Internet-Draft      Security Policy Object Data Model       October 2018


   grouping region-objects:
     +--ro pre-defined-region* [name]
     |  +--ro name              region-name
     |  +--ro desc?             string
     |  +--ro region-ipv4-address
     |  |  +--ro address-ipv4*  inet:ipv4-prefix
     |  |  +--ro address-ipv4-range* [start-ipv4 end-ipv4]
     |  |     +--ro start-ipv4  inet:ipv4-address
     |  |     +--ro end-ipv4    inet:ipv4-address
     |  +--ro region-ipv6-address {support-ipv6-address}?
     |     +--ro address-ipv6*  inet:ipv6-prefix
     |     +--ro address-ipv6-range* [start-ipv6 end-ipv6]
     |        +--ro start-ipv6  inet:ipv6-address
     |        +--ro end-ipv6    inet:ipv6-address
     +--rw user-defined-region* [name]
        +--rw name              region-name
        +--rw desc?             string
        +--rw coordinate
        |  +--rw longitude      region-longitude
        |  +--rw latitude       region-latitude
        +--rw region-ipv4-address
        |  +--rw address-ipv4*  inet:ipv4-prefix
        |  +--rw address-ipv4-range* [start-ipv4 end-ipv4]
        |     +--rw start-ipv4  inet:ipv4-address
        |     +--rw end-ipv4    inet:ipv4-address
        +--rw region-ipv6-address {support-ipv6-address}?
           +--rw address-ipv6*  inet:ipv6-prefix
           +--rw address-ipv6-range* [start-ipv6 end-ipv6]
              +--rw start-ipv6  inet:ipv6-address
              +--rw end-ipv6    inet:ipv6-address

   The tree diagram of region group is:

   grouping region-groups:
     +--rw region-group* [name]
        +--rw name                 region-name
        +--rw desc?                string
        +--rw region-name*         region-name
        +--rw region-group-name*   region-name

5.7.  Domain Object

   The tree diagram of domain object is:








Xia & Lin                Expires April 24, 2019                [Page 12]


Internet-Draft      Security Policy Object Data Model       October 2018


   grouping domain-objects:
     +--rw domain-object*  [name]
        +--rw name        domain-name
        +--rw desc?       string
        +--rw domain*     string

6.  I2NSF Security Policy Object YANG Module

<CODE BEGINS> file "ietf-policy-object@2018-10-12.yang"
module ietf-policy-object {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-policy-object";
  prefix policy-object;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  import iana-crypt-hash {
    prefix ianach;
    reference
      "RFC7317 - A YANG Data Model for System Management.";
  }

  import ietf-packet-fields {
    prefix pf;
    reference
      "draft-ietf-netmod-acl-model - Network Access Control List (ACL) YANG Data Model.";
  }

  organization
    "IETF I2NSF (Interface To Network Security Functions) Working Group";

  contact
    "WG Web: http://tools.ietf.org/wg/i2nsf/
    WG List: i2nsf@ietf.org

    Editor: Liang Xia
            frank.xialiang@huawei.com
    Editor: Qiushi Lin



Xia & Lin                Expires April 24, 2019                [Page 13]


Internet-Draft      Security Policy Object Data Model       October 2018


            linqiushi@huawei.com";

  description
    "This YANG module defines groupings that are used by ietf-policy-object YANG module. Their usage is not limited to ietf-policy-object and can be used anywhere as applicable.";

  revision 2018-10-12 {
    description "Initial version.";
    reference
      "draft-xia-i2nsf-sec-object-dm-01";
  }

  /*
  * Typedefs for address object and address group
  */
  typedef address-set-name {
    type string {
      length "1..63";
    }
    description
      "This type represents an address object or an address group name.";
  }

  /*
  * Typedefs for service object and service group
  */
  typedef service-set-name {
    type string {
      length "1..63";
    }
    description
      "This type represents a service object or a service group name.";
  }

  typedef port-range {
    type uint16;
    description
      "This type represents a port number, which may be a start port of a port range or an end port of a port range.";
  }

  typedef proto-id-range {
    type uint8 {
      range "0..255";
    }
    description
      "This type represents the range of protocol id.";
  }

  typedef icmp-name-type {



Xia & Lin                Expires April 24, 2019                [Page 14]


Internet-Draft      Security Policy Object Data Model       October 2018


    type enumeration {
      enum echo {
                description
          "ICMP type number 8, ICMP code number 0";
          }
      enum echo-reply {
                description
          "ICMP type number 0, ICMP code number 0";
          }
      enum fragmentneed-DFset {
                description
          "ICMP type number 3, ICMP code number 4";
          }
      enum host-redirect {
                description
          "ICMP type number 5, ICMP code number 1";
          }
      enum host-tos-redirect {
                description
          "ICMP type number 5, ICMP code number 3";
          }
      enum host-unreachable {
                description
          "ICMP type number 3, ICMP code number 1";
          }
      enum information-reply {
                description
          "ICMP type number 16, ICMP code number 0";
          }
      enum information-request {
                description
          "ICMP type number 15, ICMP code number 0";
          }
      enum net-redirect {
                description
          "ICMP type number 5, ICMP code number 0";
          }
      enum net-tos-redirect {
                description
          "ICMP type number 5, ICMP code number 2";
          }
      enum net-unreachable {
                description
          "ICMP type number 3, ICMP code number 0";
          }
      enum parameter-problem {
                description
          "ICMP type number 12, ICMP code number 0";



