draft-ietf-i2nsf-nsf-facing-interface-dm-06.txt   draft-ietf-i2nsf-nsf-facing-interface-dm-07.txt 
I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: January 26, 2020                                        J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                           July 25, 2019


     I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-07
Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework.  The YANG data model in
   this document corresponds to the information model for the NSF-Facing
   Interface in the I2NSF framework.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 26, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . .   4
   4.  YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  General I2NSF Security Policy Rule  . . . . . . . . . . .   4
     4.2.  Event Clause  . . . . . . . . . . . . . . . . . . . . . .   6
     4.3.  Condition Clause  . . . . . . . . . . . . . . . . . . . .   7
     4.4.  Action Clause . . . . . . . . . . . . . . . . . . . . . .  14
     4.5.  I2NSF Internet Key Exchange . . . . . . . . . . . . . . .  15
   5.  YANG Data Module  . . . . . . . . . . . . . . . . . . . . . .  15
     5.1.  I2NSF NSF-Facing Interface YANG Data Module . . . . . . .  15
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  87
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  87
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  88
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  88
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  90
   Appendix A.  Configuration Examples . . . . . . . . . . . . . . .  91
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours . . . . . . . . . . . . . . . . . . . . . . . . . .  91
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to the Company . . . . . . . . . . . . . .  94
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server . . . . . . . . . . . . .  97
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-
                dm-06 . . . . . . . . . . . . . . . . . . . . . . . 100
   Appendix C.  Acknowledgments  . . . . . . . . . . . . . . . . . . 100
   Appendix D.  Contributors . . . . . . . . . . . . . . . . . . . . 100
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 101
1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF).  The YANG data model corresponds to the information model
   [draft-ietf-i2nsf-capability] for the NSF-Facing Interface in the
   Interface to Network Security Functions (I2NSF) framework.  The YANG
   data model in this document focuses on security policy configuration
   for generic network security functions.  Note that security policy
   configuration for advanced network security functions is defined in
   [draft-dong-i2nsf-asf-config].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model, which is the basis for the design of I2NSF Policy described in
   [RFC8329] and [draft-ietf-i2nsf-capability].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features:

   o  Configuration of a general security policy rule for generic
      network security functions.

   o  Configuration of an event clause for generic network security
      functions.

   o  Configuration of a condition clause for generic network security
      functions.

   o  Configuration of an action clause for generic network security
      functions.
2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].
3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-capability], [RFC8431], and
   [draft-ietf-supa-generic-policy-info-model].  In particular, the
   following terms are from [draft-ietf-supa-generic-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.
3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   defined in [RFC8340].
4.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Note that a detailed data model for the configuration of
   the advanced network security functions is described in
   [draft-dong-i2nsf-asf-config].  The section describes the following
   subjects:

   o  General I2NSF security policy rule of the generic network security
      function.

   o  An event clause of the generic network security function.

   o  A condition clause of the generic network security function.

   o  An action clause of the generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for general I2NSF security
   policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     +--rw system-policy-name           string
     |     +--rw priority-usage?              identityref
     |     +--rw resolution-strategy?         identityref
     |     +--rw default-action?              identityref
     |     +--rw rules* [rule-name]
     |     |  +--rw rule-name                     string
     |     |  +--rw rule-description?             string
     |     |  +--rw rule-priority?                uint8
     |     |  +--rw rule-enable?                  boolean
     |     |  +--rw rule-session-aging-time?      uint16
     |     |  +--rw rule-long-connection
     |     |  |  +--rw enable?   boolean
     |     |  |  +--rw during?   uint16
     |     |  +--rw time-intervals
     |     |  |  +--rw absolute-time-interval
     |     |  |  |  +--rw start-time?   start-time-type
     |     |  |  |  +--rw end-time?     end-time-type
     |     |  |  +--rw periodic-time-interval
     |     |  |     +--rw day
     |     |  |     |  +--rw every-day?        boolean
     |     |  |     |  +--rw specific-day*     day-type
     |     |  |     +--rw month
     |     |  |        +--rw every-month?      boolean
     |     |  |        +--rw specific-month*   month-type
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     [...]
     |        +--rw group-name       string
     |        +--rw rule-range
     |        |  +--rw start-rule?   string
     |        |  +--rw end-rule?     string
     |        +--rw enable?          boolean
     |        +--rw description?     string
     +--rw i2nsf-ipsec?   identityref

          Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy provides for multiple system policies in one NSF,
   and each system policy is used by one virtual instance of the NSF/
   device.  The system policy includes system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [draft-ietf-i2nsf-capability].

   A default action is the action an I2NSF policy executes when no rule
   matches a packet.  The default action is defined as pass, drop,
   reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [draft-ietf-i2nsf-capability].

   The rules include rule name, rule description, rule priority, rule
   enable, time intervals, event clause container, condition clause
   container, and action clause container.
4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause of
   I2NSF security policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  +--rw event-clause-description?   string
     |     |  |  +--rw event-clauses
     [...]
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

             Figure 2: YANG Tree Diagram for an Event Clause

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.  An event clause
   is any important occurrence, at a specific time, of a change in the
   system being managed and/or in the environment of the system being
   managed.  An event clause is used to trigger the evaluation of the
   condition clause of the I2NSF Policy Rule.  The event clause is
   defined as either a system event or a system alarm.  The event clause
   can be extended according to specific vendor event features.  The
   event clause is described in detail in [draft-ietf-i2nsf-capability].
4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of
   I2NSF security policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  +--rw condition-clause-description?   string
     [...]
     |     |  |  |  +--rw pkt-sec-dest-voice-id*   string
     |     |  |  |  +--rw pkt-sec-user-agent*      string
     |     |  |  +--rw packet-security-ddos-condition
     |     |  |  |  +--rw ddos-description?     string
     |     |  |  |  +--rw pkt-sec-alert-rate?   uint32
     |     |  |  +--rw packet-security-payload-condition
     |     |  |  |  +--rw packet-payload-description?   string
     |     |  |  |  +--rw pkt-payload-content*          string
     |     |  |  +--rw context-condition
     |     |  |  |  +--rw context-description?   string
     |     |  |  +--rw application-condition
     |     |  |  |  +--rw application-description?   string
     |     |  |  |  +--rw application-object*        string
     |     |  |  |  +--rw application-group*         string
     |     |  |  |  +--rw application-label*         string
     |     |  |  |  +--rw category
     |     |  |  |     +--rw application-category*
     |     |  |  |             [name application-subcategory]
     |     |  |  |        +--rw name                      string
     |     |  |  |        +--rw application-subcategory   string
     [...]
     |     |  |     +--rw src-geographic-location*    uint32
     |     |  |     +--rw dest-geographic-location*   uint32
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

           Figure 3: YANG Tree Diagram for a Condition Clause

   This YANG tree diagram shows a condition clause for an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether the set of actions in
   that (imperative) I2NSF policy rule can be executed.  A condition
   clause is classified as a condition of generic network security
   functions, of advanced network security functions, or of context.  A
   condition clause of generic network security functions is defined as
   packet security IPv4 condition, packet security IPv6 condition,
   packet security TCP condition, and packet security ICMP condition.  A
   condition clause of advanced network security functions is defined as
   packet security URL category condition, packet security voice
   condition, packet security DDoS condition, or packet security payload
   condition.  A condition clause of context is defined as ACL number
   condition, application condition, target condition, user condition,
   and geography condition.  Note that this document deals only with
   simple conditions of advanced network security functions.  The
   condition clauses of advanced network security functions are
   described in detail in [draft-dong-i2nsf-asf-config].  A condition
   clause can be extended according to specific vendor condition
   features.  A condition clause is described in detail in
   [draft-ietf-i2nsf-capability].
4.4.  Action Clause

   This section shows the YANG tree diagram for an action clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     [...]
     |     |     |  +--rw log-action?   identityref
     |     |     +--rw advanced-action
     |     |        +--rw content-security-control*    identityref
     |     |        +--rw attack-mitigation-control*   identityref
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

            Figure 4: YANG Tree Diagram for an Action Clause

   This YANG tree diagram shows an action clause of an I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the
   policy rule's event and condition clauses are satisfied.  NSFs
   provide security services by executing various actions.  The action
   clause is defined as ingress action, egress action, or log action for
   packet action, and advanced action for additional inspection.  The
   action clause can be extended according to specific vendor action
   features.  The action clause is described in detail in
   [draft-ietf-i2nsf-capability].
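The following is an added example, not code from the draft, that evaluates a system policy with the semantics Sections 4.1 to 4.4 describe: rule-enable, time-intervals, a condition clause matched against packet fields, the resolution strategy (FMR, LMR, PMRE, PMRN) and the default-action when nothing matches. The condition field names, the weekday encoding of day-type, the addresses and the PMRN tie-break by rule order are assumptions of this example.

```python
"""Added example (not the draft's code): evaluating an I2NSF system policy
of Sections 4.1-4.4.  Condition field names, day names and addresses are
constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

class PolicyConflictError(Exception):
    """Raised under PMRE when the matched rules tie on rule-priority."""

@dataclass
class TimeInterval:
    """time-intervals: absolute start/end plus periodic specific days."""
    start: Optional[datetime] = None        # absolute-time-interval/start-time
    end: Optional[datetime] = None          # absolute-time-interval/end-time
    every_day: bool = True                  # periodic-time-interval/day/every-day
    specific_days: frozenset = frozenset()  # periodic-time-interval/day/specific-day

    def active(self, now: datetime) -> bool:
        if (self.start and now < self.start) or (self.end and now > self.end):
            return False
        # Lower-case weekday names are a constructed encoding of day-type.
        return self.every_day or now.strftime("%A").lower() in self.specific_days

@dataclass
class Rule:
    name: str                               # rule-name
    priority: int = 0                       # rule-priority (uint8)
    enable: bool = True                     # rule-enable
    when: TimeInterval = field(default_factory=TimeInterval)
    condition: dict = field(default_factory=dict)  # field -> accepted values
    action: str = "pass"                    # ingress-action / egress-action

@dataclass
class SystemPolicy:
    name: str                               # system-policy-name
    resolution_strategy: str = "fmr"        # fmr | lmr | pmre | pmrn
    default_action: str = "drop"            # pass | drop | reject | alert | mirror
    rules: list = field(default_factory=list)

def condition_matches(condition: dict, packet: dict) -> bool:
    """An empty condition matches every packet; otherwise every listed field
    must carry one of the accepted values."""
    return all(packet.get(f) in accepted for f, accepted in condition.items())

def evaluate(policy: SystemPolicy, packet: dict, now: datetime) -> str:
    """Return the packet action the NSF applies under this system policy."""
    matched = [r for r in policy.rules if r.enable and r.when.active(now)
               and condition_matches(r.condition, packet)]
    if not matched:
        return policy.default_action        # no rule matched: default-action
    s = policy.resolution_strategy
    if s == "fmr":                          # First Matching Rule
        return matched[0].action
    if s == "lmr":                          # Last Matching Rule
        return matched[-1].action
    top = max(r.priority for r in matched)  # Prioritized Matching Rule
    winners = [r for r in matched if r.priority == top]
    if len(winners) > 1 and s == "pmre":    # PMRE: a priority tie is an error
        raise PolicyConflictError(f"{[r.name for r in winners]} tie at {top}")
    # PMRN tie-break by rule order is an assumption of this example; the
    # authoritative semantics are in draft-ietf-i2nsf-capability.
    return winners[0].action

def demo_policy() -> SystemPolicy:
    """Constructed sample: drop HTTPS to the web server on weekdays, with a
    higher-priority exception for a monitoring host and one disabled rule."""
    weekdays = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday"})
    return SystemPolicy("demo", resolution_strategy="pmrn", default_action="pass", rules=[
        Rule("block-https", priority=10,
             when=TimeInterval(every_day=False, specific_days=weekdays),
             condition={"ipv4_dest": {"203.0.113.10"}, "tcp_dest_port": {443}},
             action="drop"),
        Rule("allow-monitor", priority=20,
             condition={"ipv4_src": {"192.0.2.7"}, "ipv4_dest": {"203.0.113.10"}},
             action="pass"),
        Rule("disabled", priority=99, enable=False, action="reject"),
    ])

def demo_decisions() -> dict:
    """Decisions for one constructed HTTPS packet on a weekday, on a weekend,
    and from the monitoring host."""
    policy = demo_policy()
    thursday = datetime(2019, 7, 25, 10, 0)   # inside the periodic interval
    saturday = datetime(2019, 7, 27, 10, 0)   # outside it
    pkt = {"ipv4_src": "198.51.100.5", "ipv4_dest": "203.0.113.10", "tcp_dest_port": 443}
    return {
        "weekday": evaluate(policy, pkt, thursday),                               # drop
        "weekend": evaluate(policy, pkt, saturday),                               # pass
        "monitor": evaluate(policy, {**pkt, "ipv4_src": "192.0.2.7"}, thursday),  # pass
    }

def pmre_conflict_detected() -> bool:
    """Two enabled rules at equal priority: PMRE raises, PMRN picks the first."""
    rules = [Rule("a", priority=5, action="drop"), Rule("b", priority=5, action="pass")]
    try:
        evaluate(SystemPolicy("tie", "pmre", "drop", rules), {}, datetime(2019, 7, 25))
    except PolicyConflictError:
        return evaluate(SystemPolicy("tie", "pmrn", "drop", rules), {}, datetime(2019, 7, 25)) == "drop"
    return False
```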
4.5.  I2NSF Internet Key Exchange

   This section shows the YANG tree diagram for I2NSF IPsec.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     [...]
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

        Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchange

   This YANG tree diagram shows an I2NSF IPsec specification for an
   Internet Key Exchange (IKE).  An I2NSF IPsec specification is used to
   define a method required to manage IPsec parameters for creating
   IPsec Security Associations (SAs) between two NSFs through either the
   IKEv2 protocol or the Security Controller
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection].  I2NSF IPsec considers
   two cases, the IKE case (i.e., IPsec through IKE) and the IKE-less
   case (i.e., IPsec not through IKE, but through a Security
   Controller).  Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
   for the detailed description of the I2NSF IPsec.
5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section contains a YANG data module for configuration of
   security policy rules on network security functions.

   <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-07-25.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       nsfintf;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }

     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web: <http://tools.ietf.org/wg/i2nsf>
        WG List: <mailto:i2nsf@ietf.org>

        WG Chair: Linda Dunbar
        <mailto:ldunbar@futurewei.com>

        WG Chair: Yoav Nir
        <mailto:ynir.ietf@gmail.com>

        Editor: Jingyong Tim Kim
        <mailto:timkim@skku.edu>

        Editor: Jaehoon Paul Jeong
        <mailto:pauljeong@skku.edu>

        Editor: Susan Hares
        <mailto:shares@ndzh.com>";

     description
       "This module defines a YANG data module for the Network Security
        Functions (NSF) facing interface.

        Copyright (c) 2018 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
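Review bot: The module description still says "Copyright (c) 2018" while the file name and revision move to 2019-07-25; the year should match the current publication. Renaming the prefix from iiprfn to nsfintf is reasonable for readability, but a prefix change invalidates any existing instance data, XPath and augmentations that used the old prefix, so it deserves a mention in a change log for this version rather than a silent edit.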
skipping to change at page 16, line 50 skipping to change at page 17, line 4
Copyright (c) 2018 IETF Trust and the persons Copyright (c) 2018 IETF Trust and the persons
identified as authors of the code. All rights reserved. identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-06-12"{ revision "2019-07-25"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
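Review bot: The description closes with "This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices", but the revision reference a few lines below says "RFC XXXX"; RFC 8341 is a different document, so this should read "RFC XXXX" with the usual note to the RFC Editor. The copyright and Simplified BSD License paragraph also appears twice inside the same description string (once before and once after the elided lines); keep one copy. The revision date is updated to 2019-07-25 but its description still says "Initial revision."; a short note on what changed would help implementers.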
skipping to change at page 17, line 35 skipping to change at page 17, line 37
} }
identity priority-by-number { identity priority-by-number {
base priority-usage-type; base priority-usage-type;
description description
"Identity for priority by number"; "Identity for priority by number";
} }
identity event { identity event {
description description
"Base identity for event of policy."; "Base identity for policy events";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- Event"; - Event";
} }
identity system-event { identity system-event {
base event; base event;
description description
"Identity for system event"; "Identity for system events";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System event"; - System event";
} }
identity system-alarm { identity system-alarm {
base event; base event;
description description
"Identity for system alarm"; "Identity for system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity access-violation { identity access-violation {
base system-event; base system-event;
description description
"Identity for access violation "Identity for access violation
among system events"; system events";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System event"; - System event";
} }
identity configuration-change { identity configuration-change {
base system-event; base system-event;
description description
"Identity for configuration change "Identity for configuration change
among system events"; system events";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System event"; - System event";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm; base system-alarm;
description description
"Identity for memory alarm "Identity for memory alarm
among system alarms"; system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm; base system-alarm;
description description
"Identity for cpu alarm "Identity for CPU alarm
among system alarms"; system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm; base system-alarm;
description description
"Identity for disk alarm "Identity for disk alarm
among system alarms"; system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm; base system-alarm;
description description
"Identity for hardware alarm "Identity for hardware alarm
among system alarms"; system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm; base system-alarm;
description description
"Identity for interface alarm "Identity for interface alarm
among system alarms"; system alarms";
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-ietf-i2nsf-nsf-monitoring-data-model-01
- System alarm"; - System alarm";
} }
identity type-of-service { identity type-of-service {
description description
"Base identity for type of service of IPv4"; "Base identity for type of service of IPv4";
reference reference
"RFC 791: Internet Protocol - Type of Service"; "RFC 791: Internet Protocol - Type of Service";
} }
identity traffic-class { identity traffic-class {
description description
"Base identity for traffic-class of IPv6"; "Base identity for traffic-class of IPv6";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity normal { identity normal {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for normal"; "Identity for normal IPv4 TOS and IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity minimize-cost { identity minimize-cost {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for minimize cost"; "Identity for 'minimize monetary cost' IPv4 TOS and
IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity maximize-reliability { identity maximize-reliability {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for maximize reliability"; "Identity for 'maximize reliability' IPv4 TOS and
IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity maximize-throughput { identity maximize-throughput {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for maximize throughput"; "Identity for 'maximize throughput' IPv4 TOS and
IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity minimize-delay { identity minimize-delay {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for minimize delay"; "Identity for 'minimize delay' IPv4 TOS and
IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity maximize-security { identity maximize-security {
base type-of-service; base type-of-service;
base traffic-class; base traffic-class;
description description
"Identity for maximize security"; "Identity for 'maximize security' IPv4 TOS and
IPv6 Traffic Class";
reference reference
"RFC 791: Internet Protocol - Type of Service "RFC 791: Internet Protocol - Type of Service
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity fragmentation-flags-type { identity fragmentation-flags-type {
description description
"Base identity for fragmentation flags type"; "Base identity for fragmentation flags type";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
identity fragment { identity fragment {
base fragmentation-flags-type; base fragmentation-flags-type;
description description
"Identity for fragment"; "Identity for 'More fragment' flag";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
identity no-fragment { identity no-fragment {
base fragmentation-flags-type; base fragmentation-flags-type;
description description
"Identity for no fragment"; "Identity for 'Do not fragment' flag";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
identity reserved { identity reserved {
base fragmentation-flags-type; base fragmentation-flags-type;
description description
"Identity for reserved"; "Identity for reserved flags";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
identity protocol { identity protocol {
description description
"Base identity for protocol of IPv4"; "Base identity for protocol of IPv4";
reference reference
"RFC 790: Assigned numbers - Assigned Internet "RFC 790: Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Protocol"; RFC 791: Internet Protocol - Protocol";
} }
identity next-header { identity next-header {
description description
"Base identity for next header of IPv6"; "Base identity for IPv6 next header";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity icmp { identity icmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for icmp"; "Identity for ICMP IPv4 protocol and
IPv6 nett header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity igmp { identity igmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for igmp"; "Identity for IGMP IPv4 protocol and
IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity tcp { identity tcp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for tcp"; "Identity for TCP protocol";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity igrp { identity igrp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for igrp"; "Identity for IGRP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity udp { identity udp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for udp"; "Identity for UDP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity gre { identity gre {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for gre"; "Identity for GRE IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity esp { identity esp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for esp"; "Identity for ESP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ah { identity ah {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for ah"; "Identity for AH IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity mobile { identity mobile {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for mobile"; "Identity for mobile IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity tlsp { identity tlsp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for tlsp"; "Identity for TLSP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity skip { identity skip {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for skip"; "Identity for skip IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ipv6-icmp { identity ipv6-icmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for IPv6 icmp "; "Identity for IPv6 ICMP next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 8200: Internet Protocol, Version 6 (IPv6)
RFC 2460: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity eigrp { identity eigrp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for eigrp"; "Identity for EIGRP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ospf { identity ospf {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for ospf"; "Identity for OSPF IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity l2tp { identity l2tp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for l2tp"; "Identity for L2TP IPv4 protocol
and IPv6 next header";
reference reference
"RFC 790: - Assigned numbers - Assigned Internet "RFC 790: - Assigned numbers - Assigned Internet
Protocol Number Protocol Number
RFC 791: Internet Protocol - Type of Service RFC 791: Internet Protocol - Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ipopts { identity ipopts {
description description
"Base identity for IP options"; "Base identity for IP options";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity rr { identity rr {
base ipopts; base ipopts;
description description
"Identity for record route"; "Identity for 'Record Route' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity eol { identity eol {
base ipopts; base ipopts;
description description
"Identity for end of list"; "Identity for 'End of List' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity nop { identity nop {
base ipopts; base ipopts;
description description
"Identity for no operation"; "Identity for 'No Operation' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity ts { identity ts {
base ipopts; base ipopts;
description description
"Identity for time stamp"; "Identity for 'Timestamp' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity sec { identity sec {
base ipopts; base ipopts;
description description
"Identity for IP security"; "Identity for 'IP security' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity esec { identity esec {
base ipopts; base ipopts;
description description
"Identity for IP extended security"; "Identity for 'IP extended security' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity lsrr { identity lsrr {
base ipopts; base ipopts;
description description
"Identity for loose source routing"; "Identity for 'Loose Source Routing' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity ssrr { identity ssrr {
base ipopts; base ipopts;
description description
"Identity for strict source routing"; "Identity for 'Strict Source Routing' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity satid { identity satid {
base ipopts; base ipopts;
description description
"Identity for stream identifier"; "Identity for 'Stream Identifier' IP Option";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity any { identity any {
base ipopts; base ipopts;
description description
"Identity for which any IP options are set"; "Identity for 'any IP options
included in IPv4 packet";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
identity tcp-flags { identity tcp-flags {
description description
"Base identity for tcp flags"; "Base identity for TCP flags";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity cwr { identity cwr {
base tcp-flags; base tcp-flags;
description description
"Identity for congestion window reduced"; "Identity for 'Congestion Window Reduced' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity ecn { identity ecn {
base tcp-flags; base tcp-flags;
description description
"Identity for explicit congestion notification"; "Identity for 'Explicit Congestion Notification'
TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity urg { identity urg {
base tcp-flags; base tcp-flags;
description description
"Identity for urgent"; "Identity for 'Urgent' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity ack { identity ack {
base tcp-flags; base tcp-flags;
description description
"Identity for acknowledgement"; "Identity for 'acknowledgement' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity psh { identity psh {
base tcp-flags; base tcp-flags;
description description
"Identity for push"; "Identity for 'Push' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity rst { identity rst {
base tcp-flags; base tcp-flags;
description description
"Identity for reset"; "Identity for 'Reset' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity syn { identity syn {
base tcp-flags; base tcp-flags;
description description
"Identity for synchronize"; "Identity for 'Synchronize' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity fin { identity fin {
base tcp-flags; base tcp-flags;
description description
"Identity for finish"; "Identity for 'Finish' TCP flag";
reference reference
"RFC 793: Transmission Control Protocol - Flags"; "RFC 793: Transmission Control Protocol - Flags";
} }
identity icmp-type { identity icmp-type {
description description
"Base identity for icmp types"; "Base identity for ICMP Message types";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity echo-reply { identity echo-reply {
base icmp-type; base icmp-type;
description description
"Identity for echo reply"; "Identity for 'Echo Reply' ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity destination-unreachable { identity destination-unreachable {
base icmp-type; base icmp-type;
description description
"Identity for destination unreachable"; "Identity for 'Destination Unreachable'
reference ICMP message type";
"RFC 792: Internet Control Message Protocol";
}
identity source-quench {
base icmp-type;
description
"Identity for source quench";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity redirect { identity redirect {
base icmp-type; base icmp-type;
description description
"Identity for redirect"; "Identity for 'Redirect' ICMP message type";
reference
"RFC 792: Internet Control Message Protocol";
}
identity alternate-host-address {
base icmp-type;
description
"Identity for alternate host address";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity echo { identity echo {
base icmp-type; base icmp-type;
description description
"Identity for echo"; "Identity for 'Echo' ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity router-advertisement { identity router-advertisement {
base icmp-type; base icmp-type;
description description
"Identity for router advertisement"; "Identity for 'Router Advertisement'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity router-solicitation { identity router-solicitation {
base icmp-type; base icmp-type;
description description
"Identity for router solicitation"; "Identity for 'Router Solicitation'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity time-exceeded { identity time-exceeded {
base icmp-type; base icmp-type;
description description
"Identity for time exceeded"; "Identity for 'Time exceeded' ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity parameter-problem { identity parameter-problem {
base icmp-type; base icmp-type;
description description
"Identity for parameter problem"; "Identity for 'Parameter Problem'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity timestamp { identity timestamp {
base icmp-type; base icmp-type;
description description
"Identity for timestamp"; "Identity for 'Timestamp' ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity timestamp-reply { identity timestamp-reply {
base icmp-type; base icmp-type;
description description
"Identity for timestamp reply"; "Identity for 'Timestamp Reply'
reference ICMP message type";
"RFC 792: Internet Control Message Protocol";
}
identity information-request {
base icmp-type;
description
"Identity for information request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity information-reply {
base icmp-type;
description
"Identity for information reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity address-mask-request {
base icmp-type;
description
"Identity for address mask request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity address-mask-reply {
base icmp-type;
description
"Identity for address mask reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity traceroute {
base icmp-type;
description
"Identity for traceroute";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity datagram-conversion-error { identity datagram-conversion-error {
base icmp-type; base icmp-type;
description description
"Identity for datagram conversion error"; "Identity for 'Datagram Conversion Error'
reference ICMP message type";
"RFC 792: Internet Control Message Protocol";
}
identity mobile-host-redirect {
base icmp-type;
description
"Identity for mobile host redirect";
reference
"RFC 792: Internet Control Message Protocol";
}
identity ipv6-where-are-you {
base icmp-type;
description
"Identity for IPv6 where are you";
reference
"RFC 792: Internet Control Message Protocol";
}
identity ipv6-i-am-here {
base icmp-type ;
description
"Identity for IPv6 i am here";
reference
"RFC 792: Internet Control Message Protocol";
}
identity mobile-registration-request {
base icmp-type;
description
"Identity for mobile registration request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity mobile-registration-reply {
base icmp-type;
description
"Identity for mobile registration reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity domain-name-request {
base icmp-type;
description
"Identity for domain name request";
reference
"RFC 792: Internet Control Message Protocol";
}
identity domain-name-reply {
base icmp-type;
description
"Identity for domain name reply";
reference
"RFC 792: Internet Control Message Protocol";
}
identity iskip {
base icmp-type;
description
"Identity for icmp skip";
reference
"RFC 792: Internet Control Message Protocol";
}
identity photuris {
base icmp-type;
description
"Identity for photuris";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity experimental-mobility-protocols { identity experimental-mobility-protocols {
base icmp-type; base icmp-type;
description description
"Identity for experimental mobility protocols"; "Identity for 'Experimental Mobility Protocols'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity extended-echo-request { identity extended-echo-request {
base icmp-type; base icmp-type;
description description
"Identity for extended echo request"; "Identity for 'Extended Echo Request'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
identity extended-echo-reply { identity extended-echo-reply {
base icmp-type; base icmp-type;
description description
"Identity for extended echo reply"; "Identity for 'Extended Echo Reply'
ICMP message type";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
identity net-unreachable { identity net-unreachable {
base icmp-type; base icmp-type;
description description
"Identity for net unreachable "Identity for net unreachable
in destination unreachable types"; in destination unreachable types";
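Review bot: the two identities this hunk keeps in -07, datagram-conversion-error and experimental-mobility-protocols, still cite RFC 792, which defines neither message type (RFC 792 ends at Information Request/Reply); Datagram Conversion Error (type 31) comes from RFC 1475 and Experimental Mobility Protocols (type 41) from RFC 4065, so the reference statements should name those documents or the IANA ICMP Type Numbers registry. The deletions in the same hunk (information-request through photuris, blank in the right column) look like a cleanup of the types deprecated by RFC 6918; if that is the rationale, Datagram Conversion Error is on that list too and should go with them, while Photuris (type 40, RFC 2521) is not deprecated and is a legitimately matchable type that the model now cannot name. Whichever way it is resolved, the draft should say what a policy can do with an ICMP type that has no identity, since for a filtering NSF the practical answer is that such traffic is only reachable through a catch-all rule or the policy's default action.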
skipping to change at page 42, line 22 skipping to change at page 40, line 21
in extended echo reply types"; in extended echo reply types";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
identity target-device { identity target-device {
description description
"Base identity for target devices"; "Base identity for target devices";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities"; of NSFs Capabilities";
} }
identity pc { identity pc {
base target-device; base target-device;
description description
"Identity for pc"; "Identity for pc";
} }
identity mobile-phone { identity mobile-phone {
skipping to change at page 43, line 21 skipping to change at page 41, line 20
"Identity for vehicle"; "Identity for vehicle";
} }
identity content-security-control { identity content-security-control {
description description
"Base identity for content security control"; "Base identity for content security control";
reference reference
"RFC 8329: Framework for Interface to "RFC 8329: Framework for Interface to
Network Security Functions - Differences Network Security Functions - Differences
from ACL Data Models from ACL Data Models
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities"; of NSFs Capabilities";
} }
identity antivirus { identity antivirus {
base content-security-control; base content-security-control;
description description
"Identity for antivirus"; "Identity for antivirus";
} }
identity ips { identity ips {
skipping to change at page 44, line 44 skipping to change at page 42, line 41
"Identity for voip and volte"; "Identity for voip and volte";
} }
identity attack-mitigation-control { identity attack-mitigation-control {
description description
"Base identity for attack mitigation control"; "Base identity for attack mitigation control";
reference reference
"RFC 8329: Framework for Interface to "RFC 8329: Framework for Interface to
Network Security Functions - Differences Network Security Functions - Differences
from ACL Data Models from ACL Data Models
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities"; of NSFs Capabilities";
} }
identity syn-flood { identity syn-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for syn flood"; "Identity for syn flood";
} }
identity udp-flood { identity udp-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for udp flood"; "Identity for udp flood";
} }
identity icmp-flood { identity icmp-flood {
base attack-mitigation-control; base attack-mitigation-control;
skipping to change at page 46, line 47 skipping to change at page 44, line 43
identity tracert { identity tracert {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for tracert"; "Identity for tracert";
} }
identity ingress-action { identity ingress-action {
description description
"Base identity for action"; "Base identity for action";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Ingress Action"; of NSFs Capabilities - Ingress Action";
} }
identity egress-action { identity egress-action {
description description
"Base identity for egress action"; "Base identity for egress action";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Egress action"; of NSFs Capabilities - Egress action";
} }
identity default-action { identity default-action {
description description
"Base identity for default action"; "Base identity for default action";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Default action"; of NSFs Capabilities - Default action";
} }
identity pass { identity pass {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for pass"; "Identity for pass";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Actions and of NSFs Capabilities - Actions and
default action"; default action";
} }
identity drop { identity drop {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for drop"; "Identity for drop";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Actions and of NSFs Capabilities - Actions and
default action"; default action";
} }
identity reject { identity reject {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for reject"; "Identity for reject";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Actions and of NSFs Capabilities - Actions and
default action"; default action";
} }
identity alert { identity alert {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for alert"; "Identity for alert";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Actions and of NSFs Capabilities - Actions and
default action"; default action";
} }
identity mirror { identity mirror {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for mirror"; "Identity for mirror";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Actions and of NSFs Capabilities - Actions and
default action"; default action";
} }
identity log-action { identity log-action {
description description
"Base identity for log action"; "Base identity for log action";
} }
identity rule-log { identity rule-log {
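Review bot: the description of ingress-action reads "Base identity for action", which is inconsistent with the sibling bases egress-action ("Base identity for egress action") and default-action ("Base identity for default action"); make it "Base identity for ingress action" so the three bases read the same way. Also, every action identity in this hunk (pass, drop, reject, alert, mirror) lists default-action among its bases, so alert and mirror are legal values for a policy's default; neither of those says what happens to the packet itself, so if the intent is that only pass, drop and reject may terminate an unmatched packet, narrow the derivation rather than leave it to the implementer.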
skipping to change at page 49, line 27 skipping to change at page 47, line 25
base egress-action; base egress-action;
description description
"Identity for redirection"; "Identity for redirection";
} }
identity resolution-strategy { identity resolution-strategy {
description description
"Base identity for resolution strategy"; "Base identity for resolution strategy";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity fmr { identity fmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for First Matching Rule (FMR)"; "Identity for First Matching Rule (FMR)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity lmr { identity lmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Last Matching Rule (LMR)"; "Identity for Last Matching Rule (LMR)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity pmr { identity pmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule (PMR)"; "Identity for Prioritized Matching Rule (PMR)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity pmre { identity pmre {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with Errors (PMRE)"; with Errors (PMRE)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity pmrn { identity pmrn {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with No Errors (PMRN)"; with No Errors (PMRN)";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution Strategy"; of NSFs Capabilities - Resolution Strategy";
} }
identity i2nsf-ipsec { identity i2nsf-ipsec {
description description
"Internet Key Exchnage for NSFs "Internet Key Exchnage for NSFs
in the I2NSF framework"; in the I2NSF framework";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- i2nsf-ipsec"; - i2nsf-ipsec";
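Review bot: the description of i2nsf-ipsec, "Internet Key Exchnage for NSFs in the I2NSF framework", carries the typo "Exchnage" in both -06 and -07, and it names the base identity after IKE even though the derived value shown just below (ikeless) is precisely the method that does not use IKE. Suggested text: "Base identity for the IPsec flow protection method of an NSF in the I2NSF framework (IKE-based or IKE-less)", with each derived identity describing its own method.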
skipping to change at page 51, line 16 skipping to change at page 49, line 13
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
- ikeless"; - ikeless";
} }
/* /*
* Typedefs * Typedefs
*/ */
typedef start-time-type { typedef start-time-type {
type union { type union {
type string { type yang:date-and-time;
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
type enumeration { type enumeration {
enum right-away { enum right-away {
description description
"Immediate rule execution "Immediate rule execution
in the system."; in the system.";
} }
} }
} }
description description
"Start time when the rules are applied."; "Start time when the rules are applied.";
} }
typedef end-time-type { typedef end-time-type {
type union { type union {
type string { type yang:date-and-time;
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
type enumeration { type enumeration {
enum infinitely { enum infinitely {
description description
"Infinite rule execution "Infinite rule execution
in the system."; in the system.";
} }
} }
} }
description description
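Review bot: replacing the -06 string pattern with yang:date-and-time in start-time-type and end-time-type changes which values are valid, not only how they are typed: the old pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' + '(Z|[\+\-]\d{2}:\d{2})' accepted a time of day with a zone offset, whereas yang:date-and-time (RFC 6991) requires a full date as well, so a configuration that only carried a time of day now fails validation; call that out in the change log. The yang: prefix also needs an import of ietf-yang-types, which this excerpt does not show, so check the module header. The union order is fine as written, since date-and-time is tried before the enumeration and "right-away" / "infinitely" cannot be mistaken for timestamps.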
skipping to change at page 54, line 9 skipping to change at page 51, line 48
} }
/* /*
* Groupings * Groupings
*/ */
grouping ipv4 { grouping ipv4 {
list ipv4-address { list ipv4-address {
key "ipv4"; key "ipv4";
description description
"The list of IPv4 address."; "The list of IPv4 addresses.";
leaf ipv4 { leaf ipv4 {
type inet:ipv4-address; type inet:ipv4-address;
description description
"The value of IPv4 address."; "The value of IPv4 address.";
} }
choice subnet { choice subnet {
description description
"The subnet can be specified as a prefix length or "The subnet can be specified as a prefix length or
netmask."; netmask.";
skipping to change at page 54, line 46 skipping to change at page 52, line 37
reference reference
"RFC 791: Internet Protocol - IPv4 address "RFC 791: Internet Protocol - IPv4 address
RFC 8344: A YANG Data Model for IP Management"; RFC 8344: A YANG Data Model for IP Management";
} }
grouping ipv6 { grouping ipv6 {
list ipv6-address { list ipv6-address {
key "ipv6"; key "ipv6";
description description
"The list of IPv6 address."; "The list of IPv6 addresses.";
leaf ipv6 { leaf ipv6 {
type inet:ipv6-address; type inet:ipv6-address;
description description
"The value of IPv6 address."; "The value of IPv6 address.";
} }
leaf prefix-length { leaf prefix-length {
type uint8 { type uint8 {
range "0..128"; range "0..128";
} }
description description
"The length of the subnet prefix."; "The length of the subnet prefix.";
} }
} }
description description
"Grouping for an IPv6 address"; "Grouping for an IPv6 address";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address Specification - IPv6 address
RFC 8344: A YANG Data Model for IP Management"; RFC 8344: A YANG Data Model for IP Management";
} }
grouping pkt-sec-ipv4 { grouping pkt-sec-ipv4 {
choice match-type { choice match-type {
description description
"There are two types to configure a security policy "There are two types of security policy IPv4 address
for IPv4 address, such as exact match and range match."; matching - exact match and range match.";
case exact-match { case exact-match {
uses ipv4; uses ipv4;
description description
"Exact match for an IPv4 address."; "Exact match for an IPv4 address.";
} }
case range-match { case range-match {
list range-ipv4-address { list range-ipv4-address {
key "start-ipv4-address end-ipv4-address"; key "start-ipv4-address end-ipv4-address";
leaf start-ipv4-address { leaf start-ipv4-address {
type inet:ipv4-address; type inet:ipv4-address;
description description
"Start IPv4 address for a range match."; "Starting IPv4 address for a range match.";
} }
leaf end-ipv4-address { leaf end-ipv4-address {
type inet:ipv4-address; type inet:ipv4-address;
description description
"End IPv4 address for a range match."; "Ending IPv4 address for a range match.";
} }
description description
"Range match for an IPv4 address."; "Range match for an IPv4 address.";
} }
} }
} }
description description
"Grouping for an IPv4 address."; "Grouping for an IPv4 address.";
reference reference
"RFC 791: Internet Protocol - IPv4 address"; "RFC 791: Internet Protocol - IPv4 address";
} }
grouping pkt-sec-ipv6 { grouping pkt-sec-ipv6 {
choice match-type { choice match-type {
description description
"There are two types to configure a security policy "There are two types of security policy IPv6 address
for IPv6 address, such as exact match and range match."; matching - exact match and range match.";
case exact-match { case exact-match {
uses ipv6; uses ipv6;
description description
"Exact match for an IPv6 address."; "Exact match for an IPv6 address.";
} }
case range-match { case range-match {
list range-ipv6-address { list range-ipv6-address {
key "start-ipv6-address end-ipv6-address"; key "start-ipv6-address end-ipv6-address";
leaf start-ipv6-address { leaf start-ipv6-address {
type inet:ipv6-address; type inet:ipv6-address;
description description
"Start IPv6 address for a range match."; "Starting IPv6 address for a range match.";
} }
leaf end-ipv6-address { leaf end-ipv6-address {
type inet:ipv6-address; type inet:ipv6-address;
description description
"End IPv6 address for a range match."; "Ending IPv6 address for a range match.";
} }
description description
"Range match for an IPv6 address."; "Range match for an IPv6 address.";
} }
} }
} }
description description
"Grouping for IPv6 address."; "Grouping for IPv6 address.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address"; Specification - IPv6 address";
} }
grouping pkt-sec-port-number { grouping pkt-sec-port-number {
choice match-type { choice match-type {
description description
"There are two types to configure a security policy "There are two types of security policy TCP/UDP port
for a port number, such as exact match and range match."; matching - exact match and range match.";
case exact-match { case exact-match {
leaf-list port-num { leaf-list port-num {
type inet:port-number; type inet:port-number;
description description
"Exact match for a port number."; "Exact match for a port number.";
} }
} }
case range-match { case range-match {
list range-port-num { list range-port-num {
key "start-port-num end-port-num"; key "start-port-num end-port-num";
leaf start-port-num { leaf start-port-num {
type inet:port-number; type inet:port-number;
description description
"Start port number for a range match."; "Starting port number for a range match.";
} }
leaf end-port-num { leaf end-port-num {
type inet:port-number; type inet:port-number;
description description
"Start port number for a range match."; "Ending port number for a range match.";
} }
description description
"Range match for a port number."; "Range match for a port number.";
} }
} }
} }
description description
"Grouping for port number."; "Grouping for port number.";
reference reference
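Review bot: none of the range-match lists in this hunk (range-ipv4-address, range-ipv6-address, range-port-num) constrain the start to be at or below the end, so an entry with start-port-num 1024 and end-port-num 80 validates and matches nothing, which silently disables the rule. For ports the values are numeric and an XPath constraint works directly, e.g. must "start-port-num <= end-port-num"; on the range-port-num list; for the address ranges XPath 1.0 compares inet:ipv4-address and inet:ipv6-address as strings, so the ordering requirement has to be stated in the description as a check the server performs (or the range expressed as a prefix instead). One naming point: the exact-match case of pkt-sec-ipv6 uses the ipv6 grouping, which carries a prefix-length of 0..128, so an "exact match" there is really a prefix match; either drop prefix-length from that case or name the case after what it does.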
skipping to change at page 57, line 44 skipping to change at page 55, line 38
/* /*
* Data nodes * Data nodes
*/ */
container i2nsf-security-policy { container i2nsf-security-policy {
description description
"Container for security policy "Container for security policy
including a set of security rules according to certain logic, including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network i.e., their similarity or mutual relations, etc. The network
security policy is able to apply over both the unidirectional security policy can be applied to both the unidirectional
and bidirectional traffic across the NSF. and bidirectional traffic across the NSF.
The I2NSF security policies use the Event-Condition-Action The I2NSF security policies use the Event-Condition-Action
(ECA) policy model "; (ECA) policy model ";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA Policy Model of NSFs Capabilities - Design Principles and ECA Policy Model
Overview"; Overview";
list system-policy { list system-policy {
key "system-policy-name"; key "system-policy-name";
description description
"The system-policy represents there could be multiple system "The system-policy represents there could be multiple system
policies in one NSF, and each system policy is used by policies in one NSF, and each system policy is used by
one virtual instance of the NSF/device."; one virtual instance of the NSF/device.";
leaf system-policy-name { leaf system-policy-name {
type string; type string;
mandatory true;
description description
"The name of the policy. "The name of the policy.
This must be unique."; This must be unique.";
} }
leaf priority-usage { leaf priority-usage {
type identityref { type identityref {
base priority-usage-type; base priority-usage-type;
} }
default priority-by-order; default priority-by-order;
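Review bot: the mandatory true added to system-policy-name in -07 is redundant on a list key: RFC 7950 section 7.8.2 requires every key leaf to be given a value when the entry is created and says any mandatory statement in a key leaf is ignored, so the line adds nothing and some validators warn on it. The description's "This must be unique." is likewise already guaranteed by key "system-policy-name"; keep the description, drop the mandatory statement.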
skipping to change at page 58, line 39 skipping to change at page 56, line 32
"Priority usage type for security policy rule: "Priority usage type for security policy rule:
priority by order and priority by number"; priority by order and priority by number";
} }
leaf resolution-strategy { leaf resolution-strategy {
type identityref { type identityref {
base resolution-strategy; base resolution-strategy;
} }
default fmr; default fmr;
description description
"The resolution strategies can be used to "The resolution strategies that can be used to
specify how to resolve conflicts that occur between specify how to resolve conflicts that occur between
the actions of the same or different policy rules that actions of the same or different policy rules that
are matched and contained in this particular NSF"; are matched and contained in this particular NSF";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Resolution strategy"; of NSFs Capabilities - Resolution strategy";
} }
leaf default-action { leaf default-action {
type identityref { type identityref {
base default-action; base default-action;
} }
default alert; default alert;
description description
"This default action can be used to specify a predefined "This default action can be used to specify a predefined
action when no other alternative action was matched action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement."; is the use of a default statement in a C switch statement.";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Default action"; of NSFs Capabilities - Default action";
} }
list rules { list rules {
key "rule-name"; key "rule-name";
description description
"This is a rule for network security functions."; "This is a rule for network security functions.";
leaf rule-name { leaf rule-name {
type string; type string;
mandatory true;
description description
"The name of the rule. "The name of the rule.";
This must be unique.";
} }
leaf rule-description { leaf rule-description {
type string; type string;
description description
"This description gives more information about "This description gives more information about
rules."; rules.";
} }
leaf rule-priority { leaf rule-priority {
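Review bot: default-action defaults to alert, and on these lines alert only raises an alert; nothing says the packet is also dropped, so traffic that matches no rule passes through the NSF by default and the policy is fail-open. That is a surprising posture for a filtering NSF: either change the default to drop (default-deny, with alert chosen explicitly where wanted) or state in the description that alert leaves the packet unblocked, so that operators set default-action deliberately. As with system-policy-name earlier in the module, the mandatory true on rule-name is ignored on a list key per RFC 7950 section 7.8.2 and can be dropped.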
skipping to change at page 60, line 5 skipping to change at page 57, line 43
} }
description description
"The priority keyword comes with a mandatory "The priority keyword comes with a mandatory
numeric value which can range from 1 till 255."; numeric value which can range from 1 till 255.";
} }
leaf rule-enable { leaf rule-enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enbale."; False is not enable.";
} }
leaf session-aging-time { leaf session-aging-time {
type uint16; type uint16;
description description
"This is session aging time."; "This is session aging time.";
} }
container long-connection { container long-connection {
description description
"This is long-connection"; "This is long-connection";
leaf enable { leaf enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enbale."; False is not enbale.";
} }
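Review bot: session-aging-time is a bare uint16 with no units statement, and its description ("This is session aging time.") does not say whether the value is seconds or minutes, so two NSFs can apply the same number differently; add units "seconds" (or whatever is intended) and say what 0 means. In the same hunk the rule-enable description was corrected to "False is not enable" in -07, but the long-connection enable leaf on the following lines still reads "False is not enbale"; and the rule-priority description calls the value mandatory, so the leaf should carry mandatory true rather than rely on the prose.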
skipping to change at page 60, line 28 skipping to change at page 58, line 18
leaf enable { leaf enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enbale."; False is not enbale.";
} }
leaf during { leaf during {
type uint16; type uint16;
description description
"This is during time."; "This has long-connection during a time.";
} }
} }
container time-zone { container time-intervals {
description description
"Time zone when the rules are applied"; "Time zone when the rules are applied";
container absolute-time-zone { container absolute-time-interval {
description description
"Rule execution according to absolute time"; "Rule execution according to absolute time.
The absolute time intervals mean the exact time to
start or end.";
leaf start-time { leaf start-time {
type start-time-type; type start-time-type;
default right-away; default right-away;
description description
"Start time when the rules are applied"; "Start time when the rules are applied";
} }
leaf end-time { leaf end-time {
type end-time-type; type end-time-type;
default infinitely; default infinitely;
description description
"End time when the rules are applied"; "End time when the rules are applied";
} }
} }
container periodic-time-zone {
container periodic-time-interval {
description description
"Rule execution according to periodic time"; "Rule execution according to periodic time.
The periodic time intervals mean repeated time like
day, week, or month.";
container day { container day {
description description
"Rule execution according to day."; "Rule execution according to day.";
leaf every-day { leaf every-day {
type boolean; type boolean;
default true; default true;
description description
"Rule execution every day"; "Rule execution every day";
} }
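Review bot: nothing in absolute-time-interval stops end-time from being earlier than start-time, which yields a rule that is never active; XPath 1.0 cannot order date-and-time strings with < or >, so state in the end-time description that the server rejects an end-time earlier than start-time (the enumerated values right-away and infinitely excepted). The container was renamed from time-zone to time-intervals in -07, but its description still says "Time zone when the rules are applied", which now names a different concept; "Time intervals during which the rule is applied" fits. Also, the long-connection leaf during is a uint16 with no units and a description ("This has long-connection during a time.") that does not say what is measured, and the "enbale" typo survives in the second enable leaf.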
skipping to change at page 62, line 16 skipping to change at page 60, line 11
managed. When used in the context of policy rules for managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that user actions (e.g., logon, logoff, and actions that
violate any ACL.)."; violate any ACL.).";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA of NSFs Capabilities - Design Principles and ECA
Policy Model Overview Policy Model Overview
draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG
Data Model for Monitoring I2NSF Network Security Data Model for Monitoring I2NSF Network Security
Functions - System Alarm and System Events"; Functions - System Alarm and System Events";
leaf event-clause-description { leaf event-clause-description {
type string; type string;
description description
"Description for an event clause"; "Description for an event clause";
} }
container event-clauses { container event-clauses {
description description
"It has two event types such as "System Event Clause - either a system event or
system event and system alarm."; system alarm";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA Policy of NSFs Capabilities - Design Principles and ECA Policy
Model Overview Model Overview
draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG
Data Model for Monitoring I2NSF Network Security Data Model for Monitoring I2NSF Network Security
Functions - System Alarm and System Events"; Functions - System Alarm and System Events";
leaf-list system-event { leaf-list system-event {
type identityref { type identityref {
base system-event; base system-event;
} }
description description
"The security policy rule according to "The security policy rule according to
system events."; system events.";
skipping to change at page 63, line 29 skipping to change at page 61, line 24
compared with a set of known attributes, features, compared with a set of known attributes, features,
and/or values in order to determine whether or not the and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired comparing the internal state of an NSF to a desired
state."; state.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA Policy of NSFs Capabilities - Design Principles and ECA Policy
Model Overview"; Model Overview";
leaf condition-clause-description { leaf condition-clause-description {
type string; type string;
description description
"Description for a condition clause."; "Description for a condition clause.";
} }
container packet-security-ipv4-condition { container packet-security-ipv4-condition {
skipping to change at page 63, line 51 skipping to change at page 61, line 46
"The purpose of this container is to represent IPv4 "The purpose of this container is to represent IPv4
packet header information to determine if the set packet header information to determine if the set
of policy actions in this ECA policy rule should be of policy actions in this ECA policy rule should be
executed or not."; executed or not.";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
leaf ipv4-description { leaf ipv4-description {
type string; type string;
description description
"This is description for ipv4 condition."; "ipv4 condition texual description.";
} }
container pkt-sec-ipv4-header-length { container pkt-sec-ipv4-header-length {
choice match-type { choice match-type {
description description
"There are two types to configure a security "Security policy IPv4 Header length match -
policy for IPv4 header length, such as exact match exact match and range match.";
and range match.";
case exact-match { case exact-match {
leaf-list ipv4-header-length { leaf-list ipv4-header-length {
type uint8 { type uint8 {
range "5..15"; range "5..15";
} }
description description
"Exact match for an IPv4 header length."; "Exact match for an IPv4 header length.";
} }
} }
case range-match { case range-match {
list range-ipv4-header-length { list range-ipv4-header-length {
key "start-ipv4-header-length key "start-ipv4-header-length
end-ipv4-header-length"; end-ipv4-header-length";
leaf start-ipv4-header-length { leaf start-ipv4-header-length {
type uint8 { type uint8 {
range "5..15"; range "5..15";
} }
description description
"Start IPv4 header length for a range match."; "Starting IPv4 header length for a range match.";
} }
leaf end-ipv4-header-length { leaf end-ipv4-header-length {
type uint8 { type uint8 {
range "5..15"; range "5..15";
} }
description description
"End IPv4 header length for a range match."; "Ending IPv4 header length for a range match.";
} }
description description
"Range match for an IPv4 header length."; "Range match for an IPv4 header length.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 header length."; IPv4 header length.";
reference reference
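Review bot: typo in the reworded ipv4-description leaf: "ipv4 condition texual description." should read "Textual description of the IPv4 condition."; the new choice description "Security policy IPv4 Header length match - exact match and range match." also capitalises "Header" inconsistently with the other match-type descriptions in this container, so use "IPv4 header length".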
skipping to change at page 65, line 4 skipping to change at page 62, line 45
"Range match for an IPv4 header length."; "Range match for an IPv4 header length.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 header length."; IPv4 header length.";
reference reference
"RFC 791: Internet Protocol - Header length"; "RFC 791: Internet Protocol - Header length";
} }
leaf-list pkt-sec-ipv4-tos { leaf-list pkt-sec-ipv4-tos {
type identityref { type identityref {
base type-of-service; base type-of-service;
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 type of service."; IPv4 type of service.";
reference reference
"RFC 791: Internet Protocol - Type of service"; "RFC 1394: Internet Protocol - Type of service";
} }
container pkt-sec-ipv4-total-length { container pkt-sec-ipv4-total-length {
choice match-type { choice match-type {
description description
"There are two types to configure a security "Security policy IPv4 total length matching
policy for IPv4 total length, such as exact match - exact match and range match.";
and range match.";
case exact-match { case exact-match {
leaf-list ipv4-total-length { leaf-list ipv4-total-length {
type uint16; type uint16;
description description
"Exact match for an IPv4 total length."; "Exact match for an IPv4 total length.";
} }
} }
case range-match { case range-match {
list range-ipv4-total-length { list range-ipv4-total-length {
key "start-ipv4-total-length end-ipv4-total-length"; key "start-ipv4-total-length end-ipv4-total-length";
leaf start-ipv4-total-length { leaf start-ipv4-total-length {
type uint16; type uint16;
description description
"Start IPv4 total length for a range match."; "Starting IPv4 total length for a range match.";
} }
leaf end-ipv4-total-length { leaf end-ipv4-total-length {
type uint16; type uint16;
description description
"End IPv4 total length for a range match."; "Ending IPv4 total length for a range match.";
} }
description description
"Range match for an IPv4 total length."; "Range match for an IPv4 total length.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 total length."; IPv4 total length.";
reference reference
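Review bot: the pkt-sec-ipv4-tos reference was changed from "RFC 791: Internet Protocol - Type of service" to "RFC 1394: Internet Protocol - Type of service", but RFC 1394 as listed in this draft's own normative references is "Relationship of Telex Answerback Codes to Internet Domains", which has nothing to do with the IPv4 Type of Service field. Revert to RFC 791 (which defines the field), or if a dedicated TOS reference was intended, cite RFC 1349 ("Type of Service in the Internet Protocol Suite") with its correct title.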
skipping to change at page 66, line 48 skipping to change at page 64, line 42
} }
case range-match { case range-match {
list range-ipv4-fragment-offset { list range-ipv4-fragment-offset {
key "start-ipv4-fragment-offset key "start-ipv4-fragment-offset
end-ipv4-fragment-offset"; end-ipv4-fragment-offset";
leaf start-ipv4-fragment-offset { leaf start-ipv4-fragment-offset {
type uint16 { type uint16 {
range "0..16383"; range "0..16383";
} }
description description
"Start IPv4 fragment offset for a range match."; "Starting IPv4 fragment offset for a range match.";
} }
leaf end-ipv4-fragment-offset { leaf end-ipv4-fragment-offset {
type uint16 { type uint16 {
range "0..16383"; range "0..16383";
} }
description description
"End IPv4 fragment offset for a range match."; "Ending IPv4 fragment offset for a range match.";
} }
description description
"Range match for an IPv4 fragment offset."; "Range match for an IPv4 fragment offset.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 fragment offset."; IPv4 fragment offset.";
reference reference
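Review bot: range-ipv4-fragment-offset (and likewise every other range-* list in this module) is keyed on start and end leaves but nothing constrains end to be greater than or equal to start, so a range of start 100, end 5 validates and its match semantics are undefined. Add a constraint on the list, e.g. `must "start-ipv4-fragment-offset <= end-ipv4-fragment-offset";`, or state in the description that an inverted range matches no packet.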
skipping to change at page 67, line 40 skipping to change at page 65, line 34
description description
"Exact match for an IPv4 TTL."; "Exact match for an IPv4 TTL.";
} }
} }
case range-match { case range-match {
list range-ipv4-ttl { list range-ipv4-ttl {
key "start-ipv4-ttl end-ipv4-ttl"; key "start-ipv4-ttl end-ipv4-ttl";
leaf start-ipv4-ttl { leaf start-ipv4-ttl {
type uint8; type uint8;
description description
"Start IPv4 TTL for a range match."; "Starting IPv4 TTL for a range match.";
} }
leaf end-ipv4-ttl { leaf end-ipv4-ttl {
type uint8; type uint8;
description description
"End IPv4 TTL for a range match."; "Ending IPv4 TTL for a range match.";
} }
description description
"Range match for an IPv4 TTL."; "Range match for an IPv4 TTL.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 time-to-live (TTL)."; IPv4 time-to-live (TTL).";
reference reference
skipping to change at page 69, line 4 skipping to change at page 66, line 43
leaf-list pkt-sec-ipv4-ipopts { leaf-list pkt-sec-ipv4-ipopts {
type identityref { type identityref {
base ipopts; base ipopts;
} }
description description
"The security policy rule according to "The security policy rule according to
IPv4 options."; IPv4 options.";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
leaf pkt-sec-ipv4-sameip {
leaf pkt-sec-ipv4-same-ip {
type boolean; type boolean;
description description
"Every packet has a source IP-address and "Match on packets with the same IPv4 source
a destination IP-address. It can be that and IPv4 destination address.";
the source IP is the same as
the destination IP.";
} }
leaf-list pkt-sec-ipv4-geoip { leaf-list pkt-sec-ipv4-geo-ip {
type string; type string;
description description
"The geoip keyword enables you to match on "The geo-ip keyword enables you to match on
the source, destination or source and destination the source, destination or source and destination
IP addresses of network traffic and to see to IP addresses of network traffic and to see to
which country it belongs. To do this, Suricata which country it belongs. To do this, Suricata
uses GeoIP API with MaxMind database format."; uses GeoIP API with MaxMind database format.";
} }
} }
container packet-security-ipv6-condition { container packet-security-ipv6-condition {
description description
"The purpose of this container is to represent "The purpose of this container is to represent
IPv6 packet header information to determine IPv6 packet header information to determine
if the set of policy actions in this ECA policy if the set of policy actions in this ECA policy
rule should be executed or not."; rule should be executed or not.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification"; Specification";
leaf ipv6-description { leaf ipv6-description {
type string; type string;
description description
"This is description for ipv6 condition."; "This is description for ipv6 condition.";
} }
leaf-list pkt-sec-ipv6-traffic-class { leaf-list pkt-sec-ipv6-traffic-class {
type identityref { type identityref {
base traffic-class; base traffic-class;
} }
description description
"The security policy rule according to "The security policy rule according to
IPv6 traffic class."; IPv6 traffic class.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic class"; Specification - Traffic class";
} }
container pkt-sec-ipv6-flow-label { container pkt-sec-ipv6-flow-label {
choice match-type { choice match-type {
description description
"There are two types to configure a security "There are two types to configure a security
policy for IPv6 flow label, such as exact match policy for IPv6 flow label, such as exact match
and range match."; and range match.";
case exact-match { case exact-match {
leaf-list ipv6-flow-label { leaf-list ipv6-flow-label {
type uint32 { type uint32 {
range "0..1048575"; range "0..1048575";
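Review bot: the description of the renamed pkt-sec-ipv4-geo-ip leaf-list (type string) still describes a Suricata implementation detail ("uses GeoIP API with MaxMind database format") rather than the model's contract; for a standards-track module say what the string carries (for example a country code) and whether it applies to the source, the destination, or both, or split it into source and destination nodes as this module already does for pkt-sec-ipv6-src and pkt-sec-ipv6-dest. Also, ipv6-description keeps "This is description for ipv6 condition." while its IPv4 sibling was reworded in this revision; align the two.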
skipping to change at page 70, line 27 skipping to change at page 68, line 18
} }
} }
case range-match { case range-match {
list range-ipv6-flow-label { list range-ipv6-flow-label {
key "start-ipv6-flow-label end-ipv6-flow-label"; key "start-ipv6-flow-label end-ipv6-flow-label";
leaf start-ipv6-flow-label { leaf start-ipv6-flow-label {
type uint32 { type uint32 {
range "0..1048575"; range "0..1048575";
} }
description description
"Start IPv6 flow label for a range match."; "Starting IPv6 flow label for a range match.";
} }
leaf end-ipv6-flow-label { leaf end-ipv6-flow-label {
type uint32 { type uint32 {
range "0..1048575"; range "0..1048575";
} }
description description
"End IPv6 flow label for a range match."; "Ending IPv6 flow label for a range match.";
} }
description description
"Range match for an IPv6 flow label."; "Range match for an IPv6 flow label.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv6 flow label."; IPv6 flow label.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Flow label"; Specification - Flow label";
} }
container pkt-sec-ipv6-payload-length { container pkt-sec-ipv6-payload-length {
choice match-type { choice match-type {
description description
"There are two types to configure a security "There are two types to configure a security
policy for IPv6 payload length, such as policy for IPv6 payload length, such as
exact match and range match."; exact match and range match.";
case exact-match { case exact-match {
skipping to change at page 71, line 13 skipping to change at page 69, line 4
description description
"There are two types to configure a security "There are two types to configure a security
policy for IPv6 payload length, such as policy for IPv6 payload length, such as
exact match and range match."; exact match and range match.";
case exact-match { case exact-match {
leaf-list ipv6-payload-length { leaf-list ipv6-payload-length {
type uint16; type uint16;
description description
"Exact match for an IPv6 payload length."; "Exact match for an IPv6 payload length.";
} }
} }
case range-match { case range-match {
list range-ipv6-payload-length { list range-ipv6-payload-length {
key "start-ipv6-payload-length key "start-ipv6-payload-length
end-ipv6-payload-length"; end-ipv6-payload-length";
leaf start-ipv6-payload-length { leaf start-ipv6-payload-length {
type uint16; type uint16;
description description
"Start IPv6 payload length for a range match."; "Starting IPv6 payload length for a range match.";
} }
leaf end-ipv6-payload-length { leaf end-ipv6-payload-length {
type uint16; type uint16;
description description
"End IPv6 payload length for a range match."; "Ending IPv6 payload length for a range match.";
} }
description description
"Range match for an IPv6 payload length."; "Range match for an IPv6 payload length.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv6 payload length."; IPv6 payload length.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Payload length"; Specification - Payload length";
} }
leaf-list pkt-sec-ipv6-next-header { leaf-list pkt-sec-ipv6-next-header {
type identityref { type identityref {
base next-header; base next-header;
} }
description description
"The security policy rule according to "The security policy rule according to
IPv6 next header."; IPv6 next header.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next header"; Specification - Next header";
} }
container pkt-sec-ipv6-hop-limit { container pkt-sec-ipv6-hop-limit {
choice match-type { choice match-type {
description description
"There are two types to configure a security "There are two types to configure a security
policy for IPv6 hop limit, such as exact match policy for IPv6 hop limit, such as exact match
and range match."; and range match.";
case exact-match { case exact-match {
leaf-list ipv6-hop-limit { leaf-list ipv6-hop-limit {
type uint8; type uint8;
description description
skipping to change at page 72, line 39 skipping to change at page 70, line 31
} }
description description
"Range match for an IPv6 hop limit."; "Range match for an IPv6 hop limit.";
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
IPv6 hop limit."; IPv6 hop limit.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Hop limit"; Specification - Hop limit";
} }
container pkt-sec-ipv6-src { container pkt-sec-ipv6-src {
uses pkt-sec-ipv6; uses pkt-sec-ipv6;
description description
"The security policy rule according to "The security policy rule according to
IPv6 source address."; IPv6 source address.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address"; Specification - IPv6 address";
} }
container pkt-sec-ipv6-dest { container pkt-sec-ipv6-dest {
uses pkt-sec-ipv6; uses pkt-sec-ipv6;
description description
"The security policy rule according to "The security policy rule according to
IPv6 destination address."; IPv6 destination address.";
reference reference
"RFC 2460: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address"; Specification - IPv6 address";
} }
} }
container packet-security-tcp-condition { container packet-security-tcp-condition {
description description
"The purpose of this container is to represent "The purpose of this container is to represent
TCP packet header information to determine TCP packet header information to determine
if the set of policy actions in this ECA policy if the set of policy actions in this ECA policy
skipping to change at page 81, line 22 skipping to change at page 79, line 15
description description
"Condition for context"; "Condition for context";
leaf context-description { leaf context-description {
type string; type string;
description description
"This is description for context condition. "This is description for context condition.
Vendors can write instructions for context condition Vendors can write instructions for context condition
that vendor made"; that vendor made";
} }
leaf-list acl-number {
type uint32;
description
"This is acl-number.";
}
container application-condition { container application-condition {
description description
"Condition for application"; "Condition for application";
leaf application-description { leaf application-description {
type string; type string;
description description
"This is description for application condition."; "This is description for application condition.";
} }
leaf-list application-object { leaf-list application-object {
type string; type string;
skipping to change at page 83, line 29 skipping to change at page 81, line 16
authentication mode and so on. Name/id is often authentication mode and so on. Name/id is often
used in the security policy to identify the user. used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the Besides, NSF is aware of the IP address of the
user provided by a unified user management system user provided by a unified user management system
via network. Based on name-address association, via network. Based on name-address association,
NSF is able to enforce the security functions NSF is able to enforce the security functions
over the given user (or user group)"; over the given user (or user group)";
choice user-name { choice user-name {
description description
"The name of the user. "The name of the user.";
This must be unique.";
case tenant { case tenant {
description description
"Tenant information."; "Tenant information.";
leaf tenant { leaf tenant {
type uint8; type uint8;
mandatory true;
description description
"User's tenant information."; "User's tenant information.";
} }
} }
case vn-id { case vn-id {
description description
"VN-ID information."; "VN-ID information.";
leaf vn-id { leaf vn-id {
type uint8; type uint8;
mandatory true;
description description
"User's VN-ID information."; "User's VN-ID information.";
} }
} }
} }
} }
container group { container group {
description description
"The user (or user group) information with which "The user (or user group) information with which
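Review bot: the choice user-name is described as "The name of the user." but its only cases, tenant and vn-id, are uint8 identifiers, so no user name can be expressed and the description does not match the data; either add a case carrying the name (the container description itself says "Name/id is often used in the security policy to identify the user") or rename the choice and its description to reflect tenant/VN-ID identification. The added `mandatory true` on the leaf inside each case does not make the choice mandatory, so a user container with no identifier at all still validates; if an identifier is required, put `mandatory true` on the choice. Note also that uint8 limits both tenant and VN-ID to 0..255.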
skipping to change at page 84, line 25 skipping to change at page 82, line 9
authentication mode and so on. Name/id is often authentication mode and so on. Name/id is often
used in the security policy to identify the user. used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the Besides, NSF is aware of the IP address of the
user provided by a unified user management system user provided by a unified user management system
via network. Based on name-address association, via network. Based on name-address association,
NSF is able to enforce the security functions NSF is able to enforce the security functions
over the given user (or user group)"; over the given user (or user group)";
choice group-name { choice group-name {
description description
"The name of the user. "The name of the user.";
This must be unique.";
case tenant { case tenant {
description description
"Tenant information."; "Tenant information.";
leaf tenant { leaf tenant {
type uint8; type uint8;
mandatory true;
description description
"User's tenant information."; "User's tenant information.";
} }
} }
case vn-id { case vn-id {
description description
"VN-ID information."; "VN-ID information.";
leaf vn-id { leaf vn-id {
type uint8; type uint8;
mandatory true;
description description
"User's VN-ID information."; "User's VN-ID information.";
} }
} }
} }
} }
leaf security-grup { leaf security-group {
type string; type string;
mandatory true;
description description
"security-grup."; "security-group.";
} }
} }
container gen-context-condition { container gen-context-condition {
description description
"Condition for generic context"; "Condition for generic context";
leaf gen-context-description { leaf gen-context-description {
type string; type string;
description description
"This is description for generic context condition. "This is description for generic context condition.
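Review bot: the group container is a verbatim copy of the user container text: the choice group-name is described as "The name of the user." and its leaves say "User's tenant information." and "User's VN-ID information.", with the same mismatch between a "name" and uint8 tenant/vn-id cases noted for the user container. The renamed security-group leaf gains `mandatory true`, which now makes every group instance invalid without it, yet its description is still just "security-group."; state what the string identifies (for example the security group name the NSF matches on) and whether it must be unique.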
skipping to change at page 86, line 16 skipping to change at page 83, line 43
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection, include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection web and flow filtering, and deep packet inspection
for packets and flows."; for packets and flows.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA Policy of NSFs Capabilities - Design Principles and ECA Policy
Model Overview"; Model Overview";
leaf action-clause-description { leaf action-clause-description {
type string; type string;
description description
"Description for an action clause."; "Description for an action clause.";
} }
container packet-action { container packet-action {
description description
"Action for packets"; "Action for packets";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-04: Information Model draft-ietf-i2nsf-capability-05: Information Model
of NSFs Capabilities - Design Principles and ECA of NSFs Capabilities - Design Principles and ECA
Policy Model Overview"; Policy Model Overview";
leaf ingress-action { leaf ingress-action {
type identityref { type identityref {
base ingress-action; base ingress-action;
} }
description description
"Action: pass, drop, reject, alert, and mirror."; "Action: pass, drop, reject, alert, and mirror.";
} }
skipping to change at page 89, line 41 skipping to change at page 87, line 24
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950].
name: ietf-i2nsf-policy-rule-for-nsf name: ietf-i2nsf-policy-rule-for-nsf
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-
nsf nsf
prefix: iiprfn prefix: nsfintf
reference: RFC XXXX reference: RFC XXXX
7. Security Considerations 7. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required secure transport is the secure transport layer, and the required secure transport is
Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
and the required secure transport is TLS [RFC8446]. and the required secure transport is TLS [RFC8446].
The NETCONF access control model [RFC8341] provides a means of The NETCONF access control model [RFC8341] provides a means of
restricting access to specific NETCONF or RESTCONF users to a restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability:
o ietf-i2nsf-policy-rule-for-nsf: The attacker may provide incorrect
policy information of any target NSFs by illegally modifying this.
Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data
nodes and their sensitivity/vulnerability:
o ietf-i2nsf-policy-rule-for-nsf: The attacker may gather the
security policy information of any target NSFs and misuse the
security policy information for subsequent attacks.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC1394] Robinson, P., "Relationship of Telex Answerback Codes to
Internet Domains", RFC 1394, DOI 10.17487/RFC1394, January
1993, <https://www.rfc-editor.org/info/rfc1394>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August
1980.
[RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981.
[RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981.
[RFC792] Postel, J., "Internet Control Message Protocol", RFC 792,
September 1981.
[RFC793] Postel, J., "Transmission Control Protocol", RFC 793,
September 1981.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
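Review bot: the normative reference list now adds [RFC1394], whose listed title is "Relationship of Telex Answerback Codes to Internet Domains", while dropping the RFC 768, 790, 791, 792 and 793 entries; RFC 791 is still cited by the module's reference statements (the IPv4 condition container, pkt-sec-ipv4-header-length and pkt-sec-ipv4-ipopts), so keep at least that entry and remove RFC 1394 unless something actually cites it. RFC 3261 (SIP) is also added as normative; confirm it is cited in the module, otherwise it belongs under informative references. In the new Security Considerations text, both the writable and the readable sensitivity lists name only the whole ietf-i2nsf-policy-rule-for-nsf module, whereas the RFC 8407 template expects the specific subtrees and what each exposes (for example the condition containers that reveal matched addresses and users, and the action containers that control forwarding); "by illegally modifying this" should read "by modifying it without authorization".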
skipping to change at page 91, line 30 skipping to change at page 90, line 11
S., and N. Bahadur, "A YANG Data Model for the Routing S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>. September 2018, <https://www.rfc-editor.org/info/rfc8431>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
8.2.  Informative References

   [draft-dong-i2nsf-asf-config]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-05 (work in progress), July 2019.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-05 (work in progress), July 2019.

   [draft-ietf-supa-generic-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.
Appendix A.  Configuration Examples

   This section shows configuration examples of the "ietf-i2nsf-policy-
   rule-for-nsf" module for security policy rules of network security
   devices.  For the security requirements, we assume that the NSFs
   (i.e., general firewall, time based firewall, URL filter, VoIP/VoLTE
   filter, and http and https flood mitigation) described in Appendix A.
   Configuration Examples of [draft-ietf-i2nsf-capability-data-model]
   are registered in the I2NSF framework.  With the registered NSFs, we
   show configuration examples for security policy rules of network
   security functions according to the following three security
   requirements: (i) block SNS access during business hours, (ii) block
   malicious VoIP/VoLTE packets coming to the company, and (iii)
   mitigate http and https flood attacks on the company web server.
A.1.  Security Requirement 1: Block SNS Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours.
   <i2nsf-security-policy
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
     <system-policy>
       <system-policy-name>sns_access</system-policy-name>
       <rules>
         <rule-name>block_sns_access_during_operation_time</rule-name>
         <time-intervals>
           <absolute-time-interval>
             <start-time>09:00:00Z</start-time>
             <end-time>18:00:00Z</end-time>
           </absolute-time-interval>
         </time-intervals>
         <condition-clause-container>
           <packet-security-ipv4-condition>
             <pkt-sec-ipv4-src>
               <range-ipv4-address>
                 <start-ipv4-address>221.159.112.1</start-ipv4-address>
                 <end-ipv4-address>221.159.112.90</end-ipv4-address>
               </range-ipv4-address>
             </pkt-sec-ipv4-src>
           </packet-security-ipv4-condition>
         </condition-clause-container>
   [...]
                               Business Hours
   Figure 7 and Figure 8 show the configuration XML documents for the
   time based firewall and the web filter to block SNS access during
   business hours.  For this security requirement, two NSFs (i.e., a
   time based firewall and a web filter) were used because one NSF
   cannot meet the security requirement on its own.  The instances of
   the XML documents for the time based firewall and the web filter are
   as follows.  Note that a detailed data model for the configuration
   of the advanced network security function (i.e., the web filter) is
   described in [draft-dong-i2nsf-asf-config].
   Time based Firewall

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.; the "Z" suffix on the start-time and end-time values
       in the XML means these are UTC times, so an NSF in another time
       zone must convert before comparing).
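   The following Python program is an added example and is not part of
   the draft or of its YANG module.  It parses a constructed XML
   instance modelled on the Figure 7 fragment above (completed with the
   closing tags the figure elides) and decides whether a packet from a
   given source address at a given time falls under the time based
   firewall rule, i.e. whether the source is in the 221.159.112.1 to
   221.159.112.90 range and the packet time is inside 09:00:00Z to
   18:00:00Z.  The element names follow the fragment; the half-open
   reading of the interval, the wrap-around handling for an interval
   whose end precedes its start, and the refusal of timestamps without
   a time zone are assumptions of this example.  The action on a match
   (blocking, per the description) is left to the caller.

```python
"""Added example: evaluate the time based firewall rule of Figure 7.

Not part of the draft.  POLICY_XML is constructed from the fragment in
the text and completed with closing tags so that it parses.
"""
from datetime import datetime, time, timedelta, timezone
import ipaddress
import xml.etree.ElementTree as ET

NS = {"nsf": "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"}

POLICY_XML = """\
<i2nsf-security-policy
  xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
  <system-policy>
    <system-policy-name>sns_access</system-policy-name>
    <rules>
      <rule-name>block_sns_access_during_operation_time</rule-name>
      <time-intervals>
        <absolute-time-interval>
          <start-time>09:00:00Z</start-time>
          <end-time>18:00:00Z</end-time>
        </absolute-time-interval>
      </time-intervals>
      <condition-clause-container>
        <packet-security-ipv4-condition>
          <pkt-sec-ipv4-src>
            <range-ipv4-address>
              <start-ipv4-address>221.159.112.1</start-ipv4-address>
              <end-ipv4-address>221.159.112.90</end-ipv4-address>
            </range-ipv4-address>
          </pkt-sec-ipv4-src>
        </packet-security-ipv4-condition>
      </condition-clause-container>
    </rules>
  </system-policy>
</i2nsf-security-policy>
"""


def _text(node, path):
    """Return the stripped text of a mandatory child element."""
    child = node.find(path, NS)
    if child is None or child.text is None:
        raise ValueError("missing element " + path)
    return child.text.strip()


def _utc_time(value):
    """Parse hh:mm:ssZ as written in the model; reject non-UTC values."""
    if not value.endswith("Z"):
        raise ValueError("time is not UTC: " + value)
    return time.fromisoformat(value[:-1])


def _as_time(v):
    return v if isinstance(v, time) else time.fromisoformat(v)


def parse_rule(xml_doc):
    """Extract rule name, time interval and IPv4 source range."""
    root = ET.fromstring(xml_doc)
    rule = root.find("nsf:system-policy/nsf:rules", NS)
    if rule is None:
        raise ValueError("no rule found")
    interval = rule.find("nsf:time-intervals/nsf:absolute-time-interval", NS)
    rng = rule.find(
        "nsf:condition-clause-container/nsf:packet-security-ipv4-condition"
        "/nsf:pkt-sec-ipv4-src/nsf:range-ipv4-address", NS)
    if interval is None or rng is None:
        raise ValueError("rule lacks a time interval or IPv4 source range")
    lo = ipaddress.IPv4Address(_text(rng, "nsf:start-ipv4-address"))
    hi = ipaddress.IPv4Address(_text(rng, "nsf:end-ipv4-address"))
    if hi < lo:
        raise ValueError("inverted IPv4 range")
    return {
        "policy": _text(root, "nsf:system-policy/nsf:system-policy-name"),
        "rule": _text(rule, "nsf:rule-name"),
        "start": _utc_time(_text(interval, "nsf:start-time")),
        "end": _utc_time(_text(interval, "nsf:end-time")),
        "src_range": (lo, hi),
    }


def in_interval(t, start, end):
    """Assumption: [start, end); end <= start means it wraps midnight."""
    t, start, end = _as_time(t), _as_time(start), _as_time(end)
    if start < end:
        return start <= t < end
    return t >= start or t < end


def rule_matches(rule, src_ip, when):
    """True if the packet falls under the rule (the NSF then blocks it).

    `when` is a timezone-aware datetime or an ISO-8601 string with an
    offset; naive timestamps are rejected rather than guessed at.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("packet timestamp must carry a timezone")
    t = when.astimezone(timezone.utc).time()      # the rule is in UTC
    ip = ipaddress.IPv4Address(src_ip)
    lo, hi = rule["src_range"]
    return in_interval(t, rule["start"], rule["end"]) and lo <= ip <= hi


if __name__ == "__main__":
    rule = parse_rule(POLICY_XML)
    kst = timezone(timedelta(hours=9))
    for src, when in [("221.159.112.50", datetime(2019, 7, 25, 10, 0, tzinfo=timezone.utc)),
                      ("221.159.112.50", datetime(2019, 7, 25, 15, 0, tzinfo=kst)),
                      ("221.159.112.91", datetime(2019, 7, 25, 10, 0, tzinfo=timezone.utc))]:
        print(rule["rule"], src, when.isoformat(), rule_matches(rule, src, when))
```

   The second case in the demonstration (15:00 at UTC+9) is 06:00Z and
   therefore does not match, which is the practical point of the "Z"
   suffix: an NSF that compared the local wall clock against 09:00 to
   18:00 would block the wrong nine hours.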
   [...]
                  VoIP/VoLTE Packets Coming to the Company
   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter to block malicious VoIP/
   VoLTE packets coming to the company.  For this security requirement,
   two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were
   used because one NSF cannot meet the security requirement on its
   own.  The instances of the XML documents for the general firewall
   and the VoIP/VoLTE filter are as follows.  Note that a detailed data
   model for the configuration of the advanced network security
   function (i.e., the VoIP/VoLTE filter) is described in
   [draft-dong-i2nsf-asf-config].
   General Firewall

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule matches on the destination IPv4 address range (from
       221.159.112.1 to 221.159.112.90) so that the packets coming into
       the company are inspected.
   [...]
   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the http and https flood attack mitigation to
   mitigate http and https flood attacks on a company web server.  For
   this security requirement, two NSFs (i.e., a general firewall and an
   http and https flood attack mitigation) were used because one NSF
   cannot meet the security requirement on its own.  The instances of
   the XML documents for the general firewall and the http and https
   flood attack mitigation are as follows.  Note that a detailed data
   model for the configuration of the advanced network security
   function (i.e., the http and https flood attack mitigation) is
   described in [draft-dong-i2nsf-asf-config].
   General Firewall

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule matches on the destination IPv4 address 221.159.112.95
       so that the access packets coming into the company web server
       are inspected.
   [...]
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the http and https packets according to the
       rate of incoming packets (the rule name indicates a threshold of
       100 packets per second).

   4.  If the incoming packets match the rules above, the packets are
       blocked.
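   The following Python program is an added example and is not part of
   the draft or of any NSF implementation.  It shows one way to enforce
   the 100_per_second rule described above for the web server
   221.159.112.95: a sliding one-second window per source address over
   packets destined to the http and https ports, admitting at most 100
   and dropping the rest, while leaving traffic outside the rule's scope
   untouched.  The per-source counting, the sliding-window semantics,
   the choice of ports 80 and 443, and the packet representation are
   assumptions of this example; the draft only names the rule and the
   destination address.  The traffic stream is constructed.

```python
"""Added example: rate-based http/https flood mitigation for the web
server of Security Requirement 3.  Not part of the draft; the packet
stream below is constructed.
"""
from collections import Counter, defaultdict, deque

WEB_SERVER = "221.159.112.95"        # destination named in the text
WEB_PORTS = frozenset({80, 443})     # http and https (assumption)
THRESHOLD = 100                      # rule "100_per_second"
WINDOW_SECONDS = 1.0


class FloodMitigator:
    """Sliding-window limiter.

    At most `threshold` packets per source to the web server are
    admitted within any `window` seconds; the excess is dropped.  Only
    admitted packets are counted, so a flooding source still gets its
    100 packets per second through and everything above is dropped,
    rather than being locked out entirely.
    """

    def __init__(self, dst=WEB_SERVER, ports=WEB_PORTS,
                 threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.dst, self.ports = dst, ports
        self.threshold, self.window = threshold, window
        self.admitted = defaultdict(deque)   # src -> admitted timestamps

    def decide(self, pkt):
        """pkt: dict with src, dst, dport, ts (seconds, monotonic).

        Returns "pass" or "drop".
        """
        if pkt["dst"] != self.dst or pkt["dport"] not in self.ports:
            return "pass"                    # outside the rule's scope
        q = self.admitted[pkt["src"]]
        cutoff = pkt["ts"] - self.window
        while q and q[0] <= cutoff:          # expire entries older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return "drop"
        q.append(pkt["ts"])
        return "pass"


def run(packets, mitigator=None):
    """Apply the limiter to a stream in time order; return verdict counts."""
    m = mitigator if mitigator is not None else FloodMitigator()
    verdicts = Counter()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        verdicts[m.decide(pkt)] += 1
    return verdicts


def constructed_stream():
    """Constructed traffic: one client sending 150 https packets within
    one second, a normal client sending 5 http packets, and 3 packets to
    port 22 that the rule must not touch."""
    pkts = [{"src": "203.0.113.7", "dst": WEB_SERVER, "dport": 443,
             "ts": i / 150} for i in range(150)]
    pkts += [{"src": "198.51.100.9", "dst": WEB_SERVER, "dport": 80,
              "ts": 0.2 * i} for i in range(5)]
    pkts += [{"src": "203.0.113.7", "dst": WEB_SERVER, "dport": 22,
              "ts": 0.5 + 0.1 * i} for i in range(3)]
    return pkts


if __name__ == "__main__":
    print(run(constructed_stream()))   # Counter({'pass': 108, 'drop': 50})
```

   Because the window slides rather than resets on a fixed second
   boundary, a source cannot send 100 packets at the end of one second
   and 100 more at the start of the next and still get 200 through
   within a few milliseconds; whether the NSF counts dropped packets
   against the source as well (turning the limiter into a lock-out) is a
   policy decision that the rule name alone does not settle.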
Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-06

   The following changes are made from draft-ietf-i2nsf-nsf-facing-
   interface-dm-06:

   o  The version is revised according to the comments from Acee Lindem,
      who reviewed the document as a YANG doctor.
Appendix C.  Acknowledgments

   This work was supported by Institute of Information & Communications
   Technology Planning & Evaluation (IITP) grant funded by the Korea
   MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
   Security Intelligence Technology Development for the Customized
   Security Service Provisioning).
Appendix D.  Contributors

   This document is made by the group effort of I2NSF working group.
   Many people actively contributed to this document.  The following are
   considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)
   End of changes.  288 change blocks.  550 lines changed or deleted,
   467 lines changed or added.

   This html diff was produced by rfcdiff 1.47.  The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/