draft-ietf-i2nsf-nsf-facing-interface-dm-05.txt   draft-ietf-i2nsf-nsf-facing-interface-dm-06.txt 
I2NSF Working Group J. Kim I2NSF Working Group J. Kim
Internet-Draft J. Jeong Internet-Draft J. Jeong
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: September 29, 2019 J. Park Expires: December 14, 2019 J. Park
ETRI ETRI
S. Hares S. Hares
Q. Lin Q. Lin
Huawei Huawei
March 28, 2019 June 12, 2019
I2NSF Network Security Function-Facing Interface YANG Data Model I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-05 draft-ietf-i2nsf-nsf-facing-interface-dm-06
Abstract Abstract
This document defines a YANG data model for configuring security This document defines a YANG data model for configuring security
policy rules on network security functions. The YANG data model in policy rules on Network Security Functions (NSF). The YANG data
this document is corresponding to the information model for Network model in this document corresponds to the information model for NSF-
Security Functions (NSF)-Facing Interface in Interface to Network Facing Interface in Interface to Network Security Functions (I2NSF).
Security Functions (I2NSF).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 29, 2019. This Internet-Draft will expire on December 14, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4 4.1. General I2NSF Security Policy Rule . . . . . . . . . . . 4
4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 6 4.2. Event Clause . . . . . . . . . . . . . . . . . . . . . . 6
4.3. Condtion Clause . . . . . . . . . . . . . . . . . . . . . 7 4.3. Condtion Clause . . . . . . . . . . . . . . . . . . . . . 7
4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 14 4.4. Action Clause . . . . . . . . . . . . . . . . . . . . . . 14
4.5. I2NSF Internet Key Exchange . . . . . . . . . . . . . . . 15 4.5. I2NSF Internet Key Exchange . . . . . . . . . . . . . . . 15
5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 15 5. YANG Data Module . . . . . . . . . . . . . . . . . . . . . . 15
5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 15 5.1. I2NSF NSF-Facing Interface YANG Data Module . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89
7. Security Considerations . . . . . . . . . . . . . . . . . . . 90 7. Security Considerations . . . . . . . . . . . . . . . . . . . 89
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 90 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 90
8.1. Normative References . . . . . . . . . . . . . . . . . . 90 8.1. Normative References . . . . . . . . . . . . . . . . . . 90
8.2. Informative References . . . . . . . . . . . . . . . . . 91 8.2. Informative References . . . . . . . . . . . . . . . . . 91
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 93 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 93
A.1. Security Requirement 1: Block SNS Access during Business A.1. Security Requirement 1: Block SNS Access during Business
Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Hours . . . . . . . . . . . . . . . . . . . . . . . . . . 93
A.2. Security Requirement 2: Block Malicious VoIP/VoLTE A.2. Security Requirement 2: Block Malicious VoIP/VoLTE
Packets Coming to the Company . . . . . . . . . . . . . . 96 Packets Coming to the Company . . . . . . . . . . . . . . 96
A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood
Attacks on a Company Web Server . . . . . . . . . . . . . 99 Attacks on a Company Web Server . . . . . . . . . . . . . 99
Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface- Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-
dm-04 . . . . . . . . . . . . . . . . . . . . . . . 102 dm-05 . . . . . . . . . . . . . . . . . . . . . . . 102
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 102 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 102
Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 102 Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 102
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 103 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 103
1. Introduction 1. Introduction
This document defines a YANG [RFC6020][RFC7950] data model for This document defines a YANG [RFC6020][RFC7950] data model for
security policy rule configuration of network security devices. The security policy rule configuration of Network Security Functions
YANG data model is corresponding to the information model (NSF). The YANG data model corresponds to the information model
[i2nsf-nsf-cap-im] for Network Security Functions (NSF) facing [i2nsf-nsf-cap-im] for NSF-Facing Interface in Interface to Network
interface in Interface to Network Security Functions (I2NSF). The Security Functions (I2NSF). The YANG data model in this document
YANG data model in this document focuses on security policy focuses on security policy configuration for generic network security
configuration for generic network security functions. Note that functions. Note that security policy configuration for advanced
security policy configuration for advanced network security functions network security functions are written in [i2nsf-advanced-nsf-dm].
are written in [i2nsf-advanced-nsf-dm].
This YANG data model uses an "Event-Condition-Action" (ECA) policy This YANG data model uses an "Event-Condition-Action" (ECA) policy
model that is used as the basis for the design of I2NSF Policy model that is used as the basis for the design of I2NSF Policy
described in [RFC8329] and [i2nsf-nsf-cap-im]. Rules. described in [RFC8329] and [i2nsf-nsf-cap-im].
The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
document provides the following features. document provides the following features.
o Configuration for general security policy rule of generic network o Configuration for general security policy rule of generic network
security function. security function.
o Configuration for an event clause of generic network security o Configuration for an event clause of generic network security
function. function.
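Review bot: the stray period in the new text "design of I2NSF Policy Rules. described in [RFC8329]" splits one sentence into a fragment; drop it so the sentence reads "... the basis for the design of I2NSF Policy Rules described in [RFC8329] and [i2nsf-nsf-cap-im]." Two older defects also survive in both columns: the Table of Contents entry "4.3. Condtion Clause" (typo for "Condition"), and "security policy configuration for advanced network security functions are written in", whose singular subject "configuration" needs "is written in".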
skipping to change at page 4, line 27 skipping to change at page 4, line 19
denotes a "list" and "leaf-list". denotes a "list" and "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":"). marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not o Ellipsis ("...") stands for contents of subtrees that are not
shown. shown.
4. YANG Tree Diagram 4. YANG Tree Diagram
This section shows an YANG tree diagram of generic network security This section shows a YANG tree diagram of generic network security
functions. Note that a detailed data model for the configuration of functions. Note that a detailed data model for the configuration of
the advanced network security functions is described in the advanced network security functions is described in
[i2nsf-advanced-nsf-dm]. The section describes the following [i2nsf-advanced-nsf-dm]. The section describes the following
subjects: subjects:
o General I2NSF security policy rule of generic network security o General I2NSF security policy rule of generic network security
function. function.
o An event clause of generic network security function. o An event clause of generic network security function.
o A condition clause of generic network security function. o A condition clause of generic network security function.
o An action clause of generic network security function. o An action clause of generic network security function.
4.1. General I2NSF Security Policy Rule 4.1. General I2NSF Security Policy Rule
This section shows YANG tree diagram for general I2NSF security This section shows the YANG tree diagram for general I2NSF security
policy rule. policy rule.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| +--rw system-policy* [system-policy-name] | +--rw system-policy* [system-policy-name]
| +--rw system-policy-name string | +--rw system-policy-name string
| +--rw priority-usage? identityref | +--rw priority-usage? identityref
| +--rw resolution-strategy? identityref | +--rw resolution-strategy? identityref
| +--rw default-action? identityref | +--rw default-action? identityref
| +--rw rules* [rule-name] | +--rw rules* [rule-name]
skipping to change at page 5, line 46 skipping to change at page 5, line 46
| | +--rw action-clause-container | | +--rw action-clause-container
| | ... | | ...
| +--rw rule-group | +--rw rule-group
| +--rw groups* [group-name] | +--rw groups* [group-name]
| +--rw group-name string | +--rw group-name string
| +--rw rule-range | +--rw rule-range
| | +--rw start-rule? string | | +--rw start-rule? string
| | +--rw end-rule? string | | +--rw end-rule? string
| +--rw enable? boolean | +--rw enable? boolean
| +--rw description? string | +--rw description? string
+--rw i2nsf-ipsec +--rw i2nsf-ipsec? identityref
...
Figure 1: YANG Tree Diagram for Network Security Policy Figure 1: YANG Tree Diagram for Network Security Policy
This YANG tree diagram shows general I2NSF security policy rule for This YANG tree diagram shows general I2NSF security policy rule for
generic network security functions. generic network security functions.
The system policy represents there could be multiple system policies The system policy represents there could be multiple system policies
in one NSF, and each system policy is used by one virtual instance of in one NSF, and each system policy is used by one virtual instance of
the NSF/device. The system policy includes system policy name, the NSF/device. The system policy includes system policy name,
priority usage, resolutation strategy, default action, and rules. priority usage, resolutation strategy, default action, and rules.
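Review bot: "resolutation strategy" in the system-policy description is a typo for "resolution strategy" (the tree node is resolution-strategy) and is unchanged in this revision. The sentence "The system policy represents there could be multiple system policies in one NSF" also lacks a proper verb construction; something like "The system-policy list allows multiple system policies in one NSF, each used by one virtual instance of the NSF/device" says the same thing cleanly. The change of i2nsf-ipsec from a container to "i2nsf-ipsec? identityref" is correctly reflected in Figure 1.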
skipping to change at page 6, line 35 skipping to change at page 6, line 35
reject, alert, and mirror. The default action can be extended reject, alert, and mirror. The default action can be extended
according to specific vendor action features. The default action is according to specific vendor action features. The default action is
described in detail in [i2nsf-nsf-cap-im]. described in detail in [i2nsf-nsf-cap-im].
The rules include rule name, rule description, rule priority, rule The rules include rule name, rule description, rule priority, rule
enable, time zone, event clause container, condition clause enable, time zone, event clause container, condition clause
container, and action clause container. container, and action clause container.
4.2. Event Clause 4.2. Event Clause
This section shows YANG tree diagram for an event clause of I2NSF This section shows the YANG tree diagram for an event clause of I2NSF
security policy rule. security policy rule.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| +--rw system-policy* [system-policy-name] | +--rw system-policy* [system-policy-name]
| ... | ...
| +--rw rules* [rule-name] | +--rw rules* [rule-name]
| | ... | | ...
| | +--rw event-clause-container | | +--rw event-clause-container
| | | +--rw event-clause-description? string | | | +--rw event-clause-description? string
| | | +--rw event-clauses | | | +--rw event-clauses
| | | +--rw system-event* identityref | | | +--rw system-event* identityref
| | | +--rw system-alarm* identityref | | | +--rw system-alarm* identityref
| | +--rw condition-clause-container | | +--rw condition-clause-container
| | | ... | | | ...
| | +--rw action-clause-container | | +--rw action-clause-container
| | ... | | ...
| +--rw rule-group | +--rw rule-group
| ... | ...
+--rw i2nsf-ipsec +--rw i2nsf-ipsec? identityref
...
Figure 2: YANG Tree Diagram for an Event Clause Figure 2: YANG Tree Diagram for an Event Clause
This YANG tree diagram shows an event clause of I2NSF security policy This YANG tree diagram shows an event clause of I2NSF security policy
rule for generic network security functions. An event clause is any rule for generic network security functions. An event clause is any
important occurrence in time of a change in the system being managed, important occurrence in time of a change in the system being managed,
and/or in the environment of the system being managed. An event and/or in the environment of the system being managed. An event
clause is used to trigger the evaluation of the condition clause of clause is used to trigger the evaluation of the condition clause of
the I2NSF Policy Rule. The event clause is defined as system event the I2NSF Policy Rule. The event clause is defined as system event
and system alarm. The event clause can be extended according to and system alarm. The event clause can be extended according to
specific vendor event features. The event clause is described in specific vendor event features. The event clause is described in
detail in [i2nsf-nsf-cap-im]. detail in [i2nsf-nsf-cap-im].
4.3. Condtion Clause 4.3. Condtion Clause
This section shows YANG tree diagram for a condition clause of I2NSF This section shows the YANG tree diagram for a condition clause of
security policy rule. I2NSF security policy rule.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| ... | ...
| +--rw rules* [rule-name] | +--rw rules* [rule-name]
| | ... | | ...
| | +--rw event-clause-container | | +--rw event-clause-container
| | | ... | | | ...
| | +--rw condition-clause-container | | +--rw condition-clause-container
| | | +--rw condition-clause-description? string | | | +--rw condition-clause-description? string
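Review bot: the section heading "4.3. Condtion Clause" keeps its typo in both columns; fix it to "Condition" here and in the Table of Contents. The Figure 2 update to "i2nsf-ipsec? identityref" matches the module change.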
skipping to change at page 13, line 27 skipping to change at page 13, line 26
| | | | +--rw security-grup string | | | | +--rw security-grup string
| | | +--rw gen-context-condition | | | +--rw gen-context-condition
| | | +--rw gen-context-description? string | | | +--rw gen-context-description? string
| | | +--rw geographic-location | | | +--rw geographic-location
| | | +--rw src-geographic-location* uint32 | | | +--rw src-geographic-location* uint32
| | | +--rw dest-geographic-location* uint32 | | | +--rw dest-geographic-location* uint32
| | +--rw action-clause-container | | +--rw action-clause-container
| | ... | | ...
| +--rw rule-group | +--rw rule-group
| ... | ...
+--rw i2nsf-ipsec +--rw i2nsf-ipsec? identityref
...
Figure 3: YANG Tree Diagram for a Condition Clause Figure 3: YANG Tree Diagram for a Condition Clause
This YANG tree diagram shows an condition clause of I2NSF security This YANG tree diagram shows a condition clause of I2NSF security
policy rule for generic network security functions. A condition policy rule for generic network security functions. A condition
clause is defined as a set of attributes, features, and/or values clause is defined as a set of attributes, features, and/or values
that are to be compared with a set of known attributes, features, that are to be compared with a set of known attributes, features,
and/or values in order to determine whether or not the set of actions and/or values in order to determine whether or not the set of actions
in that (imperative) I2NSF policy rule can be executed or not. The in that (imperative) I2NSF policy rule can be executed or not. The
condition clause is classified as conditions of generic network condition clause is classified as conditions of generic network
security functions, advanced network security functions, and context. security functions, advanced network security functions, and context.
The condition clause of generic network security functions is defined The condition clause of generic network security functions is defined
as packet security IPv4 condition, packet security IPv6 condition, as packet security IPv4 condition, packet security IPv6 condition,
packet security tcp condition, and packet security icmp condition. packet security tcp condition, and packet security icmp condition.
skipping to change at page 14, line 10 skipping to change at page 14, line 9
number condition, application condition, target condition, users number condition, application condition, target condition, users
condition, and geography condition. Note that this document deals condition, and geography condition. Note that this document deals
only with simple conditions of advanced network security functions. only with simple conditions of advanced network security functions.
The condition clauses of advanced network security functions are The condition clauses of advanced network security functions are
described in detail in [i2nsf-advanced-nsf-dm]. The condition clause described in detail in [i2nsf-advanced-nsf-dm]. The condition clause
can be extended according to specific vendor condition features. The can be extended according to specific vendor condition features. The
condition clause is described in detail in [i2nsf-nsf-cap-im]. condition clause is described in detail in [i2nsf-nsf-cap-im].
4.4. Action Clause 4.4. Action Clause
This section shows YANG tree diagram for an action clause of I2NSF This section shows the YANG tree diagram for an action clause of
security policy rule. I2NSF security policy rule.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| ... | ...
| +--rw rules* [rule-name] | +--rw rules* [rule-name]
| | ... | | ...
| | +--rw event-clause-container | | +--rw event-clause-container
| | | ... | | | ...
| | +--rw condition-clause-container | | +--rw condition-clause-container
| | | ... | | | ...
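Review bot: the node "security-grup" in Figure 3 is a misspelling that also names a data node in the module, so correcting it to "security-group" is a schema change that must be made in the tree diagram and the module together, not just in the prose. In the condition-clause description, "whether or not the set of actions ... can be executed or not" doubles the "or not"; keep one. The names "packet security tcp condition" and "packet security icmp condition" should be capitalized as TCP and ICMP, consistent with IPv4/IPv6 in the same sentence.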
skipping to change at page 14, line 33 skipping to change at page 14, line 32
| | +--rw action-clause-description? string | | +--rw action-clause-description? string
| | +--rw packet-action | | +--rw packet-action
| | | +--rw ingress-action? identityref | | | +--rw ingress-action? identityref
| | | +--rw egress-action? identityref | | | +--rw egress-action? identityref
| | | +--rw log-action? identityref | | | +--rw log-action? identityref
| | +--rw advanced-action | | +--rw advanced-action
| | +--rw content-security-control* identityref | | +--rw content-security-control* identityref
| | +--rw attack-mitigation-control* identityref | | +--rw attack-mitigation-control* identityref
| +--rw rule-group | +--rw rule-group
| ... | ...
+--rw i2nsf-ipsec +--rw i2nsf-ipsec? identityref
...
Figure 4: YANG Tree Diagram for an Action Clause Figure 4: YANG Tree Diagram for an Action Clause
This YANG tree diagram shows an action clause of I2NSF security This YANG tree diagram shows an action clause of I2NSF security
policy rule for generic network security functions. An action is policy rule for generic network security functions. An action is
used to control and monitor aspects of flow-based NSFs when the event used to control and monitor aspects of flow-based NSFs when the event
and condition clauses are satisfied. NSFs provide security services and condition clauses are satisfied. NSFs provide security services
by executing various actions. The action clause is defined as by executing various actions. The action clause is defined as
ingress action, egress action, and log action for packet action, and ingress action, egress action, and log action for packet action, and
advanced action for additional inspection. The action clause can be advanced action for additional inspection. The action clause can be
extended according to specific vendor action features. The action extended according to specific vendor action features. The action
clause is described in detail in [i2nsf-nsf-cap-im]. clause is described in detail in [i2nsf-nsf-cap-im].
4.5. I2NSF Internet Key Exchange 4.5. I2NSF Internet Key Exchange
This section shows YANG tree diagram for an I2NSF IPsec. This section shows the YANG tree diagram for an I2NSF IPsec.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| ... | ...
| +--rw rules* [rule-name] | +--rw rules* [rule-name]
| | ... | | ...
| | +--rw event-clause-container | | +--rw event-clause-container
| | | ... | | | ...
| | +--rw condition-clause-container | | +--rw condition-clause-container
| | | ... | | | ...
| | +--rw action-clause-container | | +--rw action-clause-container
| | ... | | ...
| +--rw rule-group | +--rw rule-group
| ... | ...
+--rw i2nsf-ipsec +--rw i2nsf-ipsec? identityref
+--rw ike
+--rw ikeless
Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchnage Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchnage
This YANG tree diagram shows an I2NSF IPsec for an Internet key This YANG tree diagram shows an I2NSF IPsec for an Internet key
exchange. An I2NSF IPsec is used to define a method required to exchange. An I2NSF IPsec is used to define a method required to
manage IPsec parameters for creating IPsec Security Associations manage IPsec parameters for creating IPsec Security Associations
between two NSFs through either the IKEv2 protocol or the Security between two NSFs through either the IKEv2 protocol or the Security
Controller [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec Controller [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec
considers two cases such as IKE case (i.e., IPsec through IKE) and considers two cases such as IKE case (i.e., IPsec through IKE) and
IKEless case (i.e., IPsec not through IKE, but through a Security IKEless case (i.e., IPsec not through IKE, but through a Security
Controller). Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection] Controller). Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
for the detailed description of the I2NSF IPsec. for the detailed description of the I2NSF IPsec.
5. YANG Data Module 5. YANG Data Module
5.1. I2NSF NSF-Facing Interface YANG Data Module 5.1. I2NSF NSF-Facing Interface YANG Data Module
This section introduces an YANG data module for configuration of This section introduces an YANG data module for configuration of
security policy rules on network security functions. security policy rules on network security functions.
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-03-28.yang" <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-06-12.yang"
module ietf-i2nsf-policy-rule-for-nsf { module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix prefix
iiprfn; iiprfn;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
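Review bot: the Figure 5 caption "I2NSF Internet Key Exchnage" has a typo ("Exchange") present in both columns. In Section 5.1, "introduces an YANG data module" was left as "an" while the same article fix was applied to Section 4 in this revision; make it "a YANG data module". Section 4.5 still says an I2NSF IPsec "is used to define a method required to manage IPsec parameters", but with the new single identityref leaf the node only selects the IKE or IKEless case; the prose should say that and point to [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for the parameters themselves. The file name "ietf-i2nsf-policy-rule-for-nsf@2019-06-12.yang" agrees with the module's revision statement.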
skipping to change at page 16, line 17 skipping to change at page 16, line 14
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
} }
/*
import ietf-ipsec-ike {
prefix iii;
reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
}
import ietf-ipsec-ikeless {
prefix iiil;
reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
}
*/
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
WG Chair: Adrian Farrel WG Chair: Adrian Farrel
<mailto:Adrain@olddog.co.uk> <mailto:Adrain@olddog.co.uk>
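Review bot: removing the commented-out imports of ietf-ipsec-ike and ietf-ipsec-ikeless is right, since a published module should not carry dead import statements; but the ietf-inet-types and ietf-yang-types import blocks appear twice in the context shown here (once before and once after the "skipping to change at page 16" marker). If that is not an artefact of the diff rendering, the second copy has to go, because YANG does not permit importing the same module twice in one module. Also check the chair's address "<mailto:Adrain@olddog.co.uk>" against the name "Adrian Farrel" on the line above; it looks like a transposition.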
skipping to change at page 17, line 22 skipping to change at page 17, line 5
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-03-28"{ revision "2019-06-12"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
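Review bot: the module description says "This version of this YANG module is part of RFC 8341", but RFC 8341 is the NETCONF Access Control Model cited in Section 7; this module is not part of it. Use the placeholder "RFC XXXX", as the revision statement already does, so the RFC Editor replaces both consistently.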
skipping to change at page 50, line 48 skipping to change at page 50, line 30
identity pmrn { identity pmrn {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with No Errors (PMRN)"; with No Errors (PMRN)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity i2nsf-ipsec {
description
"Internet Key Exchnage for NSFs
in the I2NSF framework";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- i2nsf-ipsec";
}
identity ike {
base i2nsf-ipsec;
description
"IKE case: IPsec with IKE in the NSF";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ike";
}
identity ikeless {
base i2nsf-ipsec;
description
"IKEless case: IPsec without IKEv2 in the NSF";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ikeless";
}
/* /*
* Typedefs * Typedefs
*/ */
typedef start-time-type { typedef start-time-type {
type union { type union {
type string { type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})'; + '(Z|[\+\-]\d{2}:\d{2})';
} }
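Review bot: the new base identity "i2nsf-ipsec" has the same name as the data node "leaf i2nsf-ipsec" that uses it. YANG keeps identities and data nodes in separate namespaces, so this compiles, but the shared name makes the tree diagram and instance data hard to read; consider naming the base identity after what it classifies (for example "ipsec-method", with "ike" and "ikeless" derived from it). The description "Internet Key Exchnage for NSFs" repeats the Figure 5 typo. The two derived identities describe their cases as "with IKE" and "without IKEv2"; use one term, since the referenced draft is about IKEv2.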
skipping to change at page 89, line 4 skipping to change at page 89, line 4
} }
leaf description { leaf description {
type string; type string;
description description
"This is a desription for rule-group"; "This is a desription for rule-group";
} }
} }
} }
} }
} }
container i2nsf-ipsec { leaf i2nsf-ipsec {
type identityref {
base i2nsf-ipsec;
}
description description
"Internet Key Exchnage for NSFs "Internet Key Exchnage for NSFs
in the I2NSF framework"; in the I2NSF framework";
container ike { reference
description "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
"IKE case: IPsec with IKE in the NSF"; - i2nsf-ipsec";
/*
uses "iii:ikev2";
*/
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ike";
}
container ikeless {
description
"IKEless case: IPsec without IKEv2 in the NSF";
/*
uses "iiil:ietf-ipsec";
*/
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ikeless";
}
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface
6. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
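Review bot: turning "container i2nsf-ipsec" with its "ike" and "ikeless" sub-containers into "leaf i2nsf-ipsec" of type identityref drops the commented-out "uses iii:ikev2" and "uses iiil:ietf-ipsec" hooks, so this module no longer has any place for IPsec parameters; the leaf only records which case applies. That is a reasonable split, but the leaf's description should say so and name draft-ietf-i2nsf-sdn-ipsec-flow-protection as the source of the parameters. The leaf is also optional with no default, so an instance that omits it leaves the IPsec mode unspecified; either add a default or state what omission means. Unchanged typos in this region: "This is a desription for rule-group" and "Internet Key Exchnage for NSFs".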
skipping to change at page 90, line 19 skipping to change at page 89, line 50
prefix: iiprfn prefix: iiprfn
reference: RFC XXXX reference: RFC XXXX
7. Security Considerations 7. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required transport secure the secure transport layer, and the required secure transport is
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
is HTTPS, and the required transport secure transport is TLS and the required secure transport is TLS [RFC8446].
[RFC8446].
The NETCONF access control model [RFC8341] provides a means of The NETCONF access control model [RFC8341] provides a means of
restricting access to specific NETCONF or RESTCONF users to a restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
8. References 8. References
8.1. Normative References 8.1. Normative References
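Review bot: the Security Considerations section in both columns stops after the transport and NACM paragraphs and never identifies which data nodes are sensitive, which the YANG security considerations template in RFC 8407 asks for. The rules under rule-group and the i2nsf-ipsec leaf shown above are all writable, and an unauthorized write changes which packets the NSF blocks or whether its flows are IPsec-protected, so the section should list those subtrees as sensitive for write access, and the policy rules, which reveal the operator's security posture, as sensitive for read access. The rewording from "required transport secure transport" to "required secure transport" is correct.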
skipping to change at page 92, line 13 skipping to change at page 91, line 44
protection-04 (work in progress), March 2019. protection-04 (work in progress), March 2019.
[i2nsf-advanced-nsf-dm] [i2nsf-advanced-nsf-dm]
Pan, W. and L. Xia, "Configuration of Advanced Security Pan, W. and L. Xia, "Configuration of Advanced Security
Functions with I2NSF Security Controller", draft-dong- Functions with I2NSF Security Controller", draft-dong-
i2nsf-asf-config-01 (work in progress), October 2018. i2nsf-asf-config-01 (work in progress), October 2018.
[i2nsf-nsf-cap-dm] [i2nsf-nsf-cap-dm]
Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
"I2NSF Capability YANG Data Model", draft-ietf-i2nsf- "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
capability-data-model-03 (work in progress), March 2019. capability-data-model-05 (work in progress), June 2019.
[i2nsf-nsf-cap-im] [i2nsf-nsf-cap-im]
Xia, L., Strassner, J., Basile, C., and D. Lopez, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf- "Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-04 (work in progress), October 2018. i2nsf-capability-05 (work in progress), April 2019.
[supa-policy-info-model] [supa-policy-info-model]
Strassner, J., Halpern, J., and S. Meer, "Generic Policy Strassner, J., Halpern, J., and S. Meer, "Generic Policy
Information Model for Simplified Use of Policy Information Model for Simplified Use of Policy
Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
model-03 (work in progress), May 2017. model-03 (work in progress), May 2017.
Appendix A. Configuration Examples Appendix A. Configuration Examples
This section shows configuration examples of "ietf-i2nsf-policy-rule- This section shows configuration examples of "ietf-i2nsf-policy-rule-
skipping to change at page 102, line 23 skipping to change at page 102, line 23
http_and_https_flood_attack_mitigation. http_and_https_flood_attack_mitigation.
2. The name of the rule is 100_per_second. 2. The name of the rule is 100_per_second.
3. The rule controls the http and https packets according to the 3. The rule controls the http and https packets according to the
amount of incoming packets. amount of incoming packets.
4. If the incoming packets match the rules above, the packets are 4. If the incoming packets match the rules above, the packets are
blocked. blocked.
Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-04 Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-05
The following changes are made from draft-ietf-i2nsf-nsf-facing- The following changes are made from draft-ietf-i2nsf-nsf-facing-
interface-dm-04: interface-dm-05:
o We changed http fields to url category fields.
o We added fields for a context condition (e.g., acl number,
application, target, user, group, and geography).
o We added an I2NSF IPsec field for configuration and state data for o We added an I2NSF IPsec field for IPsec management (e.g., ike and
IPsec management. ikeless).
Appendix C. Acknowledgments Appendix C. Acknowledgments
This work was supported by Institute for Information & communications This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence (MSIP)(No. R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service Technology Development for the Customized Security Service
Provisioning). Provisioning).
Appendix D. Contributors Appendix D. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document. The following are
considered co-authors: considered co-authors:
o Hyoungshick Kim (Sungkyunkwan University) o Hyoungshick Kim (Sungkyunkwan University)
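Review bot: the Appendix B entry "We added an I2NSF IPsec field for IPsec management (e.g., ike and ikeless)" does not match the module change in this diff, where the ike and ikeless containers of -05 are replaced by a single identityref leaf i2nsf-ipsec; since this appendix now lists changes from -05, the entry should say that the containers were replaced by a leaf selecting the IPsec method (ike or ikeless), with the IPsec configuration itself deferred to draft-ietf-i2nsf-sdn-ipsec-flow-protection-04. Dropping the two -05 bullets (url category fields, context condition fields) from the -06 changelog is correct.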
skipping to change at page 103, line 4 skipping to change at page 102, line 48
Appendix D. Contributors Appendix D. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document. The following are
considered co-authors: considered co-authors:
o Hyoungshick Kim (Sungkyunkwan University) o Hyoungshick Kim (Sungkyunkwan University)
o Daeyoung Hyun (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University)
o Dongjin Hong (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University)
o Liang Xia (Huawei) o Liang Xia (Huawei)
o Tae-Jin Ahn (Korea Telecom) o Tae-Jin Ahn (Korea Telecom)
o Se-Hui Lee (Korea Telecom) o Se-Hui Lee (Korea Telecom)
Authors' Addresses Authors' Addresses
Jinyong Tim Kim Jinyong Tim Kim
Department of Computer Engineering Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 10 8273 0930 Phone: +82 10 8273 0930
EMail: timkim@skku.edu EMail: timkim@skku.edu
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Software Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 31 299 4957 Phone: +82 31 299 4957
Fax: +82 31 290 7996 Fax: +82 31 290 7996
EMail: pauljeong@skku.edu EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
 End of changes. 40 change blocks. 
98 lines changed or deleted 82 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/