Xia & Lin                Expires April 24, 2019                [Page 15]


Internet-Draft      Security Policy Object Data Model       October 2018


          }
      enum port-unreachable {
                description
          "ICMP type number 3, ICMP code number 3";
          }
      enum protocol-unreachable {
                description
          "ICMP type number 3, ICMP code number 2";
          }
      enum reassembly-timeout {
                description
          "ICMP type number 11, ICMP code number 1";
          }
      enum source-quench {
                description
          "ICMP type number 4, ICMP code number 0";
          }
      enum source-soute-failed {
                description
          "ICMP type number 3, ICMP code number 5";
          }
      enum timestamp-reply {
                description
          "ICMP type number 14, ICMP code number 0";
          }
      enum timestamp-request {
                description
          "ICMP type number 13, ICMP code number 0";
          }
      enum ttl-exceeded {
                description
          "ICMP type number 11, ICMP code number 0";
          }
    }
    description
      "This type is an enumeration of ICMP type names.";
  }

  typedef icmp6-name-type {
    type enumeration {
      enum redirect {
                description
          "ICMPv6 type number 137, ICMPv6 code number 0";
          }
      enum echo {
                description
          "ICMPv6 type number 128, ICMPv6 code number 0";
          }



Xia & Lin                Expires April 24, 2019                [Page 16]


Internet-Draft      Security Policy Object Data Model       October 2018


      enum echo-reply {
                description
          "ICMPv6 type number 129, ICMPv6 code number 0";
          }
      enum err-Header-field {
                description
          "ICMPv6 type number 4, ICMPv6 code number 0";
          }
      enum frag-time-exceeded {
                description
          "ICMPv6 type number 3, ICMPv6 code number 1";
          }
      enum hop-limit-exceeded {
                description
          "ICMPv6 type number 3, ICMPv6 code number 0";
          }
      enum host-admin-prohib {
                description
          "ICMPv6 type number 1, ICMPv6 code number 1";
          }
      enum host-unreachable {
                description
          "ICMPv6 type number 1, ICMPv6 code number 3";
          }
      enum neighbor-advertisement {
                description
          "ICMPv6 type number 136, ICMPv6 code number 0";
          }
      enum neighbor-solicitation {
                description
          "ICMPv6 type number 135, ICMPv6 code number 0";
          }
      enum network-unreachable {
                description
          "ICMPv6 type number 1, ICMPv6 code number 0";
          }
      enum packet-too-big {
                description
          "ICMPv6 type number 2, ICMPv6 code number 0";
          }
      enum port-unreachable {
                description
          "ICMPv6 type number 1, ICMPv6 code number 4";
          }
      enum router-advertisement {
                description
          "ICMPv6 type number 134, ICMPv6 code number 0";
          }



Xia & Lin                Expires April 24, 2019                [Page 17]


Internet-Draft      Security Policy Object Data Model       October 2018


      enum router-solicitation {
                description
          "ICMPv6 type number 133, ICMPv6 code number 0";
          }
      enum unknown-ipv6-opt {
                description
          "ICMPv6 type number 4, ICMPv6 code number 2";
          }
      enum unknown-next-hdr {
                description
          "ICMPv6 type number 4, ICMPv6 code number 1";
          }
    }
    description
      "This type is an enumeration of ICMPv6 type names.";
  }

  /*
  * Typedefs for application object and application group
  */
  typedef protocol {
    type enumeration {
      enum tcp {
                description
          "tcp protocol";
          }
      enum udp {
                description
          "udp protocol";
          }
      enum any {
                description
          "any protocol";
          }
    }
    description
      "The protocol of user-defined application rule:tcp/udp/any.";
  }

  typedef mode {
    type enumeration {
      enum flow {
                description
          "Keyword exists in multiple packets";
          }
      enum packet{
                description
          "Keyword exists in one packet";



Xia & Lin                Expires April 24, 2019                [Page 18]


Internet-Draft      Security Policy Object Data Model       October 2018


          }
    }
    description
      "The mode of keyword identification to identify user-defined applications. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow.";
  }

  typedef direction {
    type enumeration {
      enum request {
        description
          "Request indicates that data to the server is monitored to detect applications.";
      }
      enum response {
        description
          "Response indicates that data from the server is monitored to detect applications.";
      }
      enum both {
        description
          "Both indicates that data from and to the server is monitored to detect applications.";
      }
    }
    description
      "The data flow direction that is monitored to identify user-defined applications:request/response/both. Request indicates that data to the server is monitored to detect applications, Response indicates that data from the server is monitored to detect applications, and Both indicates that data from and to the server is monitored to detect applications.";
  }

  typedef pattern-type {
    type enumeration {
      enum regular {
        description
          "Regular indicates that the keyword of the match pattern is not a fixed string, it is represented by regular expression.";
      }
      enum plain {
        description
          "Plain indicates that the keyword of the match pattern is a fixed string.";
      }
    }
    description
      "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression.";
  }


