I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: May 8, September 12, 2019                                      J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                        November 4, 2018
                                                          March 11, 2019

    I2NSF Network Security Function-Facing Interface YANG Data Model
              draft-ietf-i2nsf-nsf-facing-interface-dm-02
              draft-ietf-i2nsf-nsf-facing-interface-dm-03

Abstract

   This document defines a YANG data model for configuring security
   policy rules on network security functions.  The YANG data model in
   this document is corresponding to the information model for Network
   Security Functions (NSF)-Facing Interface in Interface to Network
   Security Functions (I2NSF).  It
   describes a data model for the features provided by generic security
   functions.  This data model provides vendors with generic components
   that they understand well, so these generic components can be used
   even if they have some vendor specific functions.  These generic
   functions represent a point of interoperability, and can be provided
   by any product that offers the required capabilities.  Also, if they
   need additional features for their network security functions, the
   vendors can easily add the features by extending the YANG data model
   in this document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 8, September 12, 2019.

Copyright Notice

   Copyright (c) 2018 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . .   4   3
   4.  The Structure and Objective of I2NSF Security Policy  YANG Tree Diagram . . . . .   4
     4.1.  I2NSF Security Policy Rule . . . . . . . . . . . . . . .   4
     4.2.  Event Clause . .   4
     4.1.  General I2NSF Security Policy Rule  . . . . . . . . . . .   4
     4.2.  Event Clause  . . . . . . . . . .   4
     4.3.  Condition Clause . . . . . . . . . . . .   6
     4.3.  Condtion Clause . . . . . . . .   4
     4.4.  Action Clause . . . . . . . . . . . . .   7
     4.4.  Action Clause . . . . . . . . .   5
   5.  Data Model Structure . . . . . . . . . . . . .  12
   5.  YANG Data Module  . . . . . . .   5
     5.1.  I2NSF Security Policy Rule . . . . . . . . . . . . . . .   5
     5.2.  Event Clause  13
     5.1.  I2NSF NSF-Facing Interface YANG Data Module . . . . . . .  13
   6.  IANA Considerations . . . . . . . . . . . . . . .   7
     5.3.  Condition Clause . . . . . .  77
   7.  Security Considerations . . . . . . . . . . . . . .   8
     5.4.  Action Clause . . . . .  78
   8.  References  . . . . . . . . . . . . . . . . .  10
   6.  YANG Module . . . . . . . .  78
     8.1.  Normative References  . . . . . . . . . . . . . . . . .  12
     6.1.  IETF NSF-Facing Interface YANG Data Module .  78
     8.2.  Informative References  . . . . . .  12
   7.  Security Considerations . . . . . . . . . . .  79
   Appendix A.  Configuration Examples . . . . . . . .  47
   8.  References . . . . . . .  81
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours . . . . . . . . . . . . . . . . . .  47
     8.1.  Normative References . . . . . . . .  81
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to the Company . . . . . . . . . .  47
     8.2.  Informative References . . . .  84
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server . . . . . . . . . . . . .  47  87
   Appendix A. B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-
                dm-01
                dm-02  . . . . . . . . . . . . . . . . . . . . . . .  48  90
   Appendix B. C.  Acknowledgments  . . . . . . . . . . . . . . . . . .  48  91
   Appendix C. D.  Contributors . . . . . . . . . . . . . . . . . . . .  48  91
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  49  91

1.  Introduction

   This document defines a YANG [RFC6020] [RFC6020][RFC7950] data model for the
   security policy rule configuration of network security services with devices.  The
   YANG data model is corresponding to the information model
   [i2nsf-nsf-cap-im] for Network Security Functions (NSF) facing
   interface in Interface to Network Security Functions (I2NSF).  It provides a specific
   information model and the corresponding  The
   YANG data models model in this document focuses on security policy
   configuration for generic network security functions (i.e., functions.  Note that
   security policy configuration for advanced network security functions), as
   defined functions
   are written in [i2nsf-nsf-cap-im].  With these [i2nsf-advanced-nsf-dm].

   This YANG data model, I2NSF
   controller can control the capabilities of NSFs.

   The model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [i2nsf-nsf-cap-im].  Rules.

   The "ietf-i2nsf-nsf-facing-interface" "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features: features.

   o  Configuration of I2NSF for general security policy rule for of generic network
      security function policy; function.

   o  Configuration of for an event clause for of generic network security
      function policy;
      function.

   o  Configuration of for a condition clause for of generic network security
      function policy;
      function.

   o  Configuration of for an action clause for of generic network security
      function policy.
      function.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119]. [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model].  Especially, the
   following terms are from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8431]
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" and "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  The Structure and Objective of I2NSF Security Policy

4.1.  I2NSF Security Policy Rule

   This shows a policy rule for generic network security functions.  The
   object of a policy rule is defined as policy information and rule
   information.  This includes ECA Policy Rule such as Event Clause
   Objects, Condition Clause Objects, Action Clause Objects, Resolution
   Strategy, and Default Action.

4.2.  Event Clause  YANG Tree Diagram

   This section shows an event clause for YANG tree diagram of generic network security
   functions.
   An Event is any important occurrence in time of  Note that a change in the
   system being managed, and/or in detailed data model for the environment configuration of
   the system being
   managed.  When used in the context of I2NSF Policy Rules, it advanced network security functions is used
   to determine whether the Condition clause of described in
   [i2nsf-advanced-nsf-dm].  The section describes the following
   subjects:

   o  General I2NSF Policy Rule
   can be evaluated or not.  The object of an event clauses is defined
   as user security event, device security event, system security event,
   and time security event.  The objects policy rule of generic network security
      function.

   o  An event clauses can be
   extended according to specific vendor event features.

4.3.  Condition Clause

   This shows a condition clause for of generic network security functions. function.

   o  A condition is defined as a set clause of attributes, features, and/or
   values that are to be compared with a set of known attributes,
   features, and/or values in order to determine whether or not the set
   of Actions in that (imperative) I2NSF Policy Rule can be executed or
   not.  These objects are defined as packet security condition, packet
   payload security condition, target security condition, user security
   condition, context condition, and generic context condition.  The
   objects of action clauses can be extended according to specific
   vendor condition features.

4.4.  Action Clause

   This shows an action clause for generic network security functions. function.

   o  An action is used to control and monitor aspects of flow-based NSFs
   when the event and condition clauses are satisfied.  NSFs provide
   security functions by executing various Actions.  The object of an
   action clause is defined as ingress action, egress action, and apply
   profile action.  The objects of action clauses can be extended
   according to specific vendor action features.

5.  Data Model Structure

   This section shows a data model structure tree of generic network security functions that are defined in the [i2nsf-nsf-cap-im].  Note
   that a detailed data model for the configuration of the advanced
   network security functions is described in [i2nsf-advanced-nsf-dm].
   The section discusses the following subjects:

   o  Consideration of ECA Policy Model by aggregating the Event,
      Condition, and Action Clause Objects;

   o  Consideration of Capability Algebra;

   o  Consideration of NSFs Capability Categories (i.e., Network
      Security, Content Security, and Attack Mitigation Capabilities);

   o  Definition for Network Security Event Class, Network Security
      Condition Class, and Network Security Action Class.

5.1. function.

4.1.  General I2NSF Security Policy Rule

   The data model

   This section shows YANG tree diagram for the identification of network general I2NSF security
   policy has
   the following structure: rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name     string
           +--rw priority-usage         priority-usage-type priority-usage?        identityref
           +--rw resolution-strategy?   identityref
           +--rw default-action?        identityref
           +--rw rules* [rule-name]
         |
              +--rw rule-name                     string
         |
              +--rw rule-description?             string
         |
              +--rw rule-priority?                uint8
         |
              +--rw enable? rule-enable?                  boolean
         |
              +--rw session-aging-time?           uint16 time-zone
              |  +--rw long-connection absolute-time-zone
              |  |  +--rw enable?   boolean start-time?   start-time-type
              |  |  +--rw during?   uint16 end-time?     end-time-type
              |  +--rw time-zone
         | periodic-time-zone
              |     +--rw absolute-time-zone
         |  |  |  +--rw time
         |  |  |  |  +--rw start-time?   yang:date-and-time
         |  |  |  |  +--rw end-time?     yang:date-and-time
         |  |  |  +--rw date
         |  |  |     +--rw absolute-date?   yang:date-and-time
         |  |  +--rw periodic-time-zone
         |  |     +--rw day
         |  |     |  +--rw sunday?      boolean
         |  |     |  +--rw monday?      boolean
         |  |     |  +--rw tuesday?     boolean
         |  |     |  +--rw wednesday?   boolean
         |  |     |  +--rw thursday?    boolean
         | day
              |     |  +--rw friday? every-day?      boolean
              |     |     |  +--rw saturday?    boolean
         | specific-day*   day-type
              |     +--rw month
              |  |        +--rw january? every-month?      boolean
              |  |        +--rw february?    boolean
         |  |        +--rw march?       boolean
         |  |        +--rw april?       boolean
         |  |        +--rw may?         boolean
         |  |        +--rw june?        boolean
         |  |        +--rw july?        boolean
         |  |        +--rw august?      boolean
         |  |        +--rw september?   boolean
         |  |        +--rw october?     boolean
         |  |        +--rw november?    boolean
         |  |        +--rw december?    boolean
         | specific-month*   month-type
              +--rw event-clause-container
              |  |  ...
         |
              +--rw condition-clause-container
              |  |  ...
         |
              +--rw action-clause-container
         |
                 ...
         +--rw resolution-strategy
         |  +--rw (resolution-strategy-type)?
         |     +--:(fmr)
         |     |  +--rw first-matching-rule?   boolean
         |     +--:(lmr)
         |        +--rw last-matching-rule?    boolean
         +--rw default-action
         |  +--rw default-action-type?   boolean
         +--rw rule-group
            +--rw groups* [group-name]
               +--rw group-name     string
               +--rw rule-range
               |  +--rw start-rule?   string
               |  +--rw end-rule?     string
               +--rw enable?        boolean
               +--rw description?   string

          Figure 1: Data Model Structure YANG Tree Diagram for Network Security Policy
                              Identification

5.2.  Event Clause

   The data model for event

   This YANG tree diagram shows general I2NSF security policy rule has the following structure:

   module: ietf-i2nsf-policy-rule-for-nsf
   +--rw i2nsf-security-policy
      +--rw system-policy* [system-policy-name]
         ...
         |  +--rw event-clause-container
         |  |  +--rw event-clause-list* [eca-object-id]
         |  |     +--rw entity-class?        identityref
         |  |     +--rw eca-object-id        string
         |  |     +--rw description?         string
         |  |     +--rw sec-event-content    string
         |  |     +--rw sec-event-format     sec-event-format
         |  |     +--rw sec-event-type       string
         |  +--rw condition-clause-container
         |  |  ...
         |  +--rw action-clause-container
         |     ...
         +--rw resolution-strategy
         |  ...
         +--rw default-action
         |  ...
         +--rw rule-group
            ...

               Figure 2: Data Model Structure for Event Rule

   These objects are defined as user security event, device
   generic network security
   event, functions.

   The system security event, and time security event.  These objects
   can policy represents there could be extended according to specific vendor event multiple system policies
   in one NSF, and each system policy is used by one virtual instance of
   the NSF/device.  The system policy includes system policy name,
   priority usage, resolutation strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in this particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  We will
   add additional  The resolution strategy is described in detail in
   [i2nsf-nsf-cap-im].

   A default action is used to execute I2NSF policy rule when no rule
   matches a packet.  The default action is defined as pass, drop,
   reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [i2nsf-nsf-cap-im].

   The rules include rule name, rule description, rule priority, rule
   enable, time zone, event objects for more generic network security
   functions.

5.3.  Condition clause container, condition clause
   container, and action clause container.

4.2.  Event Clause

   The data model

   This section shows YANG tree diagram for condition rule has the following structure: an event clause of I2NSF
   security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
      |
           +--rw event-clause-container
      |  | rules* [rule-name]
              ...
      |  +--rw condition-clause-container
      |  |  +--rw condition-clause-list* [eca-object-id]
      |  |     +--rw entity-class?                identityref
      |  |     +--rw eca-object-id                string
      |  |     +--rw packet-security-condition
      |  |     |  +--rw packet-description?               string
      |  |     |  +--rw packet-security-mac-condition
      |  |     |  |  +--rw pkt-sec-cond-mac-dest*    yang:phys-address
      |  |     |  |  +--rw pkt-sec-cond-mac-src*     yang:phys-address
      |  |     |  |
              +--rw pkt-sec-cond-mac-8021q*        string
      |  |     | event-clause-container
              |  +--rw pkt-sec-cond-mac-ether-type* event-clause-description?   string
              |  |     |  |  +--rw pkt-sec-cond-mac-tci*          string
      |  | event-clauses
              |     +--rw packet-security-ipv4-condition
      |  |     | system-event*   identityref
              |     +--rw pkt-sec-cond-ipv4-header-length*     uint8
      |  |     |  | system-alarm*   identityref
              +--rw pkt-sec-cond-ipv4-tos*               uint8
      |  |     | condition-clause-container
              |  ...
              +--rw pkt-sec-cond-ipv4-total-length*      uint16
      |  |     | action-clause-container
                 ...

          Figure 2: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows an event clause of I2NSF security policy
   rule for generic network security functions.  An event clause is any
   important occurrence in time of a change in the system being managed,
   and/or in the environment of the system being managed.  An event
   clause is used to trigger the evaluation of the condition clause of
   the I2NSF Policy Rule.  The event clause is defined as system event
   and system alarm.  The event clause can be extended according to
   specific vendor event features.  The event clause is described in
   detail in [i2nsf-nsf-cap-im].

