Comparison of draft-ietf-i2nsf-nsf-facing-interface-dm-02.txt and draft-ietf-i2nsf-nsf-facing-interface-dm-03.txt. Where the two versions differ, the text of each version is given separately, labelled (dm-02) and (dm-03).

I2NSF Working Group                                              J. Kim
Internet-Draft                                                 J. Jeong
Intended status: Standards Track                Sungkyunkwan University
Expires: May 8, 2019 (dm-02) / September 12, 2019 (dm-03)       J. Park
                                                                   ETRI
                                                               S. Hares
                                                                 Q. Lin
                                                                 Huawei
                             November 4, 2018 (dm-02) / March 11, 2019 (dm-03)

I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-02 / draft-ietf-i2nsf-nsf-facing-interface-dm-03
Abstract (dm-02)

This document defines a YANG data model corresponding to the information model for Network Security Functions (NSF)-Facing Interface in Interface to Network Security Functions (I2NSF). It describes a data model for the features provided by generic security functions. This data model provides vendors with generic components that they understand well, so these generic components can be used even if they have some vendor specific functions. These generic functions represent a point of interoperability, and can be provided by any product that offers the required capabilities. Also, if they need additional features for their network security functions, the vendors can easily add the features by extending the YANG data model in this document.

Abstract (dm-03)

This document defines a YANG data model for configuring security policy rules on network security functions. The YANG data model in this document corresponds to the information model for Network Security Functions (NSF)-Facing Interface in Interface to Network Security Functions (I2NSF).
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 8, 2019 (dm-02) / September 12, 2019 (dm-03).
Copyright Notice

Copyright (c) 2018 (dm-02) / 2019 (dm-03) IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents (dm-02)

1. Introduction ... 2
2. Requirements Language ... 3
3. Terminology ... 3
3.1. Tree Diagrams ... 4
4. The Structure and Objective of I2NSF Security Policy ... 4
4.1. I2NSF Security Policy Rule ... 4
4.2. Event Clause ... 4
4.3. Condition Clause ... 4
4.4. Action Clause ... 5
5. Data Model Structure ... 5
5.1. I2NSF Security Policy Rule ... 5
5.2. Event Clause ... 7
5.3. Condition Clause ... 8
5.4. Action Clause ... 10
6. YANG Module ... 12
6.1. IETF NSF-Facing Interface YANG Data Module ... 12
7. Security Considerations ... 47
8. References ... 47
8.1. Normative References ... 47
8.2. Informative References ... 47
Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01 ... 48
Appendix B. Acknowledgments ... 48
Appendix C. Contributors ... 48
Authors' Addresses ... 49

Table of Contents (dm-03)

1. Introduction ... 2
2. Requirements Language ... 3
3. Terminology ... 3
3.1. Tree Diagrams ... 3
4. YANG Tree Diagram ... 4
4.1. General I2NSF Security Policy Rule ... 4
4.2. Event Clause ... 6
4.3. Condition Clause ... 7
4.4. Action Clause ... 12
5. YANG Data Module ... 13
5.1. I2NSF NSF-Facing Interface YANG Data Module ... 13
6. IANA Considerations ... 77
7. Security Considerations ... 78
8. References ... 78
8.1. Normative References ... 78
8.2. Informative References ... 79
Appendix A. Configuration Examples ... 81
A.1. Security Requirement 1: Block SNS Access during Business Hours ... 81
A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to the Company ... 84
A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server ... 87
Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02 ... 90
Appendix C. Acknowledgments ... 91
Appendix D. Contributors ... 91
Authors' Addresses ... 91
1. Introduction (dm-02)

This document defines a YANG [RFC6020] data model for the configuration of security services with the information model for the Network Security Functions (NSF)-facing interface in Interface to Network Security Functions (I2NSF). It provides a specific information model and the corresponding data models for generic network security functions, as defined in [i2nsf-nsf-cap-im]. With these data models, an I2NSF controller can control the capabilities of NSFs.

The "Event-Condition-Action" (ECA) policy model is used as the basis for the design of I2NSF Policy Rules described in [RFC8329] and [i2nsf-nsf-cap-im].

The "ietf-i2nsf-nsf-facing-interface" YANG module defined in this document provides the following features:

o Configuration of I2NSF security policy rule for generic network security function policy;

o Configuration of event clause for generic network security function policy;

o Configuration of condition clause for generic network security function policy;

o Configuration of action clause for generic network security function policy.

1. Introduction (dm-03)

This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of network security devices. The YANG data model corresponds to the information model [i2nsf-nsf-cap-im] for the Network Security Functions (NSF)-facing interface in Interface to Network Security Functions (I2NSF). The YANG data model in this document focuses on security policy configuration for generic network security functions. Note that security policy configuration for advanced network security functions is specified in [i2nsf-advanced-nsf-dm].

This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy Rules.

The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the following features:

o Configuration for the general security policy rule of a generic network security function.

o Configuration for an event clause of a generic network security function.

o Configuration for a condition clause of a generic network security function.

o Configuration for an action clause of a generic network security function.
2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (dm-02) / [RFC2119][RFC8174] (dm-03).
3. Terminology

This document uses the terminology described in [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model]. Especially, the following terms are from [supa-policy-info-model]:

o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language,

[text unchanged between the versions omitted by the comparison; dm-02 resumes at page 4, line 9, dm-03 at page 3, line 50]

o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol.
3.1. Tree Diagrams

A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams ([RFC8431] in dm-02, [RFC8340] in dm-03) is as follows:

o Brackets "[" and "]" enclose list keys.

o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only).

o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list".

o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").

o Ellipsis ("...") stands for contents of subtrees that are not shown.
4. The Structure and Objective of I2NSF Security Policy (dm-02)

4.1. I2NSF Security Policy Rule (dm-02)

This shows a policy rule for generic network security functions. The object of a policy rule is defined as policy information and rule information. This includes an ECA Policy Rule with Event Clause Objects, Condition Clause Objects, Action Clause Objects, Resolution Strategy, and Default Action.

4.2. Event Clause (dm-02)

This shows an event clause for generic network security functions. An Event is any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. When used in the context of I2NSF Policy Rules, it is used to determine whether the Condition clause of the I2NSF Policy Rule can be evaluated or not. The objects of an event clause are defined as user security event, device security event, system security event, and time security event. The objects of event clauses can be extended according to specific vendor event features.

4.3. Condition Clause (dm-02)

This shows a condition clause for generic network security functions. A condition is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed. These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition. The objects of condition clauses can be extended according to specific vendor condition features.

4.4. Action Clause (dm-02)

This shows an action clause for generic network security functions. An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. The objects of an action clause are defined as ingress action, egress action, and apply profile action. The objects of action clauses can be extended according to specific vendor action features.

5. Data Model Structure (dm-02)

This section shows a data model structure tree of generic network security functions that are defined in [i2nsf-nsf-cap-im]. Note that a detailed data model for the configuration of the advanced network security functions is described in [i2nsf-advanced-nsf-dm]. The section discusses the following subjects:

o Consideration of the ECA Policy Model by aggregating the Event, Condition, and Action Clause Objects;

o Consideration of Capability Algebra;

o Consideration of NSF Capability Categories (i.e., Network Security, Content Security, and Attack Mitigation Capabilities);

o Definition of the Network Security Event Class, Network Security Condition Class, and Network Security Action Class.

5.1. I2NSF Security Policy Rule (dm-02)

The data model for the identification of network security policy has the following structure:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        +--rw system-policy-name   string
        +--rw priority-usage       priority-usage-type
        +--rw rules* [rule-name]
        |  +--rw rule-name             string
        |  +--rw rule-description?     string
        |  +--rw rule-priority?        uint8
        |  +--rw enable?               boolean
        |  +--rw session-aging-time?   uint16
        |  +--rw long-connection
        |  |  +--rw enable?   boolean
        |  |  +--rw during?   uint16
        |  +--rw time-zone
        |  |  +--rw absolute-time-zone
        |  |  |  +--rw time
        |  |  |  |  +--rw start-time?   yang:date-and-time
        |  |  |  |  +--rw end-time?     yang:date-and-time
        |  |  |  +--rw date
        |  |  |     +--rw absolute-date?   yang:date-and-time
        |  |  +--rw periodic-time-zone
        |  |     +--rw day
        |  |     |  +--rw sunday?      boolean
        |  |     |  +--rw monday?      boolean
        |  |     |  +--rw tuesday?     boolean
        |  |     |  +--rw wednesday?   boolean
        |  |     |  +--rw thursday?    boolean
        |  |     |  +--rw friday?      boolean
        |  |     |  +--rw saturday?    boolean
        |  |     +--rw month
        |  |        +--rw january?     boolean
        |  |        +--rw february?    boolean
        |  |        +--rw march?       boolean
        |  |        +--rw april?       boolean
        |  |        +--rw may?         boolean
        |  |        +--rw june?        boolean
        |  |        +--rw july?        boolean
        |  |        +--rw august?      boolean
        |  |        +--rw september?   boolean
        |  |        +--rw october?     boolean
        |  |        +--rw november?    boolean
        |  |        +--rw december?    boolean
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     ...
        +--rw resolution-strategy
        |  +--rw (resolution-strategy-type)?
        |     +--:(fmr)
        |     |  +--rw first-matching-rule?   boolean
        |     +--:(lmr)
        |        +--rw last-matching-rule?    boolean
        +--rw default-action
        |  +--rw default-action-type?   boolean
        +--rw rule-group
           +--rw groups* [group-name]
              +--rw group-name     string
              +--rw rule-range
              |  +--rw start-rule?   string
              |  +--rw end-rule?     string
              +--rw enable?        boolean
              +--rw description?   string

Figure 1: Data Model Structure for Network Security Policy Identification (dm-02)

4. YANG Tree Diagram (dm-03)

This section shows a YANG tree diagram of generic network security functions. Note that a detailed data model for the configuration of the advanced network security functions is described in [i2nsf-advanced-nsf-dm]. The section describes the following subjects:

o General I2NSF security policy rule of a generic network security function.

o An event clause of a generic network security function.

o A condition clause of a generic network security function.

o An action clause of a generic network security function.

4.1. General I2NSF Security Policy Rule (dm-03)

This section shows the YANG tree diagram for a general I2NSF security policy rule.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        +--rw system-policy-name     string
        +--rw priority-usage?        identityref
        +--rw resolution-strategy?   identityref
        +--rw default-action?        identityref
        +--rw rules* [rule-name]
           +--rw rule-name           string
           +--rw rule-description?   string
           +--rw rule-priority?      uint8
           +--rw rule-enable?        boolean
           +--rw time-zone
           |  +--rw absolute-time-zone
           |  |  +--rw start-time?   start-time-type
           |  |  +--rw end-time?     end-time-type
           |  +--rw periodic-time-zone
           |     +--rw day
           |     |  +--rw every-day?      boolean
           |     |  +--rw specific-day*   day-type
           |     +--rw month
           |        +--rw every-month?      boolean
           |        +--rw specific-month*   month-type
           +--rw event-clause-container
           |  ...
           +--rw condition-clause-container
           |  ...
           +--rw action-clause-container
              ...

Figure 1: YANG Tree Diagram for Network Security Policy (dm-03)

This YANG tree diagram shows a general I2NSF security policy rule for generic network security functions.

The system policy represents that there can be multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device. The system policy includes system policy name, priority usage, resolution strategy, default action, and rules.

A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF. The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). The resolution strategy can be extended according to specific vendor action features. The resolution strategy is described in detail in [i2nsf-nsf-cap-im].

A default action is used to execute an I2NSF policy rule when no rule matches a packet. The default action is defined as pass, drop, reject, alert, and mirror. The default action can be extended according to specific vendor action features. The default action is described in detail in [i2nsf-nsf-cap-im].

The rules include rule name, rule description, rule priority, rule enable, time zone, event clause container, condition clause container, and action clause container.
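As an added example (not code from either draft), the following Python evaluator walks a constructed instance of the dm-03 system-policy shown above: it matches a packet against the pkt-sec-ipv4-src/pkt-sec-ipv4-dest and TCP port conditions of the condition clause tree in Section 4.3 (both the exact-match and the range-match case), then applies the resolution strategy (FMR, LMR, PMR) and falls back to default-action when no rule matches. Assumed, because this page does not show them: the strategy and action values are bare strings ("fmr", "lmr", "pmre", "pmrn"; "pass", "drop", "reject", "alert", "mirror") rather than namespaced identityrefs, and each rule carries an "action" leaf standing in for the action-clause-container subtree.

```python
import ipaddress

# Constructed instance of one system-policy entry, using node names from the
# dm-03 tree diagrams (general rule, Section 4.1; condition clause, Section 4.3).
# ASSUMPTIONS: strategy/action values are plain strings, and the 'action' leaf
# stands in for the action-clause-container subtree, which this page omits.
SAMPLE_SYSTEM_POLICY = {
    "system-policy-name": "example-policy",
    "resolution-strategy": "fmr",
    "default-action": "drop",
    "rules": [
        {"rule-name": "allow-web-from-lan", "rule-priority": 10, "rule-enable": True,
         "condition-clause-container": {
             "packet-security-ipv4-condition": {
                 "pkt-sec-ipv4-src": {   # exact-match entry with (subnet) prefix-length
                     "ipv4-address": [{"ipv4": "10.0.0.0", "prefix-length": 8}]}},
             "packet-security-tcp-condition": {
                 "pkt-sec-tcp-dest-port-num": {"port-num": [80, 443]}}},  # exact-match
         "action": "pass"},
        {"rule-name": "reject-quarantined-hosts", "rule-priority": 50, "rule-enable": True,
         "condition-clause-container": {
             "packet-security-ipv4-condition": {
                 "pkt-sec-ipv4-src": {   # range-match
                     "range-ipv4-address": [
                         {"start-ipv4-address": "10.0.5.0", "end-ipv4-address": "10.0.5.255"}]}}},
         "action": "reject"},
        {"rule-name": "mirror-everything", "rule-priority": 99, "rule-enable": False,
         "condition-clause-container": {},   # rule-enable false: never considered
         "action": "mirror"},
    ],
}


def _ipv4_entry_matches(entry, addr):
    """One ipv4-address list entry: leaf 'ipv4' plus optional (subnet) prefix-length or netmask."""
    suffix = entry.get("prefix-length", entry.get("netmask", 32))
    net = ipaddress.ip_network(f"{entry['ipv4']}/{suffix}", strict=False)
    return ipaddress.ip_address(addr) in net


def _ipv4_field_matches(node, addr):
    """pkt-sec-ipv4-src / pkt-sec-ipv4-dest: (match-type) exact-match or range-match.
    An absent match-type imposes no constraint on the field."""
    if "ipv4-address" in node:
        return any(_ipv4_entry_matches(e, addr) for e in node["ipv4-address"])
    if "range-ipv4-address" in node:
        a = ipaddress.ip_address(addr)
        return any(ipaddress.ip_address(r["start-ipv4-address"]) <= a
                   <= ipaddress.ip_address(r["end-ipv4-address"])
                   for r in node["range-ipv4-address"])
    return True


def _port_field_matches(node, port):
    """pkt-sec-tcp-src-port-num / pkt-sec-tcp-dest-port-num: port-num* (exact) or range-port-num* (range)."""
    if "port-num" in node:
        return port in node["port-num"]
    if "range-port-num" in node:
        return any(r["start-port-num"] <= port <= r["end-port-num"] for r in node["range-port-num"])
    return True


def condition_matches(cond, pkt):
    """Evaluate a condition-clause-container against a packet dict {src, dst, sport, dport}."""
    ipv4 = cond.get("packet-security-ipv4-condition", {})
    tcp = cond.get("packet-security-tcp-condition", {})
    return (_ipv4_field_matches(ipv4.get("pkt-sec-ipv4-src", {}), pkt["src"])
            and _ipv4_field_matches(ipv4.get("pkt-sec-ipv4-dest", {}), pkt["dst"])
            and _port_field_matches(tcp.get("pkt-sec-tcp-src-port-num", {}), pkt["sport"])
            and _port_field_matches(tcp.get("pkt-sec-tcp-dest-port-num", {}), pkt["dport"]))


def evaluate(system_policy, pkt):
    """Return (rule-name or None, action) for pkt under the policy's resolution-strategy."""
    matched = [r for r in system_policy["rules"]
               if r.get("rule-enable", True)
               and condition_matches(r.get("condition-clause-container", {}), pkt)]
    if not matched:                        # no rule matched: default-action applies
        return None, system_policy["default-action"]
    strategy = system_policy["resolution-strategy"]
    if strategy == "fmr":                  # First Matching Rule
        chosen = matched[0]
    elif strategy == "lmr":                # Last Matching Rule
        chosen = matched[-1]
    elif strategy in ("pmre", "pmrn"):     # Prioritized Matching Rule: highest rule-priority wins
        # The "with errors" / "no errors" distinction is defined in [i2nsf-nsf-cap-im]
        # and is not modelled here.
        chosen = max(matched, key=lambda r: r.get("rule-priority", 0))
    else:
        raise ValueError(f"unsupported resolution-strategy: {strategy}")
    return chosen["rule-name"], chosen["action"]


def with_strategy(system_policy, strategy):
    """Copy of the policy with a different resolution-strategy, for comparing strategies."""
    return {**system_policy, "resolution-strategy": strategy}


if __name__ == "__main__":
    pkt = {"src": "10.0.5.7", "dst": "192.0.2.10", "sport": 40000, "dport": 443}
    for s in ("fmr", "lmr", "pmre"):
        print(s, evaluate(with_strategy(SAMPLE_SYSTEM_POLICY, s), pkt))
```

The same packet from 10.0.5.7 matches both enabled rules, so the chosen action depends only on the resolution strategy; packets matching no rule receive the default action.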
5.2. Event Clause (dm-02)

The data model for event rule has the following structure:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        |  +--rw event-clause-container
        |  |  +--rw event-clause-list* [eca-object-id]
        |  |     +--rw entity-class?       identityref
        |  |     +--rw eca-object-id       string
        |  |     +--rw description?        string
        |  |     +--rw sec-event-content   string
        |  |     +--rw sec-event-format    sec-event-format
        |  |     +--rw sec-event-type      string
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     ...
        +--rw resolution-strategy
        |  ...
        +--rw default-action
        |  ...
        +--rw rule-group
           ...

Figure 2: Data Model Structure for Event Rule (dm-02)

These objects are defined as user security event, device security event, system security event, and time security event. These objects can be extended according to specific vendor event features. We will add additional event objects for more generic network security functions.

4.2. Event Clause (dm-03)

This section shows the YANG tree diagram for an event clause of an I2NSF security policy rule.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
           ...
           +--rw event-clause-container
           |  +--rw event-clause-description?   string
           |  +--rw event-clauses
           |     +--rw system-event*   identityref
           |     +--rw system-alarm*   identityref
           +--rw condition-clause-container
           |  ...
           +--rw action-clause-container
              ...

Figure 2: YANG Tree Diagram for Network Security Policy (dm-03)

This YANG tree diagram shows an event clause of an I2NSF security policy rule for generic network security functions. An event clause is any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as system event and system alarm. The event clause can be extended according to specific vendor event features. The event clause is described in detail in [i2nsf-nsf-cap-im].
5.3. Condition Clause (dm-02)

The data model for condition rule has the following structure:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  +--rw condition-clause-list* [eca-object-id]
        |  |     +--rw entity-class?   identityref
        |  |     +--rw eca-object-id   string
        |  |     +--rw packet-security-condition
        |  |     |  +--rw packet-description?   string
        |  |     |  +--rw packet-security-mac-condition
        |  |     |  |  +--rw pkt-sec-cond-mac-dest*         yang:phys-address
        |  |     |  |  +--rw pkt-sec-cond-mac-src*          yang:phys-address
        |  |     |  |  +--rw pkt-sec-cond-mac-8021q*        string
        |  |     |  |  +--rw pkt-sec-cond-mac-ether-type*   string
        |  |     |  |  +--rw pkt-sec-cond-mac-tci*          string
        |  |     |  +--rw packet-security-ipv4-condition
        |  |     |  |  +--rw pkt-sec-cond-ipv4-header-length*     uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-tos*               uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-total-length*      uint16
        |  |     |  |  +--rw pkt-sec-cond-ipv4-id*                uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-fragment*          uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-fragment-offset*   uint16
        |  |     |  |  +--rw pkt-sec-cond-ipv4-ttl*               uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-protocol*          uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv4-src*               inet:ipv4-address
        |  |     |  |  +--rw pkt-sec-cond-ipv4-dest*              inet:ipv4-address
        |  |     |  |  +--rw pkt-sec-cond-ipv4-ipopts?            string
        |  |     |  |  +--rw pkt-sec-cond-ipv4-sameip?            boolean
        |  |     |  |  +--rw pkt-sec-cond-ipv4-geoip*             string
        |  |     |  +--rw packet-security-ipv6-condition
        |  |     |  |  +--rw pkt-sec-cond-ipv6-dscp*             string
        |  |     |  |  +--rw pkt-sec-cond-ipv6-ecn*              string
        |  |     |  |  +--rw pkt-sec-cond-ipv6-traffic-class*    uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv6-flow-label*       uint32
        |  |     |  |  +--rw pkt-sec-cond-ipv6-payload-length*   uint16
        |  |     |  |  +--rw pkt-sec-cond-ipv6-next-header*      uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv6-hop-limit*        uint8
        |  |     |  |  +--rw pkt-sec-cond-ipv6-src*              inet:ipv6-address
        |  |     |  |  +--rw pkt-sec-cond-ipv6-dest*             inet:ipv6-address
        |  |     |  +--rw packet-security-tcp-condition
        |  |     |  |  +--rw pkt-sec-cond-tcp-src-port*      inet:port-number
        |  |     |  |  +--rw pkt-sec-cond-tcp-dest-port*     inet:port-number
        |  |     |  |  +--rw pkt-sec-cond-tcp-seq-num*       uint32
        |  |     |  |  +--rw pkt-sec-cond-tcp-ack-num*       uint32
        |  |     |  |  +--rw pkt-sec-cond-tcp-window-size*   uint16
        |  |     |  |  +--rw pkt-sec-cond-tcp-flags*         uint8
        |  |     |  +--rw packet-security-udp-condition
        |  |     |  |  +--rw pkt-sec-cond-udp-src-port*    inet:port-number
        |  |     |  |  +--rw pkt-sec-cond-udp-dest-port*   inet:port-number
        |  |     |  |  +--rw pkt-sec-cond-udp-length*      string
        |  |     |  +--rw packet-security-icmp-condition
        |  |     |     +--rw pkt-sec-cond-icmp-type*      uint8
        |  |     |     +--rw pkt-sec-cond-icmp-code*      uint8
        |  |     |     +--rw pkt-sec-cond-icmp-seg-num*   uint32
        |  |     +--rw packet-payload-condition
        |  |     |  +--rw packet-payload-description?   string
        |  |     |  +--rw pkt-payload-content*          string
        |  |     +--rw acl-number?   uint32
        |  |     +--rw application-condition
        |  |     |  +--rw application-description?   string
        |  |     |  +--rw application-object*        string
        |  |     |  +--rw application-group*         string
        |  |     |  +--rw application-label*         string
        |  |     |  +--rw category
        |  |     |     +--rw application-category* [name application-subcategory]
        |  |     |        +--rw name                      string
        |  |     |        +--rw application-subcategory   string
        |  |     +--rw target-condition
        |  |     |  +--rw target-description?   string
        |  |     |  +--rw device-sec-context-cond
        |  |     |     +--rw pc?                 boolean
        |  |     |     +--rw mobile-phone?       boolean
        |  |     |     +--rw voip-volte-phone?   boolean
        |  |     |     +--rw tablet?             boolean
        |  |     |     +--rw iot?                boolean
        |  |     |     +--rw vehicle?            boolean
        |  |     +--rw users-condition
        |  |     |  +--rw users-description?   string
        |  |     |  +--rw user
        |  |     |  |  +--rw (user-name)?
        |  |     |  |     +--:(tenant)
        |  |     |  |     |  +--rw tenant   uint8
        |  |     |  |     +--:(vn-id)
        |  |     |  |        +--rw vn-id    uint8
        |  |     |  +--rw group
        |  |     |  |  +--rw (group-name)?
        |  |     |  |     +--:(tenant)
        |  |     |  |     |  +--rw tenant   uint8
        |  |     |  |     +--:(vn-id)
        |  |     |  |        +--rw vn-id    uint8
        |  |     |  +--rw security-grup   string
        |  |     +--rw url-category-condition
        |  |     |  +--rw url-category-description?   string
        |  |     |  +--rw pre-defined-category*       string
        |  |     |  +--rw user-defined-category*      string
        |  |     +--rw context-condition
        |  |     |  +--rw context-description?   string
        |  |     +--rw gen-context-condition
        |  |        +--rw gen-context-description?   string
        |  |        +--rw geographic-location
        |  |           +--rw src-geographic-location*    uint32
        |  |           +--rw dest-geographic-location*   uint32
        |  +--rw action-clause-container
        |     ...
        +--rw resolution-strategy
        |  ...
        +--rw default-action
        |  ...
        +--rw rule-group
           ...

4.3. Condition Clause (dm-03)

This section shows the YANG tree diagram for a condition clause of an I2NSF security policy rule.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
           ...
           +--rw event-clause-container
           |  ...
           +--rw condition-clause-container
           |  +--rw condition-clause-description?   string
           |  +--rw packet-security-ipv4-condition
           |  |  +--rw pkt-sec-ipv4-header-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-header-length*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-header-length* [start-ipv4-header-length end-ipv4-header-length]
           |  |  |           +--rw start-ipv4-header-length   uint8
           |  |  |           +--rw end-ipv4-header-length     uint8
           |  |  +--rw pkt-sec-ipv4-tos*   identityref
           |  |  +--rw pkt-sec-ipv4-total-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-total-length*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-total-length* [start-ipv4-total-length end-ipv4-total-length]
           |  |  |           +--rw start-ipv4-total-length   uint16
           |  |  |           +--rw end-ipv4-total-length     uint16
           |  |  +--rw pkt-sec-ipv4-id*               uint16
           |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
           |  |  +--rw pkt-sec-ipv4-fragment-offset
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-fragment-offset*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-fragment-offset* [start-ipv4-fragment-offset end-ipv4-fragment-offset]
           |  |  |           +--rw start-ipv4-fragment-offset   uint16
           |  |  |           +--rw end-ipv4-fragment-offset     uint16
           |  |  +--rw pkt-sec-ipv4-ttl
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-ttl*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
           |  |  |           +--rw start-ipv4-ttl   uint8
           |  |  |           +--rw end-ipv4-ttl     uint8
           |  |  +--rw pkt-sec-ipv4-protocol*   identityref
           |  |  +--rw pkt-sec-ipv4-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-address* [ipv4]
           |  |  |     |     +--rw ipv4   inet:ipv4-address
           |  |  |     |     +--rw (subnet)?
           |  |  |     |        +--:(prefix-length)
           |  |  |     |        |  +--rw prefix-length?   uint8
           |  |  |     |        +--:(netmask)
           |  |  |     |           +--rw netmask?   yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address* [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address   inet:ipv4-address
           |  |  |           +--rw end-ipv4-address     inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-dest
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4
           |  |  |     |     +--rw ipv4-address* [ipv4]
           |  |  |     |        +--rw ipv4   inet:ipv4-address
           |  |  |     |        +--rw (subnet)?
           |  |  |     |           +--:(prefix-length)
           |  |  |     |           |  +--rw prefix-length?   uint8
           |  |  |     |           +--:(netmask)
           |  |  |     |              +--rw netmask?   yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address* [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address   inet:ipv4-address
           |  |  |           +--rw end-ipv4-address     inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
           |  |  +--rw pkt-sec-ipv4-sameip?   boolean
           |  |  +--rw pkt-sec-ipv4-geoip*    string
           |  +--rw packet-security-ipv6-condition
           |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
           |  |  +--rw pkt-sec-ipv6-flow-label
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-flow-label*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-flow-label* [start-ipv6-flow-label end-ipv6-flow-label]
           |  |  |           +--rw start-ipv6-flow-label   uint32
           |  |  |           +--rw end-ipv6-flow-label     uint32
           |  |  +--rw pkt-sec-ipv6-payload-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-payload-length*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-payload-length* [start-ipv6-payload-length end-ipv6-payload-length]
           |  |  |           +--rw start-ipv6-payload-length   uint16
           |  |  |           +--rw end-ipv6-payload-length     uint16
           |  |  +--rw pkt-sec-ipv6-next-header*   identityref
           |  |  +--rw pkt-sec-ipv6-hop-limit
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-hop-limit*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-hop-limit* [start-ipv6-hop-limit end-ipv6-hop-limit]
           |  |  |           +--rw start-ipv6-hop-limit   uint8
           |  |  |           +--rw end-ipv6-hop-limit     uint8
           |  |  +--rw pkt-sec-ipv6-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6
           |  |  |     |     +--rw ipv6-address* [ipv6]
           |  |  |     |        +--rw ipv6             inet:ipv6-address
           |  |  |     |        +--rw prefix-length?   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-address* [start-ipv6-address end-ipv6-address]
           |  |  |           +--rw start-ipv6-address   inet:ipv6-address
           |  |  |           +--rw end-ipv6-address     inet:ipv6-address
           |  |  +--rw pkt-sec-ipv6-dest
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw ipv6-address* [ipv6]
           |  |        |     +--rw ipv6             inet:ipv6-address
           |  |        |     +--rw prefix-length?   uint8
           |  |        +--:(range-match)
           |  |           +--rw range-ipv6-address* [start-ipv6-address end-ipv6-address]
           |  |              +--rw start-ipv6-address   inet:ipv6-address
           |  |              +--rw end-ipv6-address     inet:ipv6-address
           |  +--rw packet-security-tcp-condition
           |  |  +--rw pkt-sec-tcp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-tcp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-tcp-seq-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-seq-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-seq-num* [start-tcp-seq-num end-tcp-seq-num]
           |  |  |           +--rw start-tcp-seq-num   uint32
           |  |  |           +--rw end-tcp-seq-num     uint32
           |  |  +--rw pkt-sec-tcp-ack-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-ack-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-ack-num* [start-tcp-ack-num end-tcp-ack-num]
           |  |  |           +--rw start-tcp-ack-num   uint32
           |  |  |           +--rw end-tcp-ack-num     uint32
           |  |  +--rw pkt-sec-tcp-window-size
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-window-size*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-window-size* [start-tcp-window-size end-tcp-window-size]
           |  |  |           +--rw start-tcp-window-size   uint16
           |  |  |           +--rw end-tcp-window-size     uint16
           |  |  +--rw pkt-sec-tcp-flags*   identityref
           |  +--rw packet-security-udp-condition
           |  |  +--rw pkt-sec-udp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-udp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-udp-total-length
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw udp-total-length*   uint32
| | +--:(range-match)
| | +--rw range-udp-total-length*
[start-udp-total-length end-udp-total-length]
| | +--rw start-udp-total-length uint32
| | +--rw end-udp-total-length uint32
| +--rw packet-security-icmp-condition
| | +--rw pkt-sec-icmp-type* identityref
| +--rw packet-security-http-condition
| | +--rw pkt-sec-uri-content* string
| | +--rw pkt-sec-url-content* string
| +--rw packet-security-voice-condition
| | +--rw pkt-sec-src-voice-id* string
| | +--rw pkt-sec-dest-voice-id* string
| | +--rw pkt-sec-user-agent* string
| +--rw packet-security-ddos-condition
| +--rw pkt-sec-alert-rate? uint32
+--rw action-clause-container
...
Figure 3: Data Model Structure for Condition Rule Figure 3: YANG Tree Diagram for Network Security Policy
[-02 (left column)]

These objects are defined as packet security condition, packet
payload security condition, target security condition, user security
condition, context condition, and generic context condition. These
objects can be extended according to specific vendor condition
features. We will add additional condition objects for more generic
network security functions.

[-03 (right column)]

This YANG tree diagram shows a condition clause of an I2NSF security
policy rule for generic network security functions. A condition clause
is defined as a set of attributes, features, and/or values that are to
be compared with a set of known attributes, features, and/or values in
order to determine whether the set of actions in that (imperative)
I2NSF policy rule can be executed. The condition clause is classified
into conditions of generic network security functions and conditions
of advanced network security functions. The condition clause of
generic network security functions is defined as packet security IPv4
condition, packet security IPv6 condition, packet security TCP
condition, and packet security ICMP condition. The condition clause of
advanced network security functions is defined as packet security HTTP
condition, packet security voice condition, and packet security DDoS
condition. Note that this document deals only with simple conditions
of advanced network security functions; the condition clauses of
advanced network security functions are described in detail in
[i2nsf-advanced-nsf-dm]. The condition clause can be extended
according to specific vendor condition features and is described in
detail in [i2nsf-nsf-cap-im].
[-02 (left column)]

5.4. Action Clause

The data model for the action rule has the following structure:

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     +--rw system-policy* [system-policy-name]
     |  ...
     |  +--rw event-clause-container
     |  |  ...
     |  +--rw condition-clause-container
     |  |  ...
     |  +--rw action-clause-container
     |     +--rw action-clause-list* [eca-object-id]
     |        +--rw entity-class?   identityref
     |        +--rw eca-object-id   string
     |        +--rw rule-log?       boolean
     |        +--rw session-log?    boolean
     |        +--rw ingress-action
     |        |  +--rw ingress-description?   string
     |        |  +--rw ingress-action-type?   ingress-action
     |        +--rw egress-action
     |        |  +--rw egress-description?   string
     |        |  +--rw egress-action-type?   egress-action
     |        +--rw apply-profile
     |           +--rw profile-description?   string
     |           +--rw content-security-control
     |           |  +--rw content-security-control-types
     |           |     +--rw antivirus?             string
     |           |     +--rw ips?                   string
     |           |     +--rw ids?                   string
     |           |     +--rw url-filtering?         string
     |           |     +--rw data-filtering?        string
     |           |     +--rw mail-filtering?        string
     |           |     +--rw file-blocking?         string
     |           |     +--rw file-isolate?          string
     |           |     +--rw pkt-capture?           string
     |           |     +--rw application-control?   string
     |           |     +--rw voip-volte?            string
     |           +--rw attack-mitigation-control
     |              +--rw ddos-attack
     |              |  +--rw ddos-attack-type
     |              |     +--rw network-layer-ddos-attack
     |              |     |  +--rw network-layer-ddos-attack-type
     |              |     |     +--rw syn-flood?       string
     |              |     |     +--rw udp-flood?       string
     |              |     |     +--rw icmp-flood?      string
     |              |     |     +--rw ip-frag-flood?   string
     |              |     |     +--rw ipv6-related?    string
     |              |     +--rw app-layer-ddos-attack
     |              |        +--rw app-ddos-attack-types
     |              |           +--rw http-flood?      string
     |              |           +--rw https-flood?     string
     |              |           +--rw dns-flood?       string
     |              |           +--rw dns-amp-flood?   string
     |              |           +--rw ssl-ddos?        string
     |              +--rw single-packet-attack
     |                 +--rw single-packet-attack-type
     |                    +--rw scan-and-sniff-attack
     |                    |  +--rw scan-and-sniff-attack-types
     |                    |     +--rw ip-sweep?        string
     |                    |     +--rw port-scanning?   string
     |                    +--rw malformed-packet-attack
     |                    |  +--rw malformed-packet-attack-types
     |                    |     +--rw ping-of-death?   string
     |                    |     +--rw teardrop?        string
     |                    +--rw special-packet-attack
     |                       +--rw special-packet-attack-types
     |                          +--rw oversized-icmp?   string
     |                          +--rw tracert?          string
     +--rw resolution-strategy
     |  ...
     +--rw default-action
     |  ...
     +--rw rule-group
        ...

Figure 4: Data Model Structure for Action Rule

These objects are defined as ingress action, egress action, and apply
profile action. These objects can be extended according to specific
vendor action features. We will add additional action objects for
more generic network security functions.

[-03 (right column)]

4.4. Action Clause

This section shows the YANG tree diagram for an action clause of an
I2NSF security policy rule.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     ...
     +--rw rules* [rule-name]
        ...
        +--rw event-clause-container
        |  ...
        +--rw condition-clause-container
        |  ...
        +--rw action-clause-container
           +--rw action-clause-description?   string
           +--rw packet-action
           |  +--rw ingress-action?   identityref
           |  +--rw egress-action?    identityref
           |  +--rw log-action?       identityref
           +--rw advanced-action
              +--rw content-security-control*    identityref
              +--rw attack-mitigation-control*   identityref

Figure 4: YANG Tree Diagram for Network Security Policy

This YANG tree diagram shows an action clause of an I2NSF security
policy rule for generic network security functions. An action is used
to control and monitor aspects of flow-based NSFs when the event and
condition clauses are satisfied. NSFs provide security services by
executing various actions. The action clause is defined as ingress
action, egress action, log action, and advanced action for additional
inspection. The advanced action is described in detail in [RFC8329]
and [i2nsf-nsf-cap-im]. The action clause can be extended according
to specific vendor action features and is described in detail in
[i2nsf-nsf-cap-im].
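The condition and action clauses above say what an NSF compares and what it
does when the comparison succeeds, but the tree diagrams do not say how the
(match-type) choice or a list of values is evaluated. The following Python is
an added example, not code from this draft or from any I2NSF implementation:
it models one rule whose dictionary keys follow the -03 tree node names
(pkt-sec-ipv6-src with ipv6-address and prefix-length, pkt-sec-ipv6-next-header,
pkt-sec-ipv6-hop-limit with range-ipv6-hop-limit, pkt-sec-tcp-dest-port-num with
port-num, pkt-sec-tcp-flags, and packet-action with ingress-action and
log-action) and evaluates it against constructed packets. Three things are this
example's assumptions because the diagrams do not state them: the condition
nodes present in a clause are ANDed while the values inside one node are
alternatives; every flag listed in pkt-sec-tcp-flags must be set; and the
identity names "drop" and "rule-log" are placeholders for action identities
that are not part of this excerpt. The intermediate ipv6 container shown under
pkt-sec-ipv6-src is flattened in the rule dictionary.

```python
"""Evaluate the condition and action clauses of one I2NSF policy rule.
Added example, not draft or implementation code. Keys follow the -03 tree
above; the matching semantics and action identity names are assumptions."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                     # constructed packet summary, matched fields only
    src: str
    dst: str
    next_header: str              # identity name: "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    hop_limit: int = 64
    tcp_flags: frozenset = frozenset()

def _bounds(entry: dict) -> tuple:
    # one range-match list entry carries a start-*/end-* key pair
    lo = next(v for k, v in entry.items() if k.startswith("start-"))
    hi = next(v for k, v in entry.items() if k.startswith("end-"))
    return lo, hi

def match_number(node: dict, value: int) -> bool:
    """(match-type) for numeric fields: exact-match is a leaf-list (any listed
    value matches); range-match is a list of inclusive start/end entries.
    An empty node constrains nothing; two keys would violate the choice."""
    if not node:
        return True
    (key, val), = node.items()
    if key.startswith("range-"):
        return any(lo <= value <= hi for lo, hi in map(_bounds, val))
    return value in val

def match_ipv6(node: dict, address: str) -> bool:
    """(match-type) for pkt-sec-ipv6-src/dest: exact-match entries carry an
    optional prefix-length, so one entry can cover a whole prefix."""
    if not node:
        return True
    addr = ipaddress.IPv6Address(address)
    if "ipv6-address" in node:
        return any(addr in ipaddress.IPv6Network(
                       (e["ipv6"], e.get("prefix-length", 128)), strict=False)
                   for e in node["ipv6-address"])
    return any(ipaddress.IPv6Address(lo) <= addr <= ipaddress.IPv6Address(hi)
               for lo, hi in map(_bounds, node["range-ipv6-address"]))

def condition_matches(cond: dict, pkt: Packet) -> bool:
    """Every condition node present must match (assumed AND semantics)."""
    v6 = cond.get("packet-security-ipv6-condition", {})
    nh = v6.get("pkt-sec-ipv6-next-header")
    checks = [
        match_ipv6(v6.get("pkt-sec-ipv6-src", {}), pkt.src),
        match_ipv6(v6.get("pkt-sec-ipv6-dest", {}), pkt.dst),
        not nh or pkt.next_header in nh,
        match_number(v6.get("pkt-sec-ipv6-hop-limit", {}), pkt.hop_limit),
    ]
    tcp = cond.get("packet-security-tcp-condition")
    if tcp:  # a TCP condition can only be satisfied by a TCP packet
        checks += [
            pkt.next_header == "tcp",
            match_number(tcp.get("pkt-sec-tcp-src-port-num", {}), pkt.sport),
            match_number(tcp.get("pkt-sec-tcp-dest-port-num", {}), pkt.dport),
            # assumption: every flag listed in pkt-sec-tcp-flags must be set
            set(tcp.get("pkt-sec-tcp-flags", ())) <= pkt.tcp_flags,
        ]
    return all(checks)

def evaluate(rule: dict, pkt: Packet) -> dict:
    """Return the rule's packet-action when its condition clause matches; an
    empty dict means this rule decides nothing (default-action territory)."""
    if condition_matches(rule.get("condition-clause-container", {}), pkt):
        return dict(rule["action-clause-container"]["packet-action"])
    return {}

# Constructed rule: drop TCP SYNs from the guest prefix towards telnet ports.
# "drop" and "rule-log" stand in for action identities not shown on this page.
RULE = {
    "condition-clause-container": {
        "packet-security-ipv6-condition": {
            "pkt-sec-ipv6-src": {"ipv6-address": [
                {"ipv6": "2001:db8:1::", "prefix-length": 48}]},
            "pkt-sec-ipv6-next-header": ["tcp"],
            "pkt-sec-ipv6-hop-limit": {"range-ipv6-hop-limit": [
                {"start-ipv6-hop-limit": 1, "end-ipv6-hop-limit": 128}]}},
        "packet-security-tcp-condition": {
            "pkt-sec-tcp-dest-port-num": {"port-num": [23, 2323]},
            "pkt-sec-tcp-flags": ["syn"]}},
    "action-clause-container": {
        "packet-action": {"ingress-action": "drop", "log-action": "rule-log"}},
}

DST = "2001:db8:ffff::1"          # constructed packets, keyed by what each shows
PACKETS = {
    "guest-telnet-syn":    Packet("2001:db8:1:2::10", DST, "tcp", 51000, 23,
                                  tcp_flags=frozenset({"syn"})),
    "guest-https":         Packet("2001:db8:1:2::10", DST, "tcp", 51001, 443,
                                  tcp_flags=frozenset({"syn"})),
    "corp-telnet-syn":     Packet("2001:db8:2::5", DST, "tcp", 40000, 23,
                                  tcp_flags=frozenset({"syn"})),
    "guest-telnet-ack":    Packet("2001:db8:1::7", DST, "tcp", 51002, 23,
                                  tcp_flags=frozenset({"ack"})),
    "guest-telnet-hop255": Packet("2001:db8:1::7", DST, "tcp", 51004, 23, 255,
                                  frozenset({"syn"})),
}
```

Calling evaluate(RULE, PACKETS["guest-telnet-syn"]) returns the rule's
packet-action; every other constructed packet returns an empty dict. The
matcher deliberately does not turn a non-match into a pass: in the tree a
decision for unmatched traffic belongs to default-action (elided as "..."),
not to an individual rule, and an NSF that silently passed on non-match would
turn every omitted condition node into an allow.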
[-02 (left column)]

6. YANG Module

6.1. IETF NSF-Facing Interface YANG Data Module

This section introduces a YANG module for the information model of
network security functions, as defined in [i2nsf-nsf-cap-im].

[-03 (right column)]

5. YANG Data Module

5.1. I2NSF NSF-Facing Interface YANG Data Module

This section introduces a YANG data module for the configuration of
security policy rules on network security functions.
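The identities in the module below form a graph rather than a flat list: one
identity may have several bases (normal is derived from both type-of-service
and traffic-class, tcp from both protocol and next-header) and a base may
itself be derived (access-violation from system-event from event). A consumer
validating an identityref leaf such as pkt-sec-tcp-flags therefore has to walk
base chains, not compare names. The following Python is an added example, not
part of the draft or of any YANG toolchain: it extracts identity statements
with a small regular expression (enough for this module's flat statements, not
a general YANG parser) and implements YANG's derived-from-or-self over the
result. The identity excerpt is copied from the module on this page with
reference substatements dropped; the leaf bases used in the checks
(next-header, protocol, tcp-flags) are assumptions, since the leaves' type
statements are not in this excerpt.

```python
"""Resolve YANG identity derivation to validate identityref values.
Added example, not draft text or a YANG toolchain; the regex handles this
module's flat identity statements, it is not a general YANG parser."""
import re

# Identity statements copied from the module on this page (references
# dropped); constructed test input. "fin" is deliberately left out to show
# how an identity the module does not define is reported.
YANG_IDENTITIES = """
  identity event {
    description "Base identity for event of policy.";
  }
  identity system-event { base event; description "Identity for system event"; }
  identity access-violation {
    base system-event;
    description "Identity for access violation among system events";
  }
  identity type-of-service { description "Base identity for type of service of IPv4"; }
  identity traffic-class { description "Base identity for traffic-class of IPv6"; }
  identity normal {
    base type-of-service;
    base traffic-class;
    description "Identity for normal";
  }
  identity protocol { description "Base identity for protocol of IPv4"; }
  identity next-header { description "Base identity for next header of IPv6"; }
  identity tcp { base protocol; base next-header; description "Identity for tcp"; }
  identity tcp-flags { description "Base identity for tcp flags"; }
  identity syn { base tcp-flags; description "Identity for synchronize"; }
  identity ack { base tcp-flags; description "Identity for acknowledgement"; }
"""

def parse_identities(yang_text: str) -> dict:
    """Return {identity: set(of base identities)}. Quoted strings are blanked
    first so a word such as "Base" inside a description is never read as a
    base statement."""
    text = re.sub(r'"[^"]*"', '""', yang_text)
    identities = {}
    for m in re.finditer(r"\bidentity\s+([\w-]+)\s*\{([^}]*)\}", text):
        identities[m.group(1)] = set(
            re.findall(r"\bbase\s+([\w:-]+)\s*;", m.group(2)))
    return identities

def derived_from_or_self(identities: dict, name: str, base: str) -> bool:
    """YANG derived-from-or-self(): follow every base chain (an identity may
    have several bases, as normal and tcp do) until base is reached."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur == base:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(identities.get(cur, ()))
    return False

def valid_identityref(identities: dict, value: str, base: str) -> bool:
    """A leaf 'type identityref { base B; }' accepts identities derived from
    B; B itself and names the module does not define are rejected
    (RFC 7950, Section 9.10)."""
    return (value in identities and value != base
            and derived_from_or_self(identities, value, base))

def invalid_values(identities: dict, values, base: str) -> list:
    """Entries of a leaf-list such as pkt-sec-tcp-flags* that its (assumed)
    base would reject, in input order."""
    return [v for v in values if not valid_identityref(identities, v, base)]

IDENTITIES = parse_identities(YANG_IDENTITIES)
```

With this, valid_identityref(IDENTITIES, "tcp", "next-header") and
valid_identityref(IDENTITIES, "tcp", "protocol") are both true because tcp has
two bases, while "normal" is rejected for a next-header leaf and "next-header"
is rejected for itself. The set-based walk also terminates on a malformed
module whose base statements form a cycle.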
[-02 (left column)]

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2018-11-04.yang"
module ietf-i2nsf-policy-rule-for-nsf {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    policy-rule-for-nsf;
  import ietf-inet-types{
    prefix inet;
  }
  import ietf-yang-types{
    prefix yang;
  }
  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";
  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>
skipping to change at page 13, line 27
     <mailto:timkim@skku.edu>
     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>
     Editor: Susan Hares
     <mailto:shares@ndzh.com>";
  description
    "This module defines a YANG data module for network security
     functions.";
  revision "2018-11-04"{
    description "The fourth revision";
    reference
      "draft-ietf-i2nsf-capability-04";
  }
  typedef sec-event-format {

[-03 (right column)]

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang"
module ietf-i2nsf-policy-rule-for-nsf {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    iiprfn;
  import ietf-inet-types{
    prefix inet;
    reference "RFC 6991";
  }
  import ietf-yang-types{
    prefix yang;
    reference "RFC 6991";
  }
  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";
  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>
skipping to change at page 14, line 11
     <mailto:timkim@skku.edu>
     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>
     Editor: Susan Hares
     <mailto:shares@ndzh.com>";
  description
    "This module defines a YANG data module for network security
     functions.

     Copyright (c) 2018 IETF Trust and the persons
     identified as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 8341; see
     the RFC itself for full legal notices.";
  revision "2019-03-11"{
    description "Initial revision.";
    reference
      "RFC XXXX: I2NSF Network Security Function-Facing Interface
       YANG Data Model";
  }
  /*
   * Identities
   */
identity priority-usage-type {
description
"Base identity for priority usage type.";
}
identity priority-by-order {
base priority-usage-type;
description
"Identity for priority by order";
}
identity priority-by-number {
base priority-usage-type;
description
"Identity for priority by number";
}
identity event {
description
"Base identity for event of policy.";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- Event";
}
identity system-event {
base event;
description
"Identity for system event";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System event";
}
identity system-alarm {
base event;
description
"Identity for system alarm";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity access-violation {
base system-event;
description
"Identity for access violation
among system events";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System event";
}
identity configuration-change {
base system-event;
description
"Identity for configuration change
among system events";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System event";
}
identity memory-alarm {
base system-alarm;
description
"Identity for memory alarm
among system alarms";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity cpu-alarm {
base system-alarm;
description
"Identity for cpu alarm
among system alarms";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity disk-alarm {
base system-alarm;
description
"Identity for disk alarm
among system alarms";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity hardware-alarm {
base system-alarm;
description
"Identity for hardware alarm
among system alarms";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity interface-alarm {
base system-alarm;
description
"Identity for interface alarm
among system alarms";
reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm";
}
identity type-of-service {
description
"Base identity for type of service of IPv4";
reference
"RFC 791: Internet Protocol - Type of Service";
}
identity traffic-class {
description
"Base identity for traffic-class of IPv6";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity normal {
base type-of-service;
base traffic-class;
description
"Identity for normal";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity minimize-cost {
base type-of-service;
base traffic-class;
description
"Identity for minimize cost";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-reliability {
base type-of-service;
base traffic-class;
description
"Identity for maximize reliability";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-throughput {
base type-of-service;
base traffic-class;
description
"Identity for maximize throughput";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity minimize-delay {
base type-of-service;
base traffic-class;
description
"Identity for minimize delay";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity maximize-security {
base type-of-service;
base traffic-class;
description
"Identity for maximize security";
reference
"RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class";
}
identity fragmentation-flags-type {
description
"Base identity for fragmentation flags type";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity fragment {
base fragmentation-flags-type;
description
"Identity for fragment";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity no-fragment {
base fragmentation-flags-type;
description
"Identity for no fragment";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity reserved {
base fragmentation-flags-type;
description
"Identity for reserved";
reference
"RFC 791: Internet Protocol - Fragmentation Flags";
}
identity protocol {
description
"Base identity for protocol of IPv4";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Protocol";
}
identity next-header {
description
"Base identity for next header of IPv6";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity icmp {
base protocol;
base next-header;
description
"Identity for icmp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity igmp {
base protocol;
base next-header;
description
"Identity for igmp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity tcp {
base protocol;
base next-header;
description
"Identity for tcp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity igrp {
base protocol;
base next-header;
description
"Identity for igrp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity udp {
base protocol;
base next-header;
description
"Identity for udp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity gre {
base protocol;
base next-header;
description
"Identity for gre";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity esp {
base protocol;
base next-header;
description
"Identity for esp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ah {
base protocol;
base next-header;
description
"Identity for ah";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity mobile {
base protocol;
base next-header;
description
"Identity for mobile";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity tlsp {
base protocol;
base next-header;
description
"Identity for tlsp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity skip {
base protocol;
base next-header;
description
"Identity for skip";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ipv6-icmp {
base protocol;
base next-header;
description
"Identity for IPv6 icmp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity eigrp {
base protocol;
base next-header;
description
"Identity for eigrp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ospf {
base protocol;
base next-header;
description
"Identity for ospf";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity l2tp {
base protocol;
base next-header;
description
"Identity for l2tp";
reference
"RFC 790: Assigned numbers - Assigned Internet
Protocol Number
RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header";
}
identity ipopts {
description
"Base identity for IP options";
reference
"RFC 791: Internet Protocol - Options";
}
identity rr {
base ipopts;
description
"Identity for record route";
reference
"RFC 791: Internet Protocol - Options";
}
identity eol {
base ipopts;
description
"Identity for end of list";
reference
"RFC 791: Internet Protocol - Options";
}
identity nop {
base ipopts;
description
"Identity for no operation";
reference
"RFC 791: Internet Protocol - Options";
}
identity ts {
base ipopts;
description
"Identity for time stamp";
reference
"RFC 791: Internet Protocol - Options";
}
identity sec {
base ipopts;
description
"Identity for IP security";
reference
"RFC 791: Internet Protocol - Options";
}
identity esec {
base ipopts;
description
"Identity for IP extended security";
reference
"RFC 791: Internet Protocol - Options";
}
identity lsrr {
base ipopts;
description
"Identity for loose source routing";
reference
"RFC 791: Internet Protocol - Options";
}
identity ssrr {
base ipopts;
description
"Identity for strict source routing";
reference
"RFC 791: Internet Protocol - Options";
}
identity satid {
base ipopts;
description
"Identity for stream identifier";
reference
"RFC 791: Internet Protocol - Options";
}
identity any {
base ipopts;
description
"Identity for which any IP options are set";
reference
"RFC 791: Internet Protocol - Options";
}
identity tcp-flags {
description
"Base identity for tcp flags";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity cwr {
base tcp-flags;
description
"Identity for congestion window reduced";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity ecn {
base tcp-flags;
description
"Identity for explicit congestion notification";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity urg {
base tcp-flags;
description
"Identity for urgent";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity ack {
base tcp-flags;
description
"Identity for acknowledgement";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity psh {
base tcp-flags;
description
"Identity for push";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity rst {
base tcp-flags;
description
"Identity for reset";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity syn {
base tcp-flags;
description
"Identity for synchronize";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity fin {
base tcp-flags;
description
"Identity for finish";
reference
"RFC 793: Transmission Control Protocol - Flags";
}
identity icmp-type {
description
"Base identity for icmp types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity echo-reply {
base icmp-type;
description
"Identity for echo reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-unreachable {
base icmp-type;
description
"Identity for destination unreachable";
reference
"RFC 792: Internet Control Message Protocol";
}
identity source-quench {
base icmp-type;
description
"Identity for source quench";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect {
base icmp-type;
description
"Identity for redirect";
reference
"RFC 792: Internet Control Message Protocol";
}
identity alternate-host-address {
base icmp-type;
description
"Identity for alternate host address";
reference
"RFC 792: Internet Control Message Protocol";
}
identity echo {
base icmp-type;
description
"Identity for echo";
reference
"RFC 792: Internet Control Message Protocol";
}
identity router-advertisement {
base icmp-type;
description
"Identity for router advertisement";
reference
"RFC 792: Internet Control Message Protocol";
}
identity router-solicitation {
base icmp-type;
description
"Identity for router solicitation";
reference
"RFC 792: Internet Control Message Protocol";
}
identity time-exceeded {
base icmp-type;
description
"Identity for time exceeded";
reference
"RFC 792: Internet Control Message Protocol";
}
identity parameter-problem {
base icmp-type;
description
"Identity for parameter problem";
reference
"RFC 792: Internet Control Message Protocol";
}
identity timestamp {
base icmp-type;
description
"Identity for timestamp";
reference
"RFC 792: Internet Control Message Protocol";
}
identity timestamp-reply {
base icmp-type;
description
"Identity for timestamp reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity information-request {
base icmp-type;
description
"Identity for information request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity information-reply {
base icmp-type;
description
"Identity for information reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity address-mask-request {
base icmp-type;
description
"Identity for address mask request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity address-mask-reply {
base icmp-type;
description
"Identity for address mask reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity traceroute {
base icmp-type;
description
"Identity for traceroute";
reference
"RFC 792: Internet Control Message Protocol";
}
identity datagram-conversion-error {
base icmp-type;
description
"Identity for datagram conversion error";
reference
"RFC 792: Internet Control Message Protocol";
}
identity mobile-host-redirect {
base icmp-type;
description
"Identity for mobile host redirect";
reference
"RFC 792: Internet Control Message Protocol";
}
identity ipv6-where-are-you {
base icmp-type;
description
"Identity for IPv6 where are you";
reference
"RFC 792: Internet Control Message Protocol";
}
identity ipv6-i-am-here {
base icmp-type;
description
"Identity for IPv6 i am here";
reference
"RFC 792: Internet Control Message Protocol";
}
identity mobile-registration-request {
base icmp-type;
description
"Identity for mobile registration request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity mobile-registration-reply {
base icmp-type;
description
"Identity for mobile registration reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity domain-name-request {
base icmp-type;
description
"Identity for domain name request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity domain-name-reply {
base icmp-type;
description
"Identity for domain name reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity iskip {
base icmp-type;
description
"Identity for icmp skip";
reference
"RFC 792: Internet Control Message Protocol";
}
identity photuris {
base icmp-type;
description
"Identity for photuris";
reference
"RFC 792: Internet Control Message Protocol";
}
identity experimental-mobility-protocols {
base icmp-type;
description
"Identity for experimental mobility protocols";
reference
"RFC 792: Internet Control Message Protocol";
}
identity extended-echo-request {
base icmp-type;
description
"Identity for extended echo request";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity extended-echo-reply {
base icmp-type;
description
"Identity for extended echo reply";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity net-unreachable {
base icmp-type;
description
"Identity for net unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity host-unreachable {
base icmp-type;
description
"Identity for host unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity protocol-unreachable {
base icmp-type;
description
"Identity for protocol unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity port-unreachable {
base icmp-type;
description
"Identity for port unreachable
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity fragment-set {
base icmp-type;
description
"Identity for fragmentation set
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity source-route-failed {
base icmp-type;
description
"Identity for source route failed
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-network-unknown {
base icmp-type;
description
"Identity for destination network unknown
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-host-unknown {
base icmp-type;
description
"Identity for destination host unknown
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity source-host-isolated {
base icmp-type;
description
"Identity for source host isolated
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity communication-prohibited-with-destination-network {
base icmp-type;
description
"Identity for which communication with destination network
is administratively prohibited in destination unreachable
types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity communication-prohibited-with-destination-host {
base icmp-type;
description
"Identity for which communication with destination host
is administratively prohibited in destination unreachable
types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-network-unreachable-for-tos {
base icmp-type;
description
"Identity for destination network unreachable
for type of service in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity destination-host-unreachable-for-tos {
base icmp-type;
description
"Identity for destination host unreachable
for type of service in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity communication-prohibited {
base icmp-type;
description
"Identity for communication administratively prohibited
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity host-precedence-violation {
base icmp-type;
description
"Identity for host precedence violation
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity precedence-cutoff-in-effect {
base icmp-type;
description
"Identity for precedence cutoff in effect
in destination unreachable types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect-datagram-for-the-network {
base icmp-type;
description
"Identity for redirect datagram for the network
(or subnet) in redirect types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect-datagram-for-the-host {
base icmp-type;
description
"Identity for redirect datagram for the host
in redirect types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect-datagram-for-the-tos-and-network {
base icmp-type;
description
"Identity for redirect datagram for the type of
service and network in redirect types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity redirect-datagram-for-the-tos-and-host {
base icmp-type;
description
"Identity for redirect datagram for the type of
service and host in redirect types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity normal-router-advertisement {
base icmp-type;
description
"Identity for normal router advertisement
in router advertisement types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity does-not-route-common-traffic {
base icmp-type;
description
"Identity for does not route common traffic
in router advertisement types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity time-to-live-exceeded-in-transit {
base icmp-type;
description
"Identity for time to live exceeded in transit
in time exceeded types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity fragment-reassembly-time-exceeded {
base icmp-type;
description
"Identity for fragment reassembly time exceeded
in time exceeded types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity pointer-indicates-the-error {
base icmp-type;
description
"Identity for pointer indicates the error
in parameter problem types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity missing-a-required-option {
base icmp-type;
description
"Identity for missing a required option
in parameter problem types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity bad-length {
base icmp-type;
description
"Identity for bad length
in parameter problem types";
reference
"RFC 792: Internet Control Message Protocol";
}
identity bad-spi {
base icmp-type;
description
"Identity for bad SPI
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity authentication-failed {
base icmp-type;
description
"Identity for authentication failed
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity decompression-failed {
base icmp-type;
description
"Identity for decompression failed
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity decryption-failed {
base icmp-type;
description
"Identity for decryption failed
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity need-authentication {
base icmp-type;
description
"Identity for need authentication
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity need-authorization {
base icmp-type;
description
"Identity for need authorization
in photuris types";
reference
"RFC 2521: ICMP Security Failures Messages";
}
identity req-no-error {
base icmp-type;
description
"Identity for request with no error
in extended echo request types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity rep-no-error {
base icmp-type;
description
"Identity for reply with no error
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity malformed-query {
base icmp-type;
description
"Identity for malformed query
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity no-such-interface {
base icmp-type;
description
"Identity for no such interface
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity no-such-table-entry {
base icmp-type;
description
"Identity for no such table entry
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity multiple-interfaces-satisfy-query {
base icmp-type;
description
"Identity for multiple interfaces satisfy query
in extended echo reply types";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
}
identity content-security-control {
description
"Base identity for content security control";
reference
"RFC 8329: Framework for Interface to
Network Security Functions - Differences
from ACL Data Models
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities";
}
identity antivirus {
base content-security-control;
description
"Identity for antivirus";
}
identity ips {
base content-security-control;
description
"Identity for ips";
}
identity ids {
base content-security-control;
description
"Identity for ids";
}
identity url-filtering {
base content-security-control;
description
"Identity for url filtering";
}
identity mail-filtering {
base content-security-control;
description
"Identity for mail filtering";
}
identity file-blocking {
base content-security-control;
description
"Identity for file blocking";
}
identity file-isolate {
base content-security-control;
description
"Identity for file isolate";
}
identity pkt-capture {
base content-security-control;
description
"Identity for packet capture";
}
identity application-control {
base content-security-control;
description
"Identity for application control";
}
identity voip-volte {
base content-security-control;
description
"Identity for voip and volte";
}
identity attack-mitigation-control {
description
"Base identity for attack mitigation control";
reference
"RFC 8329: Framework for Interface to
Network Security Functions - Differences
from ACL Data Models
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities";
}
identity syn-flood {
base attack-mitigation-control;
description
"Identity for syn flood";
}
identity udp-flood {
base attack-mitigation-control;
description
"Identity for udp flood";
}
identity icmp-flood {
base attack-mitigation-control;
description
"Identity for icmp flood";
}
identity ip-frag-flood {
base attack-mitigation-control;
description
"Identity for ip frag flood";
}
identity ipv6-related {
base attack-mitigation-control;
description
"Identity for ipv6 related";
}
identity http-and-https-flood {
base attack-mitigation-control;
description
"Identity for http and https flood";
}
identity dns-flood {
base attack-mitigation-control;
description
"Identity for dns flood";
}
identity dns-amp-flood {
base attack-mitigation-control;
description
"Identity for dns amp flood";
}
identity ssl-ddos {
base attack-mitigation-control;
description
"Identity for ssl ddos";
}
identity ip-sweep {
base attack-mitigation-control;
description
"Identity for ip sweep";
}
identity port-scanning {
base attack-mitigation-control;
description
"Identity for port scanning";
}
identity ping-of-death {
base attack-mitigation-control;
description
"Identity for ping of death";
}
identity teardrop {
base attack-mitigation-control;
description
"Identity for teardrop";
}
identity oversized-icmp {
base attack-mitigation-control;
description
"Identity for oversized icmp";
}
identity tracert {
base attack-mitigation-control;
description
"Identity for tracert";
}
identity ingress-action {
description
"Base identity for ingress action";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Ingress Action";
}
identity egress-action {
description
"Base identity for egress action";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Egress action";
}
identity default-action {
description
"Base identity for default action";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Default action";
}
identity pass {
base ingress-action;
base egress-action;
base default-action;
description
"Identity for pass";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Actions and
default action";
}
identity drop {
base ingress-action;
base egress-action;
base default-action;
description
"Identity for drop";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Actions and
default action";
}
identity reject {
base ingress-action;
base egress-action;
base default-action;
description
"Identity for reject";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Actions and
default action";
}
identity alert {
base ingress-action;
base egress-action;
base default-action;
description
"Identity for alert";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Actions and
default action";
}
identity mirror {
base ingress-action;
base egress-action;
base default-action;
description
"Identity for mirror";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Actions and
default action";
}
identity log-action {
description
"Base identity for log action";
}
identity rule-log {
base log-action;
description
"Identity for rule log";
}
identity session-log {
base log-action;
description
"Identity for session log";
}
identity invoke-signaling {
base egress-action;
description
"Identity for invoke signaling";
}
identity tunnel-encapsulation {
base egress-action;
description
"Identity for tunnel encapsulation";
}
identity forwarding {
base egress-action;
description
"Identity for forwarding";
}
identity redirection {
base egress-action;
description
"Identity for redirection";
}
identity resolution-strategy {
description
"Base identity for resolution strategy";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
identity fmr {
base resolution-strategy;
description
"Identity for First Matching Rule (FMR)";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
identity lmr {
base resolution-strategy;
description
"Identity for Last Matching Rule (LMR)";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
identity pmr {
base resolution-strategy;
description
"Identity for Prioritized Matching Rule (PMR)";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
identity pmre {
base resolution-strategy;
description
"Identity for Prioritized Matching Rule
with Errors (PMRE)";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
identity pmrn {
base resolution-strategy;
description
"Identity for Prioritized Matching Rule
with No Errors (PMRN)";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy";
}
/*
* Typedefs
*/
typedef start-time-type {
type union {
type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
type enumeration {
enum right-away {
description
"Immediate rule execution
in the system.";
}
}
}
description
"Start time when the rules are applied.";
}
typedef end-time-type {
type union {
type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
type enumeration {
enum infinitely {
description
"Infinite rule execution
in the system.";
}
}
}
description
"End time when the rules are applied.";
}
typedef day-type {
type enumeration {
enum sunday {
description
"Sunday for periodic day";
}
enum monday {
description
"Monday for periodic day";
}
enum tuesday {
description
"Tuesday for periodic day";
}
enum wednesday {
description
"Wednesday for periodic day";
}
enum thursday {
description
"Thursday for periodic day";
}
enum friday {
description
"Friday for periodic day";
}
enum saturday {
description
"Saturday for periodic day";
}
}
description
"This can be used for the rules to be applied
according to periodic day";
}
typedef month-type {
type enumeration {
enum january {
description
"January for periodic month";
}
enum february {
description
"February for periodic month";
}
enum march {
description
"March for periodic month";
}
enum april {
description
"April for periodic month";
}
enum may {
description
"May for periodic month";
}
enum june {
description
"June for periodic month";
}
enum july {
description
"July for periodic month";
}
enum august {
description
"August for periodic month";
}
enum september {
description
"September for periodic month";
}
enum october {
description
"October for periodic month";
}
enum november {
description
"November for periodic month";
}
enum december {
description
"December for periodic month";
}
}
description
"This can be used for the rules to be applied
according to periodic month";
}
/*
* Groupings
*/
grouping ipv4 {
list ipv4-address {
key "ipv4";
description
"The list of IPv4 addresses.";
leaf ipv4 {
type inet:ipv4-address;
description
"The value of the IPv4 address.";
}
choice subnet {
description
"The subnet can be specified as a prefix length or
netmask.";
leaf prefix-length {
type uint8 {
range "0..32";
}
description
"The length of the subnet prefix.";
}
leaf netmask {
type yang:dotted-quad;
description
"The subnet specified as a netmask.";
}
}
}
description
"Grouping for an IPv4 address";
reference
"RFC 791: Internet Protocol - IPv4 address
RFC 8344: A YANG Data Model for IP Management";
}
grouping ipv6 {
list ipv6-address {
key "ipv6";
description
"The list of IPv6 addresses.";
leaf ipv6 {
type inet:ipv6-address;
description
"The value of the IPv6 address.";
}
leaf prefix-length {
type uint8 {
range "0..128";
}
description
"The length of the subnet prefix.";
}
}
description
"Grouping for an IPv6 address";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address
RFC 8344: A YANG Data Model for IP Management";
}
grouping pkt-sec-ipv4 {
choice match-type {
description
"There are two types to configure a security policy
for an IPv4 address: exact match and range match.";
case exact-match {
uses ipv4;
description
"Exact match for an IPv4 address.";
}
case range-match {
list range-ipv4-address {
key "start-ipv4-address end-ipv4-address";
leaf start-ipv4-address {
type inet:ipv4-address;
description
"Start IPv4 address for a range match.";
}
leaf end-ipv4-address {
type inet:ipv4-address;
description
"End IPv4 address for a range match.";
}
description
"Range match for an IPv4 address.";
}
}
}
description
"Grouping for an IPv4 address.";
reference
"RFC 791: Internet Protocol - IPv4 address";
}
grouping pkt-sec-ipv6 {
choice match-type {
description
"There are two types to configure a security policy
for an IPv6 address: exact match and range match.";
case exact-match {
uses ipv6;
description
"Exact match for an IPv6 address.";
}
case range-match {
list range-ipv6-address {
key "start-ipv6-address end-ipv6-address";
leaf start-ipv6-address {
type inet:ipv6-address;
description
"Start IPv6 address for a range match.";
}
leaf end-ipv6-address {
type inet:ipv6-address;
description
"End IPv6 address for a range match.";
}
description
"Range match for an IPv6 address.";
}
}
}
description
"Grouping for an IPv6 address.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address";
}
grouping pkt-sec-port-number {
choice match-type {
description
"There are two types to configure a security policy
for a port number: exact match and range match.";
case exact-match {
leaf-list port-num {
type inet:port-number;
description
"Exact match for a port number.";
}
}
case range-match {
list range-port-num {
key "start-port-num end-port-num";
leaf start-port-num {
type inet:port-number;
description
"Start port number for a range match.";
}
leaf end-port-num {
type inet:port-number;
description
"End port number for a range match.";
}
description
"Range match for a port number.";
}
}
}
description
"Grouping for a port number.";
reference
"RFC 793: Transmission Control Protocol - Port number
RFC 768: User Datagram Protocol - Port number";
}
/*
* Data nodes
*/
container i2nsf-security-policy {
description
"Container for security policy
including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network
security policy is able to apply over both the unidirectional
and bidirectional traffic across the NSF.
The I2NSF security policies use the Event-Condition-Action
(ECA) policy model.";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Design Principles and ECA Policy Model
Overview";
list system-policy {
key "system-policy-name";
description
"The system-policy list represents that there could be
multiple system policies in one NSF, and each system policy
is used by one virtual instance of the NSF/device.";
leaf system-policy-name {
type string;
mandatory true;
description
"The name of the policy.
This must be unique.";
}
leaf priority-usage {
type identityref {
base priority-usage-type;
}
default priority-by-order;
description
"Priority usage type for security policy rules:
priority by order or priority by number";
}
leaf resolution-strategy {
type identityref {
base resolution-strategy;
}
default fmr;
description
"The resolution strategy specifies how to resolve
conflicts that occur between the actions of the same
or different policy rules that are matched and contained
in this particular NSF";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution strategy";
}
leaf default-action {
type identityref {
base default-action;
}
default alert;
description
"This default action can be used to specify a predefined
action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement.";
reference
"draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Default action";
}
list rules {
key "rule-name";
description
"This is a rule for network security functions.";
leaf rule-name {
type string;
mandatory true;
description
"The name of the rule.
This must be unique.";
}
leaf rule-description {
type string;
description
"This description gives more information about
the rule.";
}
leaf rule-priority {
type uint8 {
range "1..255";
}
description
"The priority keyword comes with a mandatory
numeric value which can range from 1 to 255.";
}
leaf rule-enable {
type boolean;
description
"True means the rule is enabled.
False means the rule is not enabled.";
}
container time-zone {
description
"Time zone when the rules are applied";
container absolute-time-zone {
description
"Rule execution according to absolute time";
leaf start-time {
type start-time-type;
default right-away;
description
"Start time when the rules are applied";
}
leaf end-time {
type end-time-type;
default infinitely;
description
"End time when the rules are applied";
}
}
container periodic-time-zone {
description
"Rule execution according to periodic time";
container day {
description
"Rule execution according to day.";
leaf every-day {
type boolean;
default true;
description
"Rule execution every day";
}
leaf-list specific-day {
when "../every-day = 'false'";
type day-type;
description
"Rule execution according
to specific days";
}
}
container month {
description
"Rule execution according to month.";
leaf every-month {
type boolean;
default true;
description
"Rule execution every month";
}
leaf-list specific-month {
when "../every-month = 'false'";
type month-type;
description
"Rule execution according
to specific months";
}
}
}
}
container event-clause-container {
description
"An event is defined as any important
occurrence in time of a change in the system being
managed, and/or in the environment of the system being
managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that
violate any ACL).";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Design Principles and ECA
Policy Model Overview
draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG
Data Model for Monitoring I2NSF Network Security
Functions - System Alarm and System Events";
leaf event-clause-description {
type string;
description
"Description for an event clause";
}
container event-clauses {
description
"It has two event types:
system event and system alarm.";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Design Principles and ECA Policy
Model Overview
draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG
Data Model for Monitoring I2NSF Network Security
Functions - System Alarm and System Events";
leaf-list system-event {
type identityref {
base system-event;
}
description
"The security policy rule according to
system events.";
}
leaf-list system-alarm {
type identityref {
base system-alarm;
}
description
"The security policy rule according to
system alarms.";
}
}
}
container condition-clause-container {
description
"A condition is defined as a set
of attributes, features, and/or values that are to be
compared with a set of known attributes, features,
and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired
state.";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Design Principles and ECA Policy
Model Overview";
leaf-list pkt-sec-cond-ipv6-traffic-class { leaf condition-clause-description {
type uint8; type string;
description description
"The bits of this field hold two values. The 6 "Description for a condition clause.";
most-significant bits are used for }
differentiated services, which is used to
classify packets.";
}
leaf-list pkt-sec-cond-ipv6-flow-label { container packet-security-ipv4-condition {
type uint32; description
description "The purpose of this container is to represent IPv4
"The flow label when set to a non-zero value packet header information to determine if the set
serves as a hint to routers and switches of policy actions in this ECA policy rule should be
with multiple outbound paths that these executed or not.";
packets should stay on the same path so that reference
they will not be reordered."; "RFC 791: Internet Protocol";
}
leaf-list pkt-sec-cond-ipv6-payload-length { container pkt-sec-ipv4-header-length {
type uint16; choice match-type {
description description
"The size of the payload in octets, "There are two types to configure a security
including any extension headers."; policy for IPv4 header length, such as exact match
} and range match.";
case exact-match {
leaf-list ipv4-header-length {
type uint8 {
range "5..15";
}
description
"Exact match for an IPv4 header length.";
}
}
case range-match {
list range-ipv4-header-length {
key "start-ipv4-header-length
end-ipv4-header-length";
leaf start-ipv4-header-length {
type uint8 {
range "5..15";
}
description
"Start IPv4 header length for a range match.";
}
leaf-list pkt-sec-cond-ipv6-next-header { leaf end-ipv4-header-length {
type uint8; type uint8 {
description range "5..15";
"Specifies the type of the next header. }
This field usually specifies the transport description
layer protocol used by a packet's payload."; "End IPv4 header length for a range match.";
}
description
"Range match for an IPv4 header length.";
}
}
} }
description
"The security policy rule according to
IPv4 header length.";
reference
"RFC 791: Internet Protocol - Header length";
}
leaf-list pkt-sec-cond-ipv6-hop-limit { leaf-list pkt-sec-ipv4-tos {
type uint8; type identityref {
description base type-of-service;
"Replaces the time to live field of IPv4.";
} }
description
"The security policy rule according to
IPv4 type of service.";
reference
"RFC 791: Internet Protocol - Type of service";
}
leaf-list pkt-sec-cond-ipv6-src { container pkt-sec-ipv4-total-length {
type inet:ipv6-address; choice match-type {
description description
"The IPv6 address of the sending node."; "There are two types to configure a security
} policy for IPv4 total length, such as exact match
and range match.";
case exact-match {
leaf-list ipv4-total-length {
type uint16;
description
"Exact match for an IPv4 total length.";
}
}
case range-match {
list range-ipv4-total-length {
key "start-ipv4-total-length end-ipv4-total-length";
leaf start-ipv4-total-length {
type uint16;
description
"Start IPv4 total length for a range match.";
leaf-list pkt-sec-cond-ipv6-dest { }
type inet:ipv6-address; leaf end-ipv4-total-length {
description type uint16;
"The IPv6 address of the destination node(s)."; description
"End IPv4 total length for a range match.";
}
description
"Range match for an IPv4 total length.";
}
}
} }
description
"The security policy rule according to
IPv4 total length.";
reference
"RFC 791: Internet Protocol - Total length";
} }
container packet-security-tcp-condition { leaf-list pkt-sec-ipv4-id {
type uint16;
description description
"The purpose of this Class is to represent packet "The security policy rule according to
TCP packet header information that can be used as IPv4 identification.";
part of a test to determine if the set of Policy reference
Actions in this ECA Policy Rule should be executed "RFC 791: Internet Protocol - Identification";
or not."; }
leaf-list pkt-sec-cond-tcp-src-port {
type inet:port-number;
description
"This is a mandatory string attribute, and
defines the Source Port number (16 bits).";
}
leaf-list pkt-sec-cond-tcp-dest-port { leaf-list pkt-sec-ipv4-fragment-flags {
type inet:port-number; type identityref {
description base fragmentation-flags-type;
"This is a mandatory string attribute, and
defines the Destination Port number (16 bits).";
} }
description
"The security policy rule according to
IPv4 fragment flags.";
reference
"RFC 791: Internet Protocol - Fragment flags";
}
leaf-list pkt-sec-cond-tcp-seq-num { container pkt-sec-ipv4-fragment-offset {
type uint32; choice match-type {
description description
"If the SYN flag is set (1), then this is the "There are two types to configure a security
initial sequence number."; policy for IPv4 fragment offset, such as exact match
} and range match.";
case exact-match {
leaf-list ipv4-fragment-offset {
type uint16 {
range "0..16383";
leaf-list pkt-sec-cond-tcp-ack-num { }
type uint32; description
description "Exact match for an IPv4 fragment offset.";
"If the ACK flag is set then the value of this }
field is the next sequence number that the sender }
is expecting."; case range-match {
list range-ipv4-fragment-offset {
key "start-ipv4-fragment-offset
end-ipv4-fragment-offset";
leaf start-ipv4-fragment-offset {
type uint16 {
range "0..16383";
}
description
"Start IPv4 fragment offset for a range match.";
}
leaf end-ipv4-fragment-offset {
type uint16 {
range "0..16383";
}
description
"End IPv4 fragment offset for a range match.";
}
description
"Range match for an IPv4 fragment offset.";
}
}
} }
description
"The security policy rule according to
IPv4 fragment offset.";
reference
"RFC 791: Internet Protocol - Fragment offset";
}
leaf-list pkt-sec-cond-tcp-window-size { container pkt-sec-ipv4-ttl {
type uint16; choice match-type {
description description
"The size of the receive window, which specifies "There are two types to configure a security
the number of windows size units policy for IPv4 TTL, such as exact match
(by default,bytes) (beyond the segment and range match.";
identified by the sequence number in the case exact-match {
acknowledgment field) that the sender of this leaf-list ipv4-ttl {
segment is currently willing to recive."; type uint8;
description
"Exact match for an IPv4 TTL.";
}
}
case range-match {
list range-ipv4-ttl {
key "start-ipv4-ttl end-ipv4-ttl";
leaf start-ipv4-ttl {
type uint8;
description
"Start IPv4 TTL for a range match.";
}
leaf end-ipv4-ttl {
type uint8;
description
"End IPv4 TTL for a range match.";
}
description
"Range match for an IPv4 TTL.";
}
}
} }
description
"The security policy rule according to
IPv4 time-to-live (TTL).";
reference
"RFC 791: Internet Protocol - Time to live";
}
leaf-list pkt-sec-cond-tcp-flags { leaf-list pkt-sec-ipv4-protocol {
type uint8; type identityref {
description base protocol;
"This is a mandatory string attribute, and defines
the nine Control bit flags (9 bits).";
} }
description
"The security policy rule according to
IPv4 protocol.";
reference
"RFC 791: Internet Protocol - Protocol";
} }
container packet-security-udp-condition { container pkt-sec-ipv4-src {
uses pkt-sec-ipv4;
description description
"The purpose of this Class is to represent packet UDP "The security policy rule according to
packet header information that can be used as part IPv4 source address.";
of a test to determine if the set of Policy Actions reference
in this ECA Policy Rule should be executed or not."; "RFC 791: Internet Protocol - IPv4 Address";
leaf-list pkt-sec-cond-udp-src-port {
type inet:port-number;
description
"This is a mandatory string attribute, and
defines the UDP Source Port number (16 bits).";
}
leaf-list pkt-sec-cond-udp-dest-port {
type inet:port-number;
description
"This is a mandatory string attribute, and
defines the UDP Destination Port number (16 bits).";
}
leaf-list pkt-sec-cond-udp-length {
type string;
description
"This is a mandatory string attribute, and defines
the length in bytes of the UDP header and data
(16 bits).";
}
} }
container packet-security-icmp-condition { container pkt-sec-ipv4-dest {
uses pkt-sec-ipv4;
description description
"The internet control message protocol condition."; "The security policy rule according to
IPv4 destination address.";
leaf-list pkt-sec-cond-icmp-type { reference
type uint8; "RFC 791: Internet Protocol - IPv4 Address";
description }
"ICMP type, see Control messages.";
}
leaf-list pkt-sec-cond-icmp-code { leaf-list pkt-sec-ipv4-ipopts {
type uint8; type identityref {
description base ipopts;
"ICMP subtype, see Control messages.";
}
leaf-list pkt-sec-cond-icmp-seg-num {
type uint32;
description
"The icmp Sequence Number.";
} }
description
"The security policy rule according to
IPv4 options.";
reference
"RFC 791: Internet Protocol - Options";
} }
}
container packet-payload-condition { leaf pkt-sec-ipv4-sameip {
description type boolean;
"TBD";
leaf packet-payload-description {
type string;
description description
"This is description for payload condition. "Every packet has a source IP-address and
Vendors can write instructions for payload condition a destination IP-address. It can be that
that vendor made"; the source IP is the same as
the destination IP.";
} }
leaf-list pkt-payload-content {
leaf-list pkt-sec-ipv4-geoip {
type string; type string;
description description
"The content keyword is very important in "The geoip keyword enables you to match on
signatures. Between the quotation marks you the source, destination or source and destination
can write on what you would like the IP addresses of network traffic and to see to
signature to match."; which country it belongs. To do this, Suricata
uses GeoIP API with MaxMind database format.";
} }
} }
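Review bot: the fragment-offset ranges are one bit too wide. The statement "range "0..16383";" appears on all three of ipv4-fragment-offset, start-ipv4-fragment-offset and end-ipv4-fragment-offset, but the RFC 791 Fragment Offset field is 13 bits, so the valid range is 0..8191; a value of 16383 needs 14 bits and could never match a real packet. Two further points for this container. None of the range-match lists (range-ipv4-header-length, range-ipv4-total-length, range-ipv4-fragment-offset, range-ipv4-ttl, and likewise every other range list in the module) constrains the start to be at or below the end, so an NSF can be handed an empty range such as start-ipv4-ttl 64 with end-ipv4-ttl 32 and either reject it or silently match nothing; a "must" statement on each list (for example must "start-ipv4-ttl <= end-ipv4-ttl" with an error-message) would make the invalid configuration fail validation at the controller instead. And pkt-sec-ipv4-geoip is still a free-form "type string;" whose description ties the field to one product ("Suricata uses GeoIP API with MaxMind database format"); a vendor-neutral interface should describe the value, for example a two-letter ISO 3166-1 country code with a pattern statement, rather than one implementation's lookup mechanism.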
leaf acl-number { container packet-security-ipv6-condition {
type uint32;
description description
"This is acl-number."; "The purpose of this container is to represent
} IPv6 packet header information to determine
if the set of policy actions in this ECA policy
rule should be executed or not.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification";
container application-condition { leaf-list pkt-sec-ipv6-traffic-class {
description type identityref {
"TBD"; base traffic-class;
leaf application-description { }
type string;
description description
"This is description for application condition."; "The security policy rule according to
IPv6 traffic class.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Traffic class";
} }
leaf-list application-object {
type string; container pkt-sec-ipv6-flow-label {
choice match-type {
description
"There are two types to configure a security
policy for IPv6 flow label, such as exact match
and range match.";
case exact-match {
leaf-list ipv6-flow-label {
type uint32 {
range "0..1048575";
}
description
"Exact match for an IPv6 flow label.";
}
}
case range-match {
list range-ipv6-flow-label {
key "start-ipv6-flow-label end-ipv6-flow-label";
leaf start-ipv6-flow-label {
type uint32 {
range "0..1048575";
}
description
"Start IPv6 flow label for a range match.";
}
leaf end-ipv6-flow-label {
type uint32 {
range "0..1048575";
}
description
"End IPv6 flow label for a range match.";
}
description
"Range match for an IPv6 flow label.";
}
}
}
description description
"This is application object."; "The security policy rule according to
IPv6 flow label.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Flow label";
} }
leaf-list application-group {
type string; container pkt-sec-ipv6-payload-length {
choice match-type {
description
"There are two types to configure a security
policy for IPv6 payload length, such as
exact match and range match.";
case exact-match {
leaf-list ipv6-payload-length {
type uint16;
description
"Exact match for an IPv6 payload length.";
}
}
case range-match {
list range-ipv6-payload-length {
key "start-ipv6-payload-length
end-ipv6-payload-length";
leaf start-ipv6-payload-length {
type uint16;
description
"Start IPv6 payload length for a range match.";
}
leaf end-ipv6-payload-length {
type uint16;
description
"End IPv6 payload length for a range match.";
}
description
"Range match for an IPv6 payload length.";
}
}
}
description description
"This is application group."; "The security policy rule according to
IPv6 payload length.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Payload length";
} }
leaf-list application-label { leaf-list pkt-sec-ipv6-next-header {
type string; type identityref {
base next-header;
}
description description
"This is application label."; "The security policy rule according to
IPv6 next header.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next header";
} }
container category {
description container pkt-sec-ipv6-hop-limit {
"TBD"; choice match-type {
list application-category {
key "name application-subcategory";
description description
"TBD"; "There are two types to configure a security
leaf name { policy for IPv6 hop limit, such as exact match
type string; and range match.";
description case exact-match {
"This is name for application category."; leaf-list ipv6-hop-limit {
type uint8;
description
"Exact match for an IPv6 hop limit.";
}
} }
leaf application-subcategory { case range-match {
type string; list range-ipv6-hop-limit {
description key "start-ipv6-hop-limit end-ipv6-hop-limit";
"This is application subcategory."; leaf start-ipv6-hop-limit {
type uint8;
description
"Start IPv6 hop limit for a range match.";
}
leaf end-ipv6-hop-limit {
type uint8;
description
"End IPv6 hop limit for a range match.";
}
description
"Range match for an IPv6 hop limit.";
}
} }
} }
description
"The security policy rule according to
IPv6 hop limit.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Hop limit";
} }
}
container target-condition { container pkt-sec-ipv6-src {
description uses pkt-sec-ipv6;
"TBD";
leaf target-description {
type string;
description description
"This is description for target condition. "The security policy rule according to
Vendors can write instructions for target condition IPv6 source address.";
that vendor made"; reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address";
} }
container device-sec-context-cond { container pkt-sec-ipv6-dest {
uses pkt-sec-ipv6;
description description
"The device attribute that can identify a device, "The security policy rule according to
including the device type (i.e., router, switch, IPv6 destination address.";
pc, ios, or android) and the device's owner as reference
well."; "RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address";
}
leaf pc { }
type boolean;
description
"If type of a device is PC.";
}
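Review bot: every reference statement in packet-security-ipv6-condition cites "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification", which was obsoleted by RFC 8200 in 2017; the field names used here (Traffic class, Flow label, Payload length, Next header, Hop limit) are unchanged in RFC 8200, so the references can be updated without touching the leaves. The flow-label constraint "range "0..1048575";" is correct for the 20-bit field. One design point: the -02 leaves pkt-sec-cond-ipv6-dscp and pkt-sec-cond-ipv6-ecn have been folded into the single identityref pkt-sec-ipv6-traffic-class (base traffic-class). DSCP (RFC 2474) and ECN (RFC 3168) are separate sub-fields of the traffic class octet with independent meanings, so the traffic-class identity set should be checked to confirm that an operator can still match the ECN bits on their own, and the same question applies to pkt-sec-ipv4-tos (base type-of-service), since the IPv4 ToS octet is likewise interpreted as DSCP plus ECN today.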
leaf mobile-phone { container packet-security-tcp-condition {
type boolean; description
description "The purpose of this container is to represent
"If type of a device is mobile-phone."; TCP packet header information to determine
} if the set of policy actions in this ECA policy
rule should be executed or not.";
reference
"RFC 793: Transmission Control Protocol";
leaf voip-volte-phone { container pkt-sec-tcp-src-port-num {
type boolean; uses pkt-sec-port-number;
description description
"If type of a device is voip-volte-phone."; "The security policy rule according to
} tcp source port number.";
reference
"RFC 793: Transmission Control Protocol
- Port number";
}
leaf tablet { container pkt-sec-tcp-dest-port-num {
type boolean; uses pkt-sec-port-number;
description description
"If type of a device is tablet."; "The security policy rule according to
} tcp destination port number.";
reference
"RFC 793: Transmission Control Protocol
- Port number";
}
leaf iot { container pkt-sec-tcp-seq-num {
type boolean; choice match-type {
description description
"If type of a device is Internet of Things."; "There are two types to configure a security
policy for tcp sequence number,
such as exact match and range match.";
case exact-match {
leaf-list tcp-seq-num {
type uint32;
description
"Exact match for an tcp sequence number.";
}
}
case range-match {
list range-tcp-seq-num {
key "start-tcp-seq-num end-tcp-seq-num";
leaf start-tcp-seq-num {
type uint32;
description
"Start tcp sequence number for a range match.";
}
leaf end-tcp-seq-num {
type uint32;
description
"End tcp sequence number for a range match.";
}
description
"Range match for a tcp sequence number.";
}
}
} }
description
"The security policy rule according to
tcp sequence number.";
reference
"RFC 793: Transmission Control Protocol
- Sequence number";
}
leaf vehicle { container pkt-sec-tcp-ack-num {
type boolean; choice match-type {
description description
"If type of a device is vehicle."; "There are two types to configure a security
policy for tcp acknowledgement number,
such as exact match and range match.";
case exact-match {
leaf-list tcp-ack-num {
type uint32;
description
"Exact match for an tcp acknowledgement number.";
}
}
case range-match {
list range-tcp-ack-num {
key "start-tcp-ack-num end-tcp-ack-num";
leaf start-tcp-ack-num {
type uint32;
description
"Start tcp acknowledgement number
for a range match.";
}
leaf end-tcp-ack-num {
type uint32;
description
"End tcp acknowledgement number
for a range match.";
}
description
"Range match for a tcp acknowledgement number.";
}
}
} }
}
}
container users-condition {
description
"TBD";
leaf users-description {
type string;
description description
"This is description for user condition. "The security policy rule according to
Vendors can write instructions for user condition tcp acknowledgement number.";
that vendor made"; reference
"RFC 793: Transmission Control Protocol
- Acknowledgement number";
} }
container user{
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
choice user-name { container pkt-sec-tcp-window-size {
choice match-type {
description description
"The name of the user. "There are two types to configure a security
This must be unique."; policy for tcp window size,
such as exact match and range match.";
case tenant { case exact-match {
description leaf-list tcp-window-size {
"Tenant information."; type uint16;
leaf tenant {
type uint8;
mandatory true;
description description
"User's tenant information."; "Exact match for an tcp window size.";
} }
} }
case range-match {
case vn-id { list range-tcp-window-size {
description key "start-tcp-window-size end-tcp-window-size";
"VN-ID information."; leaf start-tcp-window-size {
type uint16;
leaf vn-id { description
type uint8; "Start tcp window size for a range match.";
mandatory true; }
leaf end-tcp-window-size {
type uint16;
description
"End tcp window size for a range match.";
}
description description
"User's VN-ID information."; "Range match for a tcp window size.";
} }
} }
} }
description
"The security policy rule according to
tcp window size.";
reference
"RFC 793: Transmission Control Protocol
- Window size";
} }
container group {
leaf-list pkt-sec-tcp-flags {
type identityref {
base tcp-flags;
}
description description
"The user (or user group) information with which "The security policy rule according to
network flow is associated: The user has many tcp flags.";
attributes such as name, id, password, type, reference
authentication mode and so on. Name/id is often "RFC 793: Transmission Control Protocol
used in the security policy to identify the user. - Flags";
Besides, NSF is aware of the IP address of the }
user provided by a unified user management system }
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
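Review bot: pkt-sec-tcp-flags as a leaf-list of identityrefs leaves the match semantics undefined: does a rule listing two flags match segments where all listed flags are set, where any of them is set, or only where exactly that set is set? The -02 "type uint8;" could not hold the "nine Control bit flags (9 bits)" its description named, so moving to identities fixes the type, but the new description should state whether this is an all-of, any-of or exact-set match, or a separate mode leaf should be added, because a rule meant to drop SYN and a rule meant to drop SYN+ACK behave differently under each interpretation. Minor wording in this container: "Exact match for an tcp sequence number.", "Exact match for an tcp acknowledgement number." and "Exact match for an tcp window size." should read "a TCP ...", matching the capitalisation in the container description.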
choice group-name { container packet-security-udp-condition {
description description
"The name of the user. "The purpose of this container is to represent
This must be unique."; UDP packet header information to determine
if the set of policy actions in this ECA policy
rule should be executed or not.";
reference
"RFC 793: Transmission Control Protocol";
case tenant { container pkt-sec-udp-src-port-num {
description uses pkt-sec-port-number;
"Tenant information."; description
"The security policy rule according to
udp source port number.";
reference
"RFC 793: Transmission Control Protocol
- Port number";
}
leaf tenant { container pkt-sec-udp-dest-port-num {
type uint8; uses pkt-sec-port-number;
mandatory true; description
"The security policy rule according to
udp destination port number.";
reference
"RFC 768: User Datagram Protocol
- Total Length";
}
container pkt-sec-udp-total-length {
choice match-type {
description
"There are two types to configure a security
policy for udp sequence number,
such as exact match and range match.";
case exact-match {
leaf-list udp-total-length {
type uint32;
description description
"User's tenant information."; "Exact match for an udp-total-length.";
} }
} }
case range-match {
case vn-id { list range-udp-total-length {
description key "start-udp-total-length end-udp-total-length";
"VN-ID information."; leaf start-udp-total-length {
type uint32;
leaf vn-id { description
type uint8; "Start udp total length for a range match.";
mandatory true; }
leaf end-udp-total-length {
type uint32;
description
"End udp total length for a range match.";
}
description description
"User's VN-ID information."; "Range match for a udp total length.";
} }
} }
} }
}
leaf security-grup {
type string;
mandatory true;
description description
"security-grup."; "The security policy rule according to
udp total length.";
reference
"RFC 768: User Datagram Protocol
- Total Length";
} }
} }
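Review bot: the UDP container carries references copied from the TCP one. packet-security-udp-condition and pkt-sec-udp-src-port-num both cite "RFC 793: Transmission Control Protocol"; pkt-sec-udp-dest-port-num cites "RFC 768: User Datagram Protocol - Total Length" for a port number; and the match-type description under pkt-sec-udp-total-length says "policy for udp sequence number" although UDP has no sequence number. All four should point at RFC 768 with the right field name. More importantly, udp-total-length, start-udp-total-length and end-udp-total-length are "type uint32;" while the UDP Length field is 16 bits; uint16, or uint16 with range "8..65535" since the length includes the 8-byte header, would reject values no datagram can carry. The exact-match description "Exact match for an udp-total-length." should also read "a UDP total length" for consistency with the other containers.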
container url-category-condition { container packet-security-icmp-condition {
description description
"TBD"; "The purpose of this container is to represent
leaf url-category-description { ICMP packet header information to determine
type string; if the set of policy actions in this ECA policy
rule should be executed or not.";
reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
leaf-list pkt-sec-icmp-type-and-code {
type identityref {
base icmp-type;
}
description description
"This is description for url category condition. "The security policy rule according to
Vendors can write instructions for context condition ICMP parameters.";
that vendor made"; reference
"RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
}
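Review bot: packet-security-icmp-condition references only "RFC 792: Internet Control Message Protocol" and "RFC 8335: PROBE: A Utility for Probing Interfaces", that is, ICMPv4, but the module also defines IPv6 conditions, and ICMPv6 (RFC 4443) uses a different type and code numbering (Echo Request is type 8 in ICMPv4 and type 128 in ICMPv6). Either the icmp-type identity base should be documented as covering both families with distinct identities, or an ICMPv6 counterpart should be added; otherwise an NSF cannot tell whether a rule written against icmp-type applies to IPv6 traffic at all. Folding type and code into the single identityref pkt-sec-icmp-type-and-code is workable, but since the -02 numeric leaves pkt-sec-cond-icmp-type and pkt-sec-cond-icmp-code are gone there is no fallback for a type/code pair that has no identity, so the identity set needs to be complete for the messages operators actually filter.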
leaf-list pre-defined-category { container packet-security-http-condition {
description
"Condition for http.";
leaf-list pkt-sec-uri-content {
type string; type string;
description description
"This is pre-defined-category."; "The security policy rule according to
uri content.";
} }
leaf-list user-defined-category {
leaf-list pkt-sec-url-content {
type string; type string;
description description
"This user-defined-category."; "The security policy rule according to
url content.";
} }
} }
container context-condition { container packet-security-voice-condition {
description description
"TBD"; "For the VoIP/VoLTE security system, a VoIP/
leaf context-description { VoLTE security system can monitor each
VoIP/VoLTE flow and manage VoIP/VoLTE
security rules controlled by a centralized
server for VoIP/VoLTE security service
(called VoIP IPS). The VoIP/VoLTE security
system controls each switch for the
VoIP/VoLTE call flow management by
manipulating the rules that can be added,
deleted, or modified dynamically.";
reference
"RFC 3261: SIP: Session Initiation Protocol";
leaf-list pkt-sec-src-voice-id {
type string; type string;
description description
"This is description for context condition. "The security policy rule according to
Vendors can write instructions for context condition a source voice ID for VoIP and VoLTE.";
that vendor made";
} }
}
container gen-context-condition { leaf-list pkt-sec-dest-voice-id {
description
"TBD";
leaf gen-context-description {
type string; type string;
description description
"This is description for generic context condition. "The security policy rule according to
Vendors can write instructions for generic context a destination voice ID for VoIP and VoLTE.";
condition that vendor made";
} }
container geographic-location { leaf-list pkt-sec-user-agent {
type string;
description description
"The location where network traffic is associated "The security policy rule according to
with. The region can be the geographic location an user agent for VoIP and VoLTE.";
such as country, province, and city,
as well as the logical network location such as
IP address, network section, and network domain.";
leaf-list src-geographic-location {
type uint32;
description
"This is mapped to ip address. We can acquire
source region through ip address stored the
database.";
}
leaf-list dest-geographic-location {
type uint32;
description
"This is mapped to ip address. We can acquire
destination region through ip address stored
the database.";
}
} }
} }
}
}
container action-clause-container {
description "TBD";
list action-clause-list {
key eca-object-id;
uses i2nsf-eca-object-type {
refine entity-class {
default ECA-ACTION-TYPE;
}
}
description
"An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection
for packets and flows.";
leaf rule-log { container packet-security-ddos-condition {
type boolean;
description description
"True is enable "Condition for DDoS attack.";
False is not enable.";
leaf pkt-sec-alert-rate {
type uint32;
description
"The alert rate of flood detect for
same packets.";
}
} }
leaf session-log { }
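Review bot: pkt-sec-alert-rate in packet-security-ddos-condition is a bare "type uint32;" described as "The alert rate of flood detect for same packets."; it needs a units statement (packets per second, or per some configured interval) and a statement of what "same packets" keys on (source address, destination address, full 5-tuple), otherwise two NSFs will enforce the same rule with different thresholds. In packet-security-http-condition, pkt-sec-uri-content and pkt-sec-url-content are both unconstrained "type string;" leaf-lists whose descriptions differ only by "uri content" versus "url content"; the model should say how the two differ (request-line path versus full URL including the host) and whether a value is matched exactly, as a substring or as a regular expression, since an exact match and a substring match accept different requests. The same applies to pkt-sec-src-voice-id, pkt-sec-dest-voice-id and pkt-sec-user-agent under packet-security-voice-condition: a pattern, or at least a statement of which SIP header (From, To, User-Agent in RFC 3261) each is compared against, would make them implementable consistently.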
type boolean;
container action-clause-container {
description
"An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection
for packets and flows.";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Design Principles and ECA Policy
Model Overview";
leaf action-clause-description {
type string;
description description
"True is enable "Description for an action clause.";
False is not enable.";
} }
container ingress-action {
container packet-action {
description description
"TBD"; "Action for packets";
leaf ingress-description { reference
type string; "RFC 8329: Framework for Interface to Network Security
description Functions - I2NSF Flow Security Policy Structure
"This is description for ingress action. draft-ietf-i2nsf-capability-04: Information Model
Vendors can write instructions for ingress action of NSFs Capabilities - Design Principles and ECA
that vendor made"; Policy Model Overview";
}
leaf ingress-action-type { leaf ingress-action {
type ingress-action; type identityref {
base ingress-action;
}
description description
"Ingress action type: permit, deny, and mirror."; "Action: pass, drop, reject, alert, and mirror.";
} }
}
container egress-action { leaf egress-action {
draft-ietf-i2nsf-nsf-facing-interface-dm-02.txt

              description
                "TBD";
              leaf egress-description {
                type string;
                description
                  "This is description for egress action.
                   Vendors can write instructions for egress action
                   that vendor made";
              }
              leaf egress-action-type {
                type egress-action;
                description
                  "Egress-action-type: invoke-signaling,
                   tunnel-encapsulation, and forwarding.";
              }
            }
            container apply-profile {
              description
                "TBD";
              leaf profile-description {
                type string;
                description
                  "This is description for apply profile action.
                   Vendors can write instructions for apply
                   profile action that vendor made";
              }
              container content-security-control {
                description
                  "Content security control is another category of
                   security capabilities applied to application layer.
                   Through detecting the contents carried over the
                   traffic in application layer, these capabilities
                   can realize various security purposes, such as
                   defending against intrusion, inspecting virus,
                   filtering malicious URL or junk email, and blocking
                   illegal web access or data retrieval.";
                container content-security-control-types {
                  description
                    "Content Security types: Antivirus, IPS, IDS,
                     url-filtering, data-filtering, mail-filtering,
                     file-blocking, file-isolate, pkt-capture,
                     application-control, and voip-volte.";
                  leaf antivirus {
                    type string;
                    description
                      "Additional inspection of antivirus.";
                  }
                  leaf ips {
                    type string;
                    description
                      "Additional inspection of IPS.";
                  }
                  leaf ids {
                    type string;
                    description
                      "Additional inspection of IDS.";
                  }
                  leaf url-filtering {
                    type string;
                    description
                      "Additional inspection of URL filtering.";
                  }
                  leaf data-filtering {
                    type string;
                    description
                      "Additional inspection of data filtering.";
                  }
                  leaf mail-filtering {
                    type string;
                    description
                      "Additional inspection of mail filtering.";
                  }
                  leaf file-blocking {
                    type string;
                    description
                      "Additional inspection of file blocking.";
                  }
                  leaf file-isolate {
                    type string;
                    description
                      "Additional inspection of file isolate.";
                  }
                  leaf pkt-capture {
                    type string;
                    description
                      "Additional inspection of packet capture.";
                  }
                  leaf application-control {
                    type string;
                    description
                      "Additional inspection of app control.";
                  }
                  leaf voip-volte {
                    type string;
                    description
                      "Additional inspection of VoIP/VoLTE.";
                  }
                }
              }
              container attack-mitigation-control {
                description
                  "This category of security capabilities is
                   specially used to detect and mitigate various
                   types of network attacks.";
                container ddos-attack {
                  description
                    "A distributed-denial-of-service (DDoS) is
                     where the attack source is more than one,
                     often thousands of unique IP addresses.";
                  container ddos-attack-type {
                    description
                      "DDoS-attack types: Network Layer
                       DDoS Attacks and Application Layer
                       DDoS Attacks.";
                    container network-layer-ddos-attack {
                      description
                        "Network layer DDoS-attack.";
                      container network-layer-ddos-attack-type {
                        description
                          "Network layer DDoS attack types:
                           Syn Flood Attack, UDP Flood Attack,
                           ICMP Flood Attack, IP Fragment Flood,
                           IPv6 Related Attacks, and etc";
                        leaf syn-flood {
                          type string;
                          description
                            "Additional Inspection of
                             Syn Flood Attack.";
                        }
                        leaf udp-flood {
                          type string;
                          description
                            "Additional Inspection of
                             UDP Flood Attack.";
                        }
                        leaf icmp-flood {
                          type string;
                          description
                            "Additional Inspection of
                             ICMP Flood Attack.";
                        }
                        leaf ip-frag-flood {
                          type string;
                          description
                            "Additional Inspection of
                             IP Fragment Flood.";
                        }
                        leaf ipv6-related {
                          type string;
                          description
                            "Additional Inspection of
                             IPv6 Related Attacks.";
                        }
                      }
                    }
                    container app-layer-ddos-attack {
                      description
                        "Application layer DDoS-attack.";
                      container app-ddos-attack-types {
                        description
                          "Application layer DDoS-attack types:
                           Http Flood Attack, Https Flood Attack,
                           DNS Flood Attack, and
                           DNS Amplification Flood Attack,
                           SSL DDoS Attack, and etc.";
                        leaf http-flood {
                          type string;
                          description
                            "Additional Inspection of
                             Http Flood Attack.";
                        }
                        leaf https-flood {
                          type string;
                          description
                            "Additional Inspection of
                             Https Flood Attack.";
                        }
                        leaf dns-flood {
                          type string;
                          description
                            "Additional Inspection of
                             DNS Flood Attack.";
                        }
                        leaf dns-amp-flood {
                          type string;
                          description
                            "Additional Inspection of
                             DNS Amplification Flood Attack.";
                        }
                        leaf ssl-ddos {
                          type string;
                          description
                            "Additional Inspection of
                             SSL Flood Attack.";
                        }
                      }
                    }
                  }
                }
                container single-packet-attack {
                  description
                    "Single Packet Attacks.";
                  container single-packet-attack-type {
                    description
                      "DDoS-attack types: Scanning Attack,
                       Sniffing Attack, Malformed Packet Attack,
                       Special Packet Attack, and etc.";
                    container scan-and-sniff-attack {
                      description
                        "Scanning and Sniffing Attack.";
                      container scan-and-sniff-attack-types {
                        description
                          "Scanning and sniffing attack types:
                           IP Sweep attack, Port Scanning,
                           and etc.";
                        leaf ip-sweep {
                          type string;
                          description
                            "Additional Inspection of
                             IP Sweep Attack.";
                        }
                        leaf port-scanning {
                          type string;
                          description
                            "Additional Inspection of
                             Port Scanning Attack.";
                        }
                      }
                    }
                    container malformed-packet-attack {
                      description
                        "Malformed Packet Attack.";
                      container malformed-packet-attack-types {
                        description
                          "Malformed packet attack types:
                           Ping of Death Attack, Teardrop Attack,
                           and etc.";
                        leaf ping-of-death {
                          type string;
                          description
                            "Additional Inspection of
                             Ping of Death Attack.";
                        }
                        leaf teardrop {
                          type string;
                          description
                            "Additional Inspection of
                             Teardrop Attack.";
                        }
                      }
                    }
                    container special-packet-attack {
                      description
                        "Special Packet Attack.";
                      container special-packet-attack-types {
                        description
                          "Special packet attack types:
                           Oversized ICMP Attack, Tracert Attack,
                           and etc.";
                        leaf oversized-icmp {
                          type string;
                          description
                            "Additional Inspection of
                             Oversized ICMP Attack.";
                        }
                        leaf tracert {
                          type string;
                          description
                            "Additional Inspection of
                             Tracert Attack.";
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
      container resolution-strategy {
        description
          "The resolution strategies can be used to
           specify how to resolve conflicts that occur between
           the actions of the same or different policy rules that
           are matched and contained in this particular NSF";
        choice resolution-strategy-type {
          description
            "Vendors can use YANG data model to configure rules";
          case fmr {
            leaf first-matching-rule {
              type boolean;
              description
                "If the resolution strategy is first matching rule";
            }
          }
          case lmr {
            leaf last-matching-rule {
              type boolean;
              description
                "If the resolution strategy is last matching rule";
            }
          }
        }
      }
      container default-action {
        description
          "This default action can be used to specify a predefined
           action when no other alternative action was matched
           by the currently executing I2NSF Policy Rule. An analogy
           is the use of a default statement in a C switch statement.";
        leaf default-action-type {
          type boolean;
          description
            "True is permit
             False is deny.";
        }
      }
      container rule-group {
        description
          "This is rule group";
        list groups {
          key "group-name";
          description
            "This is a group for rules";
          leaf group-name {
            type string;
            description
              "This is a group for rules";
          }
          container rule-range {
            description
              "This is a rule range.";
            leaf start-rule {
              type string;
              description
                "This is a start rule";
            }
            leaf end-rule {
              type string;
              description
                "This is an end rule";
            }
          }
          leaf enable {
            type boolean;
            description
              "This is enable
               False is not enable.";
          }
          leaf description {
            type string;
            description
              "This is a description for rule-group";
          }
        }
      }
    }
  }
}

<CODE ENDS>

Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

7. Security Considerations

This document introduces no additional security threats and SHOULD
follow the security requirements as stated in [RFC8329].

8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
          Network Configuration Protocol (NETCONF)", RFC 6020,
          October 2010.

[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
          Kumar, "Framework for Interface to Network Security
          Functions", RFC 8329, February 2018.

[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
          S., and N. Bahadur, "A YANG Data Model for Routing
          Information Base (RIB)", RFC 8431, September 2018.

8.2. Informative References

[i2nsf-advanced-nsf-dm]
          Pan, W. and L. Xia, "Configuration of Advanced Security
          Functions with I2NSF Security Controller", draft-dong-
          i2nsf-asf-config-01 (work in progress), October 2018.

[i2nsf-nsf-cap-im]
          Xia, L., Strassner, J., Basile, C., and D. Lopez,
          "Information Model of NSFs Capabilities", draft-ietf-
          i2nsf-capability-04 (work in progress), October 2018.

[supa-policy-info-model]
          Strassner, J., Halpern, J., and S. Meer, "Generic Policy
          Information Model for Simplified Use of Policy
          Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
          model-03 (work in progress), May 2017.

Appendix A. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01

draft-ietf-i2nsf-nsf-facing-interface-dm-03.txt

              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                 invoke-signaling, tunnel-encapsulation,
                 forwarding, and redirection.";
            }
            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log";
            }
          }
          container advanced-action {
            description
              "If the packet needs to be additionally inspected,
               the packet is passed to advanced network
               security functions according to the profile.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - Differences from ACL Data Models";
            leaf-list content-security-control {
              type identityref {
                base content-security-control;
              }
              description
                "The Profile is divided into content security
                 control and attack-mitigation-control.
                 Content security control: antivirus, ips, ids,
                 url filtering, mail filtering, file blocking,
                 file isolate, packet capture, application control,
                 voip and volte.";
            }
            leaf-list attack-mitigation-control {
              type identityref {
                base attack-mitigation-control;
              }
              description
                "The Profile is divided into content security
                 control and attack-mitigation-control.
                 Attack mitigation control: syn flood, udp flood,
                 icmp flood, ip frag flood, ipv6 related, http flood,
                 https flood, dns flood, dns amp flood, ssl ddos,
                 ip sweep, port scanning, ping of death, teardrop,
                 oversized icmp, tracert.";
            }
          }
        }
      }
    }
  }
}

<CODE ENDS>

Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

6. IANA Considerations

This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]:

URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950].

name: ietf-i2nsf-policy-rule-for-nsf
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
prefix: iiprfn
reference: RFC XXXX

7. Security Considerations

The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446].

The NETCONF access control model [RFC8341] provides a means of
restricting access for specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.

8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
          Network Configuration Protocol (NETCONF)", RFC 6020,
          October 2010.

[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
          Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
          January 2011, <https://www.rfc-editor.org/info/rfc6087>.

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
          and A. Bierman, Ed., "Network Configuration Protocol
          (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
          <https://www.rfc-editor.org/info/rfc6241>.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
          Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
          <https://www.rfc-editor.org/info/rfc6242>.

[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
          RFC 6991, DOI 10.17487/RFC6991, July 2013,
          <https://www.rfc-editor.org/info/rfc6991>.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
          RFC 7950, DOI 10.17487/RFC7950, August 2016,
          <https://www.rfc-editor.org/info/rfc7950>.

[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
          Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
          <https://www.rfc-editor.org/info/rfc8040>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
          2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
          May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
          Kumar, "Framework for Interface to Network Security
          Functions", RFC 8329, February 2018.

[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
          BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
          <https://www.rfc-editor.org/info/rfc8340>.

[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
          Access Control Model", STD 91, RFC 8341,
          DOI 10.17487/RFC8341, March 2018,
          <https://www.rfc-editor.org/info/rfc8341>.

[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
          S., and N. Bahadur, "A YANG Data Model for Routing
          Information Base (RIB)", RFC 8431, September 2018.

[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
          Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
          <https://www.rfc-editor.org/info/rfc8446>.

8.2. Informative References

[i2nsf-advanced-nsf-dm]
          Pan, W. and L. Xia, "Configuration of Advanced Security
          Functions with I2NSF Security Controller", draft-dong-
          i2nsf-asf-config-01 (work in progress), October 2018.

[i2nsf-nsf-cap-dm]
          Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
          "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
          capability-data-model-02 (work in progress), November
          2018.

[i2nsf-nsf-cap-im]
          Xia, L., Strassner, J., Basile, C., and D. Lopez,
          "Information Model of NSFs Capabilities", draft-ietf-
          i2nsf-capability-04 (work in progress), October 2018.

[supa-policy-info-model]
          Strassner, J., Halpern, J., and S. Meer, "Generic Policy
          Information Model for Simplified Use of Policy
          Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
          model-03 (work in progress), May 2017.

Appendix A. Configuration Examples

This section shows configuration examples of the
"ietf-i2nsf-policy-rule-for-nsf" module for security policy rules of
network security devices. For the security requirements, we assume
that the NSFs (i.e., General firewall, Time based firewall, Web
filter, VoIP/VoLTE filter, and http and https flood mitigation)
described in Appendix A. Configuration Examples of [i2nsf-nsf-cap-dm]
are registered in the I2NSF framework. With the registered NSFs, we
show configuration examples for security policy rules of network
security functions according to the following three security
requirements: (i) Block SNS access during business hours, (ii) Block
malicious VoIP/VoLTE packets coming to the company, and (iii) Mitigate
http and https flood attacks on the company web server.

A.1. Security Requirement 1: Block SNS Access during Business Hours

This section shows a configuration example for blocking SNS access
during business hours.

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>sns_access</system-policy-name>
    <rules>
      <rule-name>block_sns_access_during_operation_time</rule-name>
      <time-zone>
        <absolute-time-zone>
          <start-time>09:00:00Z</start-time>
          <end-time>18:00:00Z</end-time>
        </absolute-time-zone>
      </time-zone>
      <condition-clause-container>
        <packet-security-ipv4-condition>
          <pkt-sec-ipv4-src>
            <range-ipv4-address>
              <start-ipv4-address>221.159.112.1</start-ipv4-address>
              <end-ipv4-address>221.159.112.90</end-ipv4-address>
            </range-ipv4-address>
          </pkt-sec-ipv4-src>
        </packet-security-ipv4-condition>
      </condition-clause-container>
      <action-clause-container>
        <advanced-action>
          <content-security-control>url-filtering</content-security-control>
        </advanced-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 6: Configuration XML for Time based Firewall to Block SNS
Access during Business Hours

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>sns_access</system-policy-name>
    <rules>
      <rule-name>block_facebook_and_instgram</rule-name>
      <condition-clause-container>
        <packet-security-http-condition>
          <pkt-sec-url-content>facebook</pkt-sec-url-content>
          <pkt-sec-url-content>instagram</pkt-sec-url-content>
        </packet-security-http-condition>
      </condition-clause-container>
      <action-clause-container>
        <packet-action>
          <egress-action>drop</egress-action>
        </packet-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 7: Configuration XML for Web Filter to Block SNS Access during
Business Hours

Figure 6 and Figure 7 show the configuration XML documents for the
time based firewall and the web filter to block SNS access during
business hours. For this security requirement, two NSFs (i.e., a time
based firewall and a web filter) were used because one NSF cannot meet
the security requirement. The instances of the XML documents for the
time based firewall and the web filter are as follows. Note that a
detailed data model for the configuration of the advanced network
security function (i.e., web filter) is described in
[i2nsf-advanced-nsf-dm].

Time based Firewall

1. The name of the system policy is sns_access.

2. The name of the rule is block_sns_access_during_operation_time.

3. The rule is operated during the business hours (i.e., from 9 a.m.
   to 6 p.m.).

4. The rule inspects a source IPv4 address (i.e., from 221.159.112.1
   to 221.159.112.90) to inspect the outgoing packets of employees.

5. If the outgoing packets match the rules above, the time based
   firewall sends the packets to url filtering for additional
   inspection because the time based firewall cannot inspect the
   contents of the packets for the SNS URL.

Web Filter

1. The name of the system policy is sns_access.

2. The name of the rule is block_facebook_and_instagram.

3. The rule inspects the URL address to block the access packets to
   facebook or instagram.

4. If the outgoing packets match the rules above, the packets are
   blocked.

A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
to the Company

This section shows a configuration example for blocking malicious
VoIP/VoLTE packets coming to the company.

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>voip_volte_inspection</system-policy-name>
    <rules>
      <rule-name>block_malicious_voip_volte_packets</rule-name>
      <condition-clause-container>
        <packet-security-ipv4-condition>
          <pkt-sec-ipv4-dest>
            <range-ipv4-address>
              <start-ipv4-address>221.159.112.1</start-ipv4-address>
              <end-ipv4-address>221.159.112.90</end-ipv4-address>
            </range-ipv4-address>
          </pkt-sec-ipv4-dest>
        </packet-security-ipv4-condition>
        <packet-security-tcp-condition>
          <pkt-sec-tcp-dest-port-num>
            <port-num>5060</port-num>
            <port-num>5061</port-num>
          </pkt-sec-tcp-dest-port-num>
        </packet-security-tcp-condition>
      </condition-clause-container>
      <action-clause-container>
        <advanced-action>
          <content-security-control>voip-volte</content-security-control>
        </advanced-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 8: Configuration XML for General Firewall to Block Malicious
VoIP/VoLTE Packets Coming to the Company

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>malicious_voice_id</system-policy-name>
    <rules>
      <rule-name>block_malicious_voice_id</rule-name>
      <condition-clause-container>
        <packet-security-voice-condition>
          <pkt-sec-src-voice-id>11111@voip.black.com</pkt-sec-src-voice-id>
          <pkt-sec-src-voice-id>22222@voip.black.com</pkt-sec-src-voice-id>
        </packet-security-voice-condition>
      </condition-clause-container>
      <action-clause-container>
        <packet-action>
          <ingress-action>drop</ingress-action>
        </packet-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious
VoIP/VoLTE Packets Coming to the Company

Figure 8 and Figure 9 show the configuration XML documents for the
general firewall and the VoIP/VoLTE filter to block malicious
VoIP/VoLTE packets coming to the company. For this security
requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE
filter) were used because one NSF cannot meet the security
requirement. The instances of the XML documents for the general
firewall and the VoIP/VoLTE filter are as follows. Note that a
detailed data model for the configuration of the advanced network
security function (i.e., VoIP/VoLTE filter) is described in
[i2nsf-advanced-nsf-dm].

General Firewall

1. The name of the system policy is voip_volte_inspection.

2. The name of the rule is block_malicious_voip_volte_packets.

3. The rule inspects a destination IPv4 address (i.e., from
   221.159.112.1 to 221.159.112.90) to inspect the packets coming
   into the company.

4. The rule inspects a port number (i.e., 5060 and 5061) to inspect
   VoIP/VoLTE packets.

5. If the incoming packets match the rules above, the general
   firewall sends the packets to the VoIP/VoLTE filter for additional
   inspection because the general firewall cannot inspect the
   contents of the VoIP/VoLTE packets.

VoIP/VoLTE Filter

1. The name of the system policy is malicious_voice_id.

2. The name of the rule is block_malicious_voice_id.

3. The rule inspects the voice id of the VoIP/VoLTE packets to block
   the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and
   22222@voip.black.com).

4. If the incoming packets match the rules above, the packets are
   blocked.

A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
Company Web Server

This section shows a configuration example for mitigating http and
https flood attacks on a company web server.

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>flood_attack_mitigation</system-policy-name>
    <rules>
      <rule-name>mitigate_http_and_https_flood_attack</rule-name>
      <condition-clause-container>
        <packet-security-ipv4-condition>
          <pkt-sec-ipv4-dest>
            <ipv4-address>
              <ipv4>221.159.112.95</ipv4>
            </ipv4-address>
          </pkt-sec-ipv4-dest>
        </packet-security-ipv4-condition>
        <packet-security-tcp-condition>
          <pkt-sec-tcp-dest-port-num>
            <port-num>80</port-num>
            <port-num>443</port-num>
          </pkt-sec-tcp-dest-port-num>
        </packet-security-tcp-condition>
      </condition-clause-container>
      <action-clause-container>
        <advanced-action>
          <attack-mitigation-control>http-and-https-flood
          </attack-mitigation-control>
        </advanced-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 10: Configuration XML for General Firewall to Mitigate HTTP
and HTTPS Flood Attacks on a Company Web Server

<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>http_and_https_flood_attack_mitigation
    </system-policy-name>
    <rules>
      <rule-name>100_per_second</rule-name>
      <condition-clause-container>
        <packet-security-ddos-condition>
          <pkt-sec-alert-rate>100</pkt-sec-alert-rate>
        </packet-security-ddos-condition>
      </condition-clause-container>
      <action-clause-container>
        <packet-action>
          <ingress-action>drop</ingress-action>
        </packet-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>

Figure 11: Configuration XML for HTTP and HTTPS Flood Attack
Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web
Server

Figure 10 and Figure 11 show the configuration XML documents for the
general firewall and the http and https flood attack mitigation to
mitigate http and https flood attacks on a company web server. For
this security requirement, two NSFs (i.e., a general firewall and an
http and https flood attack mitigation) were used because one NSF
cannot meet the security requirement. The instances of the XML
documents for the general firewall and the http and https flood attack
mitigation are as follows. Note that a detailed data model for the
configuration of the advanced network security function (i.e., http
and https flood attack mitigation) is described in
[i2nsf-advanced-nsf-dm].

General Firewall

1. The name of the system policy is flood_attack_mitigation.

2. The name of the rule is mitigate_http_and_https_flood_attack.

3. The rule inspects a destination IPv4 address (i.e.,
   221.159.112.95) to inspect the access packets coming into the
   company web server.

4. The rule inspects a port number (i.e., 80 and 443) to inspect
   http and https packets.

5. If the packets match the rules above, the general firewall sends
   the packets to the http and https flood attack mitigation for
   additional inspection because the general firewall cannot control
   the amount of http and https packets.

HTTP and HTTPS Flood Attack Mitigation

1. The name of the system policy is
   http_and_https_flood_attack_mitigation.

2. The name of the rule is 100_per_second.

3. The rule controls the http and https packets according to the
   amount of incoming packets.

4. If the incoming packets match the rules above, the packets are
   blocked.
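Each of the three requirements above is realized by pushing a policy instance like those in Figures 6 through 11 to an NSF over NETCONF or RESTCONF (Section 7). The following Python script is an added example, not part of this draft or of any I2NSF implementation: it parses such an instance, summarizes each rule, rejects malformed rules (reversed address ranges, out-of-range ports, a rule with no action) before they reach a device, and wraps the instance in a NETCONF edit-config request using the RFC 6241 framing. The sample policy is constructed inline from the Figure 10 element names; the helper names (summarize_rules, check_rule, to_edit_config) and the rejected-rule checks are this example's own assumptions, not requirements of the data model.

```python
"""Added example (not part of the draft): parse an I2NSF NSF-Facing policy
instance such as those in Appendix A, summarize each rule, sanity-check it,
and wrap it in a NETCONF <edit-config> request (RFC 6241 framing)."""
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"
NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed sample: the general-firewall half of Security Requirement 3,
# using the element names from Figure 10 of the draft.
SAMPLE_POLICY = f"""<i2nsf-security-policy xmlns="{NS}">
  <system-policy>
    <system-policy-name>flood_attack_mitigation</system-policy-name>
    <rules>
      <rule-name>mitigate_http_and_https_flood_attack</rule-name>
      <condition-clause-container>
        <packet-security-ipv4-condition>
          <pkt-sec-ipv4-dest>
            <ipv4-address><ipv4>221.159.112.95</ipv4></ipv4-address>
          </pkt-sec-ipv4-dest>
        </packet-security-ipv4-condition>
        <packet-security-tcp-condition>
          <pkt-sec-tcp-dest-port-num>
            <port-num>80</port-num>
            <port-num>443</port-num>
          </pkt-sec-tcp-dest-port-num>
        </packet-security-tcp-condition>
      </condition-clause-container>
      <action-clause-container>
        <advanced-action>
          <attack-mitigation-control>http-and-https-flood</attack-mitigation-control>
        </advanced-action>
      </action-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>"""

# Action leaves the draft's examples use; the names are the draft's own.
ACTION_TAGS = ("ingress-action", "egress-action",
               "content-security-control", "attack-mitigation-control")


def _q(tag):
    """Qualify a local name with the module namespace (ElementTree form)."""
    return f"{{{NS}}}{tag}"


def summarize_rules(policy_xml):
    """Return one dict per <rules> entry: destination IPv4 targets,
    destination ranges, TCP destination ports and the action leaves."""
    root = ET.fromstring(policy_xml)
    rules = []
    for rule in root.iter(_q("rules")):
        dest_ipv4, dest_ranges = [], []
        for dest in rule.iter(_q("pkt-sec-ipv4-dest")):
            dest_ipv4 += [e.text.strip() for e in dest.iter(_q("ipv4"))]
            for r in dest.iter(_q("range-ipv4-address")):
                dest_ranges.append((r.findtext(_q("start-ipv4-address")),
                                    r.findtext(_q("end-ipv4-address"))))
        ports = [int(p.text) for p in rule.iter(_q("port-num"))]
        actions = {}
        for tag in ACTION_TAGS:
            values = [e.text.strip() for e in rule.iter(_q(tag)) if e.text]
            if values:
                actions[tag] = values
        rules.append({"name": rule.findtext(_q("rule-name")),
                      "dest_ipv4": dest_ipv4, "dest_ranges": dest_ranges,
                      "dest_ports": ports, "actions": actions})
    return rules


def check_rule(rule):
    """Return the problems a controller should reject before pushing the
    rule (hypothetical policy checks): reversed ranges, bad ports, no action."""
    problems = []
    for start, end in rule["dest_ranges"]:
        if ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
            problems.append(f"{rule['name']}: range {start}-{end} is reversed")
    for port in rule["dest_ports"]:
        if not 0 < port < 65536:
            problems.append(f"{rule['name']}: port {port} out of range")
    if not rule["actions"]:
        problems.append(f"{rule['name']}: rule has no action")
    return problems


def to_edit_config(policy_xml, message_id="101"):
    """Wrap the policy instance in a NETCONF <edit-config> aimed at the
    running datastore; the result is re-parsed so a malformed payload fails
    here rather than on the device."""
    rpc = (f'<rpc message-id="{message_id}" xmlns="{NETCONF_NS}">'
           "<edit-config><target><running/></target>"
           f"<config>{policy_xml}</config></edit-config></rpc>")
    ET.fromstring(rpc)  # raises ParseError if the payload is malformed
    return rpc


if __name__ == "__main__":
    for r in summarize_rules(SAMPLE_POLICY):
        print(r["name"], r["dest_ipv4"], r["dest_ports"], r["actions"],
              check_rule(r) or "ok")
    print(to_edit_config(SAMPLE_POLICY)[:80], "...")
```

The rpc string is what a NETCONF client sends over the SSH session that Section 7 requires; with NACM [RFC8341] in place, the edit succeeds only for users granted write access to this module's subtree.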
draft-ietf-i2nsf-nsf-facing-interface-dm-02.txt

The following changes are made from draft-ietf-i2nsf-nsf-facing-
interface-dm-01:

o We added system policy which represents there could be multiple
  system policies in one NSF, and each system policy is used by one
  virtual instance of the NSF/device. This is a very general
  feature for all the NSFs/devices.

o We changed policy name to system policy name for system policy.

o We deleted policy-event-clause-agg-ptr, policy-condition-clause-
  agg-ptr, and policy-action-clause-agg-ptr.

o We added priority-usage which represents priority of policies by
  order or number.

Appendix B. Acknowledgments

This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service
Provisioning).

Appendix C. Contributors

This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are
considered co-authors:

o Hyoungshick Kim (Sungkyunkwan University)

o Daeyoung Hyun (Sungkyunkwan University)

o Dongjin Hong (Sungkyunkwan University)

draft-ietf-i2nsf-nsf-facing-interface-dm-03.txt

Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02

The following changes are made from draft-ietf-i2nsf-nsf-facing-
interface-dm-03:

o We revised this YANG data module according to guidelines for
  authors and reviewers of YANG data model documents [RFC6087].

o We changed the structure of the overall YANG data model.

o We added exact-range type as well as range-based type for the
  range policy rules.

o We changed enumeration type to identity type for scalable
  components.

o We added a description for the YANG tree diagram of the YANG data
  module.

o We revised overall sentences of this YANG data model document.

o We added configuration examples to make it easier for reviewers to
  understand.

Appendix C. Acknowledgments

This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service
Provisioning).

Appendix D. Contributors

This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are
considered co-authors:

o Hyoungshick Kim (Sungkyunkwan University)

o Daeyoung Hyun (Sungkyunkwan University)

o Dongjin Hong (Sungkyunkwan University)
 End of changes. 337 change blocks. 
1725 lines changed or deleted 3586 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/