  /*
  * Typedefs for user object, user group, and security group
  */

  typedef user-name {
    type string {
      length "1..63";



Xia & Lin                Expires April 24, 2019                [Page 19]


Internet-Draft      Security Policy Object Data Model       October 2018


    }
    description
      "This type represents a user name.";
  }

  typedef user-group-name {
    type string {
      length "1..63";
    }
    description
      "This type represents a user group name.";
  }

  typedef user-security-group-name {
    type string {
      length "1..63";
    }
    description
      "This type represents a security group name.";
  }

  typedef ip-mac-binding-type {
    type enumeration {
      enum bidirectional {
        description
          "Bidirectional binding indicates that a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users.";
      }
      enum unidirectional {
        description
          "Unidirectional binding indicates that a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.";
      }
    }
    description
      "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.  In bidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users.";
  }


  /*
  * Typedefs for time range object
  */
  typedef time-range-name {
    type string {
      length "1..32";
    }
    description
      "This type represents a time-range name.";
  }




Xia & Lin                Expires April 24, 2019                [Page 20]


Internet-Draft      Security Policy Object Data Model       October 2018


  typedef hour-minute-second {
    type string {
      pattern '\d{1,2}:\d{1,2}:\d{1,2}';
    }
    description
      "The representation of Hour, Minute, Sencond - hh:mm:ss";
  }

  typedef weekday {
    type enumeration {
      enum sunday {
        description
          "Sunday of the week";
      }
      enum monday {
        description
          "Monday of the week";
      }
      enum tuesday {
        description
          "Tuesday of the week";
      }
      enum wednesday {
        description
          "Wednesday of the week";
      }
      enum thursday {
        description
          "Thursday of the week";
      }
      enum friday {
        description
          "Friday of the week";
      }
      enum saturday {
        description
          "Saturday of the week";
      }
    }
    description
      "A type modeling the weekdays in the Greco-Roman tradition.";
  }


  /*
  * Typedefs for region object and region group
  */
  typedef region-name {



Xia & Lin                Expires April 24, 2019                [Page 21]


Internet-Draft      Security Policy Object Data Model       October 2018


    type string;
    description
      "This type represents a location or location set name.";
  }

  typedef region-longitude {
    type string;
    description
      "This type represents a region longitude number(-180.00 - 180.00).";
  }

  typedef region-latitude {
    type string;
    description
      "This type represents a region latitude number(-90.00 - 90.00).";
  }

  typedef domain-name {
    type string {
      length "1..63";
    }
    description
      "This type represents a domain object name.";
  }


  /*
  * Identities for application object and application group
  */
  identity protocol-field {
    description
      "Base type of protocol field.";
  }

  identity general-payload {
    base protocol-field;
    description
      "The field of signature is general-payload.";
  }

  identity http-method {
    base protocol-field;
    description
      "The field of signature is http.method.";
  }

  identity http-uri {
    base protocol-field;



Xia & Lin                Expires April 24, 2019                [Page 22]


Internet-Draft      Security Policy Object Data Model       October 2018


    description
      "The field of signature is http.uri.";
  }

  identity http-user-agent {
    base protocol-field;
    description
      "The field of signature is http.user-agent.";
  }

  identity http-host {
    base protocol-field;
    description
      "The field of signature is http.host.";
  }

  identity http-content-type {
    base protocol-field;
    description
      "The field of signature is http.content-type.";
  }

  identity http-cookie {
    base protocol-field;
    description
      "The field of signature is http.cookie.";
  }

  identity http-body {
    base protocol-field;
    description
      "The field of signature is http.body.";
  }


  /*
  * Features for application object
  */
  feature user-defined-application {
    description
      "This feature means the NSF supports user-defined application function that can be used to define application rule.";
  }

  /*
  * Features for region object
  */
  feature support-ipv6-address {
    description



Xia & Lin                Expires April 24, 2019                [Page 23]


Internet-Draft      Security Policy Object Data Model       October 2018


      "This feature means the NSF support configuring IPv6 addresses for Region Object.";
  }