4.3.  Condtion Clause

   This section shows YANG tree diagram for a condition clause of I2NSF
   security policy rule.

 module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy
     ...
        +--rw rules* [rule-name]
           ...
           +--rw event-clause-container
           |  ...
           +--rw pkt-sec-cond-ipv4-id*                uint8 condition-clause-container
           |  +--rw condition-clause-description?      string
           |  +--rw packet-security-ipv4-condition
           |  |  +--rw pkt-sec-cond-ipv4-fragment*          uint8
      | pkt-sec-ipv4-header-length
           |  |  |  +--rw pkt-sec-cond-ipv4-fragment-offset*   uint16 (match-type)?
           |  |  |  |  +--rw pkt-sec-cond-ipv4-ttl*               uint8     +--:(exact-match)
           |  |  |     |  +--rw pkt-sec-cond-ipv4-protocol* ipv4-header-length*         uint8
           |  |  |  |  +--rw pkt-sec-cond-ipv4-src*      inet:ipv4-address
      |     +--:(range-match)
           |  |  |        +--rw pkt-sec-cond-ipv4-dest*     inet:ipv4-address
      | range-ipv4-header-length*
           [start-ipv4-header-length end-ipv4-header-length]
           |  |  |           +--rw pkt-sec-cond-ipv4-ipopts?            string
      | start-ipv4-header-length    uint8
           |  |  |           +--rw pkt-sec-cond-ipv4-sameip?            boolean end-ipv4-header-length      uint8
           |  |  +--rw pkt-sec-ipv4-tos*               identityref
           |  |  +--rw pkt-sec-cond-ipv4-geoip*             string pkt-sec-ipv4-total-length
           |  |  |  +--rw packet-security-ipv6-condition (match-type)?
           |  |  |  |  +--rw pkt-sec-cond-ipv6-dscp*             string     +--:(exact-match)
           |  |  |     |  +--rw pkt-sec-cond-ipv6-ecn*              string
      |  | ipv4-total-length*         uint16
           |  |  +--rw pkt-sec-cond-ipv6-traffic-class*    uint8  |     +--:(range-match)
           |  |  |        +--rw pkt-sec-cond-ipv6-flow-label*       uint32
      | range-ipv4-total-length*
           [start-ipv4-total-length end-ipv4-total-length]
           |  |  |           +--rw pkt-sec-cond-ipv6-payload-length* start-ipv4-total-length    uint16
           |  |  |  |           +--rw pkt-sec-cond-ipv6-next-header*      uint8
      |  | end-ipv4-total-length      uint16
           |  |  +--rw pkt-sec-cond-ipv6-hop-limit*        uint8 pkt-sec-ipv4-id*                uint16
           |  |  +--rw pkt-sec-ipv4-fragment-flags*    identityref
           |  |  +--rw pkt-sec-cond-ipv6-src*      inet:ipv6-address
      | pkt-sec-ipv4-fragment-offset
           |  |  |  +--rw pkt-sec-cond-ipv6-dest*     inet:ipv6-address (match-type)?
           |  |  |  +--rw packet-security-tcp-condition     +--:(exact-match)
           |  |  |     |  +--rw pkt-sec-cond-tcp-src-port*   inet:port-number
      |  | ipv4-fragment-offset*         uint16
           |  |  +--rw pkt-sec-cond-tcp-dest-port*  inet:port-number  |     +--:(range-match)
           |  |  |        +--rw pkt-sec-cond-tcp-seq-num*       uint32
      | range-ipv4-fragment-offset*
           [start-ipv4-fragment-offset end-ipv4-fragment-offset]
           |  |  |           +--rw pkt-sec-cond-tcp-ack-num*       uint32
      | start-ipv4-fragment-offset    uint16
           |  |  |           +--rw pkt-sec-cond-tcp-window-size* end-ipv4-fragment-offset      uint16
           |  |     |  |  +--rw pkt-sec-cond-tcp-flags*         uint8 pkt-sec-ipv4-ttl
           |  |  |  +--rw packet-security-udp-condition (match-type)?
           |  |  |  |  +--rw pkt-sec-cond-udp-src-port*   inet:port-number     +--:(exact-match)
           |  |  |     |  +--rw pkt-sec-cond-udp-dest-port*  inet:port-number
      | ipv4-ttl*         uint8
           |  |  |  +--rw pkt-sec-cond-udp-length*      string     +--:(range-match)
           |  |  |        +--rw packet-security-icmp-condition range-ipv4-ttl*
           [start-ipv4-ttl end-ipv4-ttl]
           |  |  |           +--rw pkt-sec-cond-icmp-type* start-ipv4-ttl    uint8
           |  |  |           +--rw pkt-sec-cond-icmp-code* end-ipv4-ttl      uint8
           |  |     |  +--rw pkt-sec-cond-icmp-seg-num*   uint32 pkt-sec-ipv4-protocol*          identityref
           |  |  +--rw packet-payload-condition pkt-sec-ipv4-src
           |  |  |  +--rw packet-payload-description?   string (match-type)?
           |  |  |  +--rw pkt-payload-content*          string     +--:(exact-match)
           |  |     +--rw acl-number?                  uint32  |     |  +--rw application-condition
      | ipv4-address* [ipv4]
           |  |  +--rw application-description?   string
      |  |     |     +--rw application-object*        string
      |  | ipv4            inet:ipv4-address
           |  +--rw application-group*         string  |  |     |     +--rw application-label*         string (subnet)?
           |  |  |  +--rw category     |        +--:(prefix-length)
           |  |     +--rw application-category*  |     |        |                  [name application-subcategory]  +--rw prefix-length?   uint8
           |  |  |        +--rw name                       string     |        +--:(netmask)
           |  |        +--rw application-subcategory    string  |     |           +--rw target-condition netmask? yang:dotted-quad
           |  |  |  +--rw target-description?        string     +--:(range-match)
           |  |  |        +--rw device-sec-context-cond range-ipv4-address*
           [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw pc?                 boolean start-ipv4-address  inet:ipv4-address
           |  |  |           +--rw mobile-phone?       boolean
      | end-ipv4-address    inet:ipv4-address
           |  |  +--rw voip-volte-phone?   boolean pkt-sec-ipv4-dest
           |  |  |  +--rw tablet?             boolean (match-type)?
           |  |  |     +--rw iot?                boolean     +--:(exact-match)
           |  |  |     +--rw vehicle?            boolean
      |     |  +--rw users-condition ipv4
           |  |  |     |     +--rw users-description?   string ipv4-address* [ipv4]
           |  |  |     |        +--rw user ipv4             inet:ipv4-address
           |  |  |     |        +--rw (user-name)? (subnet)?
           |  |  |     |     +--:(tenant)           +--:(prefix-length)
           |  |  |     |           |  +--rw tenant prefix-length?   uint8
           |  |  |     |     +--:(vn-id)           +--:(netmask)
           |  |  |     |              +--rw vn-id     uint8 netmask?    yang:dotted-quad
           |  |  |  +--rw group
      |     +--:(range-match)
           |  |  |        +--rw (group-name)?
      | range-ipv4-address*
           [start-ipv4-address end-ipv4-address]
           |  |  |     +--:(tenant)           +--rw start-ipv4-address  inet:ipv4-address
           |  |  |           +--rw end-ipv4-address    inet:ipv4-address
           |  |  +--rw tenant    uint8 pkt-sec-ipv4-ipopts*            identityref
           |  |  +--rw pkt-sec-ipv4-sameip?            boolean
           |  |     +--:(vn-id)  +--rw pkt-sec-ipv4-geoip*             string
           |  +--rw packet-security-ipv6-condition
           |  |  +--rw pkt-sec-ipv6-traffic-class*    identityref
           |  |  +--rw vn-id     uint8 pkt-sec-ipv6-flow-label
           |  |  |  +--rw security-grup        string (match-type)?
           |  |     +--rw url-category-condition  |     +--:(exact-match)
           |  |  |     |  +--rw url-category-description?   string ipv6-flow-label*         uint32
           |  |  |  +--rw pre-defined-category*       string     +--:(range-match)
           |  |  |        +--rw user-defined-category*      string range-ipv6-flow-label*
           [start-ipv6-flow-label end-ipv6-flow-label]
           |  |  |           +--rw context-condition start-ipv6-flow-label    uint32
           |  |  |           +--rw context-description?   string end-ipv6-flow-label      uint32
           |  |  +--rw gen-context-condition pkt-sec-ipv6-payload-length
           |  |  |  +--rw gen-context-description?   string (match-type)?
           |  |        +--rw geographic-location  |     +--:(exact-match)
           |           +--rw src-geographic-location*    uint32  |  |           +--rw dest-geographic-location*   uint32     |  +--rw action-clause-container ipv6-payload-length*         uint16
           |     ...
      +--rw resolution-strategy  |  ...
      +--rw default-action  |  ...
      +--rw rule-group
         ...

             Figure 3: Data Model Structure for Condition Rule

   These objects are defined as packet security condition, packet
   payload security condition, target security condition, user security
   condition, context condition, and generic context condition.  These
   objects can be extended according to specific vendor condition
   features.  We will add additional condition objects for more generic
   network security functions.

5.4.  Action Clause

   The data model for action rule has the following structure:

   module: ietf-i2nsf-policy-rule-for-nsf
   +--rw i2nsf-security-policy
      +--rw system-policy* [system-policy-name]
         ...     +--:(range-match)
           |  |  |        +--rw event-clause-container range-ipv6-payload-length*
           [start-ipv6-payload-length end-ipv6-payload-length]
           |  |  ...  |           +--rw condition-clause-container start-ipv6-payload-length    uint16
           |  |  ...  |           +--rw action-clause-container end-ipv6-payload-length      uint16
           |     +--rw action-clause-list* [eca-object-id]  |  +--rw entity-class? pkt-sec-ipv6-next-header*      identityref
           |        +--rw eca-object-id     string  |  +--rw rule-log?         boolean pkt-sec-ipv6-hop-limit
           |  |        +--rw session-log?      boolean  |  +--rw ingress-action (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ingress-description?   string ipv6-hop-limit*         uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw ingress-action-type?   ingress-action range-ipv6-hop-limit*
           [start-ipv6-hop-limit end-ipv6-hop-limit]
           |  |  |           +--rw egress-action start-ipv6-hop-limit    uint8
           |  |  |           +--rw egress-description?   string end-ipv6-hop-limit      uint8
           |  |  +--rw egress-action-type?   egress-action pkt-sec-ipv6-src
           |  |  |  +--rw apply-profile (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw profile-description?         string ipv6
           |  |  |     |     +--rw content-security-control ipv6-address* [ipv6]
           |  |  |     |        +--rw content-security-control-types ipv6             inet:ipv6-address
           |  |  |     |        +--rw antivirus?             string prefix-length?   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw ips?                   string range-ipv6-address*
           [start-ipv6-address end-ipv6-address]
           |  |  |           +--rw ids?                   string start-ipv6-address  inet:ipv6-address
           |  |  |           +--rw url-filtering?         string end-ipv6-address    inet:ipv6-address
           |  |  +--rw data-filtering?        string pkt-sec-ipv6-dest
           |  |     +--rw mail-filtering?        string (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw file-blocking?         string ipv6-address* [ipv6]
           |  |        |     +--rw file-isolate?          string ipv6             inet:ipv6-address
           |  |        |     +--rw pkt-capture?           string prefix-length?   uint8
           |  |        +--:(range-match)
           |  |           +--rw application-control?   string range-ipv6-address*
           [start-ipv6-address end-ipv6-address]
           |  |              +--rw voip-volte?            string start-ipv6-address  inet:ipv6-address
           |  |              +--rw attack-mitigation-control end-ipv6-address    inet:ipv6-address
           |  +--rw ddos-attack packet-security-tcp-condition
           |  |  +--rw ddos-attack-type pkt-sec-tcp-src-port-num
           |  |  |  +--rw network-layer-ddos-attack (match-type)?
           |  |  |  +--rw network-layer-ddos-attack-type     +--:(exact-match)
           |  |  |     |  +--rw syn-flood?       string port-num*         inet:port-number
           |  |  |     +--rw udp-flood?       string     +--:(range-match)
           |  |  |        +--rw icmp-flood?      string range-port-num*
           [start-port-num end-port-num]
           |  |  |           +--rw ip-frag-flood?   string start-port-num    inet:port-number
           |  |  |           +--rw ipv6-related?    string end-port-num      inet:port-number
           |  |  +--rw app-layer-ddos-attack pkt-sec-tcp-dest-port-num
           |  |  |  +--rw app-ddos-attack-types (match-type)?
           |  |           +--rw http-flood?      string  |     +--:(exact-match)
           |  |           +--rw https-flood?     string  |     |  +--rw dns-flood?       string port-num*         inet:port-number
           |  |           +--rw dns-amp-flood?   string  |     +--:(range-match)
           |           +--rw ssl-ddos?        string  |              +--rw single-packet-attack  |        +--rw single-packet-attack-type range-port-num*
           [start-port-num end-port-num]
           |                    +--rw scan-and-sniff-attack  |  |           +--rw scan-and-sniff-attack-types start-port-num    inet:port-number
           |  |  |           +--rw ip-sweep?        string end-port-num      inet:port-number
           |  |  +--rw port-scanning?   string pkt-sec-tcp-seq-num
           |                    +--rw malformed-packet-attack  |  |  +--rw malformed-packet-attack-types (match-type)?
           |  |     +--rw ping-of-death?   string  |     +--:(exact-match)
           |     +--rw teardrop?        string  |                    +--rw special-packet-attack  |                       +--rw special-packet-attack-types     |  +--rw oversized-icmp?   string tcp-seq-num*         uint32
           |  |  |     +--:(range-match)
           |                          +--rw tracert?          string
         +--rw resolution-strategy  |  ...
         +--rw default-action  |  ...        +--rw rule-group range-tcp-seq-num*
           [start-tcp-seq-num end-tcp-seq-num]
           |  |  |           +--rw start-tcp-seq-num    uint32
           |  |  |           +--rw end-tcp-seq-num      uint32
           |  |  +--rw pkt-sec-tcp-ack-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-ack-num*         uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-ack-num*
           [start-tcp-ack-num end-tcp-ack-num]
           |  |  |           +--rw start-tcp-ack-num    uint32
           |  |  |           +--rw end-tcp-ack-num      uint32
           |  |  +--rw pkt-sec-tcp-window-size
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-window-size*         uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-window-size*
           [start-tcp-window-size end-tcp-window-size]
           |  |  |           +--rw start-tcp-window-size    uint16
           |  |  |           +--rw end-tcp-window-size      uint16
           |  |  +--rw pkt-sec-tcp-flags*           identityref
           |  +--rw packet-security-udp-condition
           |  |  +--rw pkt-sec-udp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*         inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num*
           [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-udp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*         inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num*
           [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-udp-total-length
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw udp-total-length*         uint32
           |  |        +--:(range-match)
           |  |           +--rw range-udp-total-length*
           [start-udp-total-length end-udp-total-length]
           |  |              +--rw start-udp-total-length    uint32
           |  |              +--rw end-udp-total-length      uint32
           |  +--rw packet-security-icmp-condition
           |  |  +--rw pkt-sec-icmp-type*   identityref
           |  +--rw packet-security-http-condition
           |  |  +--rw pkt-sec-uri-content*   string
           |  |  +--rw pkt-sec-url-content*   string
           |  +--rw packet-security-voice-condition
           |  |  +--rw pkt-sec-src-voice-id*     string
           |  |  +--rw pkt-sec-dest-voice-id*     string
           |  |  +--rw pkt-sec-user-agent*   string
           |  +--rw packet-security-ddos-condition
           |     +--rw pkt-sec-alert-rate?   uint32
           +--rw action-clause-container
              ...

