draft-ietf-i2nsf-nsf-facing-interface-dm-10.txt   draft-ietf-i2nsf-nsf-facing-interface-dm-11.txt
(side-by-side comparison of the -10 and -11 revisions; the text below follows -11)

I2NSF Working Group                                              J. Kim, Ed.
Internet-Draft                                                 J. Jeong, Ed.
Intended status: Standards Track                     Sungkyunkwan University
Expires: August 6, 2021                                              J. Park
                                                                        ETRI
                                                                    S. Hares
                                                                      Q. Lin
                                                                      Huawei
                                                            February 2, 2021

      I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-11
Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework. The YANG data model in
   this document corresponds to the information model for the NSF-Facing
   Interface in the I2NSF framework.
Status of This Memo

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 6, 2021.
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Terminology
   3.  YANG Tree Diagram
     3.1.  General I2NSF Security Policy Rule
     3.2.  Event Clause
     3.3.  Condition Clause
     3.4.  Action Clause
   4.  YANG Data Model of NSF-Facing Interface
     4.1.  YANG Module of NSF-Facing Interface
   5.  XML Configuration Examples of Low-Level Security Policy Rules
     5.1.  Security Requirement 1: Block Social Networking Service
           (SNS) Access during Business Hours
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to a Company
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Contributors
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses
1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF). The YANG data model in this document is based on the
   information model in [I-D.ietf-i2nsf-capability-data-model] for the
   NSF-Facing Interface in the Interface to Network Security Functions
   (I2NSF) architecture [RFC8329]. The YANG data model in this document
   focuses on security policy configuration for generic network security
   functions (e.g., firewall, web filter, and Distributed-Denial-of-
   Service (DDoS) attack mitigator)
   [I-D.ietf-i2nsf-capability-data-model]. Security policy
   configuration for advanced network security functions, such as an
   Intrusion Prevention System (IPS) and anti-virus
   [I-D.ietf-i2nsf-capability-data-model], is out of the scope of this
   document.

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the configuration of the following features:

   o  A general security policy rule of a generic network security
      function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.
2.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA). The meaning of the symbols in tree
   diagrams is defined in [RFC8340].
3.  YANG Tree Diagram

   This section shows a YANG tree diagram of the security policy rule
   for generic network security functions. Advanced network security
   functions, such as an Intrusion Prevention System (IPS) and
   anti-virus [I-D.ietf-i2nsf-capability-data-model], are out of the
   scope of this document and can be defined in the future.
3.1.  General I2NSF Security Policy Rule

   This section shows a YANG tree diagram for a general I2NSF security
   policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name          string
           +--rw priority-usage?             identityref
           +--rw resolution-strategy?        identityref
           +--rw default-action?             identityref
           +--rw rules* [rule-name]
           |  +--rw rule-name                   string
           |  +--rw rule-description?           string
           |  +--rw rule-priority?              uint8
           |  +--rw rule-enable?                boolean
           |  +--rw rule-session-aging-time?    uint16
           |  +--rw rule-long-connection
           |  |  +--rw enable?     boolean
           |  |  +--rw duration?   uint16
           |  +--rw time-intervals
           |  |  +--rw absolute-time-interval
           |  |  |  +--rw start-time?   start-time-type
           |  |  |  +--rw end-time?     end-time-type
           |  |  +--rw periodic-time-interval
           |  |     +--rw day
           |  |     |  +--rw every-day?      boolean
           |  |     |  +--rw specific-day*   day-type
           |  |     +--rw month
           |  |        +--rw every-month?      boolean
           |  |        +--rw specific-month*   month-type
           |  +--rw event-clause-container
           |  |  ...
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              +--rw groups* [group-name]
                 +--rw group-name     string
                 +--rw rule-range
                 |  +--rw start-rule?   string
                 |  +--rw end-rule?     string
                 +--rw enable?        boolean
                 +--rw description?   string

            Figure 1: YANG Tree Diagram for Network Security Policy
   The system policy provides for multiple system policies in one NSF,
   and each system policy is used by one virtual instance of the NSF/
   device. The system policy includes system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF. The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN). The resolution
   strategy can be extended according to specific vendor action
   features. The resolution strategy is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

   A default action is the action the NSF applies to a packet when no
   rule of the system policy matches it. The default action is defined
   as pass, drop, reject, alert, and mirror. The default action can be
   extended according to specific vendor action features. The default
   action is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

   The rules include rule name, rule description, rule priority, rule
   enable, session aging time, long-connection settings, time intervals,
   event clause container, condition clause container, and action clause
   container.
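   The following Python sketch is an added example, not code from this
   draft or from any I2NSF implementation. It shows how an NSF could apply
   the semantics described above to one packet: enabled rules are tested
   through the condition clause's (match-type) choice of the tree in
   Section 3.3 (an exact-match leaf-list, or a range-match list keyed by
   start/end; IPv4 addresses with prefix-length, netmask or a range), the
   set of matched rules is resolved under FMR, LMR, PMRE or PMRN, and the
   default action is returned when nothing matches. The policy is a plain
   dict whose keys follow the -11 node names. Assumptions that this section
   does not settle, and that are labelled in the code: a larger
   rule-priority wins under PMRE/PMRN; PMRE rejects two matching rules that
   share the top priority while PMRN takes the first of them in rule order;
   the elided action-clause-container is reduced to a single "action"
   string; sub-conditions of one rule are ANDed.

```python
"""Evaluator for the Figure 1 structure: enabled rules, the (match-type)
choice of the condition clause, resolution strategy and default-action.
Added example; node names follow the -11 tree, everything else is assumed."""
import ipaddress
from dataclasses import dataclass


class PolicyConflict(Exception):
    """PMRE (assumed semantics): two matching rules share the top priority."""


@dataclass
class Packet:
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    protocol: str   # "tcp" or "udp" (pkt-sec-ipv4-protocol is an identityref)
    dport: int      # transport destination port


def match_choice(spec, value, exact, rng, start, end):
    """The (match-type) choice: exact-match leaf-list, or range-match list
    keyed by [start end].  An absent choice leaves the field unconstrained."""
    if exact in spec:
        return value in spec[exact]
    if rng in spec:
        return any(r[start] <= value <= r[end] for r in spec[rng])
    return True


def match_ipv4(spec, addr):
    """pkt-sec-ipv4-src / pkt-sec-ipv4-dest: exact-match entries carry an
    address plus prefix-length or netmask; range-match entries carry start/end."""
    ip = ipaddress.IPv4Address(addr)
    if "ipv4-address" in spec:
        for e in spec["ipv4-address"]:
            mask = e.get("prefix-length", e.get("netmask", 32))
            if ip in ipaddress.IPv4Network(f"{e['ipv4']}/{mask}", strict=False):
                return True
        return False
    if "range-ipv4-address" in spec:
        return any(ipaddress.IPv4Address(r["start-ipv4-address"]) <= ip
                   <= ipaddress.IPv4Address(r["end-ipv4-address"])
                   for r in spec["range-ipv4-address"])
    return True


def rule_matches(rule, pkt):
    """Condition clause: every present sub-condition must hold (assumed AND)."""
    cond = rule.get("condition-clause-container", {})
    v4 = cond.get("packet-security-ipv4-condition", {})
    if "pkt-sec-ipv4-protocol" in v4 and pkt.protocol not in v4["pkt-sec-ipv4-protocol"]:
        return False
    if not match_ipv4(v4.get("pkt-sec-ipv4-src", {}), pkt.src):
        return False
    if not match_ipv4(v4.get("pkt-sec-ipv4-dest", {}), pkt.dst):
        return False
    l4 = cond.get(f"packet-security-{pkt.protocol}-condition", {})
    ports = l4.get(f"pkt-sec-{pkt.protocol}-dest-port-num", {})
    return match_choice(ports, pkt.dport, "port-num", "range-port-num",
                        "start-port-num", "end-port-num")


def resolve(policy, pkt, strategy=None):
    """Action for pkt under the policy's resolution-strategy (or an explicit
    override), falling back to default-action when no enabled rule matches."""
    strategy = strategy or policy["resolution-strategy"]
    matched = [r for r in policy["rules"]
               if r.get("rule-enable", True) and rule_matches(r, pkt)]
    if not matched:
        return policy["default-action"]
    if strategy == "fmr":                       # First Matching Rule
        chosen = matched[0]
    elif strategy == "lmr":                     # Last Matching Rule
        chosen = matched[-1]
    elif strategy in ("pmre", "pmrn"):          # Prioritized Matching Rule
        top = max(r["rule-priority"] for r in matched)   # assumed: larger wins
        best = [r for r in matched if r["rule-priority"] == top]
        if strategy == "pmre" and len(best) > 1:
            raise PolicyConflict([r["rule-name"] for r in best])
        chosen = best[0]                        # PMRN: first in rule order
    else:
        raise ValueError(f"unknown resolution-strategy {strategy!r}")
    return chosen["action-clause-container"]["action"]   # assumed layout


# Constructed sample policy using documentation prefixes (RFC 5737).
SAMPLE_POLICY = {
    "system-policy-name": "sample", "resolution-strategy": "pmre",
    "default-action": "pass",
    "rules": [
        {"rule-name": "block-web-to-sns", "rule-priority": 10, "rule-enable": True,
         "condition-clause-container": {
             "packet-security-ipv4-condition": {
                 "pkt-sec-ipv4-protocol": ["tcp"],
                 "pkt-sec-ipv4-src": {"ipv4-address": [{"ipv4": "192.0.2.0", "prefix-length": 24}]},
                 "pkt-sec-ipv4-dest": {"range-ipv4-address": [
                     {"start-ipv4-address": "203.0.113.10", "end-ipv4-address": "203.0.113.20"}]}},
             "packet-security-tcp-condition": {
                 "pkt-sec-tcp-dest-port-num": {"port-num": [80, 443]}}},
         "action-clause-container": {"action": "drop"}},
        {"rule-name": "allow-admin-host", "rule-priority": 20, "rule-enable": True,
         "condition-clause-container": {"packet-security-ipv4-condition": {
             "pkt-sec-ipv4-src": {"ipv4-address": [{"ipv4": "192.0.2.10", "netmask": "255.255.255.255"}]}}},
         "action-clause-container": {"action": "pass"}},
        {"rule-name": "disabled-catch-all", "rule-priority": 99, "rule-enable": False,
         "condition-clause-container": {}, "action-clause-container": {"action": "reject"}},
    ],
}

if __name__ == "__main__":
    admin = Packet("192.0.2.10", "203.0.113.15", "tcp", 443)
    for s in ("fmr", "lmr", "pmre", "pmrn"):
        print(s, resolve(SAMPLE_POLICY, admin, s))
```

   The admin host's HTTPS packet matches both enabled rules, so the chosen
   action depends entirely on the resolution strategy: FMR yields drop,
   LMR and both prioritized strategies yield pass. Lowering the admin rule
   to priority 10 makes PMRE raise PolicyConflict while PMRN silently picks
   the first rule, which is exactly the difference an operator should test
   for before relying on PMRN in production.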
3.2.  Event Clause

   This section shows a YANG tree diagram for an event clause of a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
           +--rw rules* [rule-name]
           |  ...
           |  +--rw event-clause-container
           |  |  +--rw event-clause-description?   string
           |  |  +--rw event-clauses
           |  |     +--rw system-event*   identityref
           |  |     +--rw system-alarm*   identityref
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              ...

               Figure 2: YANG Tree Diagram for an Event Clause

   An event is any important occurrence in time of a change in the
   system being managed, and/or in the environment of the system being
   managed. An event clause is used to trigger the evaluation of the
   condition clause of the I2NSF Policy Rule. The event clause is
   defined as a system event and a system alarm
   [I-D.ietf-i2nsf-nsf-monitoring-data-model]. The event clause can be
   extended according to specific vendor event features. The event
   clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].
3.3.  Condition Clause

   This section shows a YANG tree diagram for a condition clause of a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  +--rw condition-clause-description?   string
        |  |  +--rw packet-security-ipv4-condition
        |  |  |  +--rw ipv4-description?   string
        |  |  |  +--rw pkt-sec-ipv4-header-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-header-length*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-header-length*
        |  |  |  |                [start-ipv4-header-length end-ipv4-header-length]
        |  |  |  |           +--rw start-ipv4-header-length   uint8
        |  |  |  |           +--rw end-ipv4-header-length     uint8
        |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
        |  |  |  +--rw pkt-sec-ipv4-total-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-total-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-total-length*
        |  |  |  |                [start-ipv4-total-length end-ipv4-total-length]
        |  |  |  |           +--rw start-ipv4-total-length   uint16
        |  |  |  |           +--rw end-ipv4-total-length     uint16
        |  |  |  +--rw pkt-sec-ipv4-id*   uint16
        |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
        |  |  |  +--rw pkt-sec-ipv4-fragment-offset
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-fragment-offset*
        |  |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
        |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
        |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
        |  |  |  +--rw pkt-sec-ipv4-ttl
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-ttl*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
        |  |  |  |           +--rw start-ipv4-ttl   uint8
        |  |  |  |           +--rw end-ipv4-ttl     uint8
        |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
        |  |  |  +--rw pkt-sec-ipv4-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?   yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address*
        |  |  |  |                [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-dest
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?   yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address*
        |  |  |  |                [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
        |  |  |  +--rw pkt-sec-ipv4-same-ip?   boolean
        |  |  |  +--rw pkt-sec-ipv4-geo-ip*   string
        |  |  +--rw packet-security-ipv6-condition
        |  |  |  +--rw ipv6-description?   string
        |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
        |  |  |  +--rw pkt-sec-ipv6-flow-label
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-flow-label*   uint32
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-flow-label*
        |  |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
        |  |  |  |           +--rw start-ipv6-flow-label   uint32
        |  |  |  |           +--rw end-ipv6-flow-label     uint32
        |  |  |  +--rw pkt-sec-ipv6-payload-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-payload-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-payload-length*
        |  |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
        |  |  |  |           +--rw start-ipv6-payload-length   uint16
        |  |  |  |           +--rw end-ipv6-payload-length     uint16
        |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
        |  |  |  +--rw pkt-sec-ipv6-hop-limit
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-hop-limit*
        |  |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
        |  |  |  |           +--rw start-ipv6-hop-limit   uint8
        |  |  |  |           +--rw end-ipv6-hop-limit     uint8
        |  |  |  +--rw pkt-sec-ipv6-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-address* [ipv6]
        |  |  |  |     |     +--rw ipv6             inet:ipv6-address
        |  |  |  |     |     +--rw prefix-length?   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-address*
        |  |  |  |                [start-ipv6-address end-ipv6-address]
        |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
        |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
        |  |  |  +--rw pkt-sec-ipv6-dest
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw ipv6-address* [ipv6]
        |  |  |        |     +--rw ipv6             inet:ipv6-address
        |  |  |        |     +--rw prefix-length?   uint8
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-ipv6-address*
        |  |  |                   [start-ipv6-address end-ipv6-address]
        |  |  |              +--rw start-ipv6-address   inet:ipv6-address
        |  |  |              +--rw end-ipv6-address     inet:ipv6-address
        |  |  +--rw packet-security-tcp-condition
        |  |  |  +--rw tcp-description?   string
        |  |  |  +--rw pkt-sec-tcp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-flags*   identityref
        |  |  +--rw packet-security-udp-condition
        |  |  |  +--rw udp-description?   string
        |  |  |  +--rw pkt-sec-udp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-total-length
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw udp-total-length*   uint32
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-udp-total-length*
        |  |  |                   [start-udp-total-length end-udp-total-length]
        |  |  |              +--rw start-udp-total-length   uint32
| | | | +--rw end-udp-total-length uint32 | | | +--rw end-udp-total-length uint32
| | | +--rw packet-security-icmp-condition | | +--rw packet-security-sctp-condition
| | | | +--rw icmp-description? string | | | +--rw sctp-description? string
| | | | +--rw pkt-sec-icmp-type-and-code* identityref | | | +--rw pkt-sec-sctp-src-port-num
| | | +--rw packet-security-url-category-condition | | | | +--rw (match-type)?
| | | | +--rw url-category-description? string | | | | +--:(exact-match)
| | | | +--rw pre-defined-category* string | | | | | +--rw port-num* inet:port-number
| | | | +--rw user-defined-category* string | | | | +--:(range-match)
| | | +--rw packet-security-voice-condition | | | | +--rw range-port-num*
| | | | +--rw voice-description? string [start-port-num end-port-num]
| | | | +--rw pkt-sec-src-voice-id* string | | | | +--rw start-port-num inet:port-number
| | | | +--rw pkt-sec-dest-voice-id* string | | | | +--rw end-port-num inet:port-number
| | | | +--rw pkt-sec-user-agent* string | | | +--rw pkt-sec-sctp-dest-port-num
| | | +--rw packet-security-ddos-condition | | | | +--rw (match-type)?
| | | | +--rw ddos-description? string | | | | +--:(exact-match)
| | | | +--rw pkt-sec-alert-rate? uint32 | | | | | +--rw port-num* inet:port-number
| | | +--rw packet-security-payload-condition | | | | +--:(range-match)
| | | | +--rw packet-payload-description? string | | | | +--rw range-port-num*
| | | | +--rw pkt-payload-content* string [start-port-num end-port-num]
| | | +--rw context-condition | | | | +--rw start-port-num inet:port-number
| | | +--rw context-description? string | | | | +--rw end-port-num inet:port-number
| | | +--rw application-condition | | | +--rw pkt-sec-sctp-verification-tag* uint32
| | | | +--rw application-description? string | | | +--rw pkt-sec-sctp-chunk-type* uint8
| | | | +--rw application-object* string | | +--rw packet-security-dccp-condition
| | | | +--rw application-group* string | | | +--dccp-description? string
| | | | +--rw application-label* string | | | +--rw pkt-sec-dccp-src-port-num
| | | | +--rw category | | | | +--rw (match-type)?
| | | | +--rw application-category* | | | | +--:(exact-match)
| | | | | +--rw port-num* inet:port-number
| | | | +--:(range-match)
| | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | +--rw start-port-num inet:port-number
| | | | +--rw end-port-num inet:port-number
| | | +--rw pkt-sec-dccp-dest-port-num
| | | | +--rw (match-type)?
| | | | +--:(exact-match)
| | | | | +--rw port-num* inet:port-number
| | | | +--:(range-match)
| | | | +--rw range-port-num*
[start-port-num end-port-num]
| | | | +--rw start-port-num inet:port-number
| | | | +--rw end-port-num inet:port-number
| | | +--rw pkt-sec-dccp-service-code* uint32
| | +--rw packet-security-icmp-condition
| | | +--rw icmp-description? string
| | | +--rw pkt-sec-icmp-type-and-code* identityref
| | +--rw packet-security-url-category-condition
| | | +--rw url-category-description? string
| | | +--rw pre-defined-category* string
| | | +--rw user-defined-category* string
| | +--rw packet-security-voice-condition
| | | +--rw voice-description? string
| | | +--rw pkt-sec-src-voice-id* string
| | | +--rw pkt-sec-dest-voice-id* string
| | | +--rw pkt-sec-user-agent* string
| | +--rw packet-security-ddos-condition
| | | +--rw ddos-description? string
| | | +--rw pkt-sec-alert-packet-rate? uint32
| | | +--rw pkt-sec-alert-flow-rate? uint32
| | | +--rw pkt-sec-alert-byte-rate? uint32
| | +--rw packet-security-payload-condition
| | | +--rw packet-payload-description? string
| | | +--rw pkt-payload-content* string
| | +--rw context-condition
| | +--rw context-description? string
| | +--rw application-condition
| | | +--rw application-description? string
| | | +--rw application-object* string
| | | +--rw application-group* string
| | | +--rw application-label* string
| | | +--rw category
| | | +--rw application-category*
[name application-subcategory] [name application-subcategory]
| | | | +--rw name string | | | +--rw name string
| | | | +--rw application-subcategory string | | | +--rw application-subcategory string
| | | +--rw target-condition | | +--rw target-condition
| | | | +--rw target-description? string | | | +--rw target-description? string
| | | | +--rw device-sec-context-cond | | | +--rw device-sec-context-cond
| | | | +--rw target-device* identityref | | | +--rw target-device* identityref
| | | +--rw users-condition | | +--rw users-condition
| | | | +--rw users-description? string | | | +--rw users-description? string
| | | | +--rw user | | | +--rw user [user-name user-id]
| | | | | +--rw (user-name)? | | | +--rw user-name* string
| | | | | +--:(tenant) | | | +--rw user-id* uint32
| | | | | | +--rw tenant uint8 | | | +--rw group [group-name group-id]
| | | | | +--:(vn-id) | | | +--rw group-name string
| | | | | +--rw vn-id uint8 | | | +--rw group-id uint32
| | | | +--rw group | | | +--rw security-group string
| | | | | +--rw (group-name)? | | +--rw geography-context-condition
| | | | | +--:(tenant) | | +--rw geography-context-description? string
| | | | | | +--rw tenant uint8 | | +--rw geography-location
| | | | | +--:(vn-id) | | +--rw src-geography-location* string
| | | | | +--rw vn-id uint8 | | +--rw dest-geography-location* string
| | | | +--rw security-group string | +--rw action-clause-container
| | | +--rw gen-context-condition | ...
| | | +--rw gen-context-description? string +--rw rule-group
| | | +--rw geographic-location ...
| | | +--rw src-geographic-location* uint32
| | | +--rw dest-geographic-location* uint32
| | +--rw action-clause-container
| | ...
| +--rw rule-group
| ...
+--rw i2nsf-ipsec? identityref
Figure 3: YANG Tree Diagram for a Condition Clause Figure 3: YANG Tree Diagram for a Condition Clause
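Review bot: two issues in the -11 column of Figure 3. First, `+--dccp-description? string` under packet-security-dccp-condition lacks the `rw` flag that every sibling description leaf carries (compare `+--rw sctp-description? string`), so the tree was probably hand-edited rather than regenerated; regenerate it with pyang before the next revision. Second, the new `user [user-name user-id]` list names `user-name` and `user-id` as keys, but both are drawn as leaf-lists (`+--rw user-name* string`, `+--rw user-id* uint32`); RFC 7950 section 7.8.2 requires each key to be a child leaf of the list, so either drop the `*` (as `group [group-name group-id]` already does with `group-name string` / `group-id uint32`) or drop the key statement.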
This YANG tree diagram shows a condition clause for an I2NSF security A condition clause is defined as a set of attributes, features, and/
policy rule for generic network security functions. A condition or values that are to be compared with a set of known attributes,
clause is defined as a set of attributes, features, and/or values features, and/or values in order to determine whether or not the set
that are to be compared with a set of known attributes, features, of actions in that (imperative) I2NSF policy rule can be executed or
and/or values in order to determine whether or not the set of actions not. A condition clause is classified as a condition of generic
in that (imperative) I2NSF policy rule can be executed or not. A network security functions, advanced network security functions, or
condition clause is classified as a conditions of generic network context. A condition clause of generic network security functions is
security functions, advanced network security functions, or context. defined as packet security IPv4 condition, packet security IPv6
A condition clause of generic network security functions is defined condition, packet security tcp condition, and packet security icmp
as packet security IPv4 condition, packet security IPv6 condition, condition. A condition clause of advanced network security functions
packet security tcp condition, and packet security icmp condition. A is defined as packet security url category condition, packet security
condition clause of advanced network security functions is defined as voice condition, packet security DDoS condition, or packet security
packet security url category condition, packet security voice payload condition. A condition clause of context is defined as
condition, packet security DDoS condition, or packet security payload application condition, target condition, users condition, and
condition. A condition clause of context is defined as ACL number geography condition. Note that this document deals only with
condition, application condition, target condition, user condition, conditions of several advanced network security functions such as url
and geography condition. Note that this document deals only with filter (i.e., web filter), VoIP/VoLTE security, and DDoS-attack
simple conditions of advanced network security functions. A mitigator. A condition clause of other advanced network security
condition clause of more advanced network security functions can be functions such as Intrusion Prevention System (IPS) and Data Loss
defined as an extension in future. A condition clause can be Prevention (DLP) can be defined as an extension in future. A
extended according to specific vendor condition features. A condition clause can be extended according to specific vendor
condition clause is described in detail in condition features. A condition clause is described in detail in
[I-D.ietf-i2nsf-capability]. [I-D.ietf-i2nsf-capability-data-model].
4.4. Action Clause 3.4. Action Clause
This section shows the YANG tree diagram for an action clause of an This section shows a YANG tree diagram for an action clause for a
I2NSF security policy rule. general I2NSF security policy rule for generic network security
functions.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy +--rw i2nsf-security-policy
| ... ...
| +--rw rules* [rule-name] +--rw rules* [rule-name]
| | ... | ...
| | +--rw event-clause-container | +--rw event-clause-container
| | | ... | | ...
| | +--rw condition-clause-container | +--rw condition-clause-container
| | | ... | | ...
| | +--rw action-clause-container | +--rw action-clause-container
| | +--rw action-clause-description? string | +--rw action-clause-description? string
| | +--rw packet-action | +--rw packet-action
| | | +--rw ingress-action? identityref | | +--rw ingress-action? identityref
| | | +--rw egress-action? identityref | | +--rw egress-action? identityref
| | | +--rw log-action? identityref | | +--rw log-action? identityref
| | +--rw advanced-action | +--rw flow-action
| | +--rw content-security-control* identityref | | +--rw ingress-action? identityref
| | +--rw attack-mitigation-control* identityref | | +--rw egress-action? identityref
| +--rw rule-group | | +--rw log-action? identityref
| ... | +--rw advanced-action
+--rw i2nsf-ipsec? identityref | +--rw content-security-control* identityref
| +--rw attack-mitigation-control* identityref
+--rw rule-group
...
Figure 4: YANG Tree Diagram for an Action Clause Figure 4: YANG Tree Diagram for an Action Clause
This YANG tree diagram shows an action clause of an I2NSF security An action is used to control and monitor aspects of flow-based NSFs
policy rule for generic network security functions. An action is when the policy rule event and condition clauses are satisfied. NSFs
used to control and monitor aspects of flow-based NSFs when the provide security services by executing various actions. The action
policy rule event and condition clauses are satisfied. NSFs provide clause is defined as ingress action, egress action, or log action for
security services by executing various actions. The action clause is packet action, flow action, and advanced action for additional
defined as ingress action, egress action, or log action for packet inspection. The packet action is an action for an individual packet
action, and advanced action for additional inspection. The action such as an IP datagram. The flow action is an action of a traffic
clause can be extended according to specific vendor action features. flow such as the packets of a TCP session (e.g., an HTTP/HTTPS
The action clause is described in detail in session). The advanced action is an action of an advanced action
[I-D.ietf-i2nsf-capability]. (e.g., web filter and DDoS-attack mitigator) for either a packet or a
traffic flow. The action clause can be extended according to
4.5. I2NSF Internet Key Exchange specific vendor action features. The action clause is described in
detail in [I-D.ietf-i2nsf-capability-data-model].
This section shows the YANG tree diagram for an I2NSF IPsec.
module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy
| ...
| +--rw rules* [rule-name]
| | ...
| | +--rw event-clause-container
| | | ...
| | +--rw condition-clause-container
| | | ...
| | +--rw action-clause-container
| | ...
| +--rw rule-group
| ...
+--rw i2nsf-ipsec? identityref
Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchnage
This YANG tree diagram shows an I2NSF IPsec specification for an
Internet Key Exchange IKE). An I2NSF IPsec specification is used to
define a method required to manage IPsec parameters for creating
IPsec Security Associations (SAs) between two NSFs through either the
IKEv2 protocol or the Security Controller
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec considers
two cases, the IKE case (i.e., IPsec through IKE) and IKE-less case
(i.e., IPsec not through IKE, but through a Security Controller).
Refer to [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for the detailed
description of the I2NSF IPsec.
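The condition and action clauses in Figures 3 and 4 are only drawn as a YANG tree above, so here is an added example (not code from the draft or the I2NSF project) that makes their matching semantics concrete: a small Python matcher that mirrors the node names of the tcp, udp and icmp packet-security conditions, honours the `(match-type)` choice between `exact-match` `port-num*` and `range-match` `range-port-num* [start-port-num end-port-num]`, rejects a range whose start exceeds its end, and selects the `ingress-action`, `egress-action` and `log-action` of the first matching rule's `packet-action`. The rule and packet shapes, the AND combination of sub-conditions, the first-match evaluation order, the `"drop"`/`"pass"`/`"log"` action strings and the `(type, code)` tuples standing in for the module's identityrefs are all this example's assumptions; the draft specifies the data model, not an evaluation algorithm.

```python
"""Added example: matching packets against I2NSF condition/action clauses.

Mirrors node names from Figure 3 (tcp/udp/icmp packet-security conditions)
and Figure 4 (packet-action).  Rules and packets are plain dicts/dataclasses
of this example's own design; the draft defines YANG, not a Python API.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"syn"})
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def validate_port_match(node: dict) -> None:
    """(match-type) is a choice: exact-match port-num* XOR range-match
    range-port-num* [start-port-num end-port-num]; ranges must be ordered."""
    if "exact-match" in node and "range-match" in node:
        raise ValueError("only one match-type case may be present")
    for p in node.get("exact-match", {}).get("port-num", []):
        if not 0 <= p <= 65535:
            raise ValueError(f"port-num {p} outside inet:port-number")
    for r in node.get("range-match", {}).get("range-port-num", []):
        s, e = r["start-port-num"], r["end-port-num"]
        if not 0 <= s <= e <= 65535:
            raise ValueError(f"range {s}-{e}: start must not exceed end")


def port_matches(node: Optional[dict], port: Optional[int]) -> bool:
    """Absent node: no constraint.  Otherwise the port must equal one
    listed value (exact-match) or fall inside one range (range-match)."""
    if node is None:
        return True
    validate_port_match(node)
    if port is None:
        return False
    if "exact-match" in node:
        return port in node["exact-match"].get("port-num", [])
    if "range-match" in node:
        return any(r["start-port-num"] <= port <= r["end-port-num"]
                   for r in node["range-match"]["range-port-num"])
    return True  # choice present but no case chosen: no constraint


def condition_matches(cond: dict, pkt: Packet) -> bool:
    """Every sub-condition present in the clause must hold (ANDed; this
    combination rule is the example's assumption, not stated in the draft)."""
    tcp = cond.get("packet-security-tcp-condition")
    udp = cond.get("packet-security-udp-condition")
    icmp = cond.get("packet-security-icmp-condition")
    if tcp is not None and (
            pkt.proto != "tcp"
            or not port_matches(tcp.get("pkt-sec-tcp-src-port-num"), pkt.src_port)
            or not port_matches(tcp.get("pkt-sec-tcp-dest-port-num"), pkt.dst_port)
            # pkt-sec-tcp-flags*: every listed flag must be set on the packet
            or not set(tcp.get("pkt-sec-tcp-flags", [])) <= pkt.tcp_flags):
        return False
    if udp is not None and (
            pkt.proto != "udp"
            or not port_matches(udp.get("pkt-sec-udp-src-port-num"), pkt.src_port)
            or not port_matches(udp.get("pkt-sec-udp-dest-port-num"), pkt.dst_port)):
        return False
    if icmp is not None:
        wanted = icmp.get("pkt-sec-icmp-type-and-code", [])  # (type, code) pairs
        if pkt.proto != "icmp" or (
                wanted and (pkt.icmp_type, pkt.icmp_code) not in wanted):
            return False
    return True


def apply_rules(rules: list, pkt: Packet, direction: str) -> dict:
    """First matching rule wins; its packet-action supplies the
    ingress-action or egress-action plus log-action.  No match falls
    through to 'pass' without logging (the example's default)."""
    for rule in rules:
        if condition_matches(rule["condition-clause-container"], pkt):
            pa = rule["action-clause-container"]["packet-action"]
            return {"rule": rule["rule-name"],
                    "action": pa.get(f"{direction}-action", "pass"),
                    "log": pa.get("log-action")}
    return {"rule": None, "action": "pass", "log": None}


# Constructed sample rules.  "drop"/"pass"/"log" stand in for the module's
# action identityrefs and (type, code) tuples for the icmp identityrefs;
# the identity names themselves are outside the excerpt above.
RULES = [
    {"rule-name": "block_netbios_syn",
     "condition-clause-container": {"packet-security-tcp-condition": {
         "pkt-sec-tcp-dest-port-num": {"range-match": {"range-port-num": [
             {"start-port-num": 135, "end-port-num": 139}]}},
         "pkt-sec-tcp-flags": ["syn"]}},
     "action-clause-container": {"packet-action": {
         "ingress-action": "drop", "log-action": "log"}}},
    {"rule-name": "allow_dns",
     "condition-clause-container": {"packet-security-udp-condition": {
         "pkt-sec-udp-dest-port-num": {"exact-match": {"port-num": [53, 5353]}}}},
     "action-clause-container": {"packet-action": {
         "ingress-action": "pass", "egress-action": "pass"}}},
    {"rule-name": "no_inbound_echo",
     "condition-clause-container": {"packet-security-icmp-condition": {
         "pkt-sec-icmp-type-and-code": [(8, 0)]}},  # ICMP echo request
     "action-clause-container": {"packet-action": {
         "ingress-action": "drop", "egress-action": "pass", "log-action": "log"}}},
]

if __name__ == "__main__":
    syn = Packet("tcp", src_port=51234, dst_port=137, tcp_flags=frozenset({"syn"}))
    print(apply_rules(RULES, syn, "ingress"))
```

Note that the third rule gives the same ICMP echo packet a different result on ingress and egress, which is exactly why the model carries separate `ingress-action` and `egress-action` leaves; and because `validate_port_match` runs on every evaluation, a Security Controller that pushes a reversed range is rejected at match time rather than silently matching nothing.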
5. YANG Data Model of NSF-Facing Interface 4. YANG Data Model of NSF-Facing Interface
The main objective of this data model is to provide both an The main objective of this data model is to provide both an
information model and the corresponding YANG data model of I2NSF NSF- information model and the corresponding YANG data model of I2NSF NSF-
Facing Interface. This interface can be used to deliver control and Facing Interface. This interface can be used to deliver control and
management messages between Security Controller and NSFs for the management messages between Security Controller and NSFs for the
I2NSF low-level security policies. I2NSF low-level security policies.
The semantics of the data model must be aligned with the information
model of the NSF-Facing Interface. The transformation of the
information model is performed so that this YANG data model can
facilitate the efficient delivery of the control or management
messages.
This data model is designed to support the I2NSF framework that can This data model is designed to support the I2NSF framework that can
be extended according to the security needs. In other words, the be extended according to the security needs. In other words, the
model design is independent of the content and meaning of specific model design is independent of the content and meaning of specific
policies as well as the implementation approach. policies as well as the implementation approach.
With the YANG data model of I2NSF NSF-Facing Interface, this document With the YANG data model of I2NSF NSF-Facing Interface, this document
suggests use cases for security policy rules such as time-based suggests use cases for security policy rules such as time-based
firewall, web filter, VoIP/VoLTE security service, and DDoS-attack firewall, web filter, VoIP/VoLTE security service, and DDoS-attack
mitigation in Section 6. mitigation in Section 5.
5.1. YANG Module of NSF-Facing Interface 4.1. YANG Module of NSF-Facing Interface
This section describes a YANG module of NSF-Facing Interface. This This section describes a YANG module of NSF-Facing Interface. This
YANG module imports from [RFC6991]. It makes references to [RFC0768] YANG module imports from [RFC6991]. It makes references to [RFC0768]
[RFC0791][RFC0792][RFC0793][RFC1700][RFC3232][RFC3261][RFC4443][RFC81 [RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][RFC8329][RFC83
77][RFC8200][RFC8329][RFC8335][RFC8344]. 35][RFC8344][ISO-Country-Codes][IANA-Protocol-Numbers].
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2020-08-28.yang" <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-02-02.yang"
module ietf-i2nsf-policy-rule-for-nsf { module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix prefix
nsfintf; nsfintf;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-key-chain{
prefix key-chain;
reference "RFC 8177";
}
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jingyong Tim Kim Editor: Jingyong Tim Kim
<mailto:timkim@skku.edu> <mailto:timkim@skku.edu>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>"; <mailto:pauljeong@skku.edu>";
description description
"This module is a YANG module for Network Security Functions "This module is a YANG module for Network Security Functions
(NSF)-Facing Interface. (NSF)-Facing Interface.
Copyright (c) 2020 IETF Trust and the persons identified as Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
http://trustee.ietf.org/license-info). http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2020-08-28"{ revision "2021-02-02"{
description "The latest revision."; description "The latest revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
skipping to change at page 18, line 4 skipping to change at page 15, line 48
identity priority-by-order { identity priority-by-order {
base priority-usage-type; base priority-usage-type;
description description
"Identity for priority by order"; "Identity for priority by order";
} }
identity priority-by-number { identity priority-by-number {
base priority-usage-type; base priority-usage-type;
description description
"Identity for priority by number"; "Identity for priority by number";
} }
identity event { identity event {
description description
"Base identity for policy events"; "Base identity for policy events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - Event"; Monitoring YANG Data Model - Event";
} }
identity system-event { identity system-event {
base event; base event;
description description
"Identity for system events"; "Identity for system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event"; Monitoring YANG Data Model - System event";
} }
identity system-alarm { identity system-alarm {
base event; base event;
description description
"Identity for system alarms"; "Identity for system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm"; Monitoring YANG Data Model - System alarm";
} }
identity access-violation { identity access-violation {
base system-event; base system-event;
description description
"Identity for access violation "Identity for access violation
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for access Monitoring YANG Data Model - System event for access
violation"; violation";
} }
identity configuration-change { identity configuration-change {
base system-event; base system-event;
description description
"Identity for configuration change "Identity for configuration change
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for configuration Monitoring YANG Data Model - System event for configuration
change"; change";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm; base system-alarm;
description description
"Identity for memory alarm "Identity for memory alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for memory"; Monitoring YANG Data Model - System alarm for memory";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm; base system-alarm;
description description
"Identity for CPU alarm "Identity for CPU alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU"; Monitoring YANG Data Model - System alarm for CPU";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm; base system-alarm;
description description
"Identity for disk alarm "Identity for disk alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for disk"; Monitoring YANG Data Model - System alarm for disk";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm; base system-alarm;
description description
"Identity for hardware alarm "Identity for hardware alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for hardware"; Monitoring YANG Data Model - System alarm for hardware";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm; base system-alarm;
description description
"Identity for interface alarm "Identity for interface alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for interface"; Monitoring YANG Data Model - System alarm for interface";
} }
identity type-of-service { identity type-of-service {
description description
"Base identity for type of service of IPv4"; "Base identity for type of service of IPv4";
reference reference
"RFC 791: Internet Protocol - Type of Service"; "RFC 791: Internet Protocol - Type of Service";
} }
skipping to change at page 22, line 32 skipping to change at page 20, line 27
description description
"Identity for reserved flags"; "Identity for reserved flags";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
identity protocol { identity protocol {
description description
"Base identity for protocol of IPv4"; "Base identity for protocol of IPv4";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database RFC 791: Internet Protocol - Protocol";
RFC 791: Internet Protocol - Protocol";
} }
identity next-header { identity next-header {
description description
"Base identity for IPv6 next header"; "Base identity for IPv6 next header";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity icmp { identity icmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for ICMP IPv4 protocol and "Identity for ICMP IPv4 protocol and
IPv6 nett header"; IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity igmp { identity igmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for IGMP IPv4 protocol and "Identity for IGMP IPv4 protocol and
IPv6 next header"; IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity tcp { identity tcp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for TCP protocol"; "Identity for TCP protocol";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity igrp { identity igrp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for IGRP IPv4 protocol "Identity for IGRP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity udp { identity udp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for UDP IPv4 protocol "Identity for UDP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity gre { identity gre {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for GRE IPv4 protocol "Identity for GRE IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity esp { identity esp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for ESP IPv4 protocol "Identity for ESP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ah { identity ah {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for AH IPv4 protocol "Identity for AH IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity mobile { identity mobile {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for mobile IPv4 protocol "Identity for mobile IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity tlsp { identity tlsp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for TLSP IPv4 protocol "Identity for TLSP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity skip { identity skip {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for skip IPv4 protocol "Identity for skip IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ipv6-icmp { identity ipv6-icmp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for IPv6 ICMP next header"; "Identity for IPv6 ICMP next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 4443: Internet Control Message Protocol (ICMPv6) RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification for the Internet Protocol Version 6 (IPv6) Specification
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity eigrp { identity eigrp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for EIGRP IPv4 protocol "Identity for EIGRP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ospf { identity ospf {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for OSPF IPv4 protocol "Identity for OSPF IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity l2tp { identity l2tp {
base protocol; base protocol;
base next-header; base next-header;
description description
"Identity for L2TP IPv4 protocol "Identity for L2TP IPv4 protocol
and IPv6 next header"; and IPv6 next header";
reference reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an "IANA: Assigned Internet Protocol Numbers
On-line Database
RFC 791: Internet Protocol - Protocol RFC 791: Internet Protocol - Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Next Header"; Specification - Next Header";
} }
identity ipopts { identity ipopts {
description description
"Base identity for IP options"; "Base identity for IP options";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
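Review bot: `ipv6-icmp` keeps `base protocol` alongside `base next-header`, yet its description names only the "IPv6 ICMP next header"; either drop `base protocol` or reword the description to the "IPv4 protocol and IPv6 next header" pattern used by the neighbouring identities, so the derivation and the text agree. The `skip` and `mobile` descriptions also spell the protocol names in lower case ("skip IPv4 protocol", "mobile IPv4 protocol") while ESP, AH, TLSP, EIGRP, OSPF and L2TP are capitalised; use "SKIP" and "Mobile" for consistency.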
skipping to change at page 40, line 35 skipping to change at page 38, line 16
in extended echo reply types"; in extended echo reply types";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
identity target-device { identity target-device {
description description
"Base identity for target devices"; "Base identity for target devices";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities"; I2NSF Capability YANG Data Model";
} }
identity pc { identity computer {
base target-device; base target-device;
description description
"Identity for pc"; "Identity for computer such as personal computer (PC)
and server";
} }
identity mobile-phone { identity mobile-phone {
base target-device; base target-device;
description description
"Identity for mobile-phone"; "Identity for mobile-phone such as smartphone and
cellphone";
} }
identity voip-volte-phone { identity voip-volte-phone {
base target-device; base target-device;
description description
"Identity for voip-volte-phone"; "Identity for voip-volte-phone";
} }
identity tablet { identity tablet {
base target-device; base target-device;
description description
"Identity for tablet"; "Identity for tablet";
} }
identity network-infrastructure-device {
base target-device;
description
"Identity for network infrastructure devices
such as switch, router, and access point";
}
identity iot { identity iot {
base target-device; base target-device;
description description
"Identity for IoT"; "Identity for IoT (Internet of Things)";
} }
identity vehicle { identity vehicle {
base target-device; base target-device;
description description
"Identity for vehicle"; "Identity for vehicle that connects to and shares
data through the Internet";
} }
identity content-security-control { identity content-security-control {
description description
"Base identity for content security control"; "Base identity for content security control";
reference reference
"RFC 8329: Framework for Interface to "RFC 8329: Framework for Interface to
Network Security Functions - Differences Network Security Functions - Flow-Based
from ACL Data Models NSF Capability Characterization
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities"; I2NSF Capability YANG Data Model";
}
identity firewall {
base content-security-control;
description
"Identity for firewall that monitors
incoming and outgoing network traffic
and permits or blocks data packets based
on a set of security rules.";
} }
identity antivirus { identity antivirus {
base content-security-control; base content-security-control;
description description
"Identity for antivirus"; "Identity for antivirus that prevents,
scans, detects and deletes viruses
from a computer";
} }
identity ips { identity ips {
base content-security-control; base content-security-control;
description description
"Identity for ips"; "Identity for IPS (Intrusion Prevention System)
that prevents malicious activity within a network";
} }
identity ids { identity ids {
base content-security-control; base content-security-control;
description description
"Identity for ids"; "Identity for IDS (Intrusion Detection System)
that detects malicious activity within a network";
} }
identity url-filtering { identity url-filtering {
base content-security-control; base content-security-control;
description description
"Identity for url filtering"; "Identity for url filtering that
limits access by comparing the web traffic's URL
with the URLs for web filtering in a database";
} }
identity mail-filtering { identity mail-filtering {
base content-security-control; base content-security-control;
description description
"Identity for mail filtering"; "Identity for mail filtering that
filters out a malicious email message by
comparing its sender email address with the email
addresses of malicious users in a database";
} }
identity file-blocking { identity file-blocking {
base content-security-control; base content-security-control;
description description
"Identity for file blocking"; "Identity for file blocking that blocks the
} download or upload of malicious files with the
information of suspicious files in a database";
identity file-isolate {
base content-security-control;
description
"Identity for file isolate";
} }
identity pkt-capture { identity pkt-capture {
base content-security-control; base content-security-control;
description description
"Identity for packet capture"; "Identity for packet capture that
intercepts a packet that is crossing or moving
over a specific network.";
} }
identity application-control { identity application-control {
base content-security-control; base content-security-control;
description description
"Identity for application control"; "Identity for application control that
filters out the packets of malicious applications
with the information of those applications in a
database";
} }
identity voip-volte { identity voip-volte {
base content-security-control; base content-security-control;
description description
"Identity for voip and volte"; "Identity for VoIP/VoLTE security service that
filters out the packets of malicious users
with a blacklist of malicious users in a database";
} }
identity attack-mitigation-control { identity attack-mitigation-control {
description description
"Base identity for attack mitigation control"; "Base identity for attack mitigation control";
reference reference
"RFC 8329: Framework for Interface to "RFC 8329: Framework for Interface to
Network Security Functions - Differences Network Security Functions - Flow-Based
from ACL Data Models NSF Capability Characterization
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities"; I2NSF Capability YANG Data Model";
} }
identity syn-flood { identity syn-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for syn flood"; "Identity for syn flood
that weakens the SYN flood attack";
} }
identity udp-flood { identity udp-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for udp flood"; "Identity for udp flood
that weakens the UDP flood attack";
} }
identity icmp-flood { identity icmp-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for icmp flood"; "Identity for icmp flood
that weakens the ICMP flood attack";
} }
identity ip-frag-flood { identity ip-frag-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for ip frag flood"; "Identity for ip frag flood
that weakens the IP fragmentation flood attack";
} }
identity ipv6-related { identity http-and-https-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for ipv6 related"; "Identity for http and https flood
that weakens the HTTP and HTTPS flood attack";
} }
identity http-and-https-flood { identity dns-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for http and https flood"; "Identity for dns flood
that weakens the DNS flood attack";
} }
identity dns-flood { identity dns-amp-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for dns flood"; "Identity for dns amp flood
that weakens the DNS amplification flood attack";
} }
identity dns-amp-flood { identity ntp-amp-flood {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for dns amp flood"; "Identity for ntp amp flood
that weakens the NTP amplification flood attack";
} }
identity ssl-ddos { identity ssl-ddos {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for ssl ddos"; "Identity for ssl ddos
that weakens the SSL DDoS attack";
} }
identity ip-sweep { identity ip-sweep {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for ip sweep"; "Identity for ip sweep
that weakens the IP sweep attack";
} }
identity port-scanning { identity port-scanning {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for port scanning"; "Identity for port scanning
that weakens the port scanning attack";
} }
identity ping-of-death { identity ping-of-death {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for ping of death"; "Identity for ping-of-death
that weakens the ping-of-death attack";
} }
identity teardrop { identity teardrop {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for teardrop"; "Identity for teardrop
that weakens the teardrop attack";
} }
identity oversized-icmp { identity oversized-icmp {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for oversized icmp"; "Identity for oversized icmp
that weakens the oversized icmp attack";
} }
identity tracert { identity tracert {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for tracert"; "Identity for tracert
that weakens the tracert attack";
} }
identity ingress-action { identity ingress-action {
description description
"Base identity for action"; "Base identity for action";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Ingress Action"; I2NSF Capability YANG Data Model - Ingress Action";
} }
identity egress-action { identity egress-action {
description description
"Base identity for egress action"; "Base identity for egress action";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Egress action"; I2NSF Capability YANG Data Model - Egress Action";
} }
identity default-action { identity default-action {
description description
"Base identity for default action"; "Base identity for default action";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Default action"; I2NSF Capability YANG Data Model - Default Action";
} }
identity pass { identity pass {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for pass"; "Identity for pass";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Actions and I2NSF Capability YANG Data Model - Actions and
default action"; Default Action";
} }
identity drop { identity drop {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for drop"; "Identity for drop";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Actions and I2NSF Capability YANG Data Model - Actions and
default action"; Default Action";
} }
identity reject { identity reject {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for reject"; "Identity for reject";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Actions and I2NSF Capability YANG Data Model - Actions and
default action"; Default Action";
} }
identity alert { identity alert {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for alert"; "Identity for alert";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Actions and
default action"; I2NSF Capability YANG Data Model - Actions and
Default Action";
} }
identity mirror { identity mirror {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for mirror"; "Identity for mirror";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Actions and I2NSF Capability YANG Data Model - Actions and
default action"; Default Action";
} }
identity log-action { identity log-action {
description description
"Base identity for log action"; "Base identity for log action";
} }
identity rule-log { identity rule-log {
base log-action; base log-action;
description description
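Review bot: This hunk renames `pc` to `computer` and drops `file-isolate` and `ipv6-related` outright; each is an identity a client may already carry in an identityref leaf, so these are backwards-incompatible module changes that the document's change log should list, or the old identities should remain with `status deprecated` (RFC 7950, Section 7.21.2) pointing at their replacements. In the attack-mitigation block every description says the control "weakens the ... attack"; "mitigates" is the accepted term and matches the base identity `attack-mitigation-control`. `tracert` is the only entry whose attack is never defined ("weakens the tracert attack"); state what is meant or drop it. The `pkt-capture` description is also the only one in this block that ends with a period.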
skipping to change at page 47, line 42 skipping to change at page 46, line 18
base egress-action; base egress-action;
description description
"Identity for redirection"; "Identity for redirection";
} }
identity resolution-strategy { identity resolution-strategy {
description description
"Base identity for resolution strategy"; "Base identity for resolution strategy";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity fmr { identity fmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for First Matching Rule (FMR)"; "Identity for First Matching Rule (FMR)";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity lmr { identity lmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Last Matching Rule (LMR)"; "Identity for Last Matching Rule (LMR)";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmr { identity pmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule (PMR)"; "Identity for Prioritized Matching Rule (PMR)";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmre { identity pmre {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with Errors (PMRE)"; with Errors (PMRE)";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmrn { identity pmrn {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with No Errors (PMRN)"; with No Errors (PMRN)";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity i2nsf-ipsec { /*
description * Typedefs
"Internet Key Exchnage (IKE) for NSFs */
in the I2NSF framework";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined
Networking (SDN)-based IPsec Flow Protection - IPsec method
types can be selected.";
} typedef start-time-type {
type union {
type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
identity ike { type enumeration {
base i2nsf-ipsec; enum right-away {
description description
"IKE case: IPsec with IKE in the NSF"; "Immediate rule execution
reference in the system.";
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined }
Networking (SDN)-based IPsec Flow Protection - IPsec method }
type with IKE is selected."; }
}
identity ikeless { description
base i2nsf-ipsec; "Start time when the rules are applied.";
description }
"IKEless case: IPsec without IKEv2 in the NSF";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined
Networking (SDN)-based IPsec Flow Protection - IPsec method
type without IKE is selected.";
}
/* typedef end-time-type {
* Typedefs type union {
*/ type string {
pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ '(Z|[\+\-]\d{2}:\d{2})';
}
type enumeration {
enum infinitely {
description
"Infinite rule execution
in the system.";
}
}
}
description
"End time when the rules are applied.";
}
typedef day-type { typedef day-type {
type enumeration { type enumeration {
enum sunday { enum sunday {
description description
"Sunday for periodic day"; "Sunday for periodic day";
} }
enum monday { enum monday {
description description
"Monday for periodic day"; "Monday for periodic day";
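Review bot: The new `start-time-type` and `end-time-type` unions accept only `\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[\+\-]\d{2}:\d{2})`, a time of day with a zone offset, so the "absolute time" they are meant to express carries no calendar date, and the pattern also admits values such as 25:61:99 because `\d{2}` does not bound the fields to 00-23 or 00-59. Use `yang:date-and-time` from ietf-yang-types (RFC 6991) for the string branch, or at least constrain the hour, minute and second ranges. The two typedefs repeat the same pattern verbatim; factor the string branch into one shared typedef. Separately, `i2nsf-ipsec`, `ike` and `ikeless` are removed here with no replacement, which is another breaking identity removal to record in the change log.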
skipping to change at page 55, line 33 skipping to change at page 54, line 16
including a set of security rules according to certain logic, including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network i.e., their similarity or mutual relations, etc. The network
security policy can be applied to both the unidirectional security policy can be applied to both the unidirectional
and bidirectional traffic across the NSF. and bidirectional traffic across the NSF.
The I2NSF security policies use the Event-Condition-Action The I2NSF security policies use the Event-Condition-Action
(ECA) policy model "; (ECA) policy model ";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA Policy Model I2NSF Capability YANG Data Model - Design Principles and
Overview"; ECA Policy Model Overview";
list system-policy { list system-policy {
key "system-policy-name"; key "system-policy-name";
description description
"The system-policy represents there could be multiple system "The system-policy represents there could be multiple system
policies in one NSF, and each system policy is used by policies in one NSF, and each system policy is used by
one virtual instance of the NSF/device."; one virtual instance of the NSF/device.";
leaf system-policy-name { leaf system-policy-name {
type string; type string;
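Review bot: The policy container's description ends `(ECA) policy model "` with a trailing space and no period; close the sentence. The reference now pins `draft-ietf-i2nsf-capability-data-model-15`, and the same `-15` suffix appears in every reference statement updated in this diff; citing the draft without the version (with an RFC Editor note to substitute the RFC number on publication) avoids a sweep through the whole module each time the capability draft rolls.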
skipping to change at page 56, line 26 skipping to change at page 55, line 10
base resolution-strategy; base resolution-strategy;
} }
default fmr; default fmr;
description description
"The resolution strategies that can be used to "The resolution strategies that can be used to
specify how to resolve conflicts that occur between specify how to resolve conflicts that occur between
actions of the same or different policy rules that actions of the same or different policy rules that
are matched and contained in this particular NSF"; are matched and contained in this particular NSF";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Resolution strategy"; I2NSF Capability YANG Data Model - Resolution strategy";
} }
leaf default-action { leaf default-action {
type identityref { type identityref {
base default-action; base default-action;
} }
default alert; default alert;
description description
"This default action can be used to specify a predefined "This default action can be used to specify a predefined
action when no other alternative action was matched action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement."; is the use of a default statement in a C switch statement.";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model "draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Default action"; I2NSF Capability YANG Data Model - Default Action";
} }
list rules { list rules {
key "rule-name"; key "rule-name";
description description
"This is a rule for network security functions."; "This is a rule for network security functions.";
leaf rule-name { leaf rule-name {
type string; type string;
description description
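Review bot: `leaf default-action` defaults to `alert`, but neither this description nor the `alert` identity ("Identity for alert") says whether an alerted packet is then forwarded or dropped, so the fail-open or fail-closed behaviour of an NSF whose rules match nothing is left undefined by the model. State it explicitly in the `alert` description (for example "raise an alert and pass the packet"), or default to `drop` or `reject` so unmatched traffic is blocked unless the operator opts into a permissive default.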
skipping to change at page 57, line 24 skipping to change at page 56, line 6
"This description gives more information about "This description gives more information about
rules."; rules.";
} }
leaf rule-priority { leaf rule-priority {
type uint8 { type uint8 {
range "1..255"; range "1..255";
} }
description description
"The priority keyword comes with a mandatory "The priority keyword comes with a mandatory
numeric value which can range from 1 till 255."; numeric value which can range from 1 till 255.
Note that a higher number means a higher priority";
} }
leaf rule-enable { leaf rule-enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enable."; False is not enable.";
} }
leaf session-aging-time { leaf session-aging-time {
type uint16; type uint16;
units "second";
description description
"This is session aging time."; "This is session aging time.";
} }
container long-connection { container long-connection {
description description
"This is long-connection"; "This is long-connection";
leaf enable { leaf enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enbale."; False is not enable.";
} }
leaf duration { leaf duration {
type uint16; type uint16;
description description
"This is the duration of the long-connection."; "This is the duration of the long-connection.";
} }
} }
container time-intervals { container time-intervals {
description description
"Time zone when the rules are applied"; "Time zone when the rules are applied";
container absolute-time-interval { container absolute-time-interval {
description description
"Rule execution according to the absolute time. "Rule execution according to the absolute time.
The absolute time interval means the exact time to The absolute time interval means the exact time to
start or end."; start or end.";
container start-time { leaf start-time {
uses "key-chain:lifetime"; type start-time-type;
default right-away;
description description
"Start time when the rules are applied"; "Start time when the rules are applied";
reference
"RFC 8177: YANG Data Model for Key Chains
- lifetime";
} }
container end-time { leaf end-time {
uses "key-chain:lifetime"; type end-time-type;
default infinitely;
description description
"End time when the rules are applied"; "End time when the rules are applied";
reference
"RFC 8177: YANG Data Model for Key Chains
- lifetime";
} }
} }
container periodic-time-interval { container periodic-time-interval {
description description
"Rule execution according to the periodic time. "Rule execution according to the periodic time.
The periodic time interval means the repeated time The periodic time interval means the repeated time
such as a day, week, or month."; such as a day, week, or month.";
container day { container day {
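Review bot: Replacing the `key-chain:lifetime` containers with `start-time` and `end-time` leaves of the new typedefs changes what an "absolute time interval" can express: the typedefs hold hh:mm:ss plus a zone, so the "exact time to start or end" promised in the container description can no longer name a date, and `absolute-time-interval` becomes a daily window hard to distinguish from a periodic one. Either document that or give the typedefs a date-and-time string branch. `long-connection/duration` still has no `units` although `session-aging-time` gains `units "second"` in this hunk; add the unit. The `time-intervals` description "Time zone when the rules are applied" should read "Time intervals when the rules are applied", "False is not enable" should be "False is disabled", and the new rule-priority sentence "Note that a higher number means a higher priority" needs its closing period.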
skipping to change at page 59, line 49 skipping to change at page 58, line 30
managed. When used in the context of policy rules for managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that user actions (e.g., logon, logoff, and actions that
violate any ACL.)."; violate any ACL.).";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA I2NSF Capability YANG Data Model - Design Principles and
Policy Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf event-clause-description { leaf event-clause-description {
type string; type string;
description description
"Description for an event clause"; "Description for an event clause";
} }
container event-clauses { container event-clauses {
description description
"System Event Clause - either a system event or "System Event Clause - either a system event or
system alarm"; system alarm";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA Policy I2NSF Capability YANG Data Model - Design Principles and
Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf-list system-event { leaf-list system-event {
type identityref { type identityref {
base system-event; base system-event;
} }
description description
"The security policy rule according to "The security policy rule according to
system events."; system events.";
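Review bot: "violate any ACL.)." in the event clause description carries a stray period inside the parenthesis; it should read "violate any ACL)." The references updated here pin `draft-ietf-i2nsf-capability-data-model-15` and `draft-ietf-i2nsf-nsf-monitoring-data-model-04`; as elsewhere in this diff, cite the drafts without version suffixes so the text does not go stale on the next revision.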
skipping to change at page 61, line 15 skipping to change at page 59, line 43
compared with a set of known attributes, features, compared with a set of known attributes, features,
and/or values in order to determine whether or not the and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired comparing the internal state of an NSF to a desired
state."; state.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA Policy I2NSF Capability YANG Data Model - Design Principles and
Model Overview"; ECA Policy Model Overview";
leaf condition-clause-description { leaf condition-clause-description {
type string; type string;
description description
"Description for a condition clause."; "Description for a condition clause.";
} }
container packet-security-ipv4-condition { container packet-security-ipv4-condition {
description description
"The purpose of this container is to represent IPv4 "The purpose of this container is to represent IPv4
packet header information to determine if the set packet header information to determine if the set
of policy actions in this ECA policy rule should be of policy actions in this ECA policy rule should be
executed or not."; executed or not.";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
leaf ipv4-description { leaf ipv4-description {
skipping to change at page 61, line 37 skipping to change at page 60, line 16
"The purpose of this container is to represent IPv4 "The purpose of this container is to represent IPv4
packet header information to determine if the set packet header information to determine if the set
of policy actions in this ECA policy rule should be of policy actions in this ECA policy rule should be
executed or not."; executed or not.";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
leaf ipv4-description { leaf ipv4-description {
type string; type string;
description description
"ipv4 condition texual description."; "ipv4 condition textual description.";
} }
container pkt-sec-ipv4-header-length { container pkt-sec-ipv4-header-length {
choice match-type { choice match-type {
description description
"Security policy IPv4 Header length match - "Security policy IPv4 Header length match -
exact match and range match."; exact match and range match.";
case exact-match { case exact-match {
leaf-list ipv4-header-length { leaf-list ipv4-header-length {
type uint8 { type uint8 {
skipping to change at page 66, line 42 skipping to change at page 65, line 19
"The security policy rule according to "The security policy rule according to
IPv4 options."; IPv4 options.";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
} }
leaf pkt-sec-ipv4-same-ip { leaf pkt-sec-ipv4-same-ip {
type boolean; type boolean;
description description
"Match on packets with the same IPv4 source "Match on packets with the same IPv4 source
and IPv4 destination address."; and IPv4 destination address.";
} }
leaf-list pkt-sec-ipv4-geo-ip { leaf-list pkt-sec-ipv4-geo-ip {
type string; type string;
description description
"The geo-ip keyword enables you to match on "The geo-ip keyword enables you to match on
the source, destination or source and destination source and destination IP addresses of network
IP addresses of network traffic and to see to traffic and to see to which country it belongs.";
which country it belongs. To do this, Suricata reference
uses GeoIP API with MaxMind database format."; "ISO 3166: Codes for the representation of
names of countries and their subdivisions";
} }
} }
container packet-security-ipv6-condition { container packet-security-ipv6-condition {
description description
"The purpose of this container is to represent "The purpose of this container is to represent
IPv6 packet header information to determine IPv6 packet header information to determine
if the set of policy actions in this ECA policy if the set of policy actions in this ECA policy
rule should be executed or not."; rule should be executed or not.";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification"; Specification";
leaf ipv6-description { leaf ipv6-description {
type string; type string;
description description
"This is description for ipv6 condition."; "This is description for ipv6 condition.";
} }
leaf-list pkt-sec-ipv6-traffic-class { leaf-list pkt-sec-ipv6-traffic-class {
type identityref { type identityref {
base traffic-class; base traffic-class;
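Review bot: the reworded description of pkt-sec-ipv4-geo-ip narrows the match from "source, destination or source and destination" to only "source and destination", but it still does not say whether a listed country must match both addresses or either one, and since the leaf-list is a plain `string` the new ISO 3166 reference is not enforced. Suggest stating the match semantics explicitly and constraining the value, e.g. `type string { pattern '[A-Z]{2}'; }` for alpha-2 country codes, or splitting it into source and destination leaf-lists the way src-geography-location and dest-geography-location are split further down.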
skipping to change at page 71, line 37 skipping to change at page 70, line 17
container pkt-sec-tcp-dest-port-num { container pkt-sec-tcp-dest-port-num {
uses pkt-sec-port-number; uses pkt-sec-port-number;
description description
"The security policy rule according to "The security policy rule according to
tcp destination port number."; tcp destination port number.";
reference reference
"RFC 793: Transmission Control Protocol "RFC 793: Transmission Control Protocol
- Port number"; - Port number";
} }
container pkt-sec-tcp-seq-num {
choice match-type {
description
"There are two types to configure a security
policy for tcp sequence number,
such as exact match and range match.";
case exact-match {
leaf-list tcp-seq-num {
type uint32;
description
"Exact match for an tcp sequence number.";
}
}
case range-match {
list range-tcp-seq-num {
key "start-tcp-seq-num end-tcp-seq-num";
leaf start-tcp-seq-num {
type uint32;
description
"Start tcp sequence number for a range match.";
}
leaf end-tcp-seq-num {
type uint32;
description
"End tcp sequence number for a range match.";
}
description
"Range match for a tcp sequence number.";
}
}
}
description
"The security policy rule according to
tcp sequence number.";
reference
"RFC 793: Transmission Control Protocol
- Sequence number";
}
container pkt-sec-tcp-ack-num {
choice match-type {
description
"There are two types to configure a security
policy for tcp acknowledgement number,
such as exact match and range match.";
case exact-match {
leaf-list tcp-ack-num {
type uint32;
description
"Exact match for an tcp acknowledgement number.";
}
}
case range-match {
list range-tcp-ack-num {
key "start-tcp-ack-num end-tcp-ack-num";
leaf start-tcp-ack-num {
type uint32;
description
"Start tcp acknowledgement number
for a range match.";
}
leaf end-tcp-ack-num {
type uint32;
description
"End tcp acknowledgement number
for a range match.";
}
description
"Range match for a tcp acknowledgement number.";
}
}
}
description
"The security policy rule according to
tcp acknowledgement number.";
reference
"RFC 793: Transmission Control Protocol
- Acknowledgement number";
}
container pkt-sec-tcp-window-size {
choice match-type {
description
"There are two types to configure a security
policy for tcp window size,
such as exact match and range match.";
case exact-match {
leaf-list tcp-window-size {
type uint16;
description
"Exact match for an tcp window size.";
}
}
case range-match {
list range-tcp-window-size {
key "start-tcp-window-size end-tcp-window-size";
leaf start-tcp-window-size {
type uint16;
description
"Start tcp window size for a range match.";
}
leaf end-tcp-window-size {
type uint16;
description
"End tcp window size for a range match.";
}
description
"Range match for a tcp window size.";
}
}
}
description
"The security policy rule according to
tcp window size.";
reference
"RFC 793: Transmission Control Protocol
- Window size";
}
leaf-list pkt-sec-tcp-flags { leaf-list pkt-sec-tcp-flags {
type identityref { type identityref {
base tcp-flags; base tcp-flags;
} }
description description
"The security policy rule according to "The security policy rule according to
tcp flags."; tcp flags.";
reference reference
"RFC 793: Transmission Control Protocol "RFC 793: Transmission Control Protocol
- Flags"; - Flags";
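Review bot: the new range-match lists (range-tcp-seq-num, range-tcp-ack-num, range-tcp-window-size) carry no constraint that the start value is not greater than the end value, so a controller can push an empty or inverted range that an NSF will silently never match; suggest adding e.g. `must "start-tcp-seq-num <= end-tcp-seq-num";` to each list. Using both endpoints as the list key also allows overlapping ranges in one rule, which is acceptable for matching but should be stated in the description. Minor grammar in the exact-match descriptions: "an tcp" should be "a TCP".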
skipping to change at page 74, line 48 skipping to change at page 70, line 51
description description
"This is description for udp condition."; "This is description for udp condition.";
} }
container pkt-sec-udp-src-port-num { container pkt-sec-udp-src-port-num {
uses pkt-sec-port-number; uses pkt-sec-port-number;
description description
"The security policy rule according to "The security policy rule according to
udp source port number."; udp source port number.";
reference reference
"RFC 793: Transmission Control Protocol "RFC 768: User Datagram Protocol
- Port number"; - Total Length";
} }
container pkt-sec-udp-dest-port-num { container pkt-sec-udp-dest-port-num {
uses pkt-sec-port-number; uses pkt-sec-port-number;
description description
"The security policy rule according to "The security policy rule according to
udp destination port number."; udp destination port number.";
reference reference
"RFC 768: User Datagram Protocol "RFC 768: User Datagram Protocol
- Total Length"; - Total Length";
} }
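Review bot: the reference for pkt-sec-udp-src-port-num was changed from "RFC 793 ... - Port number" to "RFC 768: User Datagram Protocol - Total Length", and pkt-sec-udp-dest-port-num carries the same "- Total Length" text; the RFC is now right but the section hint is wrong for a port-number leaf. Suggest "RFC 768: User Datagram Protocol - Port number" for both and keeping "- Total Length" only on the udp total length container that follows.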
skipping to change at page 76, line 4 skipping to change at page 72, line 7
} }
} }
} }
description description
"The security policy rule according to "The security policy rule according to
udp total length."; udp total length.";
reference reference
"RFC 768: User Datagram Protocol "RFC 768: User Datagram Protocol
- Total Length"; - Total Length";
} }
}
container packet-security-sctp-condition {
description
"The purpose of this container is to represent
SCTP packet header information to determine
if the set of policy actions in this ECA policy
rule should be executed or not.";
leaf sctp-description {
type string;
description
"This is description for sctp condition.";
}
container pkt-sec-sctp-src-port-num {
uses pkt-sec-port-number;
description
"The security policy rule according to
sctp source port number.";
reference
"RFC 4960: Stream Control Transmission Protocol
- Port number";
}
container pkt-sec-sctp-dest-port-num {
uses pkt-sec-port-number;
description
"The security policy rule according to
sctp destination port number.";
reference
"RFC 4960: Stream Control Transmission Protocol
- Total Length";
}
leaf-list pkt-sec-sctp-verification-tag {
type uint32;
description
"The security policy rule according to
udp total length.";
reference
"RFC 4960: Stream Control Transmission Protocol
- Verification Tag";
}
leaf-list pkt-sec-sctp-chunk-type {
type uint8;
description
"The security policy rule according to
sctp chunk type ID Value.";
reference
"RFC 4960: Stream Control Transmission Protocol
- Chunk Type";
}
}
container packet-security-dccp-condition {
description
"The purpose of this container is to represent
DCCP packet header information to determine
if the set of policy actions in this ECA policy
rule should be executed or not.";
leaf dccp-description {
type string;
description
"This is description for dccp condition.";
}
container pkt-sec-dccp-src-port-num {
uses pkt-sec-port-number;
description
"The security policy rule according to
dccp source port number.";
reference
"RFC 4340: Datagram Congestion Control Protocol (DCCP)
- Port number";
}
container pkt-sec-dccp-dest-port-num {
uses pkt-sec-port-number;
description
"The security policy rule according to
dccp destination port number.";
reference
"RFC 4340: Datagram Congestion Control Protocol (DCCP)
- Port number";
}
leaf-list pkt-sec-dccp-service-code {
type uint32;
description
"The security policy rule according to
dccp service code.";
reference
"RFC 4340: Datagram Congestion Control Protocol (DCCP)
- Service Codes
RFC 5595: The Datagram Congestion Control Protocol (DCCP)
Service Codes
RFC 6335: Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry - Service Code";
}
} }
container packet-security-icmp-condition { container packet-security-icmp-condition {
description description
"The purpose of this container is to represent "The purpose of this container is to represent
ICMP packet header information to determine ICMP packet header information to determine
if the set of policy actions in this ECA policy if the set of policy actions in this ECA policy
rule should be executed or not."; rule should be executed or not.";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
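Review bot: copy-paste errors in the new SCTP container: the description of pkt-sec-sctp-verification-tag reads "The security policy rule according to udp total length." and the reference of pkt-sec-sctp-dest-port-num says "- Total Length", although SCTP has no such field; suggest "according to sctp verification tag" and "- Port number" respectively. Unlike packet-security-ipv6-condition and packet-security-icmp-condition, neither packet-security-sctp-condition nor packet-security-dccp-condition has a top-level `reference` statement; adding RFC 4960 and RFC 4340 there would keep the style consistent. For pkt-sec-sctp-chunk-type (uint8) and pkt-sec-dccp-service-code (uint32) consider an identity or enumeration of the registered values so that a controller cannot push an undefined chunk type or service code.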
skipping to change at page 76, line 42 skipping to change at page 74, line 51
RFC 8335: PROBE: A Utility for Probing Interfaces"; RFC 8335: PROBE: A Utility for Probing Interfaces";
} }
} }
container packet-security-url-category-condition { container packet-security-url-category-condition {
description description
"Condition for url category"; "Condition for url category";
leaf url-category-description { leaf url-category-description {
type string; type string;
description description
"This is description for url category condition. "This is description for the condition of a URL's
Vendors can write instructions for context condition category such as SNS sites, game sites, ecommerce
that vendor made"; sites, company sites, and university sites.";
} }
leaf-list pre-defined-category { leaf-list pre-defined-category {
type string; type string;
description description
"This is pre-defined-category."; "This is pre-defined-category.";
} }
leaf-list user-defined-category { leaf-list user-defined-category {
type string; type string;
description description
skipping to change at page 78, line 17 skipping to change at page 76, line 25
container packet-security-ddos-condition { container packet-security-ddos-condition {
description description
"Condition for DDoS attack."; "Condition for DDoS attack.";
leaf ddos-description { leaf ddos-description {
type string; type string;
description description
"This is description for ddos condition."; "This is description for ddos condition.";
} }
leaf pkt-sec-alert-rate { leaf pkt-sec-alert-packet-rate {
type uint32; type uint32;
units "pps";
description description
"The alert rate of flood detect for "The alert rate of flood detection for
same packets."; packets per second (PPS) of an IP address.";
}
leaf pkt-sec-alert-flow-rate {
type uint32;
description
"The alert rate of flood detection for
flows per second of an IP address.";
}
leaf pkt-sec-alert-byte-rate {
type uint32;
units "BPS";
description
"The alert rate of flood detection for
bytes per second of an IP address.";
} }
} }
container packet-security-payload-condition { container packet-security-payload-condition {
description description
"Condition for packet payload"; "Condition for packet payload";
leaf packet-payload-description { leaf packet-payload-description {
type string; type string;
description description
"This is description for payload condition. "This is description for payload condition.";
Vendors can write instructions for payload condition
that vendor made";
} }
leaf-list pkt-payload-content { leaf-list pkt-payload-content {
type string; type string;
description description
"The content keyword is very important in "This is a condition for packet payload content.";
signatures. Between the quotation marks you
can write on what you would like the
signature to match.";
} }
} }
container context-condition { container context-condition {
description description
"Condition for context"; "Condition for context";
leaf context-description { leaf context-description {
type string; type string;
description description
"This is description for context condition. "This is description for context condition.";
Vendors can write instructions for context condition
that vendor made";
} }
container application-condition { container application-condition {
description description
"Condition for application"; "Condition for application";
leaf application-description { leaf application-description {
type string; type string;
description description
"This is description for application condition."; "This is description for application condition.";
} }
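Review bot: the three alert-rate leaves in packet-security-ddos-condition are inconsistent about units: pkt-sec-alert-packet-rate has `units "pps"`, pkt-sec-alert-flow-rate has no units statement at all, and pkt-sec-alert-byte-rate uses `units "BPS"`, which is ambiguous between bits and bytes per second even though its description says bytes. Suggest a `units` statement on every rate leaf with one convention (e.g. "packets/second", "flows/second", "bytes/second"). The descriptions also say "of an IP address" without saying whether the source or the destination address is the one being counted, which decides whether the threshold detects a flooding host or a flooded host. Renaming pkt-sec-alert-rate to pkt-sec-alert-packet-rate is a non-backwards-compatible change to the module (RFC 7950, Section 11); acceptable for a draft, but it should be listed in the change log.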
skipping to change at page 80, line 37 skipping to change at page 79, line 6
} }
} }
} }
container users-condition { container users-condition {
description description
"Condition for users"; "Condition for users";
leaf users-description { leaf users-description {
type string; type string;
description description
"This is description for user condition. "This is the description for users' condition.";
Vendors can write instructions for user condition
that vendor made";
} }
container user{ list user{
description description
"The user (or user group) information with which "The user (or user group) information with which
network flow is associated: The user has many network flow is associated: The user has many
attributes such as name, id, password, type, attributes such as name, id, password, type,
authentication mode and so on. Name/id is often authentication mode and so on.
used in the security policy to identify the user. id is often used in the security policy to
Besides, NSF is aware of the IP address of the identify the user.
Besides, an NSF is aware of the IP address of the
user provided by a unified user management system user provided by a unified user management system
via network. Based on name-address association, via network. Based on name-address association,
NSF is able to enforce the security functions an NSF is able to enforce the security functions
over the given user (or user group)"; over the given user (or user group)";
key "user-id";
choice user-name { leaf user-id {
type uint32;
description
"The ID of the user.";
}
leaf user-name {
type string;
description description
"The name of the user."; "The name of the user.";
case tenant {
description
"Tenant information.";
leaf tenant {
type uint8;
description
"User's tenant information.";
}
}
case vn-id {
description
"VN-ID information.";
leaf vn-id {
type uint8;
description
"User's VN-ID information.";
}
}
} }
} }
list group {
container group {
description description
"The user (or user group) information with which "The user (or user group) information with which
network flow is associated: The user has many network flow is associated: The user has many
attributes such as name, id, password, type, attributes such as name, id, password, type,
authentication mode and so on. Name/id is often authentication mode and so on.
used in the security policy to identify the user. id is often used in the security policy to
Besides, NSF is aware of the IP address of the identify the user.
Besides, an NSF is aware of the IP address of the
user provided by a unified user management system user provided by a unified user management system
via network. Based on name-address association, via network. Based on name-address association,
NSF is able to enforce the security functions an NSF is able to enforce the security functions
over the given user (or user group)"; over the given user (or user group)";
key "group-id";
choice group-name { leaf group-id {
type uint32;
description description
"The name of the user."; "The ID of the group.";
}
case tenant { leaf group-name {
description type string;
"Tenant information."; description
"The name of the group.";
leaf tenant {
type uint8;
description
"User's tenant information.";
}
}
case vn-id {
description
"VN-ID information.";
leaf vn-id {
type uint8;
description
"User's VN-ID information.";
}
}
} }
} }
leaf security-group { leaf security-group {
type string; type string;
description description
"security-group."; "security-group.";
} }
} }
container gen-context-condition { container geography-context-condition {
description description
"Condition for generic context"; "Condition for generic context";
leaf gen-context-description { leaf geography-context-description {
type string; type string;
description description
"This is description for generic context condition. "This is description for generic context condition.
Vendors can write instructions for generic context Vendors can write instructions for generic context
condition that vendor made"; condition that vendor made";
} }
container geographic-location { container geography-location {
description description
"The location where network traffic is associated "The location which network traffic flow is associated
with. The region can be the geographic location with. The region can be the geographical location
such as country, province, and city, such as country, province, and city,
as well as the logical network location such as as well as the logical network location such as
IP address, network section, and network domain."; IP address, network section, and network domain.";
leaf-list src-geographic-location { leaf-list src-geography-location {
type uint32; type string;
description description
"This is mapped to ip address. We can acquire "The src-geography-location is a geographical
source region through ip address stored in the location mapped into an IP address. It matches the
database."; mapped IP address to the source IP address of the
traffic flow.";
reference
"ISO 3166: Codes for the representation of
names of countries and their subdivisions";
} }
leaf-list dest-geographic-location {
type uint32; leaf-list dest-geography-location {
type string;
description description
"This is mapped to ip address. We can acquire "The dest-geography-location is a geographical
destination region through ip address stored location mapped into an IP address. It matches the
in the database."; mapped IP address to the destination IP address of
the traffic flow.";
reference
"ISO 3166: Codes for the representation of
names of countries and their subdivisions";
} }
} }
} }
} }
} }
container action-clause-container { container action-clause-container {
description description
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection, include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection web and flow filtering, and deep packet inspection
for packets and flows."; for packets and flows.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA Policy I2NSF Capability YANG Data Model - Design Principles and
Model Overview"; ECA Policy Model Overview";
leaf action-clause-description { leaf action-clause-description {
type string; type string;
description description
"Description for an action clause."; "Description for an action clause.";
} }
container packet-action { container packet-action {
description description
"Action for packets"; "Action for packets";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-05: Information Model draft-ietf-i2nsf-capability-data-model-15:
of NSFs Capabilities - Design Principles and ECA I2NSF Capability YANG Data Model - Design Principles and
Policy Model Overview"; ECA Policy Model Overview";
leaf ingress-action {
type identityref {
base ingress-action;
}
description
"Action: pass, drop, reject, alert, and mirror.";
}
leaf egress-action {
type identityref {
base egress-action;
}
description
"Egress action: pass, drop, reject, alert, mirror,
invoke-signaling, tunnel-encapsulation,
forwarding, and redirection.";
}
leaf log-action {
type identityref {
base log-action;
}
description
"Log action: rule log and session log";
}
}
container flow-action {
description
"Action for flows";
reference
"RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-15:
I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview";
leaf ingress-action { leaf ingress-action {
type identityref { type identityref {
base ingress-action; base ingress-action;
} }
description description
"Action: pass, drop, reject, alert, and mirror."; "Action: pass, drop, reject, alert, and mirror.";
} }
leaf egress-action { leaf egress-action {
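Review bot: several descriptions were not updated with the restructuring in this hunk. The new `group` list keeps the `user` list's description verbatim ("The user (or user group) information ... id is often used in the security policy to identify the user"), and the renamed geography-context-condition / geography-context-description still describe a "generic context condition" with vendor-written instructions; both should describe what the nodes now hold, and the `security-group` leaf's description is just "security-group.". Converting `user` and `group` from containers to keyed lists is the right fix, but the change silently drops the tenant and vn-id cases, so a rule can no longer scope a user or group to a tenant or virtual network; if that scoping is still wanted it should return as optional leaves of the lists. src-geography-location and dest-geography-location are now plain strings with an ISO 3166 reference but no pattern enforcing the code format. Finally, the new packet-action and flow-action containers define identical ingress-action, egress-action and log-action leaves; a `grouping` used by both would remove the duplication.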
skipping to change at page 84, line 39 skipping to change at page 83, line 21
base log-action; base log-action;
} }
description description
"Log action: rule log and session log"; "Log action: rule log and session log";
} }
} }
container advanced-action { container advanced-action {
description description
"If the packet need be additionally inspected, "If the packet needs to be additionally inspected,
the packet are passed to advanced network the packet is passed to advanced network
security functions according to the profile."; security functions according to the profile.
The profile means the types of NSFs where the packet
will be forwarded in order to additionally
inspect the packet.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models"; Functions - Differences from ACL Data Models";
leaf-list content-security-control { leaf-list content-security-control {
type identityref { type identityref {
base content-security-control; base content-security-control;
} }
description description
"The Profile is divided into content security "Content-security-control is the NSFs that
inspect the payload of the packet.
The Profile is divided into content security
control and attack-mitigation-control. control and attack-mitigation-control.
Content security control: antivirus, ips, ids, Content security control: antivirus, ips, ids,
url filtering, mail filtering, file blocking, url filtering, mail filtering, file blocking,
file isolate, packet capture, application control, file isolate, packet capture, application control,
voip and volte."; voip and volte.";
} }
leaf-list attack-mitigation-control { leaf-list attack-mitigation-control {
type identityref { type identityref {
base attack-mitigation-control; base attack-mitigation-control;
} }
description description
"The Profile is divided into content security "Attack-mitigation-control is the NSFs that weaken
the attacks related to a denial of service
and reconnaissance.
The Profile is divided into content security
control and attack-mitigation-control. control and attack-mitigation-control.
Attack mitigation control: syn flood, udp flood, Attack mitigation control: syn flood, udp flood,
icmp flood, ip frag flood, ipv6 related, http flood, icmp flood, ip frag flood, ipv6 related, http flood,
https flood, dns flood, dns amp flood, ssl ddos, https flood, dns flood, dns amp flood, ssl ddos,
ip sweep, port scanning, ping of death, teardrop, ip sweep, port scanning, ping of death, teardrop,
oversized icmp, tracert."; oversized icmp, tracert.";
} }
} }
} }
} }
skipping to change at page 86, line 14 skipping to change at page 85, line 4
type string; type string;
description description
"This is a end rule"; "This is a end rule";
} }
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"This is enable "This is enable
False is not enable."; False is not enable.";
} }
leaf description { leaf description {
type string; type string;
description description
"This is a desription for rule-group"; "This is a description for rule-group";
} }
} }
} }
} }
} }
leaf i2nsf-ipsec {
type identityref {
base i2nsf-ipsec;
}
description
"Internet Key Exchnage (IKE) for NSFs
in the I2NSF framework";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined
Networking (SDN)-based IPsec Flow Protection - IPsec method
types can be selected.";
}
} }
<CODE ENDS> <CODE ENDS>
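Review bot: typo in the new i2nsf-ipsec leaf's description, "Exchnage" should be "Exchange". The leaf is placed after the closing braces of the rule structure, outside any rule, so the IPsec method selection applies to the whole policy rather than per rule; if that is intended, the description should say so. The reference pins a specific revision (draft-ietf-i2nsf-sdn-ipsec-flow-protection-08); citing the draft without the revision number avoids it going stale. In the rule-group leaves just above, "This is enable False is not enable." should read e.g. "Enables the rule group; false disables it.", and "This is a end rule" should be "This is an end rule".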
draft-ietf-i2nsf-nsf-facing-interface-dm-10:

Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface

6. XML Configuration Examples of Low-Level Security Policy Rules

This section shows XML configuration examples of low-level security
policy rules that are delivered from the Security Controller to NSFs
over the NSF-Facing Interface. For security requirements, we assume
that the NSFs (i.e., General firewall, Time-based firewall, URL
filter, VoIP/VoLTE filter, and http and https flood mitigation )
described in Appendix A. Configuration Examples of
[I-D.ietf-i2nsf-capability-data-model] are registered in I2NSF
framework. With the registed NSFs, we show configuration examples
for security policy rules of network security functions according to
the following three security requirements: (i) Block SNS access
during business hours, (ii) Block malicious VoIP/VoLTE packets coming
to the company, and (iii) Mitigate http and https flood attacks on
company web server.

6.1. Security Requirement 1: Block SNS Access during Business Hours

This section shows a configuration example for blocking SNS access
during business hours in IPv4 networks [RFC5737] or IPv6 networks
[RFC3849].

draft-ietf-i2nsf-nsf-facing-interface-dm-11:

Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

5. XML Configuration Examples of Low-Level Security Policy Rules

This section shows XML configuration examples of low-level security
policy rules that are delivered from the Security Controller to NSFs
over the NSF-Facing Interface. For security requirements, we assume
that the NSFs (i.e., General firewall, Time-based firewall, URL
filter, VoIP/VoLTE filter, and http and https flood mitigation )
described in Section Configuration Examples of
[I-D.ietf-i2nsf-capability-data-model] are registered in the I2NSF
framework. With the registered NSFs, we show configuration examples
for security policy rules of network security functions according to
the following three security requirements: (i) Block Social
Networking Service (SNS) access during business hours, (ii) Block
malicious VoIP/VoLTE packets coming to the company, and (iii)
Mitigate http and https flood attacks on company web server.

5.1. Security Requirement 1: Block Social Networking Service (SNS)
Access during Business Hours

This section shows a configuration example for blocking SNS access
during business hours in IPv4 networks or IPv6 networks.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
<rules> <rules>
<rule-name>block_sns_access_during_operation_time</rule-name> <rule-name>block_sns_access_during_operation_time</rule-name>
<time-intervals> <time-intervals>
<absolute-time-interval> <absolute-time-interval>
<start-date-time>2019-08-01T09:00:00Z</start-date-time> <start-time>09:00:00Z</start-time>
<end-date-time>2019-12-31T18:00:00Z</end-date-time> <end-time>18:00:00Z</end-time>
</absolute-time-interval> </absolute-time-interval>
</time-intervals> </time-intervals>
<condition-clause-container> <condition-clause-container>
<packet-security-ipv4-condition> <packet-security-ipv4-condition>
<pkt-sec-ipv4-src> <pkt-sec-ipv4-src>
<range-ipv4-address> <range-ipv4-address>
<start-ipv4-address>192.0.2.11</start-ipv4-address> <start-ipv4-address>192.0.2.11</start-ipv4-address>
<end-ipv4-address>192.0.2.90</end-ipv4-address> <end-ipv4-address>192.0.2.90</end-ipv4-address>
</range-ipv4-address> </range-ipv4-address>
</pkt-sec-ipv4-src> </pkt-sec-ipv4-src>
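Review bot: the time interval in this example changed from bounded start-date-time/end-date-time values (2019-08-01T09:00:00Z to 2019-12-31T18:00:00Z) to bare start-time/end-time values (09:00:00Z to 18:00:00Z) still inside absolute-time-interval. The new form reads as a daily recurring window, which fits "during business hours" better, but the element is still called "absolute" and nothing restricts it to business days; please confirm that the module defines absolute-time-interval with time-only values as recurring daily (that definition is outside this hunk) and add a weekday restriction if the module supports one. The section text also dropped the [RFC5737] and [RFC3849] citations although the examples still use the documentation prefixes 192.0.2.0/24 and 2001:DB8::/32; keeping them makes clear these are documentation addresses. The same points apply to the IPv6 example that follows.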
skipping to change at page 88, line 36 skipping to change at page 86, line 36
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<content-security-control>url-filtering</content-security-control> <content-security-control>url-filtering</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 7: Configuration XML for Time-based Firewall to Block SNS Figure 6: Configuration XML for Time-based Firewall to Block SNS
Access during Business Hours in IPv4 Networks Access during Business Hours in IPv4 Networks
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
<rules> <rules>
<rule-name>block_sns_access_during_operation_time</rule-name> <rule-name>block_sns_access_during_operation_time</rule-name>
<time-intervals> <time-intervals>
<absolute-time-interval> <absolute-time-interval>
<start-date-time>2019-08-01T09:00:00Z</start-date-time> <start-time>09:00:00Z</start-time>
<end-date-time>2019-12-31T18:00:00Z</end-date-time> <end-time>18:00:00Z</end-time>
</absolute-time-interval> </absolute-time-interval>
</time-intervals> </time-intervals>
<condition-clause-container> <condition-clause-container>
<packet-security-ipv6-condition> <packet-security-ipv6-condition>
<pkt-sec-ipv6-src> <pkt-sec-ipv6-src>
<range-ipv6-address> <range-ipv6-address>
<start-ipv6-address>2001:DB8:0:1::11</start-ipv6-address> <start-ipv6-address>2001:DB8:0:1::11</start-ipv6-address>
<end-ipv6-address>2001:DB8:0:1::90</end-ipv6-address> <end-ipv6-address>2001:DB8:0:1::90</end-ipv6-address>
</range-ipv6-address> </range-ipv6-address>
</pkt-sec-ipv6-src> </pkt-sec-ipv6-src>
skipping to change at page 89, line 36 skipping to change at page 87, line 36
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<content-security-control>url-filtering</content-security-control> <content-security-control>url-filtering</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 8: Configuration XML for Time-based Firewall to Block SNS Figure 7: Configuration XML for Time-based Firewall to Block SNS
Access during Business Hours in IPv6 Networks Access during Business Hours in IPv6 Networks
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
<rules> <rules>
<rule-name>block_sns_access_during_operation_time</rule-name> <rule-name>block_sns_access_during_operation_time</rule-name>
<time-intervals>
<absolute-time-interval>
<start-time>09:00:00Z</start-time>
<end-time>18:00:00Z</end-time>
</absolute-time-interval>
</time-intervals>
<condition-clause-container> <condition-clause-container>
<packet-security-url-category-condition> <packet-security-url-category-condition>
<user-defined-category>facebook</user-defined-category> <user-defined-category>SNS_1</user-defined-category>
<user-defined-category>instagram</user-defined-category> <user-defined-category>SNS_2</user-defined-category>
</packet-security-url-category-condition> </packet-security-url-category-condition>
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <flow-action>
<egress-action>drop</egress-action> <egress-action>drop</egress-action>
</packet-action> </flow-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 9: Configuration XML for Web Filter to Block SNS Access during Figure 8: Configuration XML for Web Filter to Block SNS Access during
Business Hours Business Hours
Figure 7 (or Figure 8) and Figure 9 show the configuration XML Figure 6 (or Figure 7) and Figure 8 show the configuration XML
documents for time-based firewall and web filter to block SNS access documents for time-based firewall and web filter to block SNS access
during business hours in IPv4 networks (or IPv6 networks). For the during business hours in IPv4 networks (or IPv6 networks). For the
security requirement, two NSFs (i.e., a time-based firewall and a web security requirement, two NSFs (i.e., a time-based firewall and a web
filter) were used because one NSF cannot meet the security filter) were used because one NSF cannot meet the security
requirement. The instances of XML documents for the time-based requirement. The instances of XML documents for the time-based
firewall and the web filter are as follows: Note that a detailed data firewall and the web filter are as follows: Note that a detailed data
model for the configuration of the advanced network security function model for the configuration of the advanced network security function
(i.e., web filter) can be defined as an extension in future. (i.e., web filter) can be defined as an extension in future.
Time-based Firewall is as follows: Time-based Firewall is as follows:
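Review bot: the <time-intervals> block added to the web filter configuration (Figure 8) duplicates the 09:00:00Z to 18:00:00Z window already enforced by the time-based firewall in Figure 6/7, and the description further down says the web filter only receives packets that the time-based firewall forwards for URL inspection; either explain why the web filter repeats the interval (e.g., so it is correct when deployed without the firewall) or drop it from this figure. Also, the sentence "The instances of XML documents for the time-based firewall and the web filter are as follows: Note that a detailed data model ... can be defined as an extension in future." wedges the note between the colon and the list it introduces; move the "Note that" sentence after the list and write "in the future".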
skipping to change at page 91, line 16 skipping to change at page 89, line 23
5. If the outgoing packets match the rules above, the time-based 5. If the outgoing packets match the rules above, the time-based
firewall sends the packets to url filtering for additional firewall sends the packets to url filtering for additional
inspection because the time-based firewall can not inspect inspection because the time-based firewall can not inspect
contents of the packets for the SNS URL. contents of the packets for the SNS URL.
Web Filter is as follows: Web Filter is as follows:
1. The name of the system policy is sns_access. 1. The name of the system policy is sns_access.
2. The name of the rule is block_facebook_and_instagram. 2. The name of the rule is block_SNS_1_and_SNS_2.
3. The rule inspects URL address to block the access packets to the 3. The rule inspects URL address to block the access packets to the
facebook or the instagram. SNS_1 or the SNS_2.
4. If the outgoing packets match the rules above, the packets are 4. If the outgoing packets match the rules above, the packets are
blocked. blocked.
6.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming 5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
to a Company to a Company
This section shows a configuration example for blocking malicious This section shows a configuration example for blocking malicious
VoIP/VoLTE packets coming to a company. VoIP/VoLTE packets coming to a company.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>voip_volte_inspection</system-policy-name> <system-policy-name>voip_volte_inspection</system-policy-name>
<rules> <rules>
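Review bot: item 2 of the web filter description says "The name of the rule is block_SNS_1_and_SNS_2." but the XML in Figure 8 still carries "<rule-name>block_sns_access_during_operation_time</rule-name>"; the example and its description should use the same rule name. Item 3 also never mentions the time interval that Figure 8 now contains, so the list no longer fully describes the figure. Minor wording: "url filtering" should be "URL filtering", "can not inspect" should be "cannot inspect", and "inspects URL address" should read "inspects the URL".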
skipping to change at page 92, line 36 skipping to change at page 90, line 36
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<content-security-control>voip-volte</content-security-control> <content-security-control>voip-volte</content-security-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 10: Configuration XML for General Firewall to Block Malicious Figure 9: Configuration XML for General Firewall to Block Malicious
VoIP/VoLTE Packets Coming to a Company VoIP/VoLTE Packets Coming to a Company
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>voip_volte_inspection</system-policy-name> <system-policy-name>voip_volte_inspection</system-policy-name>
<rules> <rules>
<rule-name>block_malicious_voice_id</rule-name> <rule-name>block_malicious_voice_id</rule-name>
<condition-clause-container> <condition-clause-container>
<packet-security-voice-condition> <packet-security-voice-condition>
<pkt-sec-src-voice-id>11111@voip.black.com</pkt-sec-src-voice-id> <pkt-sec-src-voice-id>user1@voip.malicious.example.com</pkt-sec-src-voice-id>
<pkt-sec-src-voice-id>22222@voip.black.com</pkt-sec-src-voice-id> <pkt-sec-src-voice-id>user2@voip.malicious.example.com</pkt-sec-src-voice-id>
</packet-security-voice-condition> </packet-security-voice-condition>
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <flow-action>
<ingress-action>drop</ingress-action> <ingress-action>drop</ingress-action>
</packet-action> </flow-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 11: Configuration XML for VoIP/VoLTE Filter to Block Malicious Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
VoIP/VoLTE Packets Coming to a Company VoIP/VoLTE Packets Coming to a Company
Figure 10 and Figure 11 show the configuration XML documents for Figure 9 and Figure 10 show the configuration XML documents for
general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE
packets coming to a company. For the security requirement, two NSFs packets coming to a company. For the security requirement, two NSFs
(i.e., a general firewall and a VoIP/VoLTE filter) were used because (i.e., a general firewall and a VoIP/VoLTE filter) were used because
one NSF can not meet the security requirement. The instances of XML one NSF can not meet the security requirement. The instances of XML
documents for the general firewall and the VoIP/VoLTE filter are as documents for the general firewall and the VoIP/VoLTE filter are as
follows: Note that a detailed data model for the configuration of the follows: Note that a detailed data model for the configuration of the
advanced network security function (i.e., VoIP/VoLTE filter) can be advanced network security function (i.e., VoIP/VoLTE filter) can be
described as an extension in future. described as an extension in future.
General Firewall is as follows: General Firewall is as follows:
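Review bot: the wording "can not meet the security requirement" should be "cannot meet", and this section says the advanced NSF data model "can be described as an extension in future" while Section 5.1 says "can be defined as an extension in future"; pick one phrasing ("defined as an extension in the future") and use it in all three requirement sections. The same colon-then-"Note that" ordering problem as in 5.1 applies here: "are as follows: Note that ..." should have the note after the list. Replacing "11111@voip.black.com" with "user1@voip.malicious.example.com" is the right change, since example.com is reserved for documentation.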
skipping to change at page 94, line 17 skipping to change at page 92, line 17
inspection because the general firewall can not inspect contents inspection because the general firewall can not inspect contents
of the VoIP/VoLTE packets. of the VoIP/VoLTE packets.
VoIP/VoLTE Filter is as follows: VoIP/VoLTE Filter is as follows:
1. The name of the system policy is malicious_voice_id. 1. The name of the system policy is malicious_voice_id.
2. The name of the rule is block_malicious_voice_id. 2. The name of the rule is block_malicious_voice_id.
3. The rule inspects the voice id of the VoIP/VoLTE packets to block 3. The rule inspects the voice id of the VoIP/VoLTE packets to block
the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and the malicious VoIP/VoLTE packets (i.e.,
22222@voip.black.com). user1@voip.malicious.example.com and
user2@voip.malicious.example.com).
4. If the incoming packets match the rules above, the packets are 4. If the incoming packets match the rules above, the packets are
blocked. blocked.
6.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a 5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
Company Web Server Company Web Server
This section shows a configuration example for mitigating http and This section shows a configuration example for mitigating http and
https flood attacks on a company web server. https flood attacks on a company web server.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>flood_attack_mitigation</system-policy-name> <system-policy-name>flood_attack_mitigation</system-policy-name>
<rules> <rules>
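Review bot: item 1 of the VoIP/VoLTE filter description says "The name of the system policy is malicious_voice_id." but Figure 10 has "<system-policy-name>voip_volte_inspection</system-policy-name>" and uses malicious_voice_id only in "<rule-name>block_malicious_voice_id</rule-name>"; align the description with the XML (or vice versa). Also write "voice ID" rather than "voice id" in item 3, and "mitigating HTTP and HTTPS flood attacks" with the protocol names capitalized in the 5.3 introduction.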
skipping to change at page 95, line 36 skipping to change at page 93, line 36
<action-clause-container> <action-clause-container>
<advanced-action> <advanced-action>
<attack-mitigation-control>http-and-https-flood <attack-mitigation-control>http-and-https-flood
</attack-mitigation-control> </attack-mitigation-control>
</advanced-action> </advanced-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 12: Configuration XML for General Firewall to Mitigate HTTP Figure 11: Configuration XML for General Firewall to Mitigate HTTP
and HTTPS Flood Attacks on a Company Web Server and HTTPS Flood Attacks on a Company Web Server
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy> <system-policy>
<system-policy-name>flood_attack_mitigation</system-policy-name> <system-policy-name>flood_attack_mitigation</system-policy-name>
<rules> <rules>
<rule-name>mitigate_http_and_https_flood_attack</rule-name> <rule-name>mitigate_http_and_https_flood_attack</rule-name>
<condition-clause-container> <condition-clause-container>
<packet-security-ddos-condition> <packet-security-ddos-condition>
<pkt-sec-alert-rate>100</pkt-sec-alert-rate> <pkt-sec-alert-packet-rate>100</pkt-sec-alert-packet-rate>
</packet-security-ddos-condition> </packet-security-ddos-condition>
</condition-clause-container> </condition-clause-container>
<action-clause-container> <action-clause-container>
<packet-action> <flow-action>
<ingress-action>drop</ingress-action> <ingress-action>drop</ingress-action>
</packet-action> </flow-action>
</action-clause-container> </action-clause-container>
</rules> </rules>
</system-policy> </system-policy>
</i2nsf-security-policy> </i2nsf-security-policy>
Figure 13: Configuration XML for HTTP and HTTPS Flood Attack Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web
Server Server
Figure 12 and Figure 13 show the configuration XML documents for Figure 11 and Figure 12 show the configuration XML documents for
general firewall and http and https flood attack mitigation to general firewall and http and https flood attack mitigation to
mitigate http and https flood attacks on a company web server. For mitigate http and https flood attacks on a company web server. For
the security requirement, two NSFs (i.e., a general firewall and a the security requirement, two NSFs (i.e., a general firewall and a
http and https flood attack mitigation) were used because one NSF can http and https flood attack mitigation) were used because one NSF can
not meet the security requirement. The instances of XML documents not meet the security requirement. The instances of XML documents
for the general firewall and http and https flood attack mitigation for the general firewall and http and https flood attack mitigation
are as follows: Note that a detailed data model for the configuration are as follows: Note that a detailed data model for the configuration
of the advanced network security function (i.e., http and https flood of the advanced network security function (i.e., http and https flood
attack mitigation) can be defined as an extension in future. attack mitigation) can be defined as an extension in future.
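Review bot: the renamed leaf "<pkt-sec-alert-packet-rate>100</pkt-sec-alert-packet-rate>" in Figure 12 carries a bare number with no unit, and the description later names the rule 100_per_second; state the unit (packets per second, if that is what the leaf means) either in the leaf's description statement or in the accompanying text so the threshold is unambiguous. Wording: "a http and https flood attack mitigation" should be "an HTTP and HTTPS flood attack mitigation NSF", and HTTP/HTTPS should be capitalized throughout this paragraph; the "are as follows: Note that ..." ordering should be fixed here as in 5.1 and 5.2.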
skipping to change at page 97, line 7 skipping to change at page 95, line 7
2. The name of the rule is mitigate_http_and_https_flood_attack. 2. The name of the rule is mitigate_http_and_https_flood_attack.
3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11) 3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11)
to inspect the access packets coming into the company web server. to inspect the access packets coming into the company web server.
4. The rule inspects a port number (i.e., 80 and 443) to inspect 4. The rule inspects a port number (i.e., 80 and 443) to inspect
http and https packet. http and https packet.
5. If the packets match the rules above, the general firewall sends 5. If the packets match the rules above, the general firewall sends
the packets to http and https flood attack mitigation for the packets to http and https flood attack mitigation for
additional inspection because the general firewall can not contrl additional inspection because the general firewall can not
the amount of packets for http and https packets. control the amount of packets for http and https packets.
HTTP and HTTPS Flood Attack Mitigation is as follows: HTTP and HTTPS Flood Attack Mitigation is as follows:
1. The name of the system policy is 1. The name of the system policy is
http_and_https_flood_attack_mitigation. http_and_https_flood_attack_mitigation.
2. The name of the rule is 100_per_second. 2. The name of the rule is 100_per_second.
3. The rule controls the http and https packets according to the 3. The rule controls the http and https packets according to the
amount of incoming packets. amount of incoming packets.
4. If the incoming packets match the rules above, the packets are 4. If the incoming packets match the rules above, the packets are
blocked. blocked.
7. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950][RFC8525]. the "YANG Module Names" registry [RFC7950][RFC8525].
name: ietf-i2nsf-policy-rule-for-nsf name: ietf-i2nsf-policy-rule-for-nsf
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
prefix: nsfintf prefix: nsfintf
reference: RFC XXXX reference: RFC XXXX
8. Security Considerations 7. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required secure transport is the secure transport layer, and the required secure transport is
Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
and the required secure transport is TLS [RFC8446]. and the required secure transport is TLS [RFC8446].
The NETCONF access control model [RFC8341] provides a means of The NETCONF access control model [RFC8341] provides a means of
restricting access to specific NETCONF or RESTCONF users to a restricting access to specific NETCONF or RESTCONF users to a
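Review bot: the HTTP and HTTPS flood attack mitigation description does not match Figure 12: item 1 says the system policy is http_and_https_flood_attack_mitigation and item 2 says the rule is 100_per_second, while the XML has "<system-policy-name>flood_attack_mitigation</system-policy-name>" and "<rule-name>mitigate_http_and_https_flood_attack</rule-name>". Fix one side so the example and its walkthrough agree. Minor: item 4 of the general firewall list should read "inspects the port numbers (i.e., 80 and 443) to inspect HTTP and HTTPS packets", and the typo fix "contrl" to "control" is good.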
skipping to change at page 98, line 15 skipping to change at page 96, line 15
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability: and their sensitivity/vulnerability:
o ietf-i2nsf-policy-rule-for-nsf: The attacker may provide incorrect o ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of
policy information of any target NSFs by illegally modifying this. this YANG module would directly impact on the configuration of
NSFs, e.g., completely turning off security monitoring and
mitigation capabilities; altering the scope of this monitoring and
mitigation; creating an overwhelming logging volume to overwhelm
downstream analytics or storage capacity; creating logging
patterns which are confusing; or rendering useless trained
statistics or artificial intelligence models.
Some of the readable data nodes in this YANG module may be considered Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data notification) to these data nodes. These are the subtrees and data
nodes and their sensitivity/vulnerability: nodes and their sensitivity/vulnerability:
o ietf-i2nsf-policy-rule-for-nsf: The attacker may gather the o ietf-i2nsf-policy-rule-for-nsf: The attacker may gather the
security policy information of any target NSFs and misuse the security policy information of any target NSFs and misuse the
security policy information for subsequent attacks. security policy information for subsequent attacks.
9. Acknowledgments In this YANG data module, note that the identity information of users
can be exchanged for security policy configuration based on a user's
information. This implied that to improve the network security there
is a tradeoff between a user's information privacy and network
security. For container users-conditions in this YANG data module,
the identity information of users can be exchanged between Security
Controller and an NSF for security policy configuration based on
users' information. Thus, for this exchange of the identity
information of users, there is a proportional relationship between
the release level of a user's privacy information and the network
security strength of an NSF.
8. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). This work was supported in part by Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based the IITP (2020-0-00395, Standard Development of Blockchain based
Network Management Automation Technology). Network Management Automation Technology).
10. Contributors 9. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document, such as Acee Many people actively contributed to this document, such as Acee
Lindem. The authors sincerely appreciate their contributions. Lindem and Roman Danyliw. The authors sincerely appreciate their
contributions.
The following are co-authors of this document: The following are co-authors of this document:
Patrick Lingga
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: patricklink@skku.edu
Hyoungshick Kim Hyoungshick Kim
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seo-ro Jangan-gu 2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419 Suwon, Gyeonggi-do 16419
Republic of Korea Republic of Korea
EMail: hyoung@skku.edu EMail: hyoung@skku.edu
Daeyoung Hyun Daeyoung Hyun
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seo-ro Jangan-gu 2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419 Suwon, Gyeonggi-do 16419
Republic of Korea Republic of Korea
EMail: dyhyun@skku.edu EMail: dyhyun@skku.edu
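Review bot: the rewritten write-access bullet for ietf-i2nsf-policy-rule-for-nsf reads as generic text for a monitoring module ("creating an overwhelming logging volume", "rendering useless trained statistics or artificial intelligence models") rather than for a policy configuration module; tailor it to what this module actually controls, e.g., that unauthorized writes can remove or reorder rules, change an action from drop to pass, or widen or narrow the condition ranges, so that the NSF stops enforcing the intended policy. In the new privacy paragraph, "This implied that" should be "This implies that", "YANG data module" should be "YANG data model" as in the rest of the document, the node name should be quoted as "users-conditions" (container), and the last two sentences restate the first; one sentence on the tradeoff between the amount of user identity information released and the precision of user-based policy is enough.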
skipping to change at page 100, line 5 skipping to change at page 98, line 32
EMail: taejin.ahn@kt.com EMail: taejin.ahn@kt.com
Se-Hui Lee Se-Hui Lee
Korea Telecom Korea Telecom
70 Yuseong-Ro, Yuseong-Gu 70 Yuseong-Ro, Yuseong-Gu
Daejeon, 305-811 Daejeon, 305-811
Republic of Korea Republic of Korea
EMail: sehuilee@kt.com EMail: sehuilee@kt.com
11. References 10. References
11.1. Normative References 10.1. Normative References
[I-D.ietf-i2nsf-capability-data-model]
Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
"I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
capability-data-model-15 (work in progress), January 2021.
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "Software-Defined Networking (SDN)-based IPsec
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-12 (work in progress), October 2020.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980, DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>. <https://www.rfc-editor.org/info/rfc768>.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
DOI 10.17487/RFC0791, September 1981, DOI 10.17487/RFC0791, September 1981,
<https://www.rfc-editor.org/info/rfc791>. <https://www.rfc-editor.org/info/rfc791>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981, RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>. <https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700,
DOI 10.17487/RFC1700, October 1994,
<https://www.rfc-editor.org/info/rfc1700>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3232] Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced
by an On-line Database", RFC 3232, DOI 10.17487/RFC3232,
January 2002, <https://www.rfc-editor.org/info/rfc3232>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849,
DOI 10.17487/RFC3849, July 2004,
<https://www.rfc-editor.org/info/rfc3849>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89, Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006, RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>. <https://www.rfc-editor.org/info/rfc4443>.
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737,
DOI 10.17487/RFC5737, January 2010,
<https://www.rfc-editor.org/info/rfc5737>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
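Review bot: the two added Normative References are works in progress ("draft-ietf-i2nsf-capability-data-model-15" and "draft-ietf-i2nsf-sdn-ipsec-flow-protection-12"); a normative dependency on an unpublished draft will hold this document in the RFC Editor queue until they are published, so confirm the dependency is really normative (the YANG module imports from them) or move them to Informative. RFC 2119 has been removed from this list; if the document still uses BCP 14 keywords anywhere, both RFC 2119 and RFC 8174 must remain normative. Removing RFC 1700 and RFC 3232 is fine only if nothing in the text still cites them. RFC 3849 and RFC 5737 are also gone while the Section 5.1 examples still use the documentation address ranges; keep them at least as informative references.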
skipping to change at page 101, line 42 skipping to change at page 100, line 17
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8177] Lindem, A., Ed., Qu, Y., Yeung, D., Chen, I., and J.
Zhang, "YANG Data Model for Key Chains", RFC 8177,
DOI 10.17487/RFC8177, June 2017,
<https://www.rfc-editor.org/info/rfc8177>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>.
[RFC8335] Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M. [RFC8335] Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M.
Boucadair, "PROBE: A Utility for Probing Interfaces", Boucadair, "PROBE: A Utility for Probing Interfaces",
RFC 8335, DOI 10.17487/RFC8335, February 2018, RFC 8335, DOI 10.17487/RFC8335, February 2018,
<https://www.rfc-editor.org/info/rfc8335>. <https://www.rfc-editor.org/info/rfc8335>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
skipping to change at page 102, line 42 skipping to change at page 101, line 5
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
10.2. Informative References
   (numbered 11.2 in draft-ietf-i2nsf-nsf-facing-interface-dm-10.txt)

   --- draft-10 only (removed in draft-11) ---
   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   --- draft-10 only (removed in draft-11) ---
   [I-D.ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-08 (work in progress), August 2020.

   --- draft-10 version ---
   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
              "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
              nsf-monitoring-data-model-03 (work in progress), May 2020.

   --- draft-11 version ---
   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Lingga, P., Hares, S., Xia, L., and H.
              Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-
              ietf-i2nsf-nsf-monitoring-data-model-04 (work in
              progress), September 2020.

   --- draft-10 only (removed in draft-11) ---
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
              (work in progress), June 2020.

   --- draft-11 only (added) ---
   [IANA-Protocol-Numbers]
              "Assigned Internet Protocol Numbers", Available:
              https://www.iana.org/assignments/protocol-
              numbers/protocol-numbers.xhtml, January 2021.

   --- draft-11 only (added) ---
   [ISO-Country-Codes]
              "Codes for the representation of names of countries and
              their subdivisions", ISO 3166, September 2018.

   --- draft-11 only in this section (draft-10 lists RFC 8329 under
       Normative References) ---
   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
              <https://www.rfc-editor.org/info/rfc8329>.
Authors' Addresses

   Jinyong Tim Kim (editor)
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

End of changes. 266 change blocks.
1074 lines changed or deleted, 1074 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/