  /*
  * Groupings for address object and address group
  */
  grouping address-objects {
    list address-object {
      key "name";
      leaf name {
        type address-set-name;
        description
          "The name of the address object.";
      }
      leaf desc {
        type string{
          length "1..127";
        }
        description
          "The description of the address object.";
      }
      leaf vpn-instance {
        type string;
        description
          "The name of the vpn-instrance.";
      }
      list elements {
        key "elem-id";
        leaf elem-id {
          type uint16;
          description
            "The id of the element in address object.";
        }
        choice object-items {
          case ipv4 {
            leaf address-ipv4 {
              type inet:ipv4-prefix;
              description
                "A set of IPv4 addresses that are represented by an IPv4 address prefix.";
            }
          }
          case ipv6 {
            leaf address-ipv6 {
              type inet:ipv6-prefix;
              description
                "A set of IPv6 addresses that are represented by an IPv6 address prefix.";
            }
          }



Xia & Lin                Expires April 24, 2019                [Page 24]


Internet-Draft      Security Policy Object Data Model       October 2018


          case mac {
            leaf mac-address {
              type yang:mac-address;
              description
                "MAC address. This leaf is combined with the mac-address-mask leaf to represent a single MAC address or a set of MAC addresses. If the mac-address-mask leaf is not presented, this leaf represents a single MAC address. If the mac-address-mask leaf is setted, this leaf represents a range of contiguous MAC addresses.";
            }
            leaf mac-address-mask {
              type yang:mac-address;
              description
                "If this leaf is not presented, the mac-address leaf represents a single MAC address. If this leaf is setted, the mac-address leaf represents a range of contiguous MAC addresses.";
            }
          }
          case ipv4-range {
            leaf start-ipv4 {
              type inet:ipv4-address;
              description
                "The start IPv4 address of an IPv4 address range.";
            }
            leaf end-ipv4 {
              type inet:ipv4-address;
              description
                "The end IPv4 address of an IPv4 address range.";
            }
          }
          case ipv6-range {
            leaf start-ipv6 {
              type inet:ipv6-address;
              description
                "The start IPv6 address of an IPv6 address range.";
            }
            leaf end-ipv6 {
              type inet:ipv6-address;
              description
                "The end IPv6 address of an IPv6 address range.";
            }
          }
              description
            "Diffrent types of addresses: IPv4, IPv6, MAC.";
        }
                description
          "A list of addresses that belong to a specific address object.";
      }
          description
        "A list of address objects.";
    }
    description
      "This grouping represents a list of address objects. An address object is identified by a unique name and contains a set of IPv4/IPv6 addresses or MAC addresses. This grouping reuse the predefined address-object-item grouping.";
  }



Xia & Lin                Expires April 24, 2019                [Page 25]


Internet-Draft      Security Policy Object Data Model       October 2018


  grouping address-groups {
    list address-group {
      key "name";
      leaf name {
        type address-set-name;
        description
          "The name of the address group.";
      }
      leaf desc {
        type string{
          length "1..127";
        }
        description
          "The description of the address group.";
      }
      leaf vpn-instance {
        type string;
        description
          "The name of the vpn-instrance.";
      }
      list elements {
        key "elem-id";
        leaf elem-id {
          type uint16;
          description
            "The id of the element in address group.";
        }
        leaf addr-object-name {
          type address-set-name;
          mandatory true;
          description
            "The name of the address object that consists the address group.";
        }
                description
          "A list of address objects that consists the address group object.";
      }
          description
        "A list of address group objects.";
    }
    description
      "An address group object is comprised of several address objects that require the same policy enforcement. This grouping represents a list of address groups.";
  }


  /*
  * Groupings for service object and service group
  */
  grouping port-items {



Xia & Lin                Expires April 24, 2019                [Page 26]


Internet-Draft      Security Policy Object Data Model       October 2018


    container source-port {
      uses pf:port-range-or-operator;
      description
        "Source port definition from range or operator.";
    }
    container dest-port {
      uses pf:port-range-or-operator;
      description
        "Destination port definition from range or operator.";
    }
    description
      "This grouping consists of the source port numbers and destination port numbers that represent UDP, TCP or SCTP based services.";
  }


  grouping service-objects {
    list pre-defined-service {
      key "name";
          config false;
      leaf name {
        type service-set-name;
        config false;
        description
          "The name of the predefined service object.";
      }
      leaf session-aging-time {
        type uint16;
        units second;
        config false;
        description
          "The aging time of the predefined service object.";
      }
      description
        "A list of the predefined service objects.";
    }
    list service-object {
      key "name";
      leaf name {
        type service-set-name;
        description
          "The name of the service object.";
      }
      leaf session-aging-time {
        type uint16;
        units second;
        description
          "The aging time of the service object.";
      }



Xia & Lin                Expires April 24, 2019                [Page 27]