          Figure 4: Data Model Structure 3: YANG Tree Diagram for Action Rule

   These objects are Network Security Policy

   This YANG tree diagram shows an condition clause of I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as ingress action, egress action, and apply
   profile action.  These objects can be extended a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether or not the set of actions
   in that (imperative) I2NSF policy rule can be executed or not.  The
   condition clause is classified as conditions of generic network
   security functions and advanced network security functions.  The
   condition clause of generic network security functions is defined as
   packet security IPv4 condition, packet security IPv6 condition,
   packet security tcp condition, and packet security icmp condition.
   The condition clause of advanced network security functions is
   defined as packet security http condition, packet security voice
   condition, and packet security ddos condition.  Note that this
   document deals only with simple conditions of advanced network
   security functions.  The condition clauses of advanced network
   security functions are described in detail in
   [i2nsf-advanced-nsf-dm].  The condition clause can be extended
   according to specific vendor condition features.  The condition
   clause is described in detail in [i2nsf-nsf-cap-im].

4.4.  Action Clause

   This section shows YANG tree diagram for an action feature.  We will add additional clause of I2NSF
   security policy rule.

    module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
           +--rw rules* [rule-name]
              ...
              +--rw event-clause-container
              |  ...
              +--rw condition-clause-container
              |  ...
              +--rw action-clause-container
                 +--rw action-clause-description?   string
                 +--rw packet-action
                 |  +--rw ingress-action?           identityref
                 |  +--rw egress-action?            identityref
                 |  +--rw log-action?               identityref
                 +--rw advanced-action
                    +--rw content-security-control*    identityref
                    +--rw attack-mitigation-control*   identityref

          Figure 4: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows an action clause of I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the event
   and condition clauses are satisfied.  NSFs provide security services
   by executing various actions.  The action objects clause is defined as
   ingress action, egress action, log action, and advanced action for
   additional inspection.  The advanced action is described in detail in
   [RFC8329] and [i2nsf-nsf-cap-im].  The action clause can be extended
   according to specific vendor action features.  The action clause is
   described in detail in [i2nsf-nsf-cap-im].

5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section introduces an YANG data module for configuration of
   security policy rules on network security functions.

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang"

module ietf-i2nsf-policy-rule-for-nsf {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    iiprfn;

  import ietf-inet-types{
    prefix inet;
    reference "RFC 6991";
  }
  import ietf-yang-types{
    prefix yang;
    reference "RFC 6991";
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>

     WG Chair: Adrian Farrel
     <mailto:Adrain@olddog.co.uk>

     WG Chair: Linda Dunbar
     <mailto:Linda.duhbar@huawei.com>

     Editor: Jingyong Tim Kim
     <mailto:timkim@skku.edu>

     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>

     Editor: Susan Hares
     <mailto:shares@ndzh.com>";

  description
    "This module defines a YANG data module for network security
     functions.

    Copyright (c) 2018 IETF Trust and the persons
    identified as authors of the code.  All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD License
    set forth in Section 4.c of the IETF Trust's Legal Provisions
    Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC 8341; see
    the RFC itself for full legal notices.";

  revision "2019-03-11"{
    description "Initial revision.";
    reference
      "RFC XXXX: I2NSF Network Security Function-Facing Interface
       YANG Data Model";
  }

  /*
   * Identities
   */

  identity priority-usage-type {
    description
      "Base identity for priority usage type.";
  }

  identity priority-by-order {
    base priority-usage-type;
    description
      "Identity for priority by order";
  }

  identity priority-by-number {
    base priority-usage-type;
    description
      "Identity for priority by number";
  }

  identity event {
    description
      "Base identity for event of policy.";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - Event";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System event";
  }

  identity system-alarm {
    base event;
    description
      "Identity for system alarm";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";
  }

  identity access-violation {
    base system-event;
    description
      "Identity for access violation
      among system events";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System event";
  }

  identity configuration-change {
    base system-event;
    description
      "Identity for configuration change
      among system events";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System event";
  }
  identity memory-alarm {
    base system-alarm;
    description
      "Identity for memory alarm
      among system alarms";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";
  }

  identity cpu-alarm {
    base system-alarm;
    description
      "Identity for cpu alarm
      among system alarms";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";
  }

  identity disk-alarm {
    base system-alarm;
    description
      "Identity for disk alarm
      among system alarms";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";
  }

  identity hardware-alarm {
    base system-alarm;
    description
      "Identity for hardware alarm
      among system alarms";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";
  }

  identity interface-alarm {
    base system-alarm;
    description
      "Identity for interface alarm
      among system alarms";
    reference
      "draft-hong-i2nsf-nsf-monitoring-data-model-06
       - System alarm";

  }

  identity type-of-service {
    description
      "Base identity for type of service of IPv4";
    reference
      "RFC 791: Internet Protocol - Type of Service";
  }

  identity traffic-class {
    description
      "Base identity for traffic-class of IPv6";
    reference
      "RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity normal {
    base type-of-service;
    base traffic-class;
    description
      "Identity for normal";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity minimize-cost {
    base type-of-service;
    base traffic-class;
    description
      "Identity for minimize cost";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity maximize-reliability {
    base type-of-service;
    base traffic-class;
    description
      "Identity for maximize reliability";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";

  }

  identity maximize-throughput {
    base type-of-service;
    base traffic-class;
    description
      "Identity for maximize throughput";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity minimize-delay {
    base type-of-service;
    base traffic-class;
    description
      "Identity for minimize delay";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity maximize-security {
    base type-of-service;
    base traffic-class;
    description
      "Identity for maximize security";
    reference
      "RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Traffic Class";
  }

  identity fragmentation-flags-type {
    description
      "Base identity for fragmentation flags type";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags-type;
    description
      "Identity for fragment";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";

  }

  identity no-fragment {
    base fragmentation-flags-type;
    description
      "Identity for no fragment";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags-type;
    description
      "Identity for reserved";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity protocol {
    description
      "Base identity for protocol of IPv4";
    reference
      "RFC 790: Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol";
  }

  identity next-header {
    description
      "Base identity for next header of IPv6";
    reference
      "RFC 2460: Internet Protocol, Version 6 (IPv6)
      Specification - Next Header";
  }

  identity icmp {
    base protocol;
    base next-header;
    description
      "Identity for icmp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }
  identity igmp {
    base protocol;
    base next-header;
    description
      "Identity for igmp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tcp {
    base protocol;
    base next-header;
    description
      "Identity for tcp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igrp {
    base protocol;
    base next-header;
    description
      "Identity for igrp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity udp {
    base protocol;
    base next-header;
    description
      "Identity for udp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity gre {
    base protocol;
    base next-header;
    description
      "Identity for gre";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity esp {
    base protocol;
    base next-header;
    description
      "Identity for esp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ah {
    base protocol;
    base next-header;
    description
      "Identity for ah";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity mobile {
    base protocol;
    base next-header;
    description
      "Identity for mobile";

    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tlsp {
    base protocol;
    base next-header;
    description
      "Identity for tlsp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity skip {
    base protocol;
    base next-header;
    description
      "Identity for skip";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipv6-icmp {
    base protocol;
    base next-header;
    description
      "Identity for IPv6 icmp ";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }
  identity eigrp {
    base protocol;
    base next-header;
    description
      "Identity for eigrp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ospf {
    base protocol;
    base next-header;
    description
      "Identity for ospf";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity l2tp {
    base protocol;
    base next-header;
    description
      "Identity for l2tp";
    reference
      "RFC  790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC  791: Internet Protocol - Type of Service
       RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipopts {
    description
      "Base identity for IP options";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity rr {
    base ipopts;
    description
      "Identity for record route";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity eol {
    base ipopts;
    description
      "Identity for end of list";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for no operation";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for time stamp";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for IP security";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity esec {
    base ipopts;
    description
      "Identity for IP extended security";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for loose source routing";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for strict source routing";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for stream identifier";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity for which any IP options are set";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for tcp flags";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for congestion window reduced";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ecn {
    base tcp-flags;
    description
      "Identity for explicit congestion notification";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for urgent";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for acknowledgement";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for push";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for reset";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for synchronize";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for finish";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity icmp-type {
    description
      "Base identity for icmp types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo-reply {
    base icmp-type;
    description
      "Identity for echo reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-unreachable {
    base icmp-type;
    description
      "Identity for destination unreachable";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-quench  {
    base icmp-type;
    description
      "Identity for source quench";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect {
    base icmp-type;
    description
      "Identity for redirect";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity alternate-host-address {
    base icmp-type;
    description
      "Identity for alternate host address";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo {
    base icmp-type;
    description
      "Identity for echo";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-advertisement {
    base icmp-type;
    description
      "Identity for router advertisement";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-solicitation {
    base icmp-type;
    description
      "Identity for router solicitation";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-exceeded {
    base icmp-type;
    description
      "Identity for time exceeded";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity parameter-problem {
    base icmp-type;
    description
      "Identity for parameter problem";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp {
    base icmp-type;
    description
      "Identity for timestamp";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp-reply {
    base icmp-type;
    description
      "Identity for timestamp reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity information-request {
    base icmp-type;
    description
      "Identity for information request";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity information-reply {
    base icmp-type;
    description
      "Identity for information reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity address-mask-request {
    base icmp-type;
    description
      "Identity for address mask request";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity address-mask-reply {
    base icmp-type;
    description
      "Identity for address mask reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity traceroute {
    base icmp-type;
    description
      "Identity for traceroute";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity datagram-conversion-error {
    base icmp-type;
    description
      "Identity for datagram conversion error";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity mobile-host-redirect {
    base icmp-type;
    description
      "Identity for mobile host redirect";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity ipv6-where-are-you {
    base icmp-type;
    description
      "Identity for IPv6 where are you";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity ipv6-i-am-here {
    base icmp-type ;
    description
      "Identity for IPv6 i am here";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity mobile-registration-request {
    base icmp-type;
    description
      "Identity for mobile registration request";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity mobile-registration-reply {
    base icmp-type;
    description
      "Identity for mobile registration reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity domain-name-request {
    base icmp-type;
    description
      "Identity for domain name request";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity domain-name-reply {
    base icmp-type;
    description
      "Identity for domain name reply";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity iskip {
    base icmp-type;
    description
      "Identity for icmp skip";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity photuris {
    base icmp-type;
    description
      "Identity for photuris";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity experimental-mobility-protocols {
    base icmp-type;
    description
      "Identity for experimental mobility protocols";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity extended-echo-request {
    base icmp-type;
    description
      "Identity for extended echo request";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity extended-echo-reply {
    base icmp-type;
    description
      "Identity for extended echo reply";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity net-unreachable {
    base icmp-type;
    description
      "Identity for net unreachable
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-unreachable {
    base icmp-type;
    description
      "Identity for host unreachable
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity protocol-unreachable {
    base icmp-type;
    description
      "Identity for protocol unreachable
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity port-unreachable {
    base icmp-type;
    description
      "Identity for port unreachable
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-set {
    base icmp-type;
    description
      "Identity for fragmentation set
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-route-failed {
    base icmp-type;
    description
      "Identity for source route failed
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unknown {
    base icmp-type;
    description
      "Identity for destination network unknown
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-host-unknown {
    base icmp-type;
    description
      "Identity for destination host unknown
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-host-isolated {
    base icmp-type;
    description
      "Identity for source host isolated
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }
  identity communication-prohibited-with-destination-network {
    base icmp-type;
    description
      "Identity for which communication with destination network
      is administratively prohibited in destination unreachable
      types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited-with-destination-host {
    base icmp-type;
    description
      "Identity for which communication with destination host
      is administratively prohibited in destination unreachable
      types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination network unreachable
      for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-host-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination host unreachable
      for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited {
    base icmp-type;
    description
      "Identity for communication administratively prohibited
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-precedence-violation {
    base icmp-type;
    description
      "Identity for host precedence violation
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity precedence-cutoff-in-effect {
    base icmp-type;
    description
      "Identity for precedence cutoff in effect
      in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the network
      (or subnet) in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the host
      in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
      service and network in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
      service and host in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity normal-router-advertisement {
    base icmp-type;
    description
      "Identity for normal router advertisement
      in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity does-not-route-common-traffic {
    base icmp-type;
    description
      "Identity for does not route common traffic
      in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-to-live-exceeded-in-transit {
    base icmp-type;
    description
      "Identity for time to live exceeded in transit
      in time exceeded types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-reassembly-time-exceeded {
    base icmp-type;
    description
      "Identity for fragment reassembly time exceeded
      in time exceeded types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity pointer-indicates-the-error {
    base icmp-type;
    description
      "Identity for pointer indicates the error
      in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";

  }

  identity missing-a-required-option {
    base icmp-type;
    description
      "Identity for missing a required option
      in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-length {
    base icmp-type;
    description
      "Identity for bad length
      in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-spi {
    base icmp-type;
    description
      "Identity for bad spi
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity authentication-failed {
    base icmp-type;
    description
      "Identity for authentication failed
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity decompression-failed {
    base icmp-type;
    description
      "Identity for decompression failed
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity decryption-failed {
    base icmp-type;
    description
      "Identity for decryption failed
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity need-authentication {
    base icmp-type;
    description
      "Identity for need authentication
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity need-authorization {
    base icmp-type;
    description
      "Identity for need authorization
      in photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity req-no-error {
    base icmp-type;
    description
      "Identity for request with no error
      in extended echo request types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity rep-no-error {
    base icmp-type;
    description
      "Identity for reply with no error
      in extended echo reply types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity malformed-query {
    base icmp-type;
    description
      "Identity for malformed query
      in extended echo reply types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-interface {
    base icmp-type;
    description
      "Identity for no such interface
      in extended echo reply types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-table-entry {
    base icmp-type;
    description
      "Identity for no such table entry
      in extended echo reply types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity multiple-interfaces-satisfy-query {
    base icmp-type;
    description
      "Identity for multiple interfaces satisfy query
      in extended echo reply types";
    reference
      "RFC  792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity content-security-control {
    description
      "Base identity for content security control";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Differences
       from ACL Data Models
       draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities";
  }
  identity antivirus {
    base content-security-control;
    description
      "Identity for antivirus";
  }

  identity ips {
    base content-security-control;
    description
      "Identity for ips";
  }

  identity ids {
    base content-security-control;
    description
      "Identity for ids";
  }

  identity url-filtering {
    base content-security-control;
    description
      "Identity for url filtering";
  }

  identity mail-filtering {
    base content-security-control;
    description
      "Identity for mail filtering";
  }

  identity file-blocking {
    base content-security-control;
    description
      "Identity for
   more generic network security functions.

