draft-ietf-i2nsf-nsf-facing-interface-dm-13.txt   draft-ietf-i2nsf-nsf-facing-interface-dm-14.txt 
I2NSF Working Group J. Kim, Ed. I2NSF Working Group J. Kim, Ed.
Internet-Draft J. Jeong, Ed. Internet-Draft J. Jeong, Ed.
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: 16 February 2022 J. Park Expires: 19 March 2022 J. Park
ETRI ETRI
S. Hares S. Hares
Q. Lin Q. Lin
Huawei Huawei
15 August 2021 15 September 2021
I2NSF Network Security Function-Facing Interface YANG Data Model I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-13 draft-ietf-i2nsf-nsf-facing-interface-dm-14
Abstract Abstract
This document defines a YANG data model for configuring security This document defines a YANG data model for configuring security
policy rules on Network Security Functions (NSF) in the Interface to policy rules on Network Security Functions (NSF) in the Interface to
Network Security Functions (I2NSF) framework. The YANG data model in Network Security Functions (I2NSF) framework. The YANG data model in
this document corresponds to the information model for NSF-Facing this document corresponds to the information model for NSF-Facing
Interface in the I2NSF framework. Interface in the I2NSF framework.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 February 2022. This Internet-Draft will expire on 19 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 6, line 22 skipping to change at page 6, line 22
This section shows a YANG tree diagram for a condition clause for a This section shows a YANG tree diagram for a condition clause for a
general I2NSF security policy rule for generic network security general I2NSF security policy rule for generic network security
functions. functions.
module: ietf-i2nsf-policy-rule-for-nsf module: ietf-i2nsf-policy-rule-for-nsf
+--rw i2nsf-security-policy* [system-policy-name] +--rw i2nsf-security-policy* [system-policy-name]
... ...
+--rw rules* [rule-name] +--rw rules* [rule-name]
| ... | ...
| +--rw event | +--rw event
| ... | ...
| +--rw condition | +--rw condition
| | +--rw condition-clause-description? string | | +--rw condition-clause-description? string
| | +--rw mac | | +--rw ethernet
| | | +--rw mac-description? string | | | +--rw ethernet-description? string
| | | +--rw source-address* yang:mac-address | | | +--rw source-address* yang:mac-address
| | | +--rw destination-address* yang:mac-address | | | +--rw destination-address* yang:mac-address
| | | +--rw ether-type* uint16 | | | +--rw ether-type* uint16
| | +--rw ipv4 | | +--rw ipv4
| | | +--rw description? string | | | +--rw description? string
| | | +--rw header-length* [start end] | | | +--rw header-length* [start end]
| | | | +--rw start uint8 | | | | +--rw start uint8
| | | | +--rw end uint8 | | | | +--rw end uint8
| | | +--rw dscp* inet:dscp | | | +--rw dscp* inet:dscp
| | | +--rw total-length* [start end] | | | +--rw total-length* [start end]
| | | | +--rw start uint16 | | | | +--rw start uint16
| | | | +--rw end uint16 | | | | +--rw end uint16
| | | +--rw identification* uint16 | | | +--rw identification* uint16
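Review bot: the rename of the `mac` container to `ethernet` (and `mac-description` to `ethernet-description`) in the tree diagram must be carried through everywhere the old name appears, including the module body, the Section 5 examples, and the corresponding identity in the consumer-facing data model, otherwise the tree diagram and the module disagree. The container still matches `source-address*`/`destination-address*` of type `yang:mac-address`, so its new description should say plainly that it matches MAC addresses and the EtherType, and `ether-type* uint16` would benefit from a reference to the numbering it uses, for example [IEEE-802.3], which the draft already cites.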
skipping to change at page 7, line 4 skipping to change at page 7, line 4
| | | | +--rw start uint16 | | | | +--rw start uint16
| | | | +--rw end uint16 | | | | +--rw end uint16
| | | +--rw ttl* [start end] | | | +--rw ttl* [start end]
| | | | +--rw start uint8 | | | | +--rw start uint8
| | | | +--rw end uint8 | | | | +--rw end uint8
| | | +--rw protocol* uint8 | | | +--rw protocol* uint8
| | | +--rw source-address | | | +--rw source-address
| | | | +--rw (match-type)? | | | | +--rw (match-type)?
| | | | +--:(prefix) | | | | +--:(prefix)
| | | | | +--rw ipv4-prefix* [ipv4] | | | | | +--rw ipv4-prefix* [ipv4]
| | | | | +--rw ipv4 inet:ipv4-address | | | | | +--rw ipv4 inet:ipv4-address-no-zone
| | | | | +--rw (subnet)? | | | | | +--rw (subnet)?
| | | | | +--:(prefix-length) | | | | | +--:(prefix-length)
| | | | | | +--rw prefix-length? uint8 | | | | | | +--rw prefix-length? uint8
| | | | | +--:(netmask) | | | | | +--:(netmask)
| | | | | +--rw netmask? yang:dotted-quad | | | | | +--rw netmask? yang:dotted-quad
| | | | +--:(range) | | | | +--:(range)
| | | | +--rw ipv4-range* [start end] | | | | +--rw ipv4-range* [start end]
| | | | +--rw start inet:ipv4-address | | | | +--rw start inet:ipv4-address-no-zone
| | | | +--rw end inet:ipv4-address | | | | +--rw end inet:ipv4-address-no-zone
| | | +--rw destination-address | | | +--rw destination-address
| | | | +--rw (match-type)? | | | | +--rw (match-type)?
| | | | +--:(prefix) | | | | +--:(prefix)
| | | | | +--rw ipv4-prefix* [ipv4] | | | | | +--rw ipv4-prefix* [ipv4]
| | | | | +--rw ipv4 inet:ipv4-address | | | | | +--rw ipv4 inet:ipv4-address-no-zone
| | | | | +--rw (subnet)? | | | | | +--rw (subnet)?
| | | | | +--:(prefix-length) | | | | | +--:(prefix-length)
| | | | | | +--rw prefix-length? uint8 | | | | | | +--rw prefix-length? uint8
| | | | | +--:(netmask) | | | | | +--:(netmask)
| | | | | +--rw netmask? yang:dotted-quad | | | | | +--rw netmask? yang:dotted-quad
| | | | +--:(range) | | | | +--:(range)
| | | | +--rw ipv4-range* [start end] | | | | +--rw ipv4-range* [start end]
| | | | +--rw start inet:ipv4-address | | | | +--rw start inet:ipv4-address-no-zone
| | | | +--rw end inet:ipv4-address | | | | +--rw end inet:ipv4-address-no-zone
| | | +--rw ipopts* identityref | | | +--rw ipopts* identityref
| | +--rw ipv6 | | +--rw ipv6
| | | +--rw description? string | | | +--rw description? string
| | | +--rw dscp* inet:dscp | | | +--rw dscp* inet:dscp
| | | +--rw flow-label* [start end] | | | +--rw flow-label* [start end]
| | | | +--rw start inet:ipv6-flow-label | | | | +--rw start inet:ipv6-flow-label
| | | | +--rw end inet:ipv6-flow-label | | | | +--rw end inet:ipv6-flow-label
| | | +--rw payload-length* [start end] | | | +--rw payload-length* [start end]
| | | | +--rw start uint16 | | | | +--rw start uint16
| | | | +--rw end uint16 | | | | +--rw end uint16
| | | +--rw next-header* uint8 | | | +--rw next-header* uint8
| | | +--rw hop-limit* [start end] | | | +--rw hop-limit* [start end]
| | | | +--rw start uint8 | | | | +--rw start uint8
| | | | +--rw end uint8 | | | | +--rw end uint8
| | | +--rw source-address | | | +--rw source-address
| | | | +--rw (match-type)? | | | | +--rw (match-type)?
| | | | +--:(prefix) | | | | +--:(prefix)
| | | | | +--rw ipv6-prefix* [ipv6] | | | | | +--rw ipv6-prefix* [ipv6]
| | | | | +--rw ipv6 inet:ipv6-address | | | | | +--rw ipv6 inet:ipv6-address-no-zone
| | | | | +--rw prefix-length? uint8 | | | | | +--rw prefix-length? uint8
| | | | +--:(range) | | | | +--:(range)
| | | | +--rw ipv6-range* [start end] | | | | +--rw ipv6-range* [start end]
| | | | +--rw start inet:ipv6-address | | | | +--rw start inet:ipv6-address-no-zone
| | | | +--rw end inet:ipv6-address | | | | +--rw end inet:ipv6-address-no-zone
| | | +--rw destination-address | | | +--rw destination-address
| | | +--rw (match-type)? | | | +--rw (match-type)?
| | | +--:(prefix) | | | +--:(prefix)
| | | | +--rw ipv6-prefix* [ipv6] | | | | +--rw ipv6-prefix* [ipv6]
| | | | +--rw ipv6 inet:ipv6-address | | | | +--rw ipv6 inet:ipv6-address-no-zone
| | | | +--rw prefix-length? uint8 | | | | +--rw prefix-length? uint8
| | | +--:(range) | | | +--:(range)
| | | +--rw ipv6-range* [start end] | | | +--rw ipv6-range* [start end]
| | | +--rw start inet:ipv6-address | | | +--rw start inet:ipv6-address-no-zone
| | | +--rw end inet:ipv6-address | | | +--rw end inet:ipv6-address-no-zone
| | +--rw tcp | | +--rw tcp
| | | +--rw description? string | | | +--rw description? string
| | | +--rw source-port-number* [start end] | | | +--rw source-port-number* [start end]
| | | | +--rw start inet:port-number | | | | +--rw start inet:port-number
| | | | +--rw end inet:port-number | | | | +--rw end inet:port-number
| | | +--rw destination-port-number* [start end] | | | +--rw destination-port-number* [start end]
| | | | +--rw start inet:port-number | | | | +--rw start inet:port-number
| | | | +--rw end inet:port-number | | | | +--rw end inet:port-number
| | | +--rw flags* identityref | | | +--rw flags* identityref
| | +--rw udp | | +--rw udp
| | | +--rw description? string | | | +--rw description? string
| | | +--rw source-port-number | | | +--rw source-port-number
| | | | +--rw start? inet:port-number | | | | +--rw start? inet:port-number
| | | | +--rw end? inet:port-number | | | | +--rw end? inet:port-number
| | | +--rw destination-port-number | | | +--rw destination-port-number
| | | | +--rw start? inet:port-number | | | | +--rw start? inet:port-number
| | | | +--rw end? inet:port-number | | | | +--rw end? inet:port-number
| | | +--rw total-length* [start end] | | | +--rw total-length* [start end]
| | | +--rw start uint32 | | | +--rw start uint32
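Review bot: the change from `inet:ipv4-address`/`inet:ipv6-address` to the `-no-zone` variants throughout the source and destination matches is the right call, since a zone index is meaningful only on the host that defines it and has no place in a policy that an NSF evaluates on forwarded traffic. One inconsistency in this hunk is left untouched: the TCP port matches are lists with mandatory bounds, `+--rw source-port-number* [start end]`, while the UDP ones are single containers with optional `start?`/`end?`, so a UDP rule can match only one port range and can be configured with neither bound. Suggest modelling the UDP port ranges exactly like the TCP ones.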
skipping to change at page 9, line 25 skipping to change at page 9, line 25
| | | +--rw description? string | | | +--rw description? string
| | | +--rw source-voice-id* string | | | +--rw source-voice-id* string
| | | +--rw destination-voice-id* string | | | +--rw destination-voice-id* string
| | | +--rw user-agent* string | | | +--rw user-agent* string
| | +--rw ddos | | +--rw ddos
| | | +--rw description? string | | | +--rw description? string
| | | +--rw alert-packet-rate? uint32 | | | +--rw alert-packet-rate? uint32
| | | +--rw alert-flow-rate? uint32 | | | +--rw alert-flow-rate? uint32
| | | +--rw alert-byte-rate? uint32 | | | +--rw alert-byte-rate? uint32
| | +--rw anti-virus | | +--rw anti-virus
| | | +--rw profile? string | | | +--rw profile* string
| | | +--rw exception-files? string | | | +--rw exception-files* string
| | +--rw payload | | +--rw payload
| | | +--rw packet-payload-description? string | | | +--rw packet-payload-description? string
| | | +--rw payload-content* string | | | +--rw payload-content* string
| | +--rw context | | +--rw context
| | +--rw context-description? string | | +--rw context-description? string
| | +--rw application | | +--rw application
| | | +--rw description? string | | | +--rw description? string
| | | +--rw object* string | | | +--rw object* string
| | | +--rw group* string | | | +--rw group* string
| | | +--rw label* string | | | +--rw label* string
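Review bot: `profile` and `exception-files` under `anti-virus` change from optional leaves (`?`) to leaf-lists (`*`), a data-model change that existing instance data and the Section 5 examples must follow. Since each entry in `exception-files` excludes a file from scanning, the leaf description should state what an entry is matched against (exact file name, path, or pattern) and whether matching is case-sensitive; without that, two NSFs can apply the same policy differently and one of them silently scans less than the operator intended.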
skipping to change at page 12, line 48 skipping to change at page 12, line 48
firewall, web filter, VoIP/VoLTE security service, and DDoS-attack firewall, web filter, VoIP/VoLTE security service, and DDoS-attack
mitigation in Section 5. mitigation in Section 5.
4.1. YANG Module of NSF-Facing Interface 4.1. YANG Module of NSF-Facing Interface
This section describes a YANG module of NSF-Facing Interface. This This section describes a YANG module of NSF-Facing Interface. This
document provides identities in the data model for the configuration document provides identities in the data model for the configuration
of an NSF. The identity has the same concept with the corresponding of an NSF. The identity has the same concept with the corresponding
identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG
module imports from [RFC6991]. It makes references to [RFC0768] module imports from [RFC6991]. It makes references to [RFC0768]
[RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4960] [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4443]
[RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [RFC4960] [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344]
[ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers]
[I-D.ietf-i2nsf-capability-data-model] [IANA-ICMP-Parameters] [I-D.ietf-i2nsf-capability-data-model]
[I-D.ietf-i2nsf-nsf-monitoring-data-model]. [I-D.ietf-i2nsf-nsf-monitoring-data-model].
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-08-15.yang" <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-09-15.yang"
module ietf-i2nsf-policy-rule-for-nsf { module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix prefix
nsfintf; nsfintf;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
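Review bot: in the prose of this hunk a period is missing after the citation in `identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG`, and "has the same concept with" should read "has the same concept as". The reference sentence gains [RFC4443] and [RFC5595] here; make sure both are actually cited in `reference` statements inside the module (ICMPv6 and DCCP service codes respectively), otherwise the list in the prose and the module disagree.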
skipping to change at page 13, line 29 skipping to change at page 13, line 29
prefix yang; prefix yang;
reference reference
"Section 3 of RFC 6991"; "Section 3 of RFC 6991";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jinyong Tim Kim Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu> <mailto:timkim@skku.edu>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>"; <mailto:pauljeong@skku.edu>";
description description
"This module is a YANG module for Network Security Functions "This module is a YANG module for Network Security Functions
(NSF)-Facing Interface. (NSF)-Facing Interface.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
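Review bot: the `WG Web` URL moves from `http` to `https`, which is good, but `tools.ietf.org/wg/i2nsf` has been superseded by the datatracker; the current convention for `contact` statements is `<https://datatracker.ietf.org/wg/i2nsf/>`.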
skipping to change at page 14, line 14 skipping to change at page 14, line 14
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
revision "2021-08-15"{ revision "2021-09-15"{
description "The latest revision."; description "The latest revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
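Review bot: the `revision` description `"The latest revision."` carries no information and becomes wrong as soon as a second revision entry is added; RFC 8407 asks that each revision entry describe what that revision changed, and for the first published version `"Initial revision."` is the usual wording. The revision date `2021-09-15` does match the date in the `<CODE BEGINS>` file name, which is the part that must stay in sync.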
skipping to change at page 14, line 46 skipping to change at page 14, line 46
identity priority-by-number { identity priority-by-number {
base priority-usage; base priority-usage;
description description
"Identity for priority by number"; "Identity for priority by number";
} }
identity event { identity event {
description description
"Base identity for policy events"; "Base identity for policy events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - Event"; Monitoring YANG Data Model - Event";
} }
identity system-event { identity system-event {
base event; base event;
description description
"Identity for system events"; "Identity for system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System event"; Monitoring YANG Data Model - System event";
} }
identity system-alarm { identity system-alarm {
base event; base event;
description description
"Identity for system alarms"; "Identity for system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm"; Monitoring YANG Data Model - System alarm";
} }
identity access-violation { identity access-violation {
base system-event; base system-event;
description description
"Identity for access violation "Identity for access violation
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System event for access Monitoring YANG Data Model - System event for access
violation"; violation";
} }
identity configuration-change { identity configuration-change {
base system-event; base system-event;
description description
"Identity for configuration change "Identity for configuration change
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System event for configuration Monitoring YANG Data Model - System event for configuration
change"; change";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm; base system-alarm;
description description
"Identity for memory alarm "Identity for memory alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm for memory"; Monitoring YANG Data Model - System alarm for memory";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm; base system-alarm;
description description
"Identity for CPU alarm "Identity for CPU alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU"; Monitoring YANG Data Model - System alarm for CPU";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm; base system-alarm;
description description
"Identity for disk alarm "Identity for disk alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm for disk"; Monitoring YANG Data Model - System alarm for disk";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm; base system-alarm;
description description
"Identity for hardware alarm "Identity for hardware alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm for hardware"; Monitoring YANG Data Model - System alarm for hardware";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm; base system-alarm;
description description
"Identity for interface alarm "Identity for interface alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
Monitoring YANG Data Model - System alarm for interface"; Monitoring YANG Data Model - System alarm for interface";
} }
identity fragmentation-flags { identity fragmentation-flags {
description description
"Base identity for fragmentation flags type"; "Base identity for fragmentation flags type";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
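Review bot: every `reference` statement in this hunk pins a specific draft revision, `draft-ietf-i2nsf-nsf-monitoring-data-model-09`, which has to be bumped by hand on each update (this hunk is exactly that bump, -08 to -09) and will be stale once the monitoring document is published. The module already uses `RFC XXXX` for its own revision reference; the same approach, a placeholder plus an RFC Editor instruction to replace it, would avoid a churn-only diff for every revision of the companion draft.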
skipping to change at page 23, line 25 skipping to change at page 23, line 25
I2NSF Capability YANG Data Model"; I2NSF Capability YANG Data Model";
} }
identity anti-ddos { identity anti-ddos {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for advanced NSF Anti-DDoS or DDoS Mitigator "Identity for advanced NSF Anti-DDoS or DDoS Mitigator
capability."; capability.";
} }
identity ingress-action { identity action {
description description
"Base identity for action"; "Base identity for action";
}
identity ingress-action {
base action;
description
"Base identity for ingress action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Ingress Action"; I2NSF Capability YANG Data Model - Ingress Action";
} }
identity egress-action { identity egress-action {
base action;
description description
"Base identity for egress action"; "Base identity for egress action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Egress Action"; I2NSF Capability YANG Data Model - Egress Action";
} }
identity default-action { identity default-action {
base action;
description description
"Base identity for default action"; "Base identity for default action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Default Action"; I2NSF Capability YANG Data Model - Default Action";
} }
identity pass { identity pass {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
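Review bot: the new base identity `action`, now the base of `ingress-action`, `egress-action` and `default-action`, changes the identity hierarchy, so every `type identityref { base ...; }` leaf in the module must be re-checked: a leaf declared with `base action` accepts any identity under any of the three branches, whereas a leaf that should carry only ingress actions must keep `base ingress-action`. Note also that `pass` already lists `base ingress-action;`, `base egress-action;` and `base default-action;` explicitly, so it gains nothing from the common base; the description of `action` should say which leaves are meant to be typed against it.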
skipping to change at page 24, line 50 skipping to change at page 25, line 10
base default-action; base default-action;
description description
"Identity for rate limiting action"; "Identity for rate limiting action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Actions and I2NSF Capability YANG Data Model - Actions and
Default Action"; Default Action";
} }
identity log-action { identity log-action {
base action;
description description
"Base identity for log action"; "Base identity for log action";
} }
identity rule-log { identity rule-log {
base log-action; base log-action;
description description
"Identity for rule log"; "Identity for rule log";
} }
identity session-log { identity session-log {
base log-action; base log-action;
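Review bot: `log-action` also gets `base action;` in this hunk, which puts `rule-log` and `session-log` in the same identity tree as the rate limiting action and the other forwarding actions. Any leaf typed `identityref { base action; }` for a packet-handling action will therefore validate with a log identity, which is not a forwarding decision. If logging is meant as an additional action rather than an alternative to pass/drop, keep the log actions under a separate base or constrain the packet-action leaves to the specific sub-bases.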
skipping to change at page 28, line 29 skipping to change at page 28, line 37
} }
/* /*
* Groupings * Groupings
*/ */
grouping ipv4-prefix { grouping ipv4-prefix {
description description
"The list of IPv4 addresses."; "The list of IPv4 addresses.";
leaf ipv4 { leaf ipv4 {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"The value of IPv4 address."; "The value of IPv4 address.";
} }
choice subnet { choice subnet {
description description
"The subnet can be specified as a prefix length or "The subnet can be specified as a prefix length or
netmask."; netmask.";
leaf prefix-length { leaf prefix-length {
type uint8 { type uint8 {
range "0..32"; range "0..32";
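Review bot: in `grouping ipv4-prefix` the `choice subnet` has neither `mandatory true` nor a default, so an entry with only `ipv4` set is valid but its meaning is unspecified (a single host, i.e. /32, or something else). State the default interpretation in the description or make the choice mandatory; an NSF that guesses differently from the controller ends up with a wider or narrower match than the operator configured. The grouping description `"The list of IPv4 addresses."` should also say that each entry is a prefix (address plus subnet), since that is what the nodes express.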
skipping to change at page 29, line 4 skipping to change at page 29, line 13
} }
leaf netmask { leaf netmask {
type yang:dotted-quad; type yang:dotted-quad;
description description
"The subnet specified as a netmask."; "The subnet specified as a netmask.";
} }
} }
reference reference
"RFC 791: Internet Protocol - IPv4 address "RFC 791: Internet Protocol - IPv4 address
RFC 8344: A YANG Data Model for IP Management"; RFC 8344: A YANG Data Model for IP Management";
} }
grouping ipv6-prefix { grouping ipv6-prefix {
description description
"The list of IPv6 addresses."; "The list of IPv6 addresses.";
leaf ipv6 { leaf ipv6 {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"The value of IPv6 address."; "The value of IPv6 address.";
} }
leaf prefix-length { leaf prefix-length {
type uint8 { type uint8 {
range "0..128"; range "0..128";
} }
description description
"The length of the subnet prefix."; "The length of the subnet prefix.";
} }
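Review bot: `leaf netmask` is typed `yang:dotted-quad`, which accepts any four octets, so a non-contiguous mask such as 255.0.255.0 (a constructed example) is syntactically valid; the description should say whether such masks are permitted or whether only contiguous masks equivalent to a `prefix-length` are allowed, in which case the `netmask` branch is a convenience form of `prefix-length` and should be documented as such. In `grouping ipv6-prefix`, `prefix-length` is optional without a default, the same gap as on the IPv4 side.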
skipping to change at page 29, line 35 skipping to change at page 29, line 43
RFC 8344: A YANG Data Model for IP Management"; RFC 8344: A YANG Data Model for IP Management";
} }
grouping ipv4-range { grouping ipv4-range {
description description
"Range match for the IPv4 addresses. If only one value is "Range match for the IPv4 addresses. If only one value is
needed, then set both start and end to the same value. needed, then set both start and end to the same value.
The end IPv4 address MUST be equal or greater than the The end IPv4 address MUST be equal or greater than the
start IPv4 address."; start IPv4 address.";
leaf start { leaf start {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"Starting IPv4 address for a range match."; "Starting IPv4 address for a range match.";
} }
leaf end { leaf end {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"Ending IPv4 address for a range match."; "Ending IPv4 address for a range match.";
} }
reference reference
"RFC 791: Internet Protocol - IPv4 address"; "RFC 791: Internet Protocol - IPv4 address";
} }
grouping ipv6-range { grouping ipv6-range {
description description
"Range match for the IPv6 addresses. If only one value is "Range match for the IPv6 addresses. If only one value is
needed, then set both start and end to the same value. needed, then set both start and end to the same value.
The end IPv6 address number MUST be equal to or greater than The end IPv6 address number MUST be equal to or greater than
the start IPv6 address."; the start IPv6 address.";
leaf start { leaf start {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"Starting IPv6 address for a range match."; "Starting IPv6 address for a range match.";
} }
leaf end { leaf end {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"Ending IPv6 address for a range match."; "Ending IPv6 address for a range match.";
} }
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 address"; Specification - IPv6 address";
} }
grouping ipv4-address { grouping ipv4-address {
description description
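Review bot: `grouping ipv4-range` and `grouping ipv6-range` say the end address `MUST be equal or greater than the start`, but nothing in the model enforces it, and a `must` statement cannot do it cleanly because XPath compares the `-no-zone` address types as strings. The description should therefore say that the NSF rejects a range with end before start rather than silently matching nothing, so that a mis-ordered range in a deny rule fails loudly instead of leaving traffic unfiltered. Minor wording: "The end IPv6 address number" should be "The end IPv6 address", and the IPv4 text should read "equal to or greater than" like the IPv6 one.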
skipping to change at page 34, line 13 skipping to change at page 34, line 21
"This description gives more information about "This description gives more information about
rules."; rules.";
} }
leaf rule-priority { leaf rule-priority {
type uint8 { type uint8 {
range "1..255"; range "1..255";
} }
description description
"The priority keyword comes with a mandatory "The priority keyword comes with a mandatory
numeric value which can range from 1 till 255. numeric value which can range from 1 up to 255.
Note that a higher number means a higher priority"; Note that a higher number means a higher priority";
} }
leaf rule-enable { leaf rule-enable {
type boolean; type boolean;
description description
"True is enable. "True is enable.
False is not enable."; False is not enable.";
} }
leaf session-aging-time { leaf session-aging-time {
type uint16; type uint16;
units "second"; units "second";
description description
"This is session aging time."; "This is session aging time.";
} }
container long-connection { container long-connection {
description description
"This is long-connection"; "A container for long connection. A long connection is a
connection that is maintained after the socket connection
is established, regardless of whether it is used for data
traffic or not.";
leaf enable { leaf enable {
type boolean; type boolean;
description description
"True is enable. "True is enabled.
False is not enable."; False is not enabled.";
} }
leaf duration { leaf duration {
type uint16; type uint16;
units "second";
description description
"This is the duration of the long-connection."; "This is the duration of the long-connection.";
} }
} }
container event { container event {
description description
"An event is defined as any important "An event is defined as any important
occurrence in time of a change in the system being occurrence in time of a change in the system being
managed, and/or in the environment of the system being managed, and/or in the environment of the system being
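Review bot: the `long-connection` description is expanded and its `enable` leaf now reads "True is enabled. False is not enabled.", but the sibling `rule-enable` leaf in the same hunk still has "True is enable. False is not enable."; apply the same fix there. Both `session-aging-time` and `long-connection/duration` are `uint16` in seconds, which caps them at 65535 s (about 18 hours); given the new definition of a long connection as one kept open regardless of traffic, consider `uint32`, and state in `duration` what happens when it expires (connection torn down, or re-evaluated against the rule). The `rule-priority` sentence "a higher number means a higher priority" is valuable because implementations differ on this convention; keep it and end it with a period.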
skipping to change at page 35, line 19 skipping to change at page 35, line 30
or not. Examples of an I2NSF event include time and or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that user actions (e.g., logon, logoff, and actions that
violate any ACL.)."; violate any ACL.).";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf event-clause-description { leaf event-clause-description {
type string; type string;
description description
"Description for an event clause"; "Description for an event clause";
} }
container time { container time {
skipping to change at page 35, line 47 skipping to change at page 36, line 10
} }
leaf end-date-time { leaf end-date-time {
type yang:date-and-time; type yang:date-and-time;
description description
"This is the end date and time for a policy rule. The "This is the end date and time for a policy rule. The
policy rule will stop working after the specified policy rule will stop working after the specified
end-date-time."; end-date-time.";
} }
container period{ container period {
when when
"../frequency!='only-once'"; "../frequency!='only-once'";
description description
"This represents the repetition time. In the case "This represents the repetition time. In the case
where the frequency is weekly, the days can be set."; where the frequency is weekly, the days can be set.";
leaf start-time { leaf start-time {
type time; type time;
description description
"This is a period's start time for an event."; "This is a period's start time for an event.";
} }
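Review bot: only whitespace changes here (`container period{` becomes `container period {`), which is fine; while this block is being touched, the `when "../frequency!='only-once'"` expression would read more easily as `../frequency != 'only-once'`, and the description "In the case where the frequency is weekly, the days can be set." would be clearer if it named the leaf that carries the days, which is not visible in this hunk.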
skipping to change at page 38, line 8 skipping to change at page 38, line 19
container event-clauses { container event-clauses {
description description
"System Event Clause - either a system event or "System Event Clause - either a system event or
system alarm"; system alarm";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-08: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf-list system-event { leaf-list system-event {
type identityref { type identityref {
base system-event; base system-event;
} }
description description
"The security policy rule according to "The security policy rule according to
system events."; system events.";
skipping to change at page 63, line 29 skipping to change at page 63, line 41
key "group-name"; key "group-name";
description description
"This is a group for rules"; "This is a group for rules";
leaf group-name { leaf group-name {
type string; type string;
description description
"This is a group for rules"; "This is a group for rules";
} }
container rule-range { leaf-list rule-name {
description type leafref {
"This is a rule range."; path
"../../../rules/rule-name";
leaf start-rule {
type string;
description
"This is a start rule";
}
leaf end-rule {
type string;
description
"This is a end rule";
} }
description
"The names of the rules to be grouped.";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"This is enable "True is enabled, and False is not enabled.";
False is not enable.";
} }
leaf description { leaf description {
type string; type string;
description description
"This is a description for rule-group"; "This is a description for rule-group";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
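Review bot: replacing the free-form `start-rule`/`end-rule` strings with `leaf-list rule-name { type leafref { path "../../../rules/rule-name"; } }` is the right fix, since a leafref can only name a rule that actually exists, whereas a range of string names had no validation and its meaning depended on how the NSF orders its rules; three points remain. The `group-name` leaf reuses the list's own description ("This is a group for rules") and should describe the leaf instead, e.g. "The name of the rule group". The `enable` description "True is enabled, and False is not enabled." does not say what disabling a group does to the rules it names (are they skipped even though each rule is still individually enabled?); state that explicitly, and consider `min-elements 1` on `rule-name` so an empty group cannot be configured. Finally, confirm that `../../../rules/rule-name` resolves from this leaf-list's position in the tree, since the enclosing nodes are outside this hunk.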
skipping to change at page 76, line 5 skipping to change at page 76, line 5
9. Contributors 9. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document, such as Acee Many people actively contributed to this document, such as Acee
Lindem and Roman Danyliw. The authors sincerely appreciate their Lindem and Roman Danyliw. The authors sincerely appreciate their
contributions. contributions.
The following are co-authors of this document: The following are co-authors of this document:
Patrick Lingga Department of Computer Science and Engineering Patrick Lingga Department of Electrical and Computer Engineering
Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do
16419 Republic of Korea EMail: patricklink@skku.edu 16419 Republic of Korea EMail: patricklink@skku.edu
Hyoungshick Kim Department of Computer Science and Engineering Hyoungshick Kim Department of Computer Science and Engineering
Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do
16419 Republic of Korea EMail: hyoung@skku.edu 16419 Republic of Korea EMail: hyoung@skku.edu
Daeyoung Hyun Department of Computer Science and Engineering Daeyoung Hyun Department of Computer Science and Engineering
Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Gyeonggi-do
16419 Republic of Korea EMail: dyhyun@skku.edu 16419 Republic of Korea EMail: dyhyun@skku.edu
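Review bot: Patrick Lingga's affiliation is changed to "Department of Electrical and Computer Engineering", but the Authors' Addresses section on this page gives the editor's department at the same university as "Department of Electronic, Electrical and Computer Engineering"; if these are the same department, use one name in both places. In the unchanged context, "This document is made by the group effort of I2NSF working group" should read "This document is the result of a group effort of the I2NSF working group."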
skipping to change at page 77, line 31 skipping to change at page 77, line 31
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, Congestion Control Protocol (DCCP)", RFC 4340,
DOI 10.17487/RFC4340, March 2006, DOI 10.17487/RFC4340, March 2006,
<https://www.rfc-editor.org/info/rfc4340>. <https://www.rfc-editor.org/info/rfc4340>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007, RFC 4960, DOI 10.17487/RFC4960, September 2007,
<https://www.rfc-editor.org/info/rfc4960>. <https://www.rfc-editor.org/info/rfc4960>.
[RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol
(DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595,
September 2009, <https://www.rfc-editor.org/info/rfc5595>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
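Review bot: RFC 4443 and RFC 5595 are added as normative references, which is appropriate only if the module body cites them in a `reference` statement or depends on them for a type; the module hunks that would do so are not part of this diff view, so confirm that each new entry corresponds to an actual citation (the parallel addition of [IANA-ICMPv6-Parameters] in Section 10.2 suggests ICMPv6 support was added to the module, and DCCP service codes would justify RFC 5595 alongside the existing RFC 4340 entry).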
skipping to change at page 79, line 30 skipping to change at page 79, line 39
Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q.
Lin, "I2NSF Capability YANG Data Model", Work in Progress, Lin, "I2NSF Capability YANG Data Model", Work in Progress,
Internet-Draft, draft-ietf-i2nsf-capability-data-model-17, Internet-Draft, draft-ietf-i2nsf-capability-data-model-17,
14 August 2021, <https://www.ietf.org/archive/id/draft- 14 August 2021, <https://www.ietf.org/archive/id/draft-
ietf-i2nsf-capability-data-model-17.txt>. ietf-i2nsf-capability-data-model-17.txt>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-08, 29 April 2021, i2nsf-nsf-monitoring-data-model-09, 24 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-08.txt>. monitoring-data-model-09.txt>.
10.2. Informative References 10.2. Informative References
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[I-D.ietf-i2nsf-consumer-facing-interface-dm] [I-D.ietf-i2nsf-consumer-facing-interface-dm]
Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", Work in "I2NSF Consumer-Facing Interface YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-consumer- Progress, Internet-Draft, draft-ietf-i2nsf-consumer-
facing-interface-dm-13, 8 March 2021, facing-interface-dm-14, 21 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
consumer-facing-interface-dm-13.txt>. consumer-facing-interface-dm-14.txt>.
[ISO-Country-Codes] [ISO-Country-Codes]
"Codes for the representation of names of countries and "Codes for the representation of names of countries and
their subdivisions", ISO 3166, September 2018, their subdivisions", ISO 3166, September 2018,
<https://www.iso.org/iso-3166-country-codes.html>. <https://www.iso.org/iso-3166-country-codes.html>.
[IANA-Protocol-Numbers] [IANA-Protocol-Numbers]
Internet Assigned Numbers Authority (IANA), "Internet
Control Message Procotol (ICMP) Parameters", September
2020, <https://www.iana.org/assignments/icmp-parameters/
icmp-parameters.xhtml>.
[IANA-ICMP-Parameters]
Internet Assigned Numbers Authority (IANA), "Assigned Internet Assigned Numbers Authority (IANA), "Assigned
Internet Protocol Numbers", February 2021, Internet Protocol Numbers", September 2020,
<https://www.iana.org/assignments/protocol-numbers/ <https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[IANA-ICMP-Parameters]
Internet Assigned Numbers Authority (IANA), "Internet
Control Message Procotol (ICMP) Parameters", February
2021, <https://www.iana.org/assignments/icmp-parameters/
icmp-parameters.xhtml>.
[IANA-ICMPv6-Parameters]
Internet Assigned Numbers Authority (IANA), "Internet
Control Message Procotol version 6 (ICMPv6) Parameters",
February 2021, <https://www.iana.org/assignments/icmpv6-
parameters/icmpv6-parameters.xhtml>.
[IEEE-802.3] [IEEE-802.3]
Institute of Electrical and Electronics Engineers, "IEEE Institute of Electrical and Electronics Engineers, "IEEE
Standard for Ethernet", 2018, Standard for Ethernet", 2018,
<https://ieeexplore.ieee.org/document/8457469/>. <https://ieeexplore.ieee.org/document/8457469/>.
Authors' Addresses Authors' Addresses
Jinyong (Tim) Kim (editor) Jinyong (Tim) Kim (editor)
Department of Electronic, Electrical and Computer Engineering Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University Sungkyunkwan University
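Review bot: the swapped [IANA-Protocol-Numbers] and [IANA-ICMP-Parameters] entries are corrected here and [IANA-ICMPv6-Parameters] is added, but the typo "Procotol" is carried into both the ICMP and ICMPv6 entries on the new side; they should read "Internet Control Message Protocol". Also, the [IANA-ICMP-Parameters] date moves from September 2020 to February 2021 while [IANA-Protocol-Numbers] moves from February 2021 to September 2020, i.e. the dates appear to have been swapped along with the titles; check that each date matches the registry version actually consulted.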
 End of changes. 78 change blocks. 
97 lines changed or deleted 118 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/