Internet-Draft      Security Policy Object Data Model       October 2018


      leaf desc {
        type string{
          length "1..127";
        }
        description
          "The description of the service object.";
      }
      list items {
        key "id";
        leaf id {
          type uint16;
          description
            "The id of the element in service object.";
        }
        choice item {
          case tcp-item {
            container tcp {
              uses port-items;
              description
                "TCP based service is recognized by source port number and destination port number. This container reuse the port-items grouping.";
            }
          }
          case udp-item {
            container udp {
              uses port-items;
              description
                "UDP based service is recognized by source port number and destination port number. This container reuse the port-items grouping.";
            }
          }
          case sctp-item {
            container sctp {
              uses port-items;
              description
                "SCTP based service is recognized by source port number and destination port number. This container reuse the port-items grouping.";
            }
          }
          case icmp-item {
            choice icmp-type {
              case name-type {
                leaf icmp-name {
                  type icmp-name-type;
                  mandatory true;
                  description
                    "The ICMP based service is identified by the predefined ICMP name type.";
                }
              }
              case type-code {
                container icmp-type-code {



Xia & Lin                Expires April 24, 2019                [Page 28]


Internet-Draft      Security Policy Object Data Model       October 2018


                  leaf icmp-type-number {
                    type uint8;
                    mandatory true;
                    description
                      "The ICMP type number.";
                  }
                  leaf icmp-code-number {
                    type string;
                    mandatory true;
                    description
                      "The ICMP code number.";
                  }
                  description
                    "The ICMP based service is recognized by two header fields in the ICMP packets: type field and code field.";
                }
              }
                      description
                "The ICMP based service object and its attributes.";
            }
          }
          case icmp6-item {
            choice icmp6-type {
              case name-type {
                leaf icmp6-name {
                  type icmp6-name-type;
                  mandatory true;
                  description
                    "The ICMPv6 based service is identified by the predefined ICMPv6 name type.";
                }
              }
              case type-code {
                container icmp6-type-code {
                  leaf icmp6-type-number {
                    type uint8;
                    mandatory true;
                    description
                      "The ICMPv6 type number.";
                  }
                  leaf icmp6-code-number {
                    type string;
                    mandatory true;
                    description
                      "The ICMP code number.";
                  }
                  description
                    "The ICMPv6 based service is recognized by two header fields in the ICMPv6 packets: type field and code field.";
                }
              }



Xia & Lin                Expires April 24, 2019                [Page 29]


Internet-Draft      Security Policy Object Data Model       October 2018


                      description
                "The ICMPv6 based service object and its attributes.";
            }
                    description
              "The ICMPv6 based service object and its attributes.";
          }
          case protocol-id {
            leaf proto-id {
              type proto-id-range;
              mandatory true;
              description
                "IP based service is identified by the value of the protocol field in IP packet header.";
            }
          }
              description
            "Diffrent types of protocols for service definition.";
        }
                description
          "A list of service items that consist an service object.";
      }
      description
        "A list of user defined service objects.";
    }
    description
      "A list of the predefined service objects and user defined service objects.";
  }

  grouping service-groups {
    list service-group {
      key "name";
      leaf name {
        type service-set-name;
        description
          "The name of the service group.";
      }
      leaf desc {
        type string{
          length "1..127";
        }
        description
          "The description of the service group.";
      }
      list items {
        key "id";
        leaf id {
          type uint16;
          description
            "The id of the element in service group.";



Xia & Lin                Expires April 24, 2019                [Page 30]


Internet-Draft      Security Policy Object Data Model       October 2018


        }
        leaf service-object-name {
          type service-set-name;
          mandatory true;
          description
            "The name of the service object that consists the service group.";
        }
                description
          "A list of service objects that consists the service group object.";
      }
          description
        "A list of service group objects.";
    }
    description
      "A service group object is comprised of several service objects that require the same policy enforcement. This grouping represents a list of service groups.";
  }


  /*
  * Groupings for application object and application group
  */
  grouping application-objects {
    container user-defined-application {
      if-feature user-defined-application;
      container applications {
        list application {
          key "name";
          leaf name {
            type string;
            description
              "The name of user-defined application object.";
          }
          leaf-list label {
            type string;
            description
              "A list of labels for user-defined application.";
          }
          leaf data-model {
            type string;
            description
              "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF.";
          }
          leaf category {
            type string;
            description
              "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category.";
          }
          leaf subcategory {



Xia & Lin                Expires April 24, 2019                [Page 31]


Internet-Draft      Security Policy Object Data Model       October 2018


            type string;
            description
              "The subcategory of user-defined application. ";
          }
          leaf risk-value {
            type uint32;
            config false;
            description
              "The risk value of predefined application.";
          }
          leaf desc {
            type string;
            description
              "The description information of user-defined application.";
          }
          list rule {
            key "name";
            leaf name {
              type string;
              description
                "The name of the user-defined application rule.";
            }
            leaf protocol {
              type protocol;
              description
                "The protocol that user-defined application is based on.";
            }
            container signature {
              leaf mode {
                type string;
                description
                  "The mode of keyword identification. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow.";
              }
              leaf direction {
                type direction;
                description
                  "The traffic direction for application identification. Request indicates that data to the server is detected, Response indicates that data from the server is detected, and Both indicates that data from and to the server is detected.";
              }
              leaf pattern-type{
                type pattern-type;
                description
                  "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression.";
              }
              leaf pattern {
                type string;
                description
                  "The keyword of user-defined application rule.";
              }