6.  YANG Module

6.1.  IETF NSF-Facing Interface YANG Data Module

   This section introduces a YANG module file blocking";
  }

  identity file-isolate {
    base content-security-control;
    description
      "Identity for the information model of
   network security functions, as defined in the [i2nsf-nsf-cap-im].

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2018-11-04.yang"

module ietf-i2nsf-policy-rule-for-nsf isolate";
  }

  identity pkt-capture {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    policy-rule-for-nsf;

  import ietf-inet-types{
    prefix inet;
    base content-security-control;
    description
      "Identity for packet capture";
  }
  import ietf-yang-types{
    prefix yang;
  identity application-control {
    base content-security-control;
    description
      "Identity for application control";
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>

     WG Chair: Adrian Farrel
     <mailto:Adrain@olddog.co.uk>

     WG Chair: Linda Dunbar
     <mailto:Linda.duhbar@huawei.com>

     Editor: Jingyong Tim Kim
     <mailto:timkim@skku.edu>

     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>

     Editor: Susan Hares
     <mailto:shares@ndzh.com>";

  identity voip-volte {
    base content-security-control;
    description
    "This module defines a YANG data module
      "Identity for network security
     functions.";
  revision "2018-11-04"{ voip and volte";
  }

  identity attack-mitigation-control {
    description "The fourth revision";
      "Base identity for attack mitigation control";
    reference
      "draft-ietf-i2nsf-capability-04";
      "RFC 8329: Framework for Interface to
       Network Security Functions - Differences
       from ACL Data Models
       draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities";
  }

  typedef sec-event-format {
      type enumeration

  identity syn-flood {
        enum unknown
    base attack-mitigation-control;
    description
      "Identity for syn flood";
  }

  identity udp-flood {
    base attack-mitigation-control;
    description
              "If SecEventFormat is unknown";
      "Identity for udp flood";
  }
        enum guid

  identity icmp-flood {
    base attack-mitigation-control;
    description
              "If SecEventFormat is GUID
              (Generic Unique IDentifier)";
      "Identity for icmp flood";
  }
        enum uuid

  identity ip-frag-flood {
    base attack-mitigation-control;
    description
              "If SecEventFormat is UUID
              (Universal Unique IDentifier)";
      "Identity for ip frag flood";
  }
        enum uri

  identity ipv6-related {
    base attack-mitigation-control;
    description
              "If SecEventFormat is URI
              (Uniform Resource Identifier)";
      "Identity for ipv6 related";
  }
        enum fqdn

  identity http-and-https-flood {
    base attack-mitigation-control;
    description
              "If SecEventFormat is FQDN
              (Fully Qualified Domain Name)";
      "Identity for http and https flood";
  }
        enum fqpn

  identity dns-flood {
    base attack-mitigation-control;
    description
              "If SecEventFormat is FQPN
              (Fully Qualified Path Name)";
      "Identity for dns flood";
  }

  identity dns-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for dns amp flood";
  }

  identity ssl-ddos {
    base attack-mitigation-control;
    description
        "This is used
      "Identity for SecEventFormat."; ssl ddos";
  }

  typedef priority-usage-type

  identity ip-sweep {
      type enumeration
    base attack-mitigation-control;
    description
      "Identity for ip sweep";
  }

  identity port-scanning {
        enum priority-by-order
    base attack-mitigation-control;
    description
      "Identity for port scanning";
  }

  identity ping-of-death {
    base attack-mitigation-control;
    description
              "If priority type is order";
      "Identity for ping of death";
  }
        enum priority-by-number

  identity teardrop {
    base attack-mitigation-control;
    description
              "If priority type is number";
      "Identity for teardrop";
  }

  identity oversized-icmp {
    base attack-mitigation-control;
    description
      "Identity for oversized icmp";
  }

  identity tracert {
    base attack-mitigation-control;
    description
        "This is used
      "Identity for priority type."; tracert";
  }

  typedef

  identity ingress-action {
      type enumeration
    description
      "Base identity for action";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Ingress Action";
  }

  identity egress-action {
        enum
    description
      "Base identity for egress action";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Egress action";
  }

  identity default-action {
    description
      "Base identity for default action";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Default action";
  }

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
              "If ingress action is
      "Identity for pass";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }
        enum

  identity drop {
    base ingress-action;
    base egress-action;
    base default-action;
    description
              "If ingress action is
      "Identity for drop";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }
        enum

  identity reject {
    base ingress-action;
    base egress-action;
    base default-action;
    description
              "If ingress action is
      "Identity for reject";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }
        enum

  identity alert {
    base ingress-action;
    base egress-action;
    base default-action;
    description
              "If ingress action is
      "Identity for alert";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }
        enum

  identity mirror {
    base ingress-action;
    base egress-action;
    base default-action;
    description
              "If ingress action is
      "Identity for mirror";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }
      }

  identity log-action {
    description
        "This is used
      "Base identity for ingress action."; log action";
  }

  typedef egress-action

  identity rule-log {
      type enumeration
    base log-action;
    description
      "Identity for rule log";
  }

  identity session-log {
        enum
    base log-action;
    description
      "Identity for session log";
  }

  identity invoke-signaling {
    base egress-action;
    description
              "If egress action is
      "Identity for invoke signaling";
  }
        enum

  identity tunnel-encapsulation {
    base egress-action;
    description
              "If egress action is
      "Identity for tunnel encapsulation";
  }
        enum

  identity forwarding {
    base egress-action;
    description
              "If egress action is
      "Identity for forwarding";
  }
        enum

  identity redirection {
    base egress-action;
    description
              "If egress action is redirection";
        }
      }
      description
        "This is used
      "Identity for egress action.";
  }

  identity ECA-OBJECT-TYPE {
    description "TBD"; redirection";

  }

  identity ECA-EVENT-TYPE resolution-strategy {
    base ECA-OBJECT-TYPE;
    description "TBD";
  }
      "Base identity ECA-CONDITION-TYPE {
    base ECA-OBJECT-TYPE;
    description "TBD"; for resolution strategy";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity ECA-ACTION-TYPE fmr {
    base ECA-OBJECT-TYPE; resolution-strategy;
    description "TBD";
      "Identity for First Matching Rule (FMR)";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity EVENT-USER-TYPE lmr {
    base ECA-EVENT-TYPE; resolution-strategy;
    description "TBD";
      "Identity for Last Matching Rule (LMR)";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity EVENT-DEV-TYPE pmr {
    base ECA-EVENT-TYPE; resolution-strategy;
    description "TBD";
      "Identity for Prioritized Matching Rule (PMR)";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity EVENT-SYS-TYPE pmre {
    base ECA-EVENT-TYPE; resolution-strategy;
    description "TBD";
      "Identity for Prioritized Matching Rule
      with Errors (PMRE)";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity EVENT-TIME-TYPE pmrn {
    base ECA-EVENT-TYPE; resolution-strategy;
    description "TBD";
      "Identity for Prioritized Matching Rule
      with No Errors (PMRN)";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  grouping i2nsf-eca-object-type

  /*
   * Typedefs
   */

  typedef start-time-type {
    leaf entity-class
    type union {
       type identityref string {
        base ECA-OBJECT-TYPE;
         pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
               + '(Z|[\+\-]\d{2}:\d{2})';
       }

      type enumeration {
        enum right-away {
          description
            "Immediate rule execution
             in the system.";
        }
      }
    }

    description "TBD";
      "Start time when the rules are applied.";
  }
    leaf eca-object-id

  typedef end-time-type {
    type string; union {
       type string {
         pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
               + '(Z|[\+\-]\d{2}:\d{2})';
       }

      type enumeration {
        enum infinitely {
          description "TBD";
            "Infinite rule execution
             in the system.";
        }
      }
    }
    description "TBD";
      "End time when the rules are applied.";
  }

  grouping i2nsf-event-type
   typedef day-type {
      type enumeration {
        enum sunday {
            description "TBD";
      leaf description
              "Sunday for periodic day";
        }
        enum monday {
        type string;
            description
          "This is
              "Monday for periodic day";
        }
        enum tuesday {
            description
              "Tuesday for event.
          Vendors can write instructions periodic day";
        }
        enum wednesday {
            description
              "Wednesday for event
          that vendor made"; periodic day";
        }

      leaf sec-event-content
        enum thursday {
        type string;
        mandatory true;
            description
         "This is a mandatory string that contains the content
          of the SecurityEvent. The format of the content
          is specified in the SecEventFormat class
          attribute, and the type of event is defined in the
          SecEventType class attribute. An example of the
          SecEventContent attribute is a string hrAdmin,
          with the SecEventFormat set to 1 (GUID) and the
          SecEventType attribute set to 5 (new logon).";
              "Thursday for periodic day";
        }

      leaf sec-event-format
        enum friday {
        type sec-event-format;
        mandatory true;
            description
         "This is a mandatory uint 8 enumerated integer, which
          is used to specify the data type of the
          SecEventContent attribute. The content is
          specified in the SecEventContent class attribute,
          and the type of event is defined in the
          SecEventType class attribute. An example of the
          SecEventContent attribute is string hrAdmin,
          with the SecEventFormat attribute set to 1 (GUID)
          and the SecEventType attribute set to 5
          (new logon).";
              "Friday for periodic day";
        }

      leaf sec-event-type
        enum saturday {
        type string;
        mandatory true;
            description
              "Saturday for periodic day";
        }
      }
      description
        "This is a mandatory uint 8 enumerated integer, which
          is can be used to specify the type of event that involves
          this user. The content and format are specified in
          the SecEventContent and SecEventFormat class
          attributes, respectively. An example of the
          SecEventContent attribute is string hrAdmin,
          with for the SecEventFormat attribute set rules to 1 (GUID)
          and the SecEventType attribute set be applied
        according to 5
         (new logon)."; periodic day";
  }

   typedef month-type {
      type enumeration {
        enum january {
            description
              "January for periodic month";
        }
  container i2nsf-security-policy
        enum february {
            description
      "policy is a container
       including a set of security
              "February for periodic month";
        }
        enum march {
            description
              "March for periodic month";
        }
        enum april {
            description
              "April for periodic month";
        }
        enum may {
            description
              "May for periodic month";
        }
        enum june {
            description
              "June for periodic month";
        }
        enum july {
            description
              "July for periodic month";
        }
        enum august {
            description
              "August for periodic month";
        }
        enum september {
            description
              "September for periodic month";
        }
        enum october {
            description
              "October for periodic month";
        }
        enum november {
            description
              "November for periodic month";
        }
        enum december {
            description
              "December for periodic month";
        }
      }
      description
        "This can be used for the rules according to certain logic,
       i.e., their similarity or mutual relations, etc. The network
       security policy is able be applied
        according to apply over both the unidirectional
       and bidirectional traffic across the NSF."; periodic month";
  }

  /*
   * Groupings
   */

  grouping ipv4 {
    list system-policy ipv4-address {
      key "system-policy-name"; "ipv4";
      description
        "The system-policy represents there could be multiple system
          policies in one NSF, and each system policy is used by
          one virtual instance list of the NSF/device."; IPv4 address.";

      leaf system-policy-name ipv4 {
        type string;
        mandatory true; inet:ipv4-address;
        description
          "The name value of the policy.
           This must IPv4 address.";
      }
      choice subnet {
        description
          "The subnet can be unique."; specified as a prefix length or
          netmask.";
        leaf prefix-length {
          type uint8 {
            range "0..32";
          }
          description
            "The length of the subnet prefix.";
        }
        leaf priority-usage netmask {
          type priority-usage-type;
        mandatory true; yang:dotted-quad;
          description
          "This is priority type.";
            "The subnet specified as a netmask.";
        }
      }
    }
    description
      "Grouping for an IPv4 address";

    reference
      "RFC  791: Internet Protocol - IPv4 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping ipv6 {
    list rules ipv6-address {
      key "rule-name"; "ipv6";
      description
          "This is a rule for network security functions.";
        "The list of IPv6 address.";

      leaf rule-name ipv6 {
        type string;
          mandatory true; inet:ipv6-address;
        description
          "The id value of the rule.
             This must be unique."; IPv6 address.";
      }
      leaf rule-description prefix-length {
        type string; uint8 {
          range "0..128";
        }
        description
            "This
          "The length of the subnet prefix.";
      }
    }
    description gives more information about
             rules.";
      "Grouping for an IPv6 address";

    reference
      "RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address
       RFC 8344: A YANG Data Model for IP Management";
  }

        leaf rule-priority

  grouping pkt-sec-ipv4 {
    choice match-type {
          type uint8;
      description
            "The priority keyword comes with
        "There are two types to configure a mandatory
             numeric value which can security policy
        for IPv4 address, such as exact match and range from 1 till 255."; match.";
      case exact-match {
        uses ipv4;
        description
          "Exact match for an IPv4 address.";
      }
      case range-match {
        list range-ipv4-address {
          key "start-ipv4-address end-ipv4-address";
          leaf enable start-ipv4-address {
            type boolean; inet:ipv4-address;
            description
            "True is enable.
             False is not enbale.";
              "Start IPv4 address for a range match.";
          }

          leaf session-aging-time end-ipv4-address {
            type uint16; inet:ipv4-address;
            description
            "This is session aging time.";
              "End IPv4 address for a range match.";
          }

        container long-connection
          description
            "Range match for an IPv4 address.";
        }
      }
    }
    description
      "Grouping for an IPv4 address.";

    reference
      "RFC 791: Internet Protocol - IPv4 address";
  }

  grouping pkt-sec-ipv6 {
    choice match-type {
      description
            "This is long-connection";
        "There are two types to configure a security policy
        for IPv6 address, such as exact match and range match.";
      case exact-match {
        uses ipv6;
        description
          "Exact match for an IPv6 address.";
      }
      case range-match {
        list range-ipv6-address {
          key "start-ipv6-address end-ipv6-address";
          leaf enable start-ipv6-address {
            type boolean; inet:ipv6-address;
            description
              "True is enable.
               False is not enbale.";
              "Start IPv6 address for a range match.";
          }

          leaf during end-ipv6-address {
            type uint16; inet:ipv6-address;
            description
              "End IPv6 address for a range match.";
          }
          description
              "This is during time.";
            "Range match for an IPv6 address.";
        }
      }
    }

        container time-zone {
    description
            "This can be used to apply rules according to time-zone";
          container absolute-time-zone
      "Grouping for IPv6 address.";

    reference
      "RFC 2460: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address";
  }

  grouping pkt-sec-port-number {
            description
            "This can be used to apply rules according to
             absolute-time";
            container time
    choice match-type {
      description
                "This can be used to apply rules according
        "There are two types to time";
              leaf start-time configure a security policy
        for a port number, such as exact match and range match.";
      case exact-match {
        leaf-list port-num {
          type yang:date-and-time; inet:port-number;
          description
                  "This is start time
            "Exact match for time zone"; a port number.";
        }
      }
      case range-match {
        list range-port-num {
          key "start-port-num end-port-num";
          leaf end-time start-port-num {
            type yang:date-and-time; inet:port-number;
            description
                  "This is end time
              "Start port number for time zone";
              } a range match.";
          }
            container date {
              description
                "This can be used to apply rules according to date";
          leaf absolute-date end-port-num {
            type yang:date-and-time; inet:port-number;
            description
                  "This is absolute date
              "Start port number for time zone"; a range match.";
          }
          description
            "Range match for a port number.";
        }
      }
    }
    description
      "Grouping for port number.";

    reference
      "RFC 793: Transmission Control Protocol - Port number
       RFC 768: User Datagram Protocol - Port Number";
  }

