rfcdiff of draft-ietf-i2nsf-consumer-facing-interface-dm-07.txt (November
4, 2019; expired May 7, 2020) against
draft-ietf-i2nsf-consumer-facing-interface-dm-08.txt (March 11, 2020).
The text below is the -08 version; "[...]" marks parts of the draft that
the diff page does not reproduce.

I2NSF Working Group                                            J. Jeong
Internet-Draft                                                 C. Chung
Intended status: Standards Track               Sungkyunkwan University
Expires: September 12, 2020                                      T. Ahn
                                                          Korea Telecom
                                                               R. Kumar
                                                       Juniper Networks
                                                               S. Hares
                                                                 Huawei
                                                         March 11, 2020

           I2NSF Consumer-Facing Interface YANG Data Model
           draft-ietf-i2nsf-consumer-facing-interface-dm-08

Abstract

   This document describes an information model and a YANG data model
   for the Consumer-Facing Interface between an Interface to Network
   Security Functions (I2NSF) User and Security Controller in an I2NSF
   system in a Network Functions Virtualization (NFV) environment.  The
   information model defines various types of managed objects and the
   relationship among them needed to build the interface.  The
   information model is organized based on the "Event-Condition-Action"
   [...]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   [...]

     9.4.  Scenario 3: Mitigate HTTP and HTTPS Flood Attacks on a
           Company Web Server . . . . . . . . . . . . . . . . . . .  40
   10.  Security Considerations . . . . . . . . . . . . . . . . . .  42
   11.  IANA Considerations . . . . . . . . . . . . . . . . . . . .  42
   12.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . .  42
   13.  Contributors  . . . . . . . . . . . . . . . . . . . . . . .  42
   14.  References  . . . . . . . . . . . . . . . . . . . . . . . .  44
     14.1.  Normative References  . . . . . . . . . . . . . . . . .  44
     14.2.  Informative References  . . . . . . . . . . . . . . . .  45
   Appendix A.  Changes from draft-ietf-i2nsf-consumer-facing-
                interface-dm-07 . . . . . . . . . . . . . . . . . .  47
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  47

1.  Introduction

   In a framework of Interface to Network Security Functions (I2NSF),
   each vendor can register their NSFs using a Developer's Management
   System (DMS).  Assuming that vendors also provide the front-end web
   applications registered with an I2NSF User, the Consumer-Facing
   Interface is required because the web applications developed by each
   vendor need to have a standard interface specifying the data types
   [...]

4.  Information Model for Policy

   A Policy object represents a mechanism to express a Security Policy
   by a Security Administrator (i.e., I2NSF User) using the Consumer-
   Facing Interface toward the Security Controller; the policy would be
   enforced on an NSF.  Figure 2 shows the YANG tree of the Policy
   object.  The Policy object SHALL have the following information:

   Name:  This field identifies the name of this object.

   Owners:  This field contains the owners of the policy, for example
         the groups that created it and may modify it.  Multiple groups
         can be listed as owners, each having full CRUD privileges by
         default.  Note that a factory-default owner (e.g., root) is
         assumed to be defined and preconfigured in the Security
         Controller so that the first policy objects can be created.

   Rule:  This field contains a list of rules.  These rules are defined
         1) for communication between two Endpoint Groups, 2) for
         preventing communication with externally or internally
         identified threats, and 3) for implementing business
         requirements such as controlling access to internal or
         external resources to meet regulatory compliance or business
         objectives.  For example, an organization may restrict certain
         communication between a set of users and applications.  The
         threats may come from threat feeds obtained from external
         sources or be dynamically identified by specialty devices in
         the network.  Rule conflict analysis should be triggered by the
         monitoring service to perform an exhaustive detection of
         anomalies among the configuration rules installed into the
         security functions.

   +--rw i2nsf-cfi-policy* [policy-name]
      +--rw policy-name          string
      |  uses owners-ref
      +--rw rules* [rule-name]
      +--rw endpoint-groups
      +--rw threat-prevention

                    Figure 2: Policy YANG Data Tree

   A policy is a container of Rule(s).  In order to express a Rule, a
   Rule must have complete information such as where and when a policy
   needs to be applied.  This is done by defining a set of managed
   objects and the relationships among them.  A Policy Rule may be
   related to segmentation, threat mitigation, or telemetry data
   collection from an NSF in the network, which will be specified as
   the sub-models of the policy model in the subsequent sections.
   Figure 3 shows the YANG data tree of the Rule object.  The Rule
   object SHALL have the following information:

   Name:  This field identifies the name of this object.

   Owners:  This field contains the owners of the rule, for example the
         groups that created it and may modify it.  Multiple groups can
         be listed as owners, each having full CRUD privileges by
         default.

   Event:  This field includes the information to determine whether the
         Rule Condition can be evaluated or not.  See details in
         Section 4.1.

   Condition:  This field contains all the checking conditions to apply
         to the objective traffic.  See details in Section 4.2.

   Action:  This field identifies the action taken when a rule is
         matched.  There is always an implicit action to drop traffic
         if no rule is matched for a traffic type.  See details in
         Section 4.3.

   IPsec-Method:  This field contains the information about the IPsec
         method type.  There are two types, IPsec-IKE and IPsec-IKEless
         [i2nsf-ipsec].

   +--rw rules* [rule-name]
      +--rw rule-name          string
      |  uses owners-ref
      +--rw event
      +--rw (condition)?
      +--rw action
      +--rw ipsec-method

                     Figure 3: Rule YANG Data Tree

   Note that in the case of policy conflicts, the resolution of the
   conflicting policies conforms to the guidelines of "Information
   Model of NSFs Capabilities" [i2nsf-capability-im].

4.1.  Event Sub-model

   The Event object contains information related to scheduling a Rule.
   The Rule could be activated based on a set time or a security event.
   Figure 4 shows the YANG tree of the Event object.  The Event object
   SHALL have the following information:

   Security-event:  This field identifies for which security event the
         policy is enforced.  Examples of security events are "DDOS",
         "spyware", "trojan", and "ransomware".

   [...] begin-time and end-time information.

   Frequency:  This represents how frequently the rule should be
         enforced.  There are four options: "only-once", "daily",
         "weekly", and "monthly".

   +--rw event
      +--rw security-event    identityref
      +--rw (enforce-type)?
      |  +--:(admin)
      |  |  +--rw admin?
      |  +--:(time)
      |     +--rw time-information
      |        +--rw begin-time?    date-and-time
      |        +--rw end-time?      date-and-time
      +--rw frequency?        enumeration

                Figure 4: Event Sub-model YANG Data Tree
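How a Security Controller could evaluate the Event sub-model above, as an added example that is not code from the draft. The draft names the enforce-type, time-information and frequency nodes but does not pin down what "daily", "weekly" and "monthly" mean, so the interpretation used here (the begin/end clock times repeat on every day, on begin-time's weekday, or on begin-time's day of month, from begin-time onward, with the window confined to one calendar day) is an assumption, as are the EventSpec/event_from_json helper shape and the constructed sample event.

```python
"""Evaluate the Event sub-model of a Consumer-Facing Interface rule.

Assumed semantics of 'frequency' (the draft does not define them):
  only-once : active while begin-time <= now <= end-time
  daily     : active every day between the clock times of begin/end
  weekly    : the daily window, but only on begin-time's weekday
  monthly   : the daily window, but only on begin-time's day of month
Repeating windows start at begin-time and must lie within one day."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class EventSpec:
    security_event: str                     # identityref, "" if none
    enforce_type: str                       # "admin" or "time"
    begin_time: Optional[datetime] = None   # yang date-and-time values
    end_time: Optional[datetime] = None
    frequency: str = "only-once"


def parse_yang_dt(value: str) -> datetime:
    """Parse a YANG/RFC 3339 date-and-time; it must carry a UTC offset."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("date-and-time must include a timezone offset")
    return dt


def event_from_json(obj: dict) -> EventSpec:
    """Build an EventSpec from the JSON encoding of the 'event' container
    (field names assumed to follow the tree in Figure 4)."""
    spec = EventSpec(security_event=obj.get("security-event", ""),
                     enforce_type="admin" if "admin" in obj else "time",
                     frequency=obj.get("frequency", "only-once"))
    ti = obj.get("time-information", {})
    if "begin-time" in ti:
        spec.begin_time = parse_yang_dt(ti["begin-time"])
    if "end-time" in ti:
        spec.end_time = parse_yang_dt(ti["end-time"])
    return spec


def _clock_seconds(dt: datetime) -> int:
    return dt.hour * 3600 + dt.minute * 60 + dt.second


def rule_is_active(spec: EventSpec, now: datetime, *,
                   admin_enabled: bool = False,
                   reported_event: Optional[str] = None) -> bool:
    """True when the rule's Condition may be evaluated at `now`.

    A security-event named in the spec must match the event reported by
    the monitoring side; then enforce-type decides whether an
    administrator or the schedule enables the rule."""
    if spec.security_event and reported_event != spec.security_event:
        return False
    if spec.enforce_type == "admin":
        return admin_enabled
    if spec.enforce_type != "time":
        raise ValueError(f"unknown enforce-type {spec.enforce_type!r}")
    begin, end = spec.begin_time, spec.end_time
    if begin is None or end is None or end <= begin:
        raise ValueError("time enforcement needs begin-time < end-time")
    if spec.frequency == "only-once":
        return begin <= now <= end
    if begin.date() != end.date():
        raise ValueError("a repeating window must lie within one day")
    if now < begin:
        return False
    local = now.astimezone(begin.tzinfo)   # clock time in the rule's zone
    if not (_clock_seconds(begin) <= _clock_seconds(local)
            <= _clock_seconds(end)):
        return False
    if spec.frequency == "daily":
        return True
    if spec.frequency == "weekly":
        return local.weekday() == begin.weekday()
    if spec.frequency == "monthly":
        return local.day == begin.day
    raise ValueError(f"unknown frequency {spec.frequency!r}")


# Constructed sample: a DDoS rule enforced every Monday 09:00-17:00 UTC,
# starting Monday 2020-03-16.
SAMPLE_EVENT = {
    "security-event": "ddos",
    "time-information": {"begin-time": "2020-03-16T09:00:00Z",
                         "end-time": "2020-03-16T17:00:00Z"},
    "frequency": "weekly",
}
```

The check is deliberately done in begin-time's zone: two rules written by administrators in different time zones must not drift against each other when the controller's own clock is in a third zone.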
4.2.  Condition Sub-model

   This object represents the Conditions that a Security Administrator
   wants to check on the traffic in order to determine whether the set
   of actions in the Rule can be executed or not.  The Condition Sub-
   model consists of several containers, each representing a different
   case, such as the general firewall and DDoS-mitigation cases and a
   case where the condition is based on the payload strings of packets.
   Each container has a source and a dest-target to represent the
   source and destination for that case.  Figure 5 shows the YANG tree
   of the Condition object.  The Condition Sub-model SHALL have the
   following information:

   Case (Firewall-condition):  This field represents the general
         firewall case, where a security admin can set up firewall
         conditions using the information present in this field.  The
         source and destination are represented by the source and
         dest-target leaves of the firewall-condition case, each
         referring to the IP-address-based user-groups defined in the
         endpoint-groups.

   Case (DDoS-condition):  This field represents the condition for DDoS
         mitigation, where a security admin can set up DDoS mitigation
         conditions using the information present in this field.  The
         source and destination are represented by the source and
         dest-target leaves of the ddos-condition case, each referring
         to the device-groups defined and registered in the endpoint-
         groups.

   Case (Custom-condition):  This field contains the payload string
         information.  This information is useful when a security rule
         condition is based on the string contents of incoming or
         outgoing packets.  The source and destination are represented
         by the source and dest-target leaves of the custom-condition
         case, each referring to the payload-content entries defined
         and registered in the endpoint-groups.

   Case (Threat-feed-condition):  This field contains the information
         obtained from threat feeds (e.g., Palo-Alto or RSA-netwitness).
         This information is useful when a security rule condition is
         based on existing threat reports gathered by other sources.
         The source and destination are represented by the source and
         dest-target leaves of the threat-feed-condition case.  For
         clarity, these represent the source/destination of a target
         security threat, not the information source/destination of a
         threat feed.

   +--rw (condition)?
      +--:(firewall-condition)
      |  +--rw source           -> /../../nacm:group/nacm:user-name
      |  +--rw dest-target*     -> /../../nacm:group/nacm:user-name
      +--:(ddos-condition)
      |  +--rw source*          -> /../../device-group/name
      |  +--rw dest-target*     -> /../../device-group/name
      |  +--rw rate-limit
      +--:(custom-condition)
      |  +--rw source*          -> /../../payload-content/name
      |  +--rw dest-target      -> /../../payload-content/name
      +--:(threat-feed-condition)
         +--rw source*          -> /../../threat-feed-list/name
         +--rw dest-target      -> /../../threat-feed-list/name

              Figure 5: Condition Sub-model YANG Data Tree
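An instance check for the condition leafrefs in Figure 5 and the Owners fields of Section 4, as an added example that is not taken from the draft. Every source/dest-target of a rule must resolve to a name defined elsewhere in the same policy (device-group, payload-content, threat-feed-list) or, for the firewall case, to a user-name inside an NACM group; the checker below reports dangling references, duplicate rule-names and policies without a known owner before the Security Controller pushes anything to an NSF. The sample instance and NACM groups are constructed; where the draft does not show the structure (the owners-ref grouping, assumed here to yield an "owners" leaf-list of NACM group names, and payload-content placed under threat-prevention) the layout is an assumption.

```python
import json

# Constructed sample instance (JSON encoding) following the -08 trees.  The
# owners-ref grouping and the position of payload-content are not shown in
# the draft's trees; an "owners" leaf-list of NACM group names and
# payload-content under threat-prevention are assumptions of this example.
SAMPLE_INSTANCE = json.loads("""
{
  "ietf-i2nsf-cfi-policy:i2nsf-cfi-policy": [{
    "policy-name": "security_policy_for_blocking_sns",
    "owners": ["admin-group"],
    "rules": [
      {"rule-name": "block_ddos",
       "ddos-condition": {"source": ["bot_hosts"], "dest-target": ["web_servers"]}},
      {"rule-name": "block_backdoor",
       "custom-condition": {"source": ["backdoor"], "dest-target": "backdoor"}},
      {"rule-name": "contractor_to_bob",
       "firewall-condition": {"source": "contractor", "dest-target": ["bob"]}},
      {"rule-name": "feed_rule",
       "threat-feed-condition": {"source": ["palo-alto-feed"],
                                 "dest-target": "missing-feed"}}
    ],
    "endpoint-groups": {
      "user-group":   [{"name": "alice"}, {"name": "bob"}],
      "device-group": [{"name": "web_servers"}, {"name": "bot_hosts"}]
    },
    "threat-prevention": {
      "threat-feed-list": [{"name": "palo-alto-feed"}],
      "payload-content":  [{"name": "backdoor", "content": ["cmd.exe /c"]}]
    }
  }]
}
""")

# Constructed NACM groups (ietf-netconf-acm nacm:group list): group name
# mapped to its user-name leaf-list.
SAMPLE_NACM_GROUPS = {"admin-group": ["alice"], "staff": ["alice", "bob"]}


def _as_list(value):
    """source/dest-target are leafs in some cases and leaf-lists in others."""
    return value if isinstance(value, list) else [value]


def check_policy(instance, nacm_groups):
    """Return a list of problems found in an i2nsf-cfi-policy instance; an
    empty list means every condition leafref resolves, rule-names are
    unique and every policy names at least one existing NACM group as
    owner."""
    errors = []
    nacm_users = {u for users in nacm_groups.values() for u in users}
    for pol in instance.get("ietf-i2nsf-cfi-policy:i2nsf-cfi-policy", []):
        pname = pol.get("policy-name", "<unnamed>")
        owners = pol.get("owners", [])
        if not owners:
            errors.append(f"{pname}: no owners (at least the factory-default "
                          "owner must be listed)")
        for owner in owners:
            if owner not in nacm_groups:
                errors.append(f"{pname}: owner {owner!r} is not a NACM group")
        eg = pol.get("endpoint-groups", {})
        tp = pol.get("threat-prevention", {})
        # leafref target of each condition case, as drawn in Figure 5
        targets = {
            "firewall-condition": ("nacm:group/nacm:user-name", nacm_users),
            "ddos-condition": ("device-group/name",
                               {d["name"] for d in eg.get("device-group", [])}),
            "custom-condition": ("payload-content/name",
                                 {p["name"] for p in tp.get("payload-content", [])}),
            "threat-feed-condition": ("threat-feed-list/name",
                                      {f["name"] for f in tp.get("threat-feed-list", [])}),
        }
        seen = set()
        for rule in pol.get("rules", []):
            rname = rule.get("rule-name", "<unnamed>")
            if rname in seen:
                errors.append(f"{pname}/{rname}: duplicate rule-name")
            seen.add(rname)
            cases = [c for c in targets if c in rule]
            if not cases:            # (condition)? is optional: nothing to resolve
                continue
            if len(cases) > 1:       # a choice allows at most one case
                errors.append(f"{pname}/{rname}: several condition cases {cases}")
                continue
            path, valid = targets[cases[0]]
            for leaf in ("source", "dest-target"):
                for ref in _as_list(rule[cases[0]].get(leaf, [])):
                    if ref not in valid:
                        errors.append(f"{pname}/{rname}: {cases[0]} {leaf} "
                                      f"{ref!r} does not resolve to any {path}")
    return errors
```

On the constructed instance the checker flags the firewall rule whose source "contractor" is not a user in any NACM group and the threat-feed rule whose dest-target names a feed that is not in threat-feed-list; the DDoS and custom rules resolve cleanly.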
4.3.  Action Sub-model

   This object represents the actions that a Security Admin wants to
   perform on a certain traffic class.  Figure 6 shows the YANG tree of
   the Action object.  The Action object SHALL have the following
   information:

   Primary-action:  This field identifies the action when a rule is
   [...]

               Figure 6: Action Sub-model YANG Data Tree

5.  Information Model for Policy Endpoint Groups

   The Policy Endpoint Group is a very important part of building User-
   Construct based policies.  A Security Administrator would create and
   use these objects to represent a logical entity in their business
   environment where a Security Policy is to be applied.  Multiple
   managed objects constitute a Policy's Endpoint Group, as shown in
   Figure 7.  Figure 8 shows the YANG tree of the Endpoint-Groups
   object.  This section lists these objects and the relationships
   among them.

                 +-------------------+
                 |  Endpoint Groups  |
                 +---------+---------+
                           ^
                           |
            +--------------+----------------+
       1..n |         1..n |           1..n |
      +-----+----+  +------+-----+  +-------+------+
      |User-group|  |Device-group|  |Location-group|
      +----------+  +------------+  +--------------+

                  Figure 7: Endpoint Group Diagram

   +--rw endpoint-groups
      +--rw user-group* [name]
      ...
      +--rw device-group* [name]
      ...
      +--rw location-group* [name]
      ...

                Figure 8: Endpoint Group YANG Data Tree

5.1.  User Group

   [...]

   range-ipv4-address:  This represents a range of IPv4 addresses of
         users in the user group.

   range-ipv6-address:  This represents a range of IPv6 addresses of
         users in the user group.

   +--rw user-group* [name]
      +--rw name                -> /../../nacm:group/nacm:user-name
      +--rw (match-type)?
         +--:(exact-match-ipv4)
         |  +--rw ipv4-address*          inet:ipv4-address
         +--:(exact-match-ipv6)
         |  +--rw ipv6-address*          inet:ipv6-address
         +--:(range-match-ipv4)
         |  +--rw range-ipv4-address*
         |          [start-ipv4-address end-ipv4-address]
         |     +--rw start-ipv4-address  inet:ipv4-address
         |     +--rw end-ipv4-address    inet:ipv4-address
         +--:(range-match-ipv6)
            +--rw range-ipv6-address*
                    [start-ipv6-address end-ipv6-address]
               +--rw start-ipv6-address  inet:ipv6-address
               +--rw end-ipv6-address    inet:ipv6-address

   [...] in the device group.

   Protocol:  This represents the communication protocols used by the
         devices, e.g., "SSH", "FTP", "SMTP", "HTTP", and "HTTPS".

   +--rw device-group* [name]
      +--rw name                string
      +--rw (match-type)?
      |  +--:(exact-match-ipv4)
      |  |  +--rw ipv4-address*          inet:ipv4-address
      |  +--:(exact-match-ipv6)
      |  |  +--rw ipv6-address*          inet:ipv6-address
      |  +--:(range-match-ipv4)
      |  |  +--rw range-ipv4-address*
      |  |          [start-ipv4-address end-ipv4-address]
      |  |     +--rw start-ipv4-address  inet:ipv4-address
      |  |     +--rw end-ipv4-address    inet:ipv4-address
      |  +--:(range-match-ipv6)
      |     +--rw range-ipv6-address*
      |             [start-ipv6-address end-ipv6-address]
      |        +--rw start-ipv6-address  inet:ipv6-address
      |        +--rw end-ipv6-address    inet:ipv6-address
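The match-type choice of the user-group and device-group trees above, resolved into a membership test, as an added example that is not part of the draft. It reads the JSON encoding of device-group entries (constructed sample data, not from the draft) and rejects the data errors a YANG type check alone cannot express: a range whose end precedes its start, an address of the wrong family for its case (the -07 tree typed the exact-match-ipv6 leaf as inet:ipv4-address, which -08 corrects), and an entry that fills more than one case of the choice.

```python
import ipaddress

# Constructed device-group entries in JSON encoding, one per case of the
# match-type choice.  Names and addresses are made up for this example
# (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_DEVICE_GROUPS = [
    {"name": "web_servers", "ipv4-address": ["192.0.2.10", "192.0.2.11"]},
    {"name": "dns_servers", "ipv6-address": ["2001:db8::53"]},
    {"name": "guest_wifi",
     "range-ipv4-address": [{"start-ipv4-address": "198.51.100.0",
                             "end-ipv4-address": "198.51.100.127"}]},
    {"name": "lab",
     "range-ipv6-address": [{"start-ipv6-address": "2001:db8:1::",
                             "end-ipv6-address": "2001:db8:1::ffff"}]},
]

# case name -> IP version its leaves must carry
MATCH_CASES = {"ipv4-address": 4, "ipv6-address": 6,
               "range-ipv4-address": 4, "range-ipv6-address": 6}


def compile_group(group):
    """Turn one user-group/device-group entry into (name, predicate).

    Raises ValueError when the entry selects no or several match-type
    cases, when an address does not belong to the family the case names,
    or when a range's end precedes its start."""
    present = [c for c in MATCH_CASES if c in group]
    if len(present) != 1:
        raise ValueError(f"{group.get('name')}: one match-type case "
                         f"expected, found {present}")
    case, version = present[0], MATCH_CASES[present[0]]
    intervals = []
    for entry in group[case]:
        if case.startswith("range-"):
            lo = ipaddress.ip_address(entry[f"start-ipv{version}-address"])
            hi = ipaddress.ip_address(entry[f"end-ipv{version}-address"])
        else:
            lo = hi = ipaddress.ip_address(entry)
        if lo.version != version or hi.version != version:
            raise ValueError(f"{group['name']}: {case} holds a non-IPv{version} "
                             f"address ({lo}, {hi})")
        if hi < lo:
            raise ValueError(f"{group['name']}: range {lo}-{hi} is reversed")
        intervals.append((lo, hi))

    def matches(addr_str):
        addr = ipaddress.ip_address(addr_str)
        # family check first: comparing IPv4Address with IPv6Address raises
        return addr.version == version and any(lo <= addr <= hi
                                               for lo, hi in intervals)
    return group["name"], matches


def groups_containing(groups, addr_str):
    """Names of every group an address falls into: what a firewall/ddos
    condition that refers to group names expands to for one packet."""
    return [name for name, pred in map(compile_group, groups)
            if pred(addr_str)]
```

Compiling the groups once and reusing the predicates is the shape an NSF translation layer needs: the condition leafrefs name groups, so each packet decision is a lookup over precompiled intervals rather than a re-parse of the policy.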
   [...]

               Figure 13: Threat Prevention YANG Data Tree

6.1.  Threat Feed

   This object represents a threat feed which provides signatures of
   malicious activities.  Figure 14 shows the YANG tree of a Threat-
   feed-list.  The Threat-Feed object SHALL have the following
   information:

   name:  This field identifies the name of this object.

   Server-ipv4:  This represents the IPv4 address of the feed
         provider's server, which may be an external or a local server.

   Server-ipv6:  This represents the IPv6 address of the feed
         provider's server, which may be an external or a local server.

   description:  This is the description of the threat feed.  The
         description should clearly indicate the security attack, such
         as the attack type (e.g., APT) and the file types used (e.g.,
         executable malware).

   Threat-file-types:  This field identifies the information about the
         file types identified and reported by the threat feed.

   signatures:  This field contains the signatures of malicious programs
         or activities provided by the threat feed.  Examples of
         signature types are "YARA", "SURICATA", and "SNORT".

   +--rw threat-prevention
      +--rw threat-feed-list* [name]
         +--rw name                identityref
         +--rw server-ipv4?        inet:ipv4-address
         +--rw server-ipv6?        inet:ipv6-address
         +--rw description?        string
         +--rw threat-file-types*  identityref
         +--rw signatures*         identityref

                  Figure 14: Threat Feed YANG Data Tree

6.2.  Payload Content

   This object represents a custom list created for the purpose of
   defining exceptions to threat feeds.  Figure 15 shows the YANG tree
   of a Payload-content list.  The Payload-Content object SHALL have
   the following information:

   Name:  This field identifies the name of this object.  For example,
         the name "backdoor" indicates that the payload content is
         related to a backdoor attack.

   description:  This represents the description of how the payload
         content is related to a security attack.

   Content:  This contains the payload contents, which are involved in
         a security attack, as strings.

   +--rw payload-content* [name]
      +--rw name           string
      +--rw description    string
      +--rw content*       string

              Figure 15: Payload Content in YANG Data Tree

7.  Network Configuration Access Control Model (NACM)

   The Network Configuration Access Control Model (NACM) provides a
   high-level overview of access control with the following features
   [RFC8341]:

   [...]

   [...] be extended according to the security needs.  In other words,
   the model design is independent of the content and meaning of
   specific policies as well as of the implementation approach.  This
   document suggests a VoIP/VoLTE security service as a use case for
   policy rule generation.

   This section describes a YANG data model for the Consumer-Facing
   Interface, based on the information model of the Consumer-Facing
   Interface to the Security Controller.

   <CODE BEGINS> file "ietf-i2nsf-cfi-policy@2020-03-11.yang"
   module ietf-i2nsf-cfi-policy {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy";
     prefix
       cfi-policy;

     import ietf-inet-types{
       prefix inet;
       reference "Section 4 of RFC 6991";
     }
     import ietf-netconf-acm {
       prefix nacm;
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web: <http://tools.ietf.org/wg/i2nsf>
        WG List: <mailto:i2nsf@ietf.org>

        WG Chair: Linda Dunbar
        <mailto:linda.dunbar@futurewei.com>

        WG Chair: Yoav Nir
        <mailto:ynir.ietf@gmail.com>

        Editor: Jaehoon Paul Jeong
        <mailto:pauljeong@skku.edu>

        Editor: Chaehong Chung
        <mailto:darkhong@skku.edu>";

     description
       "This module is a YANG module for Consumer-Facing Interface.

        Copyright (c) 2020 IETF Trust and the persons
        identified as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-11-04"{ revision "2020-03-11"{
description "The latest revision"; description "The latest revision";
reference reference
"draft-ietf-consumer-facing-interface-dm-07"; "draft-ietf-consumer-facing-interface-dm-07";
} }
identity malware-file-type { identity malware-file-type {
description description
"Base identity for malware file types."; "Base identity for malware file types.";
} }
identity executable-file { identity executable-file {
base malware-file-type; base malware-file-type;
description description
"Identity for executable file types."; "Identity for executable file types.";
} }
identity doc-file { identity doc-file {
base malware-file-type; base malware-file-type;
description description
"Identity for Microsoft document file types."; "Identity for Microsoft document file types.";
} }
identity html-app-file { identity html-app-file {
base malware-file-type; base malware-file-type;
description description
"Identity for html application file types."; "Identity for html application file types.";
} }
identity javascript-file { identity javascript-file {
base malware-file-type; base malware-file-type;
description description
"Identity for Javascript file types."; "Identity for Javascript file types.";
} }
identity pdf-file { identity pdf-file {
base malware-file-type; base malware-file-type;
description description
"Identity for pdf file types."; "Identity for pdf file types.";
} }
identity dll-file { identity dll-file {
base malware-file-type; base malware-file-type;
description description
"Identity for dll file types."; "Identity for dll file types.";
} }
identity msi-file { identity msi-file {
base malware-file-type; base malware-file-type;
description description
"Identity for Microsoft installer file types."; "Identity for Microsoft installer file types.";
} }
identity security-event-type { identity security-event-type {
description description
"Base identity for security event types."; "Base identity for security event types.";
} }
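Review bot: the revision statement bumps the date to 2020-03-11 but still says `reference "draft-ietf-consumer-facing-interface-dm-07";`, so the new revision points at the previous draft, and the name lacks the `i2nsf-` component used by the file name `ietf-i2nsf-cfi-policy@2020-03-11.yang` and the document title; point it at the -08 name and replace the placeholder `description "The latest revision";` with a summary of what changed. Two smaller points in the same hunk: `import ietf-netconf-acm` should carry `reference "RFC 8341: Network Configuration Access Control Model";` the way the inet-types import cites RFC 6991, and removing `import ietf-yang-types` drops the standard `yang:date-and-time` that the -07 module used for begin-time and end-time; unless the module has a reason to define its own timestamp type, keep the import and reuse the RFC 6991 typedef.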
skipping to change at page 18, line 28 skipping to change at page 18, line 29
identity msi-file { identity msi-file {
base malware-file-type; base malware-file-type;
description description
"Identity for Microsoft installer file types."; "Identity for Microsoft installer file types.";
} }
identity security-event-type { identity security-event-type {
description description
"Base identity for security event types."; "Base identity for security event types.";
} }
identity ddos { identity ddos {
base malware-file-type;
description description
"Identity for DDoS event types."; "Identity for DDoS event types.";
} }
identity spyware { identity spyware {
base malware-file-type; base malware-file-type;
description description
"Identity for spyware event types."; "Identity for spyware event types.";
} }
identity trojan { identity trojan {
base malware-file-type; base malware-file-type;
description description
"Identity for Trojan infection event types."; "Identity for Trojan infection event types.";
} }
identity ransomware { identity ransomware {
base malware-file-type; base malware-file-type;
description description
"Identity for ransomware infection event types."; "Identity for ransomware infection event types.";
} }
identity i2nsf-ipsec { identity i2nsf-ipsec {
description description
"Base identity for IPsec method types."; "Base identity for IPsec method types.";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-07";
} }
identity ipsec-ike { identity ipsec-ike {
base i2nsf-ipsec; base i2nsf-ipsec;
description description
"Identity for ipsec-ike."; "Identity for ipsec-ike.";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-07";
} }
identity ipsec-ikeless { identity ipsec-ikeless {
base i2nsf-ipsec; base i2nsf-ipsec;
description description
"Identity for ipsec-ikeless."; "Identity for ipsec-ikeless.";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-07";
} }
identity continent { identity continent {
description description
"Base Identity for continent types."; "Base Identity for continent types.";
} }
identity africa { identity africa {
base continent; base continent;
description description
"Identity for africa."; "Identity for africa.";
} }
identity asia { identity asia {
base continent; base continent;
description description
"Identity for asia."; "Identity for asia.";
} }
identity europe { identity europe {
base continent; base continent;
description description
"Identity for europe."; "Identity for europe.";
} }
identity north-america { identity north-america {
base continent; base continent;
description description
"Identity for north-america."; "Identity for north-america.";
} }
identity south-america { identity south-america {
base continent; base continent;
description description
"Identity for south-america."; "Identity for south-america.";
} }
identity oceania { identity oceania {
base continent; base continent;
description description
"Identity for Oceania"; "Identity for Oceania";
} }
identity enforce-type { identity enforce-type {
description description
"This identity represents the event of "This identity represents the event of
policy enforcement trigger type."; policy enforcement trigger type.";
} }
identity admin { identity admin {
base enforce-type;
description description
"The identity for policy enforcement by admin."; "The identity for policy enforcement by admin.";
} }
identity time { identity time {
base enforce-type;
description description
"The identity for policy enforcement based on time."; "The identity for policy enforcement based on time.";
} }
identity protocol-type { identity protocol-type {
description description
"This identity represents the protocol types."; "This identity represents the protocol types.";
} }
identity ftp { identity ftp {
base protocol-type; base protocol-type;
description description
"The identity for ftp protocol."; "The identity for ftp protocol.";
reference
"RFC 959: File Transfer Protocol (FTP)";
} }
identity ssh { identity ssh {
base protocol-type; base protocol-type;
description description
"The identity for ssh protocol."; "The identity for ssh protocol.";
reference
"RFC 4250: The Secure Shell (SSH) Protocol";
} }
identity telnet { identity telnet {
base protocol-type; base protocol-type;
description description
"The identity for telnet."; "The identity for telnet.";
reference
"RFC 854: Telnet Protocol";
} }
identity smtp { identity smtp {
base protocol-type; base protocol-type;
description description
"The identity for smtp."; "The identity for smtp.";
reference
"RFC 5321: Simple Mail Transfer Protocol (SMTP)";
} }
identity sftp { identity sftp {
base protocol-type; base protocol-type;
description description
"The identity for sftp."; "The identity for sftp.";
reference
"RFC 913: Simple File Transfer Protocol (SFTP)";
} }
identity http { identity http {
base protocol-type; base protocol-type;
description description
"The identity for http."; "The identity for http.";
reference
"RFC 2616: Hypertext Transfer Protocol (HTTP)";
} }
identity https { identity https {
base protocol-type; base protocol-type;
description description
"The identity for https."; "The identity for https.";
reference
"RFC 2818: HTTP over TLS (HTTPS)";
} }
identity pop3 { identity pop3 {
base protocol-type; base protocol-type;
description description
"The identity for pop3."; "The identity for pop3.";
reference
"RFC 1081: Post Office Protocol -Version 3 (POP3)";
} }
identity nat { identity nat {
base protocol-type; base protocol-type;
description description
"The identity for nat."; "The identity for nat.";
reference
"RFC 1631: The IP Network Address Translator (NAT)";
} }
identity primary-action { identity primary-action {
description description
"This identity represents the primary actions, such as "This identity represents the primary actions, such as
PASS, DROP, ALERT, RATE-LIMIT, and MIRROR."; PASS, DROP, ALERT, RATE-LIMIT, and MIRROR.";
} }
identity pass { identity pass {
base primary-action; base primary-action;
description description
"The identity for pass."; "The identity for pass.";
} }
identity drop { identity drop {
base primary-action; base primary-action;
description description
"The identity for drop."; "The identity for drop.";
} }
identity alert { identity alert {
base primary-action; base primary-action;
description description
"The identity for alert."; "The identity for alert.";
} }
identity rate-limit { identity rate-limit {
base primary-action; base primary-action;
description description
"The identity for rate-limit."; "The identity for rate-limit.";
} }
identity mirror { identity mirror {
base primary-action; base primary-action;
description description
"The identity for mirroring."; "The identity for mirroring.";
} }
identity secondary-action { identity secondary-action {
description description
"This field identifies additional actions if a rule is "This field identifies additional actions if a rule is
matched. This could be one of 'LOG', 'SYSLOG', matched. This could be one of 'LOG', 'SYSLOG',
'SESSION-LOG', etc."; 'SESSION-LOG', etc.";
} }
identity log { identity log {
base secondary-action; base secondary-action;
description description
"The identity for logging."; "The identity for logging.";
} }
identity syslog { identity syslog {
base secondary-action; base secondary-action;
description description
"The identity for system logging."; "The identity for system logging.";
} }
identity session-log { identity session-log {
base secondary-action; base secondary-action;
description description
"The identity for session logging."; "The identity for session logging.";
}
identity owner {
description
"This is the base identity for the owner";
}
identity dept-head {
base owner;
description
"This represents the identity of the head of department.";
}
identity manager {
base owner;
description
"This represents the identity of the manager of the department.";
}
identity employee {
base owner;
description
"This represents the identity of department employees.";
}
identity sec-head {
base owner;
description
"This represents the identity of the head of security.";
}
identity sec-admin {
base owner;
description
"This represents the identity of security admin.";
} }
identity signature-type { identity signature-type {
description description
"This represents the base identity for signature types."; "This represents the base identity for signature types.";
} }
identity signature-yara { identity signature-yara {
base signature-type; base signature-type;
description description
"This represents the YARA signatures."; "This represents the YARA signatures.";
} }
identity signature-snort { identity signature-snort {
base signature-type; base signature-type;
description description
"This represents the SNORT signatures."; "This represents the SNORT signatures.";
} }
identity signature-suricata { identity signature-suricata {
base signature-type; base signature-type;
description description
"This represents the SURICATA signatures."; "This represents the SURICATA signatures.";
} }
identity threat-feed-type { identity threat-feed-type {
description description
"This represents the base identity for threat-feed."; "This represents the base identity for threat-feed.";
}
identity palo-alto {
base threat-feed-type;
description
"This represents Palo-Alto threat-feed.";
}
identity rsa-netwitness {
base threat-feed-type;
description
"This represents RSA-netwitness threat-feed.";
}
identity fireeye {
base threat-feed-type;
description
"This represents FireEye threat-feed.";
} }
identity alienvault {
base threat-feed-type; /*
description * Typedefs
"This represents Alienvault threat-feed."; */
typedef date-and-time {
type string {
pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
description
"This is the format of date-and-time.";
reference
"RFC 3339: Date and Time on the Internet: Timestamps
RFC 2579: Textual Conventions for SMIv2
XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
} }
/* /*
* Groupings * Groupings
*/ */
grouping ipv4-list { grouping ipv4-list {
description
"Grouping for ipv4 based ip-addresses.";
leaf-list ipv4 {
type inet:ipv4-address;
description description
"This is the entry for the ipv4 ip-addresses."; "Grouping for ipv4 based ip-addresses.";
leaf-list ipv4 {
type inet:ipv4-address;
description
"This is the entry for the ipv4 ip-addresses.";
}
} }
}
grouping ipv6-list { grouping ipv6-list {
description
"Grouping for ipv6 based ip-addresses.";
leaf-list ipv6 {
type inet:ipv6-address;
description description
"This is the entry for the ipv6 ip-addresses."; "Grouping for ipv6 based ip-addresses.";
leaf-list ipv6 {
type inet:ipv6-address;
description
"This is the entry for the ipv6 ip-addresses.";
}
} }
}
grouping ipv4 { grouping ipv4 {
description
"Grouping for ipv4 based ip-address.";
leaf ipv4 {
type inet:ipv4-address;
description description
"This is the entry for the ipv4 ip-address."; "Grouping for ipv4 based ip-address.";
}
}
grouping ipv6 { leaf ipv4 {
description type inet:ipv4-address;
"Grouping for ipv6 based ip-address."; description
leaf ipv6 { "This is the entry for the ipv4 ip-address.";
type inet:ipv6-address; }
description
"This is the entry for the ipv6 ip-address.";
} }
}
grouping ip-address-info {
description
"There are two types to configure a security policy
for IPv4 address, such as exact match and range match.";
choice match-type { grouping ipv6 {
description description
"User can choose between 'exact match' and 'range match'."; "Grouping for ipv6 based ip-address.";
case exact-match-ipv4 { leaf ipv6 {
uses ipv4; type inet:ipv6-address;
description description
"Exact ip-address match for ipv4 type addresses"; "This is the entry for the ipv6 ip-address.";
} }
case exact-match-ipv6 { }
uses ipv6;
grouping ip-address-info {
description
"There are two types to configure a security policy
for IPv4 address, such as exact match and range match.";
choice match-type {
description description
"Exact ip-address match for ipv6 type addresses"; "User can choose between 'exact match' and 'range match'.";
} case exact-match-ipv4 {
case range-match-ipv4 { uses ipv4;
list range-ipv4-address {
key "start-ipv4-address end-ipv4-address";
leaf start-ipv4-address {
type inet:ipv4-address;
description
"Start IPv4 address for a range match.";
}
leaf end-ipv4-address {
type inet:ipv4-address;
description
"End IPv4 address for a range match.";
}
description description
"Range match for an IP-address."; "Exact ip-address match for ipv4 type addresses";
} }
} case exact-match-ipv6 {
case range-match-ipv6 { uses ipv6;
list range-ipv6-address { description
key "start-ipv6-address end-ipv6-address"; "Exact ip-address match for ipv6 type addresses";
leaf start-ipv6-address { }
type inet:ipv6-address; case range-match-ipv4 {
list range-ipv4-address {
key "start-ipv4-address end-ipv4-address";
leaf start-ipv4-address {
type inet:ipv4-address;
description
"Start IPv4 address for a range match.";
}
leaf end-ipv4-address {
type inet:ipv4-address;
description
"End IPv4 address for a range match.";
}
description description
"Start IPv6 address for a range match."; "Range match for an IP-address.";
} }
leaf end-ipv6-address { }
type inet:ipv6-address; case range-match-ipv6 {
list range-ipv6-address {
key "start-ipv6-address end-ipv6-address";
leaf start-ipv6-address {
type inet:ipv6-address;
description
"Start IPv6 address for a range match.";
}
leaf end-ipv6-address {
type inet:ipv6-address;
description
"End IPv6 address for a range match.";
}
description description
"End IPv6 address for a range match."; "Range match for an IP-address.";
} }
description
"Range match for an IP-address.";
} }
} }
} }
} grouping ipsec-based-method {
grouping ipsec-based-method {
description
"This represents the ipsec-based method.";
list ipsec-method {
key "method";
description description
"This represents the list of IPsec method types."; "This represents the ipsec-based method.";
list ipsec-method {
leaf method { key "method";
type identityref {
base i2nsf-ipsec;
}
description description
"This represents IPsec IKE and IPsec IKEless cases."; "This represents the list of IPsec method types.";
leaf method {
type identityref {
base i2nsf-ipsec;
}
description
"This represents IPsec IKE and IPsec IKEless cases.
If this is not set, it cannot support IPsec IKE or
IPsec IKEless.";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-07";
}
} }
} }
}
grouping user-group { grouping user-group {
description
"The grouping for user-group entities, and
contains information such as name & ip-address.";
leaf-list name {
type leafref {
path /nacm:nacm/nacm:groups/nacm:group/nacm:user-name;
}
description description
"This represents the name of a user."; "The grouping for user-group entities, and
} contains information such as name & ip-address.";
uses ip-address-info;
}
grouping device-group { leaf name {
description type string;
"This group represents device group information description
such as ip-address protocol."; "This represents the name of a user.";
leaf name {
type string;
description
"This represents the name of a device.";
}
uses ip-address-info;
leaf-list protocol {
type identityref {
base protocol-type;
} }
description uses ip-address-info;
"This represents the communication protocols of devices.";
} }
}
grouping location-group { grouping device-group {
description
"This group represents location-group information
such as geo-ip and continent.";
leaf name {
type string;
description
"This represents the name of a location.";
}
leaf geo-ip-ipv4 {
type inet:ipv4-address;
description
"This represents the IPv4 geo-ip of a location.";
}
leaf geo-ip-ipv6 {
type inet:ipv6-address;
description
"This represents the IPv6 geo-ip of a location.";
}
leaf continent {
type identityref {
base continent;
}
description description
"location-group-based on geo-ip of "This group represents device group information
respective continent."; such as ip-address protocol.";
leaf name {
type string;
description
"This represents the name of a device.";
}
uses ip-address-info;
leaf-list protocol {
type identityref {
base protocol-type;
}
description
"This represents the communication protocols of
devices.
If this is not set, it cannot support the
appropriate protocol";
}
} }
}
grouping threat-feed-info { grouping location-group {
description description
"This is the grouping for the threat-feed-list"; "This group represents location-group information
such as geo-ip and continent.";
leaf name {
type string;
description
"This represents the name of a location.";
}
leaf geo-ip-ipv4 {
type inet:ipv4-address;
description
"This represents the IPv4 geo-ip of a location.";
}
leaf geo-ip-ipv6 {
type inet:ipv6-address;
description
"This represents the IPv6 geo-ip of a location.";
leaf feed-name {
type identityref {
base threat-feed-type;
} }
description leaf continent {
"This represents the name of the a threat-feed."; type identityref {
} base continent;
leaf feed-server-ipv4 { }
type inet:ipv4-address; default asia;
description description
"The IPv4 ip-address for the threat-feed server."; "location-group-based on geo-ip of
} respective continent.";
leaf feed-server-ipv6 { }
type inet:ipv6-address;
description
"The IPv6 ip-address for the threat-feed server.";
}
leaf feed-description {
type string;
description
"This represents the descriptions of a threat-feed.
The description should include information, such as
the type, related threat, method, and file type.";
} }
}
grouping payload-string { grouping threat-feed-info {
description
"The grouping for payload-string content.
It contains information such as name and string content.";
leaf payload-description {
type string;
description
"This represents the description of a payload.";
}
leaf-list content {
type string;
description description
"This represents the payload string content."; "This is the grouping for the threat-feed-list";
leaf name {
type identityref {
base threat-feed-type;
}
description
"This represents the name of the a threat-feed.";
}
leaf server-ipv4 {
type inet:ipv4-address;
description
"The IPv4 ip-address for the threat-feed server.";
}
leaf server-ipv6 {
type inet:ipv6-address;
description
"The IPv6 ip-address for the threat-feed server.";
}
leaf description {
type string;
description
"This represents the descriptions of a threat-feed.
The description should include information, such as
the type, related threat, method, and file type.";
}
} }
}
grouping owners-ref { grouping payload-string {
description
"This grouping is for owners reference using Network configuration Access Control Model (NACM).";
leaf-list owners {
type leafref {
path /nacm:nacm/nacm:groups/nacm:group/nacm:name;
}
description description
"This leaf-list names the owner groups of the "The grouping for payload-string content.
list instace it sits on. Only the owners and It contains information such as name and string
super users are authorized to modify the contents."; content.";
leaf description {
type string;
description
"This represents the description of a payload.
If this is not set, it cannot support the
description of how the payload content is
related to a security attack.";
}
leaf-list content {
type string;
description
"This represents the string of the payload
contents. This content leaf-list contains the
payload of a packet to analyze a threat.
Due to the types of threats, the type of the
content is defined as string to accommodate
any kind of a payload type such as HTTP, HTTPS,
and SIP.
If this is not set, it cannot support the
payload contents involved in a security attack
as strings";
}
} }
}
list i2nsf-cfi-policy { grouping owners-ref {
key "policy-name";
description
"This is the security policy list. Each policy in the list
contains a list of security rules, and is a policy instance
to have complete information such as where and when a
policy needs to be applied.";
leaf policy-name {
type string;
mandatory true;
description description
"The name which identifies the policy."; "This grouping is for owners reference using
Network Configuration Access Control Model
(NACM).";
leaf-list owners {
type leafref {
path "/nacm:nacm/nacm:groups/nacm:group/nacm:name";
}
description
"This leaf-list names the owner groups of the
list instance it sits on. Only the owners listed
in a NACM group are authorized to get full CRUD
privileges for the contents.
If this is not set, it cannot support who has
the prvilege of the contents";
}
} }
uses owners-ref;
container rule{ list i2nsf-cfi-policy {
key "policy-name";
description description
"This container is for rules."; "This is the security policy list. Each policy in
nacm:default-deny-write; the list contains a list of security rules, and is
list rule { a policy instance to have complete information
leaf rule-name { such as where and when a policy needs to be
type string; applied.";
mandatory true; leaf policy-name {
description type string;
"This represents the name for the rule."; mandatory true;
}
key "rule-name";
description description
"There can be a single or multiple number of rules."; "The name which identifies the policy.";
uses owners-ref; }
uses owners-ref;
container event { container rules{
description description
"This represents the event (e.g., a security event, "This container is for rules.";
which a security rule is made for.)"; nacm:default-deny-write;
leaf security-event { list rule {
type identityref { key "rule-name";
base security-event-type; ordered-by user;
} leaf rule-name {
type string;
mandatory true; mandatory true;
description description
"This contains the description of security events."; "This represents the name for the rule.";
} }
choice enforce-type { description
"There can be a single or multiple number of
rules.";
uses owners-ref;
container event {
description description
"There are three different enforcement types; admin, and time."; "This represents the event (e.g., a security
case enforce-admin { event, for which a security rule is made.)";
leaf admin { leaf security-event {
type identityref { type identityref {
base enforce-type; base security-event-type;
}
description
"This represents the enforcement type based on admin's
decision.";
} }
description
"This contains the description of security
events. If this is not set, it cannot
support which security event is enforced";
} }
case time { choice enforce-type {
container time-information { description
description "There are two different enforcement types;
"The begin-time and end-time information admin, and time.
when the security rule should be applied."; It cannot be allowed to configure
leaf enforce-time { admin=='time' or enforce-time=='admin'.";
type identityref { case enforce-admin {
base enforce-type; leaf admin {
type string;
description
"This represents the enforcement type
based on admin's decision.";
}
}
case time {
container time-information {
description
"The begin-time and end-time information
when the security rule should be applied.";
leaf enforce-time {
type date-and-time;
description
"The enforcement type is time-enforced.";
}
leaf begin-time {
type date-and-time;
description
"This is start time for time zone";
}
leaf end-time {
type date-and-time;
description
"This is end time for time zone";
} }
}
}
}
leaf frequency {
type enumeration {
enum only-once {
description description
"The enforcement type is time-enforced."; "This represents the rule is enforced
only once immediately and not
repeated.";
} }
leaf begin-time { enum daily {
type yang:date-and-time;
description description
"This is start time for time zone"; "This represents the rule is enforced
on a daily basis.";
} }
leaf end-time { enum weekly {
type yang:date-and-time;
description description
"This is end time for time zone"; "This represents the rule is enforced
on a weekly basis.";
}
enum monthly {
description
"This represents the rule is enforced
on a monthly basis.";
} }
} }
default only-once;
description
"This represents how frequent the rule
should be enforced.";
} }
} }
leaf frequency {
type enumeration {
enum only-once {
description
"This represents the rule is enforced only once.";
}
enum daily {
description
"This represents the rule is enforced on a daily basis.";
}
enum weekly {
description
"This represents the rule is enforced on a weekly basis.";
}
enum monthly {
description
"This represents the rule is enforced on a monthly basis.";
}
}
default only-once;
description
"This represents how frequent the rule should be enforced.";
}
}
container condition { container condition {
description description
"The conditions for general security policies."; "The conditions for general security policies.";
choice condition { container firewall-condition {
description description
"This choice condition is for general firewall.";
case firewall-condition {
description
"The general firewall condition."; "The general firewall condition.";
container firewall-source { leaf source {
description type leafref {
"This represents the source."; path "/i2nsf-cfi-policy/endpoint-groups/user-group/name";
leaf src-target {
type leafref {
path /nacm:nacm/nacm:groups/nacm:group/nacm:user-name;
}
mandatory true;
description
"This describes the paths to
the source reference.";
}
} }
container firewall-destination { description
description "This describes the paths to the source reference.";
"This represents the destination."; }
leaf-list dest-target { leaf-list dest-target {
type leafref { type leafref {
path /nacm:nacm/nacm:groups/nacm:group/nacm:user-name; path "/i2nsf-cfi-policy/endpoint-groups/user-group/name";
}
description
"This describes the paths to the
destination target reference.";
}
} }
description
"This describes the paths to the destination
target reference.";
} }
case ddos-condition { }
description container ddos-condition {
description
"The condition for DDoS mitigation."; "The condition for DDoS mitigation.";
container ddos-source { leaf-list source {
description type leafref {
"This represents the source."; path "/i2nsf-cfi-policy/endpoint-groups/device-group/name";
leaf-list src-target {
type leafref {
path "/i2nsf-cfi-policy/endpoint-group/device-group/name";
}
description
"This describes the path to the
source target references.";
}
}
container ddos-destination {
description
"This represents the target.";
leaf-list dest-target {
type leafref {
path "/i2nsf-cfi-policy/endpoint-group/device-group/name";
}
description
"This describes the path to the
destination target references.";
}
} }
container rate-limit { description
description "This describes the rate-limit."; "This describes the path to the
leaf packet-per-second { source target references.";
type uint16; }
description leaf-list dest-target {
"The rate-limit limits the amount of incoming packets."; type leafref {
} path "/i2nsf-cfi-policy/endpoint-groups/device-group/name";
} }
description
"This describes the path to the destination target
references.";
} }
case custom-condition { container rate-limit {
description description
"The condition based on packet contents."; "This describes the rate-limit.";
container custon-source { leaf packet-threshold-per-second{
description type uint32;
"This represents the source.";
leaf-list src-target {
type leafref {
path "/i2nsf-cfi-policy/threat-prevention/payload-content/name";
}
description description
"Describes the payload string "This is a trigger value for the condition.";
content condition source.";
}
} }
container custom-destination { }
description }
"This represents the destination."; container custom-condition {
leaf dest-target { description
type leafref { "The condition based on packet contents.";
path "/i2nsf-cfi-policy/threat-prevention/payload-content/name"; leaf-list source {
} type leafref {
mandatory true; path "/i2nsf-cfi-policy/threat-preventions/payload-content/name";
description
"Describes the payload string
content condition destination.";
}
} }
description
"Describes the payload string content condition
source.";
} }
case threat-feed-condition { leaf dest-target {
type leafref {
path "/i2nsf-cfi-policy/threat-preventions/payload-content/name";
}
description description
"The condition based on the threat-feed information."; "Describes the payload string content condition destination.";
container threat-feed-source { }
description }
"This represents the source."; container threat-feed-condition {
leaf-list src-target { description
type leafref { "The condition based on the threat-feed information.";
path "/i2nsf-cfi-policy/threat-prevention/threat-feed-list/feed-name"; leaf-list source {
} type leafref {
description "Describes the threat-feed path "/i2nsf-cfi-policy/threat-preventions/threat-feed-list/name";
condition source.";
}
} }
container threat-feed-destination { description
description "Describes the threat-feed condition source.";
"This represents the destination."; }
leaf dest-target { leaf dest-target {
type leafref { type leafref {
path "/i2nsf-cfi-policy/threat-prevention/threat-feed-list/feed-name"; path "/i2nsf-cfi-policy/threat-preventions/threat-feed-list/name";
}
mandatory true;
description "Describes the threat-feed
condition destination.";
}
} }
description
"Describes the threat-feed condition destination.";
} }
} }
} }
container action {
description container actions {
"This is the action container.";
leaf primary-action {
type identityref {
base primary-action;
}
mandatory true;
description description
"This represent the primary actions (e.g., PASS, DROP, "This is the action container.";
ALERT, and MIRROR) to be applied a condition."; leaf primary-action {
} type identityref {
leaf secondary-action { base primary-action;
type identityref { }
base secondary-action; description
"This represent the primary actions (e.g.,
PASS, DROP, ALERT, and MIRROR) to be
applied a condition.
If this is not set, it cannot support
the primary actions.";
} }
description leaf secondary-action {
"This represents the secondary actions (e.g., log type identityref {
and syslog) to be applied if needed."; base secondary-action;
}
description
"This represents the secondary actions
(e.g., log and syslog) to be applied
if needed.
If this is not set, it cannot support
the secondary actions.";
} }
} }
container ipsec-method { container ipsec-method {
description
"This container represents the IPsec IKE and IKEless cases.";
leaf method {
type identityref {
base i2nsf-ipsec;
}
description description
"This references the IPsec method types, "This container represents the IPsec IKE
which includes IPsec IKE and IPsec IKEless cases."; and IKEless cases.";
leaf method {
type identityref {
base i2nsf-ipsec;
}
description
"This references the IPsec method types,
which includes IPsec IKE and IPsec IKEless
cases.
If this is not set, it cannot support
IPsec IKE or IPsec IKEless.";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-07";
} }
} }
leaf owner {
type identityref {
base owner;
}
mandatory true;
description
"This field defines the owner of this
rule. Only the owner is authorized to
modify the contents of the rule.";
}
} }
} }
container endpoint-group {
description container endpoint-groups {
"A logical entity in their business
environment, where a security policy
is to be applied.";
uses user-group;
list device-group {
key "name";
uses device-group;
description
"This represents the device group.";
}
list location-group{
key "name";
uses location-group;
description description
"This represents the location group."; "A logical entity in their business
environment, where a security policy
is to be applied.";
list user-group{
uses user-group;
key "name";
description
"This represents the user group.";
}
list device-group {
key "name";
uses device-group;
description
"This represents the device group.";
}
list location-group{
key "name";
uses location-group;
description
"This represents the location group.";
} }
} }
container threat-prevention { container threat-preventions {
description
"this describes the list of threat-prevention.";
list threat-feed-list {
key "feed-name";
description description
"This represents the threat feed list."; "this describes the list of threat-prevention.";
uses threat-feed-info; list threat-feed-list {
key "name";
description
"There can be a single or multiple number of
threat-feeds.";
uses threat-feed-info;
leaf-list threat-file-types {
type identityref {
base malware-file-type;
}
default executable-file;
description
"This contains a list of file types needed to
be scanned for the virus.";
leaf-list threat-file-types {
type identityref {
base malware-file-type;
} }
default executable-file; leaf-list signatures {
description type identityref {
"This contains a list of file types needed to base signature-type;
be scanned for the virus.";
}
leaf-list signatures {
type identityref {
base signature-type;
} }
default signature-suricata; default signature-suricata;
description description
"This contains a list of signatures or hash "This contains a list of signatures or hash
of the threats."; of the threats.";
} }
} }
list payload-content { list payload-content {
key "name"; key "name";
leaf name { leaf name {
type string; type string;
description description
"This represents the name of payload-content. "This represents the name of payload-content.
It should give an idea of why specific payload It should give an idea of why specific payload
content is marked as threat. For example, the name content is marked as threat. For example, the
'backdoor' indicates the payload content is related name 'backdoor' indicates the payload content
to backdoor attack."; is related to backdoor attack.";
} }
description description
"This represents the payload-string group."; "This represents the payload-string group.";
uses payload-string; uses payload-string;
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 16: YANG for Consumer-Facing Interface Figure 16: YANG for Consumer-Facing Interface
9. XML Configuration Examples of High-Level Security Policy Rules 9. XML Configuration Examples of High-Level Security Policy Rules
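Review bot: dropping `mandatory true` from `leaf primary-action` inside the new `container actions` allows a rule with conditions but no action, and the added sentence "If this is not set, it cannot support the primary actions." does not say what the Security Controller does with such a rule; either keep `mandatory true` or state the behaviour (for example, the rule is rejected or ignored) in the description, and fix "to be applied a condition" to "to be applied to a condition". The same "If this is not set ..." sentence was added to `secondary-action`, which has always been optional, and should simply be dropped there. Now that `firewall-condition`, `ddos-condition`, `custom-condition` and `threat-feed-condition` are sibling containers instead of `case`s of a choice, more than one can appear in a single rule (Figures 18 and 19 do this), so the description should say whether multiple conditions are combined with AND or OR. Minor: `leaf packet-threshold-per-second{` needs a space before `{`, and a `units "packets per second";` statement would document what the `uint32` counts.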
skipping to change at page 37, line 6 skipping to change at page 37, line 10
If new endpoints are introduced to the network, it is necessary to If new endpoints are introduced to the network, it is necessary to
first register their data to the database. For example, if new first register their data to the database. For example, if new
members are newly introduced in either of three different groups members are newly introduced in either of three different groups
(i.e., user-group, device-group, and payload-group), each of them (i.e., user-group, device-group, and payload-group), each of them
should be registered with information such as ip-addresses or should be registered with information such as ip-addresses or
protocols used by devices. Figure 17 shows an example XML protocols used by devices. Figure 17 shows an example XML
representation of the registered information for the user-group and representation of the registered information for the user-group and
device-group. device-group.
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<endpoint-group xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> <endpoint-groups xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
<user-group> <user-group>
<name>employees</name> <name>employees</name>
<range-ip-address> <range-ipv4-address>
<start-ip-address>221.159.112.1</start-ip-address> <start-ipv4-address>221.159.112.1</start-ipv4-address>
<end-ip-address>221.159.112.90</end-ip-address> <end-ipv4-address>221.159.112.90</end-ipv4-address>
</range-ip-address> </range-ipv4-address>
</user-group> </user-group>
<device-group> <device-group>
<name>webservers</name> <name>webservers</name>
<range-ip-address> <range-ipv4-address>
<start-ip-address>221.159.112.91</start-ip-address> <start-ipv4-address>221.159.112.91</start-ipv4-address>
<end-ip-address>221.159.112.97</end-ip-address> <end-ipv4-address>221.159.112.97</end-ipv4-address>
</range-ip-address> </range-ipv4-address>
<protocol>http</protocol> <protocol>http</protocol>
<protocol>https</protocol> <protocol>https</protocol>
</device-group> </device-group>
</endpoint-group xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> </endpoint-groups>
Figure 17: Registering User-group and Device-group Information Figure 17: Registering User-group and Device-group Information
9.2. Scenario 1: Block SNS Access during Business Hours 9.2. Scenario 1: Block SNS Access during Business Hours
The first example scenario is to "block SNS access during office The first example scenario is to "block SNS access during office
hours" using a time-based firewall policy. In this scenario, all hours" using a time-based firewall policy. In this scenario, all
users registered as "employees" in the user-group list are unable to users registered as "employees" in the user-group list are unable to
access Social Networking Services (SNS) during the office hours. The access Social Networking Services (SNS) during the office hours. The
XML instance is described below: XML instance is described below:
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> <i2nsf-cfi-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
<policy-name>security_policy_for_blocking_sns</policy-name> <policy-name>security_policy_for_blocking_sns</policy-name>
<rule> <rules>
<rule-name>block_access_to_sns_during_office_hours</rule-name> <rule>
<event> <rule-name>block_access_to_sns_during_office_hours</rule-name>
<time-information> <event>
<begin-time>09:00</begin-time> <time-information>
<end-time>18:00</end-time> <begin-time>2020-03-11T09:00:00.00Z</begin-time>
</time-information> <end-time>2020-03-11T18:00:00.00Z</end-time>
</event> </time-information>
<condition> <frequency>only-once</frequency>
<firewall-condition> </event>
<source-target> <conditions>
<src-target>employees</src-target> <firewall-condition>
</source-target> <source>employees</source>
</firewall-condition> </firewall-condition>
<custom-condition> <custom-condition>
<destination-target> <dest-target>sns-websites</dest-target>
<dest-target>sns-websites</dest-target> </custom-condition>
</destination-target> </conditions>
</custom-condition> <actions>
</condition> <primary-action>drop</primary-action>
<action> </actions>
<primary-action>drop</primary-action> <ipsec-method>
</action> <method>ipsec-ike</method>
<ipsec-method> </ipsec-method>
<method>ipsec-ike</method> </rule>
</ipsec-method> </rules>
</rule> </i2nsf-cfi-policy>
</policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
Figure 18: An XML Example for Time-based Firewall Figure 18: An XML Example for Time-based Firewall
Time-based-condition Firewall Time-based-condition Firewall
1. The policy name is "security_policy_for_blocking_sns". 1. The policy name is "security_policy_for_blocking_sns".
2. The rule name is "block_access_to_sns_during_office_hours". 2. The rule name is "block_access_to_sns_during_office_hours".
3. The Source-target is "employees". 3. The Source is "employees".
4. The destination target is "sns-websites". "sns-websites" is the 4. The destination target is "sns-websites". "sns-websites" is the
key which represents the list containing the information, such as key which represents the list containing the information, such as
URL, about sns-websites. URL, about sns-websites.
5. The action required is to "drop" any attempt to connect to 5. The action required is to "drop" any attempt to connect to
websites related to Social networking. websites related to Social networking.
6. The IPsec method type used for nsf traffic steering is set to 6. The IPsec method type used for nsf traffic steering is set to
"ipsec-ike". "ipsec-ike".
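Review bot: the new Figure 18 no longer matches the scenario text. The rule is described as blocking SNS access "during office hours", but `begin-time`/`end-time` are now a single absolute day (`2020-03-11T09:00:00.00Z` to `2020-03-11T18:00:00.00Z`) with `<frequency>only-once</frequency>`, so the policy would apply on that one date only; either use a recurring frequency value if the model defines one, or change the prose to say the rule applies on that day. In the Section 9.1 text, "three different groups (i.e., user-group, device-group, and payload-group)" names a group the model does not have; `endpoint-groups` contains `user-group`, `device-group` and `location-group`, and payload content lives under `threat-preventions/payload-content`. Good to see the non-well-formed closing tags `</endpoint-group xmlns="...">` and `</policy xmlns="...">` replaced by proper `</endpoint-groups>` and `</i2nsf-cfi-policy>`.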
skipping to change at page 39, line 26 skipping to change at page 39, line 26
cases assume that the security administrators or someone responsible cases assume that the security administrators or someone responsible
for the existing and newly generated policies, are not aware of which for the existing and newly generated policies, are not aware of which
and/or how many NSFs are needed to meet the security requirements. and/or how many NSFs are needed to meet the security requirements.
Figure 19 represents the XML document generated from YANG discussed Figure 19 represents the XML document generated from YANG discussed
in previous sections. Once a high-level seucurity policy is created in previous sections. Once a high-level seucurity policy is created
by a security admin, it is delivered by the Consumer-Facing by a security admin, it is delivered by the Consumer-Facing
Interface, through RESTCONF server, to the security controller. The Interface, through RESTCONF server, to the security controller. The
XML instance is described below: XML instance is described below:
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> <i2nsf-cfi-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
<policy-name>security_policy_for_blocking_malicious_voip_packets</policy-name> <policy-name>security_policy_for_blocking_malicious_voip_packets</policy-name>
<rule> <rules>
<rule-name>Block_malicious_voip_and_volte_packets</rule-name> <rule>
<condition> <rule-name>Block_malicious_voip_and_volte_packets</rule-name>
<custom-condition> <conditions>
<source-target> <custom-condition>
<src-target>malicious-id</src-target> <source>malicious-id</source>
</source-target> </custom-condition>
</custom-condition> <firewall-condition>
<firewall-condition>
<destination-target>
<dest-target>employees</dest-target> <dest-target>employees</dest-target>
</destination-target> </firewall-condition>
</firewall-condition> </conditions>
</condition> <actions>
<action> <primary-action>drop</primary-action>
<primary-action>drop</primary-action> </actions>
</action> <ipsec-method>
<ipsec-method> <method>ipsec-ikeless</method>
<method>ipsec-ikeless</method> </ipsec-method>
</ipsec-method> </rule>
</rule> </rules>
</policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> </i2nsf-cfi-policy>
Figure 19: An XML Example for VoIP Security Service Figure 19: An XML Example for VoIP Security Service
Custom-condition Firewall Custom-condition Firewall
1. The policy name is 1. The policy name is
"security_policy_for_blocking_malicious_voip_packets". "security_policy_for_blocking_malicious_voip_packets".
2. The rule name is "Block_malicious_voip_and_volte_packets". 2. The rule name is "Block_malicious_voip_and_volte_packets".
3. The Source-target is "malicious-id". This can be a single ID or 3. The Source is "malicious-id". This can be a single ID or a list
a list of IDs, depending on how the ID are stored in the of IDs, depending on how the ID are stored in the database. The
database. The "malicious-id" is the key so that the security "malicious-id" is the key so that the security admin can read
admin can read every stored malicious VOIP IDs that are named as every stored malicious VOIP IDs that are named as "malicious-id".
"malicious-id".
4. The destination target is "employees". "employees" is the key 4. The destination target is "employees". "employees" is the key
which represents the list containing information about employees, which represents the list containing information about employees,
such as IP addresses. such as IP addresses.
5. The action required is "drop" when any incoming packets are from 5. The action required is "drop" when any incoming packets are from
"malicious-id". "malicious-id".
6. The IPsec method used for nsf traffic steering is set to "ipsec- 6. The IPsec method used for nsf traffic steering is set to "ipsec-
ikeless". ikeless".
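Review bot: `custom-condition/source` is a leafref to `/i2nsf-cfi-policy/threat-preventions/payload-content/name`, so the value `malicious-id` in Figure 19 must exactly match the `name` of a registered `payload-content` entry, but no such registration is shown (Figure 17 registers only `user-group` and `device-group`) and Section 9.1 says new members must be registered first. Either extend the registration example with a `threat-preventions/payload-content` entry named `malicious-id` or say so in item 3, whose wording "depending on how the ID are stored in the database" suggests a looser lookup than the leafref allows. Style: "seucurity" in "Once a high-level seucurity policy is created" should be "security", and "how the ID are stored" should be "how the IDs are stored".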
skipping to change at page 41, line 5 skipping to change at page 41, line 5
provided by the network should be maintained at all times. If the provided by the network should be maintained at all times. If the
packets sent by any sources are more than the set threshold, then the packets sent by any sources are more than the set threshold, then the
admin can set the percentage of the packets to be dropped to safely admin can set the percentage of the packets to be dropped to safely
maintain the service. In this scenario, the source is set as "any" maintain the service. In this scenario, the source is set as "any"
to block any sources which send abnormal amount of packets. The to block any sources which send abnormal amount of packets. The
destination is set as "web_server01". Once the rule is set and destination is set as "web_server01". Once the rule is set and
delivered and enforced to the nsfs by the securiy controller, the delivered and enforced to the nsfs by the securiy controller, the
NSFs will monitor the incoming packet amounts and the destination to NSFs will monitor the incoming packet amounts and the destination to
act according to the rule set. The XML instance is described below: act according to the rule set. The XML instance is described below:
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> <i2nsf-cfi-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
<policy-name>security_policy_for_ddos_attacks</policy-name> <policy-name>security_policy_for_ddos_attacks</policy-name>
<rule> <rules>
<rule-name>100_packets_per_second</rule-name> <rule>
<condition> <rule-name>100_packets_per_second</rule-name>
<ddos-condition> <conditions>
<destination-target> <ddos-condition>
<dest-target>webservers</dest-target> <dest-target>webservers</dest-target>
</destination-target> <rate-limit>
<rate-limit> <packet-threshold-per-second>100</packet-threshold-per-second>
<packet-per-second>100</packet-per-second> </rate-limit>
</rate-limit> </ddos-condition>
</ddos-condition> </conditions>
</condition> <actions>
<action> <primary-action>drop</primary-action>
<primary-action>drop</primary-action> </actions>
</action> <ipsec-method>
<ipsec-method> <method>ipsec-ikeless</method>
<method>ipsec-ikeless</method> </ipsec-method>
</ipsec-method> </rule>
</rule> </rules>
</policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> </i2nsf-cfi-policy>
Figure 20: An XML Example for DDoS-attack Mitigation Figure 20: An XML Example for DDoS-attack Mitigation
DDoS-condition Firewall DDoS-condition Firewall
1. The policy name is "security_policy_for_ddos_attacks". 1. The policy name is "security_policy_for_ddos_attacks".
2. The rule name is "100_packets_per_second". 2. The rule name is "100_packets_per_second".
3. The destination target is "webservers". "webservers" is the key 3. The destination target is "webservers". "webservers" is the key
which represents the list containing information, such as IP which represents the list containing information, such as IP
addresses and ports, about web-servers. addresses and ports, about web-servers.
4. The rate limit exists to limit the incoming amount of packets per 4. The rate limit exists to limit the incoming amount of packets per
second. In this case the rate limit is "100" packets per second. second. In this case the rate limit is "100" packets per second.
This amount depends on the packet receiving capacity of the This amount depends on the packet receiving capacity of the
server devices. server devices.
5. The Source-target is all sources which send abnormal amount of 5. The Source is all sources which send abnormal amount of packets.
packets.
6. The action required is to "drop" packet reception is more than 6. The action required is to "drop" packet reception is more than
100 packets per second. 100 packets per second.
7. The IPsec method used for nsf traffic steering is set to "ipsec- 7. The IPsec method used for nsf traffic steering is set to "ipsec-
ike". ike".
10. Security Considerations 10. Security Considerations
The data model for the I2NSF Consumer-Facing Interface is based on The data model for the I2NSF Consumer-Facing Interface is based on
the I2NSF framework [RFC8329], so the same security considerations the I2NSF framework [RFC8329], so the same security considerations
with the I2NSF framework should be included in this document. The with the I2NSF framework should be included in this document. The
data model needs a secure communication channel to protect the data model needs a secure communication channel to protect the
Consumer-Facing Interface between the I2NSF User and Security Consumer-Facing Interface between the I2NSF User and Security
Controller. Controller. Also, the data model's management access control is
based on Network Configuration Access Control Model(NACM) mechanisms
[RFC8341].
11. IANA Considerations 11. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy
Registrant Contact: The I2NSF. Registrant Contact: The I2NSF.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
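Review bot: item 7 of the DDoS scenario says the IPsec method is set to "ipsec-ike", but the XML in Figure 20 carries `<method>ipsec-ikeless</method>`; one of the two should change. The scenario prose also says "the source is set as 'any'" and that the admin "can set the percentage of the packets to be dropped", yet the instance has no `source` element under `ddos-condition` and the model's `rate-limit` container offers only `packet-threshold-per-second`; the text should say that an absent `source` means any source and should not promise a percentage the model cannot express. In Security Considerations, the "secure communication channel" sentence could name the transport the draft already assumes (RESTCONF, as stated in the VoIP scenario), alongside the NACM [RFC8341] sentence that was added.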
skipping to change at page 47, line 6 skipping to change at page 47, line 6
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-07 (work in progress), August 2019. protection-07 (work in progress), August 2019.
[i2nsf-terminology] [i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF) Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-08 (work in Terminology", draft-ietf-i2nsf-terminology-08 (work in
progress), July 2019. progress), July 2019.
Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface- Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface-
dm-06 dm-07
The following changes are made from draft-ietf-i2nsf-consumer-facing- The following changes are made from draft-ietf-i2nsf-consumer-facing-
interface-dm-06: interface-dm-07:
o This version has reflected the comments from Jan Lindblad.
o In Section 1, Figure 1 is modified such that "Multi-Tenancy" is
deleted because "Multi-Tenancy" can be described by "Endpoint
Groups" in a policy rule.
o In Section 4, Figure 2 is modified such that the YANG data model
of a policy having at least one rule has a hierarchical structure
rather than a flat structure by deleing the "Multi-Tenancy" field.
o The section named "Information Model for Multi-Tenancy" is
deleted. The multi-tenancy can be specified by "Endpoint Groups"
along with "Network Configuration Access Control Model (NACM)"
mechanisms.
o In Section 5.1, "NACM" is applied in "user-group" and for its
access control.
o In Section 5.2, Figure 10 is modified because the "protocol" field
was missed in the previous version.
o Section 7 is added as "Network Configuration Access Control Model
(NACM)" in order to provide the Consumer-Facing Interface with the
existing access control mechanisms. Also, the reference of
[RFC8341] is added for NACM.
o The section named "Role-based Access Control (RBAC)" is deleted
since this access control can be replaced by "NACM".
o In Section 8, the YANG data module is modified according to the o This version is revised according to the comments from Jan
above changes. Lindblad who reviewed this document as a YANG doctor.
Authors' Addresses Authors' Addresses
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 31 299 4957 Phone: +82 31 299 4957
Fax: +82 31 290 7996 Fax: +82 31 290 7996
EMail: pauljeong@skku.edu EMail: pauljeong@skku.edu
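Review bot: the new Appendix A reduces the change log to a single bullet ("revised according to the comments from Jan Lindblad"), but this revision renames top-level nodes that break every existing instance document: `policy` becomes `i2nsf-cfi-policy`, `rule`/`condition`/`action` become `rules`/`conditions`/`actions`, `endpoint-group` becomes `endpoint-groups`, `threat-prevention` becomes `threat-preventions`, the `threat-feed-list` key changes from `feed-name` to `name`, the condition `case`s become containers, `packet-per-second` becomes `packet-threshold-per-second`, and `begin-time`/`end-time` change from `HH:MM` to full timestamps with a new `frequency` leaf. Each of these should be listed explicitly so implementers of -07 can see what to update.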