Xia & Lin                Expires April 24, 2019                [Page 32]


Internet-Draft      Security Policy Object Data Model       October 2018


              leaf field {
                type identityref {
                  base protocol-field;
                }
                default general-payload;
                description
                  "The protocol field to search for a signature. The default protocol field is General-payload.";
              }
              description
                "The signature/characteristics of user-defined application.";
            }
            description
              "The rule used to identify the user-defined application.";
          }
          leaf-list ip-address {
            type inet:ip-prefix;
            description
              "The destination IPv4/IPv6 address of user-defined application.";
          }
          leaf-list port {
            type inet:port-number;
            description
              "The destination port number of user-defined application.";
          }
          description
            "A list of user-defined application objects.";
        }
                description
          "When the NSF supports user-defined application function, these are a list of user-defined application objects.";
      }
      description
        "When the NSF supports user-defined application function, this container is used to configure application objects.";
    }
    container predefined-application {
      config false;
      list application {
        key "name";
        leaf name {
          type string;
          config false;
          description
            "The name of the predefined application.";
        }
        leaf-list protocol {
          type string;
          config false;
          description
            "The protocol information of application.";



Xia & Lin                Expires April 24, 2019                [Page 33]


Internet-Draft      Security Policy Object Data Model       October 2018


                 }
        leaf risk-value {
          type uint32;
          config false;
          description
            "The risk value of predefined application.";
        }
        leaf-list label {
          type string;
          config false;
          description
            "The label of predefined application,an application may have multiple labels.";
        }
        leaf abandon {
          type boolean;
          config false;
          description
            "The abandon flag of predefined application.";
        }
        leaf multichannel {
          type boolean;
          config false;
          description
            "The multi channel flag of predefined application.";
        }
        leaf data-model {
          type string;
          description
            "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF.";
        }
        leaf category {
          type string;
          config false;
          description
            "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category.";
        }
        leaf subcategory {
          type string;
          config false;
          description
            "The name of application subcategory.";
        }
        leaf desc {
          type string;
          config false;
          description
            "The description information of application.";
        }



Xia & Lin                Expires April 24, 2019                [Page 34]


Internet-Draft      Security Policy Object Data Model       October 2018


        description
          "The attributes of a predefined application.";
      }
      description
        "The information of all predefined applications.";
    }
        description
      "A list of predefined application objects.";
  }

  grouping application-groups {
    list application-group {
      key "name";
      leaf name {
        type string;
        description
          "The name of the application group.";
      }
      leaf desc {
        type string{
          length "1..127";
        }
        description
          "The description of the application group.";
      }
      list items {
        key "id";
        leaf id {
          type uint16;
          description
            "The id of the element in application group.";
        }
        leaf application-object-name {
          type string;
          mandatory true;
          description
            "The name of the application object that consists the application group.";
        }
                description
          "A list of application objects that consist an application group object.";
      }
          description
        "A list of application group objects.";
    }
    description
      "An application group object is comprised of several application objects that require the same policy enforcement. This grouping represents a list of application groups.";
  }




Xia & Lin                Expires April 24, 2019                [Page 35]


Internet-Draft      Security Policy Object Data Model       October 2018


  /*
  * Groupings for user object, user group and security group
  */
  grouping user-objects {
    list user-object {
      key "name aaa-domain";
      leaf name {
        type user-name;
        description
          "The name of the user.";
      }
      leaf aaa-domain {
        type string {
          length "1..64";
        }
        description
              "The name of the domain to which the user belong.";
      }
      leaf desc {
        type string {
          length "1..127";
        }
        description
          "The description of the user.";
      }
      leaf password {
        type ianach:crypt-hash;
        description
          "If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name.";
      }
      leaf parent-user-group {
        type user-group-name;
        description
          "The name of the parent group. User objects and user groups are in a hierarchical structure. A user object can only belong to one user group.";
      }
      leaf-list parent-security-group {
        type user-security-group-name;
        max-elements 40;
        description
          "The name of the parent security group. A user object can belong to several security groups.";
      }
      container expiration-time {
        choice expiration-type {
          case never-expire {
            leaf never-expire {
              type empty;
              description
                "This case indicates that the user never expire.";



Xia & Lin                Expires April 24, 2019                [Page 36]


Internet-Draft      Security Policy Object Data Model       October 2018


            }
          }
          case expire-after-this-time {
            leaf expiration-time {
              type yang:date-and-time;
              description
                "User expired time.";
            }
          }
                  description
            "Two types of user expiration configurations.";
        }
        description
          "User expiration time.";
      }
      container ip-mac-binding {
        choice bind-state {
          case no-binding {
            leaf no-binding{
              type empty;
              mandatory true;
              description
                "No binding: Indicates that a user is not bound to any IP or MAC address.";
            }
          }
          case binding {
            leaf bind-mode{
              type ip-mac-binding-type;
              description
                "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.  In bidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users.";
            }
            leaf-list ip-binding {
              type inet:ipv4-address;
              description
                "The IP address bound to the user.";
            }
            leaf-list mac-binding {
              type yang:mac-address;
              description
                "The MAC address bound to the user.";
            }
            list ip-mac-bindings {
              key "ip-binding";
              unique "mac-binding";
              leaf ip-binding {
                type inet:ipv4-address;
                description
                  "The bound IPv4 address";