  /*
   * Data nodes
   */

  container periodic-time-zone i2nsf-security-policy {
    description
             "This can be used to apply
      "Container for security policy
       including a set of security rules according to
             periodic-time-zone";
            container day {
              description
               "This can be used certain logic,
       i.e., their similarity or mutual relations, etc. The network
       security policy is able to apply rules according over both the unidirectional
       and bidirectional traffic across the NSF.
       The I2NSF security policies use the Event-Condition-Action
       (ECA) policy model ";

    reference
      "RFC 8329: Framework for Interface to periodic day";
              leaf sunday Network Security
       Functions - I2NSF Flow Security Policy Structure
       draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Design Principles and ECA Policy Model
       Overview";

    list system-policy {
                type boolean;
      key "system-policy-name";
      description
                  "This is sunday for periodic day";
              }
        "The system-policy represents there could be multiple system
        policies in one NSF, and each system policy is used by
        one virtual instance of the NSF/device.";

      leaf monday system-policy-name {
        type boolean; string;
        mandatory true;
        description
                  "This is monday for periodic day";
          "The name of the policy.
           This must be unique.";
      }

      leaf tuesday priority-usage {
        type boolean; identityref {
          base priority-usage-type;
        }
        default priority-by-order;
        description
                  "This is tuesday
          "Priority usage type for periodic day"; security policy rule:
           priority by order and priority by number";
      }

      leaf wednesday resolution-strategy {
        type boolean; identityref {
          base resolution-strategy;
        }
        default fmr;
        description
                  "This is wednesday for periodic day";
          "The resolution strategies can be used to
          specify how to resolve conflicts that occur between
          the actions of the same or different policy rules that
          are matched and contained in this particular NSF";

        reference
          "draft-ietf-i2nsf-capability-04: Information Model
           of NSFs Capabilities - Resolution strategy";
      }

      leaf thursday default-action {
        type boolean; identityref {
          base default-action;
        }
        default alert;
        description
          "This default action can be used to specify a predefined
          action when no other alternative action was matched
          by the currently executing I2NSF Policy Rule. An analogy
          is thursday for periodic day"; the use of a default statement in a C switch statement.";

        reference
          "draft-ietf-i2nsf-capability-04: Information Model
           of NSFs Capabilities - Default action";
      }
              leaf friday

      list rules {
                type boolean;
        key "rule-name";
        description
          "This is friday a rule for periodic day";
              } network security functions.";

        leaf saturday rule-name {
          type boolean;
                description
                  "This is saturday for periodic day";
              }
            }
            container month { string;
          mandatory true;
          description
               "This can
            "The name of the rule.
             This must be used to apply rules according
                to periodic month"; unique.";
        }

        leaf january rule-description {
          type boolean; string;
          description
            "This is january for periodic month"; description gives more information about
             rules.";
        }

        leaf february rule-priority {
          type boolean; uint8 {
            range "1..255";
          }
          description
                  "This is february for periodic month";
            "The priority keyword comes with a mandatory
             numeric value which can range from 1 till 255.";
        }

        leaf march rule-enable {
          type boolean;
          description
                  "This
            "True is march for periodic month"; enable.
             False is not enbale.";
        }
              leaf april

        container time-zone {
                type boolean;
          description
                  "This is april for periodic month";
              }
              leaf may
            "Time zone when the rules are applied";
          container absolute-time-zone {
                type boolean;
            description
                  "This is may for periodic month";
              }
              "Rule execution according to absolute time";

            leaf june start-time {
              type boolean; start-time-type;
              default right-away;
              description
                  "This is june for periodic month";
                "Start time when the rules are applied";
            }
            leaf july end-time {
              type boolean; end-time-type;
              default infinitely;
              description
                  "This is july for periodic month";
                "End time when the rules are applied";
            }
              leaf august
          }

          container periodic-time-zone {
                type boolean;
            description
                  "This is august for
              "Rule execution according to periodic month";
              } time";

            container day {
              description
                "Rule execution according to day.";
              leaf september every-day {
                type boolean;
                default true;
                description
                  "This is september for periodic month";
                  "Rule execution every day";
              }
              leaf october

              leaf-list specific-day {
                when "../every-day = 'false'";
                type boolean; day-type;
                description
                  "This is october for periodic month";
                 "Rule execution according
                  to specific day";
              }
            }
            container month {
              description
                "Rule execution according to month.";
              leaf november every-month {
                type boolean;
                default true;
                description
                  "This is november for periodic month";
                  "Rule execution every day";
              }
              leaf december

              leaf-list specific-month {
                when "../every-month = 'false'";
                type boolean; month-type;
                description
                  "This is december for periodic month";
                 "Rule execution according
                  to month day";
              }
            }
          }
        }

        container event-clause-container {
          description "TBD";
      list event-clause-list {
      key eca-object-id;
      uses i2nsf-eca-object-type {
        refine entity-class {
            default ECA-EVENT-TYPE;

        }
      }

      description
        " This is abstract. An
            "An event is defined as any important
             occurrence in time of a change in the system being
             managed, and/or in the environment of the system being
             managed. When used in the context of policy rules for
             a flow-based NSF, it is used to determine whether the
             Condition clause of the Policy Rule can be evaluated
             or not. Examples of an I2NSF event include time and
          user actions (e.g., logon, logoff,
             user actions (e.g., logon, logoff, and actions that
             violate any ACL.).";

          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-04: Information Model
             of NSFs Capabilities - Design Principles and ECA
             Policy Model Overview
             draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG
             Data Model for Monitoring I2NSF Network Security
             Functions - System Alarm and System Events";

          leaf event-clause-description {
            type string;
            description
              "Description for an event clause";
          }
          container event-clauses {
            description
              "It has two event types such as
              system event and system alarm.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-04: Information Model
               of NSFs Capabilities - Design Principles and ECA Policy
               Model Overview
               draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG
               Data Model for Monitoring I2NSF Network Security
               Functions - System Alarm and actions that
          violate any ACL.).";

       uses i2nsf-event-type;
       }
    }
      container condition-clause-container System Events";

            leaf-list system-event {
      description "TBD";
      list condition-clause-list
              type identityref {
        key eca-object-id;
        uses i2nsf-eca-object-type
                base system-event;
              }
              description
                "The security policy rule according to
                 system events.";
            }

            leaf-list system-alarm {
            refine entity-class
              type identityref {
                default ECA-CONDITION-TYPE;
                base system-alarm;
              }
              description
                "The security policy rule according to
                 system alarms.";
            }
          }
        }

        container condition-clause-container {
          description
          " This is abstract.  A
            "A condition is defined as a set
            of attributes, features, and/or values that are to be
            compared with a set of known attributes, features,
            and/or values in order to determine whether or not the
            set of Actions in that (imperative) I2NSF Policy Rule
            can be executed or not. Examples of I2NSF Conditions
            include matching attributes of a packet or flow, and
            comparing the internal state of an NSF to a desired
            state.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-04: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf condition-clause-description {
            type string;
            description
              "Description for a condition clause.";
          }

          container packet-security-ipv4-condition {
            description
              "The purpose of this container is to represent IPv4
               packet header information to determine if the set
               of policy actions in this ECA policy rule should be
               executed or not.";
            reference
              "RFC 791: Internet Protocol";

            container packet-security-condition pkt-sec-ipv4-header-length {
              choice match-type {
                description
                  "There are two types to configure a security
                  policy for IPv4 header length, such as exact match
                  and range match.";
                case exact-match {
                  leaf-list ipv4-header-length {
                    type uint8 {
                      range "5..15";
                    }
                    description
              "TBD";
                      "Exact match for an IPv4 header length.";
                  }
                }
                case range-match {
                  list range-ipv4-header-length {
                    key "start-ipv4-header-length
                         end-ipv4-header-length";
                    leaf packet-description start-ipv4-header-length {
                      type string; uint8 {
                        range "5..15";
                      }
                      description
                "This is
                        "Start IPv4 header length for a range match.";
                    }

                    leaf end-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "End IPv4 header length for packet condition.
                Vendors can write instructions a range match.";
                    }
                    description
                      "Range match for packet condition
                that vendor made"; an IPv4 header length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 header length.";
              reference
                "RFC 791: Internet Protocol - Header length";
            }

            leaf-list pkt-sec-ipv4-tos {
              type identityref {
                base type-of-service;
              }
              description
                "The security policy rule according to
                 IPv4 type of service.";
              reference
                "RFC 791: Internet Protocol - Type of service";
            }

            container packet-security-mac-condition pkt-sec-ipv4-total-length {
              choice match-type {
                description
               "The purpose of this Class is
                  "There are two types to represent packet MAC
               packet header information that can be used as part of configure a test to determine if the set of Policy Actions in
               this ECA Policy Rule should be execute or not."; security
                  policy for IPv4 total length, such as exact match
                  and range match.";
                case exact-match {
                  leaf-list pkt-sec-cond-mac-dest ipv4-total-length {
                    type yang:phys-address; uint16;
                    description
                  "The MAC destination address (6 octets long).";
                      "Exact match for an IPv4 total length.";
                  }

              leaf-list pkt-sec-cond-mac-src
                }
                case range-match {
                  list range-ipv4-total-length {
                    key "start-ipv4-total-length end-ipv4-total-length";
                    leaf start-ipv4-total-length {
                      type yang:phys-address; uint16;
                      description
                  "The MAC source address (6 octets long).";
                        "Start IPv4 total length for a range match.";

                    }

              leaf-list pkt-sec-cond-mac-8021q
                    leaf end-ipv4-total-length {
                      type string; uint16;
                      description
                  "This is
                        "End IPv4 total length for a range match.";
                    }
                    description
                      "Range match for an optional string attribute, and defines
                   The 802.1Q tab value (2 octets long)."; IPv4 total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 total length.";
              reference
                "RFC 791: Internet Protocol - Total length";
            }

            leaf-list pkt-sec-cond-mac-ether-type pkt-sec-ipv4-id {
              type string; uint16;
              description
                "The EtherType field (2 octets long). Values up security policy rule according to
                   and including 1500 indicate the size of the
                   payload in octets; values of 1536 and above
                   define which protocol is encapsulated in the
                   payload of the frame.";
                 IPv4 identification.";
              reference
                "RFC 791: Internet Protocol - Identification";
            }

            leaf-list pkt-sec-cond-mac-tci pkt-sec-ipv4-fragment-flags {
              type string;
                description
                 "This is an optional string attribute, and defines
                  the Tag Control Information. This consists of a 3
                  bit user priority field, a drop eligible indicator
                  (1 bit), and a VLAN identifier (12 bits)."; identityref {
                base fragmentation-flags-type;
              }
              description
                "The security policy rule according to
                 IPv4 fragment flags.";
              reference
                "RFC 791: Internet Protocol - Fragment flags";
            }

            container packet-security-ipv4-condition pkt-sec-ipv4-fragment-offset {
              choice match-type {
                description
                "The purpose of this Class is
                  "There are two types to represent configure a security
                  policy for IPv4
                 packet header information that can be used fragment offset, such as
                 part of a test to determine if the set of Policy
                 Actions in this ECA Policy Rule should be executed
                 or not."; exact match
                  and range match.";
                case exact-match {
                  leaf-list pkt-sec-cond-ipv4-header-length ipv4-fragment-offset {
                    type uint16 {
                      range "0..16383";

                    }
                    description
                      "Exact match for an IPv4 fragment offset.";
                  }
                }
                case range-match {
                  list range-ipv4-fragment-offset {
                    key "start-ipv4-fragment-offset
                         end-ipv4-fragment-offset";
                    leaf start-ipv4-fragment-offset {
                      type uint8; uint16 {
                        range "0..16383";
                      }
                      description
                  "The
                        "Start IPv4 packet header consists of 14 fields,
                   of which 13 are required."; fragment offset for a range match.";
                    }

              leaf-list pkt-sec-cond-ipv4-tos
                    leaf end-ipv4-fragment-offset {
                      type uint8; uint16 {
                        range "0..16383";
                      }
                      description
                  "The ToS field could specify a datagram's priority
                   and request
                        "End IPv4 fragment offset for a route range match.";
                    }
                    description
                      "Range match for low-delay,
                   high-throughput, or highly-reliable service.."; an IPv4 fragment offset.";
                  }

              leaf-list pkt-sec-cond-ipv4-total-length
                }
              }
              description
                "The security policy rule according to
                 IPv4 fragment offset.";
              reference
                "RFC 791: Internet Protocol - Fragment offset";
            }

            container pkt-sec-ipv4-ttl {
              choice match-type {
                type uint16;
                description
                  "This 16-bit field defines the entire packet size,
                   including header
                  "There are two types to configure a security
                  policy for IPv4 TTL, such as exact match
                  and data, in bytes.";
              } range match.";
                case exact-match {
                  leaf-list pkt-sec-cond-ipv4-id ipv4-ttl {
                    type uint8;
                    description
                  "This field is an identification field and is
                   primarily used
                      "Exact match for uniquely identifying
                   the group of fragments of a single IP datagram."; an IPv4 TTL.";
                  }

              leaf-list pkt-sec-cond-ipv4-fragment
                }
                case range-match {
                  list range-ipv4-ttl {
                    key "start-ipv4-ttl end-ipv4-ttl";
                    leaf start-ipv4-ttl {
                      type uint8;
                      description
                  "IP fragmentation is an Internet Protocol (IP)
                   process that breaks datagrams into smaller pieces
                   (fragments), so that packets may be formed that
                   can pass through a link with
                        "Start IPv4 TTL for a smaller maximum
                   transmission unit (MTU) than the original
                   datagram size."; range match.";
                    }

              leaf-list pkt-sec-cond-ipv4-fragment-offset
                    leaf end-ipv4-ttl {
                      type uint16; uint8;
                      description
                  "Fragment offset field along with Don't Fragment
                   and More Fragment flags in the IP protocol
                   header are used
                        "End IPv4 TTL for fragmentation and reassembly
                   of IP datagrams."; a range match.";
                    }
                    description
                      "Range match for an IPv4 TTL.";
                  }
                }
              }

              leaf-list pkt-sec-cond-ipv4-ttl {
                type uint8;
              description
                "The ttl keyword is used security policy rule according to check for a specific
                   IP
                 IPv4 time-to-live value in the header of
                   a packet."; (TTL).";
              reference
                "RFC 791: Internet Protocol - Time to live";
            }

            leaf-list pkt-sec-cond-ipv4-protocol pkt-sec-ipv4-protocol {
              type uint8; identityref {
                base protocol;
              }
              description
                  "Internet
                "The security policy rule according to
                 IPv4 protocol.";
              reference
                "RFC 791: Internet Protocol version 4(IPv4) is the fourth
                   version of the - Protocol";
            }

            container pkt-sec-ipv4-src {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 source address.";
              reference
                "RFC 791: Internet Protocol (IP)."; - IPv4 Address";
            }

              leaf-list pkt-sec-cond-ipv4-src

            container pkt-sec-ipv4-dest {
                type inet:ipv4-address;
              uses pkt-sec-ipv4;
              description
                  "Defines the
                "The security policy rule according to
                 IPv4 destination address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Source Address."; Address";
            }

            leaf-list pkt-sec-cond-ipv4-dest pkt-sec-ipv4-ipopts {
              type inet:ipv4-address;
                description
                  "Defines the IPv4 Destination Address.";
              }

              leaf pkt-sec-cond-ipv4-ipopts identityref {
                type string;
                base ipopts;
              }
              description
                  "With the ipopts keyword you can check if
                   a specific ip option is set. Ipopts has
                "The security policy rule according to be used at the beginning of a rule.";
                 IPv4 options.";
              reference
                "RFC 791: Internet Protocol - Options";
            }

            leaf pkt-sec-cond-ipv4-sameip pkt-sec-ipv4-sameip {
              type boolean;
              description
                "Every packet has a source IP-address and
                 a destination IP-address. It can be that
                 the source IP is the same as
                 the destination IP.";
            }

            leaf-list pkt-sec-cond-ipv4-geoip pkt-sec-ipv4-geoip {
              type string;
              description
                "The geoip keyword enables you to match on
                 the source, destination or source and destination
                 IP addresses of network traffic and to see to
                 which country it belongs. To do this, Suricata
                 uses GeoIP API with MaxMind database format.";
            }
          }

          container packet-security-ipv6-condition {
            description
               "The purpose of this Class container is to represent packet
                IPv6 packet header information that can be used as
                 part of a test to determine
                if the set of Policy
                 Actions policy actions in this ECA Policy Rule policy
                rule should be executed or not.";
            reference
              "RFC 2460: Internet Protocol, Version 6 (IPv6)
               Specification";

            leaf-list pkt-sec-cond-ipv6-dscp pkt-sec-ipv6-traffic-class {
              type string; identityref {
                base traffic-class;
              }
              description
                  "Differentiated Services Code Point (DSCP)
                   of ipv6.";
                "The security policy rule according to
                 IPv6 traffic class.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Traffic class";
            }

            container pkt-sec-ipv6-flow-label {
              choice match-type {
                description
                  "There are two types to configure a security
                  policy for IPv6 flow label, such as exact match
                  and range match.";
                case exact-match {
                  leaf-list pkt-sec-cond-ipv6-ecn ipv6-flow-label {
                    type string; uint32 {
                      range "0..1048575";
                    }
                    description
                  "ECN allows end-to-end notification of network
                   congestion without dropping packets.";
                      "Exact match for an IPv6 flow label.";
                  }

              leaf-list pkt-sec-cond-ipv6-traffic-class
                }
                case range-match {
                  list range-ipv6-flow-label {
                    key "start-ipv6-flow-label end-ipv6-flow-label";
                    leaf start-ipv6-flow-label {
                      type uint8; uint32 {
                        range "0..1048575";
                      }
                      description
                  "The bits of this field hold two values. The 6
                   most-significant bits are used
                        "Start IPv6 flow label for
                   differentiated services, which is used to
                   classify packets."; a range match.";
                    }

              leaf-list pkt-sec-cond-ipv6-flow-label
                    leaf end-ipv6-flow-label {
                      type uint32; uint32 {
                        range "0..1048575";
                      }
                      description
                  "The
                        "End IPv6 flow label when set for a range match.";
                    }
                    description
                      "Range match for an IPv6 flow label.";
                  }
                }

              }
              description
                "The security policy rule according to
                 IPv6 flow label.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Flow label";
            }

            container pkt-sec-ipv6-payload-length {
              choice match-type {
                description
                  "There are two types to configure a non-zero value
                   serves security
                  policy for IPv6 payload length, such as a hint to routers
                  exact match and switches
                   with multiple outbound paths that these
                   packets should stay on the same path so that
                   they will not be reordered."; range match.";
                case exact-match {
                  leaf-list ipv6-payload-length {
                    type uint16;
                    description
                      "Exact match for an IPv6 payload length.";
                  }
                }
                case range-match {
                  list range-ipv6-payload-length {
                    key "start-ipv6-payload-length
                         end-ipv6-payload-length";
                    leaf start-ipv6-payload-length {
                      type uint16;
                      description
                        "Start IPv6 payload length for a range match.";
                    }

              leaf-list pkt-sec-cond-ipv6-payload-length
                    leaf end-ipv6-payload-length {
                      type uint16;
                      description
                  "The size of the
                        "End IPv6 payload in octets,
                   including any extension headers.";
              }

              leaf-list pkt-sec-cond-ipv6-next-header {
                type uint8;
                description
                  "Specifies the type of the next header.
                   This field usually specifies the transport
                   layer protocol used by length for a packet's payload."; range match.";
                    }

              leaf-list pkt-sec-cond-ipv6-hop-limit {
                type uint8;
                    description
                  "Replaces the time to live field of IPv4.";
                      "Range match for an IPv6 payload length.";
                  }
                }
              }

              leaf-list pkt-sec-cond-ipv6-src {
                type inet:ipv6-address;
              description
                "The security policy rule according to
                 IPv6 address of the sending node."; payload length.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Payload length";
            }
            leaf-list pkt-sec-cond-ipv6-dest pkt-sec-ipv6-next-header {
              type inet:ipv6-address; identityref {
                base next-header;
              }
              description
                "The security policy rule according to
                 IPv6 address of the destination node(s).";
              } next header.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Next header";
            }

            container packet-security-tcp-condition pkt-sec-ipv6-hop-limit {
              choice match-type {
                description
                "The purpose of this Class is
                  "There are two types to represent packet
                 TCP packet header information that can be used as
                 part of configure a test to determine if the set of Policy
                 Actions in this ECA Policy Rule should be executed
                 or not."; security
                  policy for IPv6 hop limit, such as exact match
                  and range match.";
                case exact-match {
                  leaf-list pkt-sec-cond-tcp-src-port ipv6-hop-limit {
                    type inet:port-number; uint8;
                    description
                  "This is a mandatory string attribute, and
                  defines the Source Port number (16 bits).";
                      "Exact match for an IPv6 hop limit.";
                  }

              leaf-list pkt-sec-cond-tcp-dest-port
                }
                case range-match {
                  list range-ipv6-hop-limit {
                    key "start-ipv6-hop-limit end-ipv6-hop-limit";
                    leaf start-ipv6-hop-limit {
                      type inet:port-number; uint8;
                      description
                  "This is
                        "Start IPv6 hop limit for a mandatory string attribute, and
                  defines the Destination Port number (16 bits)."; range match.";
                    }

              leaf-list pkt-sec-cond-tcp-seq-num
                    leaf end-ipv6-hop-limit {
                      type uint32; uint8;
                      description
                  "If the SYN flag is set (1), then this is the
                   initial sequence number.";
                        "End IPv6 hop limit for a range match.";
                    }

              leaf-list pkt-sec-cond-tcp-ack-num {
                type uint32;
                    description
                  "If the ACK flag is set then the value of this
                   field is the next sequence number that the sender
                   is expecting.";
                      "Range match for an IPv6 hop limit.";
                  }
                }
              }

              leaf-list pkt-sec-cond-tcp-window-size {
                type uint16;
              description
                "The size of the receive window, which specifies
                   the number of windows size units
                   (by default,bytes) (beyond the segment
                   identified by the sequence number in the
                   acknowledgment field) that the sender of this
                   segment is currently willing security policy rule according to
                 IPv6 hop limit.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Hop limit";
            }

            container pkt-sec-ipv6-src {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to recive.";
                 IPv6 source address.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }

              leaf-list pkt-sec-cond-tcp-flags

            container pkt-sec-ipv6-dest {
                type uint8;
              uses pkt-sec-ipv6;
              description
                  "This is a mandatory string attribute, and defines
                   the nine Control bit flags (9 bits).";
                "The security policy rule according to
                 IPv6 destination address.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }

          }

          container packet-security-udp-condition packet-security-tcp-condition {
            description
              "The purpose of this Class container is to represent packet UDP
               TCP packet header information that can be used as part
                of a test to determine
               if the set of Policy Actions policy actions in this ECA Policy Rule policy
               rule should be executed or not.";

              leaf-list pkt-sec-cond-udp-src-port {
                type inet:port-number;
                description
                  "This is a mandatory string attribute, and
                  defines the UDP Source Port number (16 bits).";
              }

              leaf-list pkt-sec-cond-udp-dest-port {
                type inet:port-number;
                description
                  "This is a mandatory string attribute, and
                  defines the UDP Destination Port number (16 bits).";
              }

              leaf-list pkt-sec-cond-udp-length {
                type string;
                description
                 "This is a mandatory string attribute, and defines
                  the length in bytes of the UDP header and data
                  (16 bits).";
              }
            }
            reference
              "RFC 793: Transmission Control Protocol";

            container packet-security-icmp-condition pkt-sec-tcp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The internet control message protocol condition.";

              leaf-list pkt-sec-cond-icmp-type {
                type uint8;
                description
                  "ICMP type, see Control messages.";
              }

              leaf-list pkt-sec-cond-icmp-code {
                type uint8;
                description
                  "ICMP subtype, see security policy rule according to
                 tcp source port number.";
              reference
                "RFC 793: Transmission Control messages.";
              }
              leaf-list pkt-sec-cond-icmp-seg-num {
                type uint32;
                description
                  "The icmp Sequence Number.";
              }
            } Protocol
                 - Port number";
            }

            container packet-payload-condition {
            description
              "TBD";
            leaf packet-payload-description {
              type string;
              description
               "This is description for payload condition.
               Vendors can write instructions for payload condition
               that vendor made";
            }
            leaf-list pkt-payload-content pkt-sec-tcp-dest-port-num {
              type string;
              uses pkt-sec-port-number;
              description
                "The content keyword is very important in
                 signatures. Between the quotation marks you
                 can write on what you would like the
                 signature security policy rule according to match.";
            }
          }

          leaf acl-number {
            type uint32;
            description
             "This is acl-number.";
                 tcp destination port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container application-condition pkt-sec-tcp-seq-num {
            description
              "TBD";
            leaf application-description
              choice match-type {
              type string;
              description
               "This is
                description
                  "There are two types to configure a security
                  policy for application condition.";
            }
            leaf-list application-object tcp sequence number,
                  such as exact match and range match.";
                case exact-match {
              type string;
              description
                "This is application object.";
            }
                  leaf-list application-group tcp-seq-num {
                    type string; uint32;
                    description
                "This is application group.";
                      "Exact match for an tcp sequence number.";
                  }
            leaf-list application-label {
              type string;
              description
                "This is application label.";
                }
            container category
                case range-match {
              description
                "TBD";
                  list application-category range-tcp-seq-num {
                    key "name application-subcategory";
                description
                  "TBD"; "start-tcp-seq-num end-tcp-seq-num";
                    leaf name start-tcp-seq-num {
                      type string; uint32;
                      description
                   "This is name
                        "Start tcp sequence number for application category."; a range match.";
                    }
                    leaf application-subcategory end-tcp-seq-num {
                      type string; uint32;
                      description
                   "This is application subcategory.";
                        "End tcp sequence number for a range match.";
                    }
                    description
                      "Range match for a tcp sequence number.";
                  }
                }
              }

          container target-condition {
            description
              "TBD";
            leaf target-description {
              type string;
              description
                "This is
              description for target condition.
                Vendors can write instructions for target condition
                that vendor made";
                "The security policy rule according to
                 tcp sequence number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Sequence number";
            }

            container device-sec-context-cond pkt-sec-tcp-ack-num {
              choice match-type {
                description
                "The device attribute that can identify
                  "There are two types to configure a device,
                 including the device type (i.e., router, switch,
                 pc, ios, or android) and the device's owner security
                  policy for tcp acknowledgement number,
                  such as
                 well.";

              leaf pc exact match and range match.";
                case exact-match {
                type boolean;
                description
                  "If type of a device is PC.";
              }

              leaf mobile-phone
                  leaf-list tcp-ack-num {
                    type boolean; uint32;
                    description
                  "If type of a device is mobile-phone.";
                      "Exact match for an tcp acknowledgement number.";
                  }

              leaf voip-volte-phone {
                type boolean;
                description
                  "If type of a device is voip-volte-phone.";
                }

              leaf tablet
                case range-match {
                type boolean;
                description
                  "If type of a device is tablet.";
              }

              leaf iot
                  list range-tcp-ack-num {
                type boolean;
                description
                  "If type of a device is Internet of Things.";
              }
                    key "start-tcp-ack-num end-tcp-ack-num";
                    leaf vehicle start-tcp-ack-num {
                      type boolean; uint32;
                      description
                  "If type of
                        "Start tcp acknowledgement number
                        for a device is vehicle.";
              }
            } range match.";
                    }
          container users-condition {
            description
              "TBD";
                    leaf users-description end-tcp-ack-num {
                      type string;
              description
                "This is uint32;
                      description
                        "End tcp acknowledgement number
                        for user condition.
                Vendors can write instructions for user condition
                that vendor made";
            }
            container user{
              description
                "The user (or user group) information with which
                 network flow is associated: The user has many
                 attributes such as name, id, password, type,
                 authentication mode and so on. Name/id is often
                 used in the security policy to identify the user.
                 Besides, NSF is aware of the IP address of the
                 user provided by a unified user management system
                 via network. Based on name-address association,
                 NSF is able to enforce the range match.";
                    }
                    description
                      "Range match for a tcp acknowledgement number.";
                  }
                }
              }
              description
                "The security functions
                 over the given user (or user group)"; policy rule according to
                 tcp acknowledgement number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Acknowledgement number";
            }

            container pkt-sec-tcp-window-size {
              choice user-name match-type {
                description
                  "The name of the user.
                   This must be unique.";
                  "There are two types to configure a security
                  policy for tcp window size,
                  such as exact match and range match.";
                case tenant exact-match {
                  description
                    "Tenant information.";

                  leaf tenant
                  leaf-list tcp-window-size {
                    type uint8;
                    mandatory true; uint16;
                    description
                      "User's tenant information.";
                      "Exact match for an tcp window size.";
                  }
                }
                case vn-id range-match {
                  list range-tcp-window-size {
                    key "start-tcp-window-size end-tcp-window-size";
                    leaf start-tcp-window-size {
                      type uint16;
                      description
                    "VN-ID information.";
                        "Start tcp window size for a range match.";
                    }
                    leaf vn-id end-tcp-window-size {
                      type uint8;
                    mandatory true; uint16;
                      description
                      "User's VN-ID information.";
                        "End tcp window size for a range match.";
                    }
                    description
                      "Range match for a tcp window size.";
                  }
                }
              }
            container group
              description
                "The security policy rule according to
                 tcp window size.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Window size";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The user (or user group) information with which
                 network flow is associated: The user has many
                 attributes such as name, id, password, type,
                 authentication mode and so on. Name/id is often
                 used in the security policy rule according to identify the user.
                 Besides, NSF is aware of the IP address
                 tcp flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of the
                 user provided by a unified user management system
                 via network. Based on name-address association,
                 NSF this container is able to enforce represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 793: Transmission Control Protocol";