Xia & Lin                Expires April 24, 2019                [Page 37]


Internet-Draft      Security Policy Object Data Model       October 2018


              }
              leaf mac-binding {
                type yang:mac-address;
                description
                  "The bound mac address";
              }
              description
                "Configure the IP address and MAC address pairs bound to the user.";
            }
          }
                  description
            "The binding state: no-binding, binding.";
        }
        description
          "Whether there are IP/MAC addresses bound to the user.";
      }
      description
        "User Object and its attributes.";
    }
    description
      "A list of user objects.";
  }

  grouping security-groups {
    list security-group {
      key "name";
      leaf name {
        type user-security-group-name;
        description
                  "The name of the security-group.";
      }
      leaf desc {
        type string {
          length "1..127";
        }
        description
          "The description of the security-group.";
      }
      leaf-list parent-security-group {
        type user-security-group-name;
        max-elements 40;
        description
          "Configure the name of the parent-security-group.";
      }
      container filter-action {
        choice filter-type {
          case static {
            leaf static {



Xia & Lin                Expires April 24, 2019                [Page 38]


Internet-Draft      Security Policy Object Data Model       October 2018


              type empty;
              mandatory true;
              description
                "Empty leaf indicates that this is a static security group.";
            }
          }
          case dynamic {
            leaf dynamic {
              type empty;
              mandatory true;
              description
                "Empty leaf indicates that this is a dynamic security group.";
            }
            leaf-list filter-rule {
              type string {
                length "1..256";
              }
              max-elements 5;
              description
                "Filter rules for dynamic security group.";
            }
          }
          description
            "The filter type: static, dynamic.";
        }
        description
          "The filter type of the security group, static and dynamic. For dynamic security group, an filter rule needs to be configured.";
      }
      description
        "Security group and its attributes.";
    }
    description
      "A list of security groups.";
  }

  grouping user-groups {
    list user-group {
      key "name";
      leaf name {
        type user-group-name;
        description
          "The name of the user group.";
      }
      leaf desc {
        type string {
          length "1..63";
        }
        description



Xia & Lin                Expires April 24, 2019                [Page 39]


Internet-Draft      Security Policy Object Data Model       October 2018


          "The description of the user group.";
      }
      leaf parent-user-group {
        type user-group-name;
        description
          "The name of the user group. A user group can only belong to one parent user group.";
      }
      description
        "User group and its attributes.";
    }
    description
      "A list of user groups";
  }


  /*
  * Groupings for time range object
  */
  grouping time-range-objects {
    list time-range-object {
      key "name";
      leaf name {
        type time-range-name;
        description
          "The name of the time range object.";
      }
      list period-time {
        key "start end";
        leaf start {
          type hour-minute-second;
          mandatory true;
          description
            "Start time of the periodic time range.";
        }
        leaf end {
          type hour-minute-second;
          mandatory true;
          description
            "End time of the periodic time range.";
        }
        leaf-list weekday {
          type weekday;
                  min-elements 1;
          max-elements 7;
          description
            "The weekday to which the periodic time range belongs.";
        }
        description



Xia & Lin                Expires April 24, 2019                [Page 40]


Internet-Draft      Security Policy Object Data Model       October 2018


          "Periodic time that the associated function starts going into effect.";
      }
      list absolute-time {
        key "start end";
        leaf start {
          type yang:date-and-time;
          description
            "Absolute start time and date";
        }
        leaf end {
          type yang:date-and-time;
          description
            "Absolute end time and date";
        }
        description
          "Absolute time and date that the associated function starts going into effect.";
      }
      description
        "The time range object and its attributes.";
    }
    description
      "A list of time range objects";
  }


  /*
  * Groupings for region object and region group
  */
  grouping region-objects {
    list pre-defined-region {
      key "name";
          config false;
      leaf name {
        type region-name;
        config false;
        description
          "The name of the predefined region.";
      }
      leaf desc {
        type string;
        config false;
        description
          "The description of the predefined region.";
      }
      container region-ipv4-address {
        leaf-list address-ipv4 {
          type inet:ipv4-prefix;
          config false;



Xia & Lin                Expires April 24, 2019                [Page 41]