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security functions
                 over the given user (or user group)";

              choice group-name policy rule according to
                 udp source port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The name of the user.
                   This must be unique."; security policy rule according to
                 udp destination port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Total Length";
            }

            container pkt-sec-udp-total-length {
              choice match-type {
                description
                  "There are two types to configure a security
                  policy for udp sequence number,
                  such as exact match and range match.";
                case tenant exact-match {
                  description
                    "Tenant information.";

                  leaf tenant
                  leaf-list udp-total-length {
                    type uint8;
                    mandatory true; uint32;
                    description
                      "User's tenant information.";
                      "Exact match for an udp-total-length.";
                  }
                }
                case vn-id range-match {
                  list range-udp-total-length {
                    key "start-udp-total-length end-udp-total-length";
                    leaf start-udp-total-length {
                      type uint32;
                      description
                    "VN-ID information.";
                        "Start udp total length for a range match.";
                    }
                    leaf vn-id end-udp-total-length {
                      type uint8;
                    mandatory true; uint32;
                      description
                      "User's VN-ID information.";
                        "End udp total length for a range match.";
                    }
                    description
                      "Range match for a udp total length.";
                  }
                }
              }
            leaf security-grup {
              type string;
              mandatory true;
              description
                "security-grup.";
                "The security policy rule according to
                 udp total length.";
              reference
                "RFC 768: User Datagram Protocol
                 - Total Length";
            }
          }

          container url-category-condition {
            description
              "TBD";
            leaf url-category-description packet-security-icmp-condition {
              type string;
            description
                "This
              "The purpose of this container is description for url category condition.
                Vendors can write instructions to represent
               ICMP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC  792: Internet Control Message Protocol
               RFC 8335: PROBE: A Utility for context condition
                that vendor made";
            } Probing Interfaces";

            leaf-list pre-defined-category pkt-sec-icmp-type-and-code {
              type string;
              description
                "This is pre-defined-category.";
            }
            leaf-list user-defined-category identityref {
              type string;
                base icmp-type;
              }
              description
                "This user-defined-category.";
                "The security policy rule according to
                 ICMP parameters.";
              reference
                "RFC  792: Internet Control Message Protocol
                 RFC 8335: PROBE: A Utility for Probing Interfaces";
            }
          }

          container context-condition packet-security-http-condition {
            description
              "TBD";
            leaf context-description
              "Condition for http.";

            leaf-list pkt-sec-uri-content {
              type string;
              description
                "This is description for context condition.
                Vendors can write instructions for context condition
                that vendor made";
            }
                "The security policy rule according to
                 uri content.";
            }

          container gen-context-condition {
            description
              "TBD";
            leaf gen-context-description

            leaf-list pkt-sec-url-content {
              type string;
              description
                "This is description for generic context condition.
                Vendors can write instructions for generic context
                condition that vendor made";
                "The security policy rule according to
                 url content.";
            }
          }

          container geographic-location packet-security-voice-condition {
            description
                "The location where network traffic is associated
                 with. The region can be
              "For the geographic location
                 such as country, province, VoIP/VoLTE security system, a VoIP/
               VoLTE security system can monitor each
               VoIP/VoLTE flow and city,
                 as well as manage VoIP/VoLTE
               security rules controlled by a centralized
               server for VoIP/VoLTE security service
               (called VoIP IPS). The VoIP/VoLTE security
               system controls each switch for the logical network location such as
                 IP address, network section, and network domain.";
               VoIP/VoLTE call flow management by
               manipulating the rules that can be added,
               deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf-list src-geographic-location pkt-sec-src-voice-id {
              type uint32; string;
              description
                  "This is mapped
                "The security policy rule according to ip address. We can acquire
                 a source region through ip address stored the
                   database."; voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                 a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list dest-geographic-location pkt-sec-user-agent {
              type uint32; string;
              description
                  "This is mapped
                "The security policy rule according to ip address. We can acquire
                   destination region through ip address stored
                   the database.";
              }
            }
          }
                 an user agent for VoIP and VoLTE.";
            }

          }

          container action-clause-container packet-security-ddos-condition {
            description "TBD";
        list action-clause-list {
        key eca-object-id;
        uses i2nsf-eca-object-type {
          refine entity-class
              "Condition for DDoS attack.";

            leaf pkt-sec-alert-rate {
            default ECA-ACTION-TYPE;
              type uint32;
              description
                "The alert rate of flood detect for
                 same packets.";
            }
          }
        }

        container action-clause-container {
          description
            "An action is used to control and monitor aspects of
             flow-based NSFs when the event and condition clauses
             are satisfied. NSFs provide security functions by
             executing various Actions. Examples of I2NSF Actions
             include providing intrusion detection and/or protection,
             web and flow filtering, and deep packet inspection
             for packets and flows.";

          leaf rule-log {
            type boolean;
            description
              "True is enable
               False is not enable.";
          }
          leaf session-log {
            type boolean;
            description
              "True is enable
               False is not enable.";
          }
          container ingress-action {
            description
              "TBD";
            leaf ingress-description {
              type string;
              description
                "This is description for ingress action.
                Vendors can write instructions
          reference
            "RFC 8329: Framework for ingress action
                that vendor made";
            }
            leaf ingress-action-type {
              type ingress-action;
              description
                "Ingress action type: permit, deny, Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-04: Information Model
             of NSFs Capabilities - Design Principles and mirror.";
            }
          }
          container egress-action {
            description
              "TBD"; ECA Policy
             Model Overview";

          leaf egress-description action-clause-description {
            type string;
            description
                "This is description for egress action.
                Vendors can write instructions
              "Description for egress an action
                that vendor made";
            }
            leaf egress-action-type {
              type egress-action;
              description
                "Egress-action-type: invoke-signaling,
                 tunnel-encapsulation, and forwarding.";
            } clause.";
          }

          container apply-profile {
            description
              "TBD";
            leaf profile-description packet-action {
              type string;
              description
                "This is
            description
              "Action for apply profile action.
                Vendors can write instructions packets";
            reference
              "RFC 8329: Framework for apply
                profile action that vendor made";
            }
              container content-security-control {
                description
                 "Content security control is another category of
                 security capabilities applied Interface to application layer.
                 Through detecting the contents carried over the
                 traffic in application layer, these capabilities
                 can realize various security purposes, such as
                 defending against intrusion, inspecting virus,
                 filtering malicious URL or junk email, and blocking
                 illegal web access or data retrieval.";

                container content-security-control-types {
                  description
                   "Content Network Security types: Antivirus, IPS, IDS,
                    url-filtering, data-filtering, mail-filtering,
                    file-blocking, file-isolate, pkt-capture,
                    application-control, and voip-volte.";

                  leaf antivirus {
                      type string;
                      description
                        "Additional inspection of antivirus.";
                  }

                  leaf ips {
                      type string;
                      description
                        "Additional inspection of IPS.";
                  }

                  leaf ids {
                      type string;
                      description
                        "Additional inspection of IDS.";
                  }

                  leaf url-filtering {
                      type string;
                      description
                        "Additional inspection of URL filtering.";
                  }

                  leaf data-filtering {
                     type string;
                     description
                       "Additional inspection
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-04: Information Model
               of data filtering.";
                  } NSFs Capabilities - Design Principles and ECA
               Policy Model Overview";

            leaf mail-filtering ingress-action {
              type string; identityref {
                base ingress-action;
              }
              description
                      "Additional inspection of mail filtering.";
                "Action: pass, drop, reject, alert, and mirror.";
            }

            leaf file-blocking egress-action {
              type string; identityref {
                base egress-action;
              }
              description
                      "Additional inspection of file blocking.";
                "Egress action: pass, drop, reject, alert, mirror,
                 invoke-signaling, tunnel-encapsulation,
                 forwarding, and redirection.";
              }

            leaf file-isolate log-action {
              type string; identityref {
                base log-action;
              }
              description
                      "Additional inspection of file isolate.";
                "Log action: rule log and session log";
            }

                  leaf pkt-capture

          }

          container advanced-action {
                    type string;
            description
                      "Additional inspection of
              "If the packet capture.";
                  }

                  leaf application-control need be additionally inspected,
               the packet are passed to advanced network
               security functions according to the profile.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - Differences from ACL Data Models";

            leaf-list content-security-control {
                type string; identityref {
                  base content-security-control;
                }
                description
                      "Additional inspection of app control.";
                  "The Profile is divided into content security
                   control and attack-mitigation-control.
                   Content security control: antivirus, ips, ids,
                   url filtering, mail filtering, file blocking,
                   file isolate, packet capture, application control,
                   voip and volte.";
            }

                  leaf voip-volte
            leaf-list attack-mitigation-control {
                type string; identityref {
                  base attack-mitigation-control;
                }
                description
                      "Additional inspection of VoIP/VoLTE.";
                  "The Profile is divided into content security
                   control and attack-mitigation-control.
                   Attack mitigation control: syn flood, udp flood,
                   icmp flood, ip frag flood, ipv6 related, http flood,
                   https flood, dns flood, dns amp flood, ssl ddos,
                   ip sweep, port scanning, ping of death, teardrop,
                   oversized icmp, tracert.";
            }
          }
        }

              container attack-mitigation-control {
                description
                  "This category
      }
    }
  }
}

<CODE ENDS>

         Figure 5: YANG Data Module of security capabilities I2NSF NSF-Facing-Interface

6.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

      Registrant Contact: The IESG.

      XML: N/A; the requested URI is
                   specially used an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-i2nsf-policy-rule-for-nsf

      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-
      nsf

      prefix: iiprfn

      reference: RFC XXXX

7.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the required transport secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the required transport secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access to specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to detect Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6087]  Bierman, A., "Guidelines for Authors and mitigate various
                   types Reviewers of network attacks.";

                  container ddos-attack {
                    description
                      "A distributed-denial-of-service (DDoS) is
                       where YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011, <https://www.rfc-editor.org/info/rfc6087>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the attack source is more than one,
                       often thousands of unique IP addresses.";

                    container ddos-attack-type {
                      description
                        "DDoS-attack types: NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013,
              <https://www.rfc-editor.org/info/rfc6991>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Layer
                        DDoS Attacks Security
              Functions", RFC 8329, February 2018.

   [RFC8340]  Bjorklund, M. and Application Layer
                        DDoS Attacks.";

                      container network-layer-ddos-attack {
                        description
                          "Network layer DDoS-attack.";
                        container network-layer-ddos-attack-type {
                          description L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network layer DDoS attack types:
                             Syn Flood Attack, UDP Flood Attack,
                             ICMP Flood Attack, IP Fragment Flood,
                             IPv6 Related Attacks, Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018,
              <https://www.rfc-editor.org/info/rfc8341>.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and etc";

                          leaf syn-flood {
                            type string;
                            description
                              "Additional Inspection of
                               Syn Flood Attack.";
                          }

                          leaf udp-flood {
                            type string;
                            description
                              "Additional Inspection of
                               UDP Flood Attack.";
                          }

                          leaf icmp-flood {
                            type string;
                            description
                              "Additional Inspection of
                               ICMP Flood Attack.";
                          }

                          leaf ip-frag-flood {
                            type string;
                            description
                              "Additional Inspection of
                               IP Fragment Flood.";
                          }

                          leaf ipv6-related {
                            type string;
                            description
                              "Additional Inspection of
                               IPv6 Related Attacks.";
                          }
                        }
                      }

                      container app-layer-ddos-attack {
                        description
                          "Application layer DDoS-attack.";

                        container app-ddos-attack-types {
                          description
                            "Application layer DDoS-attack types:
                             Http Flood Attack, Https Flood Attack,
                             DNS Flood Attack, N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", RFC RFC8431, September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

8.2.  Informative References

   [i2nsf-advanced-nsf-dm]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [i2nsf-nsf-cap-dm]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and
                             DNS Amplification Flood Attack,
                             SSL DDoS Attack, Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-02 (work in progress), November
              2018.

   [i2nsf-nsf-cap-im]
              Xia, L., Strassner, J., Basile, C., and etc.";

                          leaf http-flood {
                            type string;
                            description
                              "Additional Inspection D. Lopez,
              "Information Model of
                               Http Flood Attack.";
                          }

                          leaf https-flood {
                            type string;
                            description
                              "Additional Inspection NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of
                               Https Flood Attack.";
                          }

                          leaf dns-flood {
                            type string;
                            description
                              "Additional Inspection Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.