Internet-Draft      Security Policy Object Data Model       October 2018


          description
            "IPv4 address.";
        }
        list address-ipv4-range {
          key "start-ipv4 end-ipv4";
          leaf start-ipv4 {
            type inet:ipv4-address;
            config false;
            description
               "Start ipv4 address.";
          }
          leaf end-ipv4 {
            type inet:ipv4-address;
            config false;
            description
              "End ipv4 address.";
          }
              description
            "A list of ipv4 address ranges";
        }
        description
          "The IPv4 addresses of the predefined region.";
      }
      container region-ipv6-address {
            if-feature support-ipv6-address;
        leaf-list address-ipv6 {
          type inet:ipv6-prefix;
          config false;
          description
            "IPv6 address.";
        }
        list address-ipv6-range {
          key "start-ipv6 end-ipv6";
          leaf start-ipv6 {
            type inet:ipv6-address;
            config false;
            description
               "Start ipv6 address.";
          }
          leaf end-ipv6 {
            type inet:ipv6-address;
            config false;
            description
              "End ipv6 address.";
          }
              description
            "A list of ipv6 address ranges";
        }



Xia & Lin                Expires April 24, 2019                [Page 42]


Internet-Draft      Security Policy Object Data Model       October 2018


        description
          "The IPv6 addresses of the predefined region.";
      }
      description
        "A list of predefined region objects.";
    }
    list user-defined-region {
      key "name";
      leaf name {
        type region-name;
        description
          "The name of the user-defined region.";
      }
      leaf desc {
        type string;
        description
          "The description of the user-defined region.";
      }
      container coordinate {
        leaf longitude {
          type region-longitude;
          description
            "The latitude of the user-defined region.";
        }
        leaf latitude {
          type region-latitude;
          description
            "The longitude of the user-defined region.";
        }
        description
          "The latitude and longitude of the user-defined region.";
      }
      container region-ipv4-address {
        leaf-list address-ipv4 {
          type inet:ipv4-prefix;
          description
            "IPv4 address.";
        }
        list address-ipv4-range {
          key "start-ipv4 end-ipv4";
          leaf start-ipv4 {
            type inet:ipv4-address;
            description
               "Start ipv4 address.";
          }
          leaf end-ipv4 {
            type inet:ipv4-address;
            description



Xia & Lin                Expires April 24, 2019                [Page 43]


Internet-Draft      Security Policy Object Data Model       October 2018


              "End ipv4 address.";
          }
              description
            "A list of ipv4 address ranges";
        }
        description
          "The IPv4 addresses of the predefined region.";
      }
      container region-ipv6-address {
            if-feature support-ipv6-address;
        leaf-list address-ipv6 {
          type inet:ipv6-prefix;
          description
            "IPv6 address.";
        }
        list address-ipv6-range {
          key "start-ipv6 end-ipv6";
          leaf start-ipv6 {
            type inet:ipv6-address;
            description
               "Start ipv6 address.";
          }
          leaf end-ipv6 {
            type inet:ipv6-address;
            description
              "End ipv6 address.";
          }
              description
            "A list of ipv6 address ranges";
        }
        description
          "The IPv6 addresses of the user-defined region.";
      }
      description
        "A list of user-defined region objects.";
    }
        description
      "A list of predefined region objects and a list of user-defined region objects.";
  }

  grouping region-groups {
    list region-group {
      key "name";
      leaf name {
        type region-name;
        description
          "The name of the region group.";
      }



Xia & Lin                Expires April 24, 2019                [Page 44]


Internet-Draft      Security Policy Object Data Model       October 2018


      leaf desc {
        type string;
        description
          "The description of the region group.";
      }
      leaf-list region-name {
        type region-name;
        description
          "A list of region objects.";
      }
      leaf-list region-group-name {
        type region-name;
        description
          "A list of region groups.";
      }
      description
        "Region group consists of a set of region objects or region groups.";
    }
        description
      "A list of region group objects.";
  }

  /*
  * Groupings for domain object
  */
  grouping domain-objects {
    list domain-object {
      key "name";
      leaf name {
        type domain-name;
        description
          "The name of the domain object.";
      }
      leaf desc {
        type string;
        description
          "The description of the domain object.";
      }
      leaf-list domain {
        type string;
        description
          "A list of domains that consists the domain objects.";
      }
      description
        "Domain object and its attributes.";
    }
    description
      "A list of domain objects.";



Xia & Lin                Expires April 24, 2019                [Page 45]


Internet-Draft      Security Policy Object Data Model       October 2018


  }
}

7.  Acknowledgements

8.  IANA Considerations

   This document requires no IANA actions.

9.  Security Considerations

   Secure transport should be used to retrieve the current status of
   management plane security baseline.

10.  References

10.1.  Normative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-02 (work in progress), July 2018.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-06 (work in
              progress), July 2018.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-20 (work in progress), October
              2018.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
              <https://www.rfc-editor.org/info/rfc8329>.

10.2.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.





Xia & Lin                Expires April 24, 2019                [Page 46]


Internet-Draft      Security Policy Object Data Model       October 2018


   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

Authors' Addresses

   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com


   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong  518129
   China

   Email: linqiushi@huawei.com

























Xia & Lin                Expires April 24, 2019                [Page 47]


Html markup produced by rfcmarkup 1.128b, available from https://tools.ietf.org/tools/rfcmarkup/