Appendix A.  Configuration Examples

   This section shows configuration examples of
                               DNS Flood Attack.";
                          }

                          leaf dns-amp-flood {
                            type string;
                            description
                              "Additional Inspection "ietf-i2nsf-policy-rule-
   for-nsf" module for security policy rules of
                               DNS Amplification Flood Attack.";
                          }

                          leaf ssl-ddos {
                            type string;
                            description
                              "Additional Inspection network security
   devices.  For security requirements, we assume that the NSFs (i.e.,
   General firewall, Time based firewall, Web filter, VoIP/VoLTE filter
   http and https flood mitigation ) described in Appendix A.
   Configuration Examples of
                               SSL Flood Attack.";
                          }
                        }
                      }
                    }
                  }

                  container single-packet-attack {
                    description
                      "Single Packet Attacks.";
                    container single-packet-attack-type {
                      description
                        "DDoS-attack types: Scanning Attack,
                         Sniffing Attack, Malformed Packet Attack,
                         Special Packet Attack, [i2nsf-nsf-cap-dm] are registered in I2NSF
   framework.  With the registed NSFs, we show configuration examples
   for security policy rules of network security functions according to
   the following three security requirements: (i) Block SNS access
   during business hours, (ii) Block malicious VoIP/VoLTE packets coming
   to the company, and etc.";

                      container scan-and-sniff-attack {
                        description
                          "Scanning (iii) Mitigate http and Sniffing Attack.";
                        container scan-and-sniff-attack-types {
                          description
                            "Scanning https flood attacks on
   company web server.

A.1.  Security Requirement 1: Block SNS Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours.

  <i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
   <system-policy-name>sns_access</system-policy-name>
   <rules>
    <rule-name>block_sns_access_during_operation_time</rule-name>
    <time-zone>
     <absolute-time-zone>
      <start-time>09:00:00Z</start-time>
      <end-time>18:00:00Z</end-time>
     </absolute-time-zone>
    </time-zone>
    <condition-clause-container>
     <packet-security-ipv4-condition>
      <pkt-sec-ipv4-src>
       <range-ipv4-address>
        <start-ipv4-address>221.159.112.1</start-ipv4-address>
        <end-ipv4-address>221.159.112.90</end-ipv4-address>
       </range-ipv4-address>
      </pkt-sec-ipv4-src>
     </packet-security-ipv4-condition>
    </condition-clause-container>
    <action-clause-container>
     <advanced-action>
      <content-security-control>url-filtering</content-security-control>
     </advanced-action>
    </action-clause-container>
   </rules>
  </system-policy>
  </i2nsf-security-policy>

     Figure 6: Configuration XML for Time based Firewall to Block SNS
                       Access during Business Hours

   <i2nsf-security-policy
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
   <system-policy>
    <system-policy-name>sns_access</system-policy-name>
    <rules>
     <rule-name>block_facebook_and_instgram</rule-name>
     <condition-clause-container>
      <packet-security-http-condition>
       <pkt-sec-url-content>facebook</pkt-sec-url-content>
       <pkt-sec-url-content>instagram</pkt-sec-url-content>
      </packet-security-http-condition>
     </condition-clause-container>
     <action-clause-container>
      <packet-action>
       <egress-action>drop</egress-action>
      </packet-action>
     </action-clause-container>
    </rules>
   </system-policy>
   </i2nsf-security-policy>

   Figure 7: Configuration XML for Web Filter to Block SNS Access during
                              Business Hours

   Figure 6 and sniffing attack types:
                             IP Sweep attack, Port Scanning, Figure 7 show the configuration XML documents for time
   based firewall and etc.";

                          leaf ip-sweep {
                            type string;
                            description
                              "Additional Inspection of
                               IP Sweep Attack.";
                          }

                          leaf port-scanning {
                            type string;
                            description
                              "Additional Inspection of
                               Port Scanning Attack.";
                          }
                        }
                      }

                      container malformed-packet-attack {
                        description
                          "Malformed Packet Attack.";
                        container malformed-packet-attack-types {
                          description
                            "Malformed packet attack types:
                             Ping of Death Attack, Teardrop Attack, web filter to block SNS access during business
   hours.  For the security requirement, two NSFs (i.e., a time based
   firewall and etc.";

                          leaf ping-of-death {
                            type string;
                            description
                              "Additional Inspection a web filter) were used because one NSF can not meet the
   security requirement.  The instances of
                               Ping XML documents for the time
   based firewall and the web filter are as follows: Note that a
   detailed data model for the configuration of Death Attack.";
                          }

                          leaf teardrop {
                            type string;
                            description
                              "Additional Inspection the advanced network
   security function (i.e., web filter) is described in
   [i2nsf-advanced-nsf-dm].

   Time based Firewall

   1.  The name of
                               Teardrop Attack.";
                          }
                        }
                      }

                      container special-packet-attack {
                        description
                          "special Packet Attack.";
                        container special-packet-attack-types {
                          description
                            "Special packet attack types:
                             Oversized ICMP Attack, Tracert Attack,
                             and etc.";

                          leaf oversized-icmp {
                            type string;
                            description
                              "Additional Inspection the system policy is sns_access.

   2.  The name of
                               Oversize ICMP Attack.";
                          }

                          leaf tracert {
                            type string;
                            description
                              "Additional Inspection the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.).

   4.  The rule inspects a source IPv4 address (i.e., from 221.159.112.1
       to 221.159.112.90) to inspect the outgoing packets of
                               Tracrt Attack.";
                          }
                        }
                      }
                    }
                  }
              }

          }
      }
    }

      }
        container resolution-strategy {
          description
            "The resolution strategies employees.

   5.  If the outgoing packets match the rules above, the time based
       firewall sends the packets to url filtering for additional
       inspection because the time based firewall can be not inspect
       contents of the packets for the SNS URL.

   Web Filter

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_facebook_and_instagram.

   3.  The rule inspects URL address to block the access packets to the
       facebook or the instagram.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
      to the Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to the company.

   <i2nsf-security-policy
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
   <system-policy>
    <system-policy-name>voip_volte_inspection</system-policy-name>
    <rules>
     <rule-name>block_malicious_voip_volte_packets</rule-name>
     <condition-clause-container>
      <packet-security-ipv4-condition>
       <pkt-sec-ipv4-dest>
        <range-ipv4-address>
         <start-ipv4-address>221.159.112.1</start-ipv4-address>
         <end-ipv4-address>221.159.112.90</end-ipv4-address>
        </range-ipv4-address>
       </pkt-sec-ipv4-dest>
      </packet-security-ipv4-condition>
      <packet-security-tcp-condition>
       <pkt-sec-tcp-dest-port-num>
        <port-num>5060</port-num>
        <port-num>5061</port-num>
       </pkt-sec-tcp-dest-port-num>
      </packet-security-tcp-condition>
     </condition-clause-container>
     <action-clause-container>
      <advanced-action>
       <content-security-control>voip-volte</content-security-control>
      </advanced-action>
     </action-clause-container>
    </rules>
   </system-policy>
   </i2nsf-security-policy>

    Figure 8: Configuration XML for General Firewall to Block Malicious
                 VoIP/VoLTE Packets Coming to the Company

   <i2nsf-security-policy
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
   <system-policy>
    <system-policy-name>malicious_voice_id</system-policy-name>
    <rules>
     <rule-name>block_malicious_voice_id</rule-name>
     <condition-clause-container>
      <packet-security-voice-condition>
       <pkt-sec-src-voice-id>11111@voip.black.com</pkt-sec-src-voice-id>
       <pkt-sec-src-voice-id>22222@voip.black.com</pkt-sec-src-voice-id>
      </packet-security-voice-condition>
     </condition-clause-container>
     <action-clause-container>
      <packet-action>
       <ingress-action>drop</ingress-action>
      </packet-action>
     </action-clause-container>
    </rules>
   </system-policy>
   </i2nsf-security-policy>

   Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious
                 VoIP/VoLTE Packets Coming to the Company

   Figure 8 and Figure 9 show the configuration XML documents for
   general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE
   packets coming to the company.  For the security requirement, two
   NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used to
            specify how to resolve conflicts that occur between
   because one NSF can not meet the actions security requirement.  The instances
   of XML documents for the same or different policy rules that
            are matched general firewall and contained in this particular NSF";

          choice resolution-strategy-type {
            description
              "Vendors can use YANG the VoIP/VoLTE filter
   are as follows: Note that a detailed data model to configure rules";

            case fmr {
              leaf first-matching-rule {
                type boolean;
                description
                  "If for the resolution strategy configuration
   of the advanced network security function (i.e., VoIP/VoLTE filter)
   is first matching rule";
              }
            }
            case lmr {
              leaf last-matching-rule {
                type boolean;
                description
                  "If described in [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the resolution strategy system policy is last matching rule";
              }
            }

          }
        }

        container default-action {
          description
            "This default action can be used voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects a destination IPv4 address (i.e., from
       221.159.112.1 to specify 221.159.112.90) to inspect the packets coming
       into the company.

   4.  The rule inspects a predefined
            action when no other alternative action was matched
            by port number (i.e., 5060 and 5061) to inspect
       VoIP/VoLTE packet.

   5.  If the currently executing I2NSF Policy Rule. An analogy
            is incoming packets match the use rules above, the general
       firewall sends the packets to VoIP/VoLTE filter for additional
       inspection because the general firewall can not inspect contents
       of a default statement in a C switch statement.";

          leaf default-action-type {
            type boolean;
            description
              "True is permit
               False is deny.";
          }

        }

        container rule-group {
          description
            "This the VoIP/VoLTE packets.

   VoIP/VoLTE Filter

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule group";

          list groups {
            key "group-name";
            description
              "This is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and
       22222@voip.black.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
      Company Web Server

   This section shows a configuration example for mitigating http and
   https flood attacks on a group company web server.

   <i2nsf-security-policy
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
   <system-policy>
    <system-policy-name>flood_attack_mitigation</system-policy-name>
    <rules>
     <rule-name>mitigate_http_and_https_flood_attack</rule-name>
     <condition-clause-container>
      <packet-security-ipv4-condition>
       <pkt-sec-ipv4-dest>
        <ipv4-address>
         <ipv4>221.159.112.95</ipv4>
        </ipv4-address>
       </pkt-sec-ipv4-dest>
      </packet-security-ipv4-condition>
      <packet-security-tcp-condition>
       <pkt-sec-tcp-dest-port-num>
        <port-num>80</port-num>
        <port-num>443</port-num>
       </pkt-sec-tcp-dest-port-num>
      </packet-security-tcp-condition>
     </condition-clause-container>
     <action-clause-container>
      <advanced-action>
       <attack-mitigation-control>http-and-https-flood
       </attack-mitigation-control>
      </advanced-action>
     </action-clause-container>
    </rules>
   </system-policy>
   </i2nsf-security-policy>

    Figure 10: Configuration XML for rules";

            leaf group-name {
              type string;
              description
                "This is General Firewall to Mitigate HTTP
              and HTTPS Flood Attacks on a group Company Web Server

   <i2nsf-security-policy
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
   <system-policy>
    <system-policy-name>http_and_https_flood_attack_mitigation
    </system-policy-name>
    <rules>
     <rule-name>100_per_second</rule-name>
     <condition-clause-container>
      <packet-security-ddos-condition>
       <pkt-sec-alert-rate>100</pkt-sec-alert-rate>
      </packet-security-ddos-condition>
     </condition-clause-container>
     <action-clause-container>
      <packet-action>
       <ingress-action>drop</ingress-action>
      </packet-action>
     </action-clause-container>
    </rules>
   </system-policy>
   </i2nsf-security-policy>

       Figure 11: Configuration XML for rules";
            }

            container rule-range {
              description
                "This is HTTP and HTTPS Flood Attack
   Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a rule range.";

              leaf start-rule {
                type string;
                description
                  "This is Company Web
                                  Server

   Figure 10 and Figure 11 show the configuration XML documents for
   general firewall and http and https flood attack mitigation to
   mitigate http and https flood attacks on a start rule";
              }
              leaf end-rule {
                type string;
                description
                  "This is company web server.  For
   the security requirement, two NSFs (i.e., a end rule";
              }
            }
            leaf enable {
              type boolean;
              description
                "This is enable
                 False is not enable.";
            }
            leaf description {
              type string;
              description
                "This is general firewall and a desription for rule-group";
            }
          }
        }
      }
      }
  }

  <CODE ENDS>

         Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

7.  Security Considerations

   This document introduces no additional security threats
   http and SHOULD
   follow https flood attack mitigation) were used because one NSF can
   not meet the security requirements requirement.  The instances of XML documents
   for the general firewall and http and https flood attack mitigation
   are as stated in [RFC8329].

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words follows: Note that a detailed data model for use the configuration
   of the advanced network security function (i.e., http and https flood
   attack mitigation) is described in RFCs [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects a destination IPv4 address (i.e.,
       221.159.112.95) to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for inspect the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., access packets coming into the
       company web server.

   4.  The rule inspects a port number (i.e., 80 and R.
              Kumar, "Framework for Interface 443) to inspect
       http and https packet.

   5.  If the packets match the rules above, the general firewall sends
       the packets to Network Security
              Functions", RFC 8329, February 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., http and N. Bahadur, "A YANG Data Model https flood attack mitigation for Routing
              Information Base (RIB)", RFC RFC8431, September 2018.

8.2.  Informative References

   [i2nsf-advanced-nsf-dm]
              Pan, W. and L. Xia, "Configuration
       additional inspection because the general firewall can not contrl
       the amount of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [i2nsf-nsf-cap-im]
              Xia, L., Strassner, J., Basile, C., packets for http and D. Lopez,
              "Information Model https packets.

   HTTP and HTTPS Flood Attack Mitigation

   1.  The name of NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., the system policy is
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the http and S. Meer, "Generic Policy
              Information Model for Simplified Use https packets according to the
       amount of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017. incoming packets.

   4.  If the incoming packets match the rules above, the packets are
       blocked.

Appendix A. B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-01 draft-ietf-i2nsf-nsf-facing-interface-dm-02

   The following changes are made from draft-ietf-i2nsf-nsf-facing-
   interface-dm-01:
   interface-dm-03:

   o  We added system policy which represents there could be multiple
      system policies in one NSF, revised this YANG data module according to guidelines for
      authors and each system policy is used by one
      virtual instance reviewers of YANG data model documents [RFC6087].

   o  We changed the NSF/device.  This is a very general
      feature structure of the overall YANG data model.

   o  We added exact-range type as well as range-based type for all the NSFs/devices.
      range policy rules.

   o  We changed policy name enumeration type to system policy name identity type for system policy. scalable
      components.

   o  We deleted policy-event-clause-agg-ptr, policy-condition-clause-
      agg-ptr, and policy-action-clause-agg-ptr. added a description for the YANG tree diagram of the YANG data
      module.

   o  We added priority-usage which represents priority revised overall sentences of policies by
      order or number. this YANG data model document.

   o  We added configuration examples to make it easier for reviewers to
      understand.

Appendix B. C.  Acknowledgments

   This work was supported by Institute for Information & communications
   Technology Promotion (IITP) grant funded by the Korea government
   (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
   Technology Development for the Customized Security Service
   Provisioning).

Appendix C. D.  Contributors

   This document is made by the group effort of I2NSF working group.
   Many people actively contributed to this document.  The following are
   considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu
   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon  34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI  48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com