draft-ietf-i2nsf-nsf-facing-interface-dm-15.txt   draft-ietf-i2nsf-nsf-facing-interface-dm-16.txt 
I2NSF Working Group J. Kim, Ed. I2NSF Working Group J. Kim, Ed.
Internet-Draft J. Jeong, Ed. Internet-Draft J. Jeong, Ed.
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: 7 April 2022 J. Park Expires: 17 May 2022 J. Park
ETRI ETRI
S. Hares S. Hares
Q. Lin Q. Lin
Huawei Huawei
4 October 2021 13 November 2021
I2NSF Network Security Function-Facing Interface YANG Data Model I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-15 draft-ietf-i2nsf-nsf-facing-interface-dm-16
Abstract Abstract
This document defines a YANG data model for configuring security This document defines a YANG data model for configuring security
policy rules on Network Security Functions (NSF) in the Interface to policy rules on Network Security Functions (NSF) in the Interface to
Network Security Functions (I2NSF) framework. The YANG data model in Network Security Functions (I2NSF) framework. The YANG data model in
this document corresponds to the information model for NSF-Facing this document corresponds to the information model for NSF-Facing
Interface in the I2NSF framework. Interface in the I2NSF framework.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 April 2022. This Internet-Draft will expire on 17 May 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 13, line 13 skipping to change at page 13, line 13
mitigation in Section 5. mitigation in Section 5.
4.1. YANG Module of NSF-Facing Interface 4.1. YANG Module of NSF-Facing Interface
This section describes a YANG module of NSF-Facing Interface. This This section describes a YANG module of NSF-Facing Interface. This
document provides identities in the data model for the configuration document provides identities in the data model for the configuration
of an NSF. The identity has the same concept with the corresponding of an NSF. The identity has the same concept with the corresponding
identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG
module imports from [RFC6991]. It makes references to [RFC0768] module imports from [RFC6991]. It makes references to [RFC0768]
[RFC0791] [RFC0792] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960] [RFC0791] [RFC0792] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960]
[RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [RFC5595] [RFC6335] [RFC8075] [RFC8200] [RFC8329] [RFC8335] [RFC8344]
[IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers]
[IANA-ICMP-Parameters] [I-D.ietf-tcpm-rfc793bis] [IANA-ICMP-Parameters] [IANA-ICMPv6-Parameters]
[I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-tcpm-rfc793bis] [I-D.ietf-i2nsf-capability-data-model]
[I-D.ietf-i2nsf-nsf-monitoring-data-model]. [I-D.ietf-i2nsf-nsf-monitoring-data-model].
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-10-04.yang" <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-11-13.yang"
module ietf-i2nsf-policy-rule-for-nsf { module ietf-i2nsf-policy-rule-for-nsf {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
prefix prefix
nsfintf; nsfintf;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
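Review bot: the Section 4.1 prose has a missing sentence break and a preposition slip: "identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm] This YANG module imports" needs a period after the citation, and "has the same concept with the corresponding identity" should read "has the same concept as the corresponding identity". The reference list gains [RFC8075] and [IANA-ICMPv6-Parameters] in this revision; [RFC8075] is consumed by the new reference statement on the transformation identity further down, and [IANA-ICMPv6-Parameters] should likewise be cited from a reference statement inside the module body so the list and the module stay in step.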
skipping to change at page 14, line 28 skipping to change at page 14, line 28
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
revision "2021-10-04"{ revision "2021-11-13"{
description "The latest revision."; description "The latest revision.";
reference reference
"RFC XXXX: I2NSF Network Security Function-Facing Interface "RFC XXXX: I2NSF Network Security Function-Facing Interface
YANG Data Model"; YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
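Review bot: the revision statement's description "The latest revision." says nothing about what changed and will be wrong the moment a second revision is added; YANG authoring guidance (RFC 8407) expects the revision description to describe the change, so "Initial revision." for the first published version, or a one-line summary of the edits since the previous draft, would be the conventional text. The revision date 2021-11-13 does match the date in the <CODE BEGINS> file name, which is the consistency check that matters most here.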
skipping to change at page 15, line 12 skipping to change at page 15, line 12
identity priority-by-number { identity priority-by-number {
base priority-usage; base priority-usage;
description description
"Identity for priority by number"; "Identity for priority by number";
} }
identity event { identity event {
description description
"Base identity for policy events"; "Base identity for policy events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - Event"; Monitoring YANG Data Model - Event";
} }
identity system-event { identity system-event {
base event; base event;
description description
"Identity for system events"; "Identity for system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System event"; Monitoring YANG Data Model - System event";
} }
identity system-alarm { identity system-alarm {
base event; base event;
description description
"Identity for system alarms"; "Identity for system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm"; Monitoring YANG Data Model - System alarm";
} }
identity access-violation { identity access-violation {
base system-event; base system-event;
description description
"Identity for access violation "Identity for access violation
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System event for access Monitoring YANG Data Model - System event for access
violation"; violation";
} }
identity configuration-change { identity configuration-change {
base system-event; base system-event;
description description
"Identity for configuration change "Identity for configuration change
system events"; system events";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System event for configuration Monitoring YANG Data Model - System event for configuration
change"; change";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm; base system-alarm;
description description
"Identity for memory alarm "Identity for memory alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm for memory"; Monitoring YANG Data Model - System alarm for memory";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm; base system-alarm;
description description
"Identity for CPU alarm "Identity for CPU alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU"; Monitoring YANG Data Model - System alarm for CPU";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm; base system-alarm;
description description
"Identity for disk alarm "Identity for disk alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm for disk"; Monitoring YANG Data Model - System alarm for disk";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm; base system-alarm;
description description
"Identity for hardware alarm "Identity for hardware alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm for hardware"; Monitoring YANG Data Model - System alarm for hardware";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm; base system-alarm;
description description
"Identity for interface alarm "Identity for interface alarm
system alarms"; system alarms";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
Monitoring YANG Data Model - System alarm for interface"; Monitoring YANG Data Model - System alarm for interface";
} }
identity fragmentation-flags { identity fragmentation-flags {
description description
"Base identity for fragmentation flags type"; "Base identity for fragmentation flags type";
reference reference
"RFC 791: Internet Protocol - Fragmentation Flags"; "RFC 791: Internet Protocol - Fragmentation Flags";
} }
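Review bot: every reference statement in this block embeds a draft revision number ("draft-ietf-i2nsf-nsf-monitoring-data-model-11"), so each bump of the monitoring draft forces an identical edit across a dozen identities, as this diff shows; citing the draft name without its revision, plus one RFC Editor note to replace it with the RFC number at publication, would remove that churn. Separately, the alarm descriptions double the word "alarm" ("Identity for memory alarm system alarms", "Identity for CPU alarm system alarms"); "Identity for the memory system alarm" and so on reads cleanly.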
skipping to change at page 21, line 41 skipping to change at page 21, line 41
"Identity for 'Finish' TCP flag"; "Identity for 'Finish' TCP flag";
reference reference
"draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification - Flags"; (TCP) Specification - Flags";
} }
identity target-device { identity target-device {
description description
"Base identity for target devices"; "Base identity for target devices";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model"; I2NSF Capability YANG Data Model";
} }
identity computer { identity computer {
base target-device; base target-device;
description description
"Identity for computer such as personal computer (PC) "Identity for computer such as personal computer (PC)
and server"; and server";
} }
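Review bot: the TCP flag reference stays pinned at "draft-ietf-tcpm-rfc793bis-25" while every capability-model reference in the same revision was bumped from -17 to -21; confirm that -25 is still the revision intended, or drop the revision number here as suggested for the monitoring references. The computer description "Identity for computer such as personal computer (PC) and server" would read better as "Identity for a computer such as a personal computer (PC) or a server".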
skipping to change at page 23, line 7 skipping to change at page 23, line 7
data through the Internet"; data through the Internet";
} }
identity advanced-nsf { identity advanced-nsf {
description description
"Base identity for advanced Network Security Function (NSF) "Base identity for advanced Network Security Function (NSF)
capability. This can be used for advanced NSFs such as capability. This can be used for advanced NSFs such as
Anti-DDoS Attack, IPS, URL-Filtering, Antivirus, Anti-DDoS Attack, IPS, URL-Filtering, Antivirus,
and VoIP/VoLTE Filter."; and VoIP/VoLTE Filter.";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model"; I2NSF Capability YANG Data Model";
} }
identity content-security-control { identity content-security-control {
base advanced-nsf; base advanced-nsf;
description description
"Base identity for content security control"; "Base identity for content security control";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model"; I2NSF Capability YANG Data Model";
} }
identity ips { identity ips {
base content-security-control; base content-security-control;
description description
"Identity for IPS (Intrusion Prevention System) "Identity for IPS (Intrusion Prevention System)
that prevents malicious activity within a network"; that prevents malicious activity within a network";
} }
skipping to change at page 24, line 7 skipping to change at page 24, line 7
"Identity for VoIP/VoLTE security service that filters out the "Identity for VoIP/VoLTE security service that filters out the
packets or flows of malicious users with a deny list of packets or flows of malicious users with a deny list of
malicious users in a database"; malicious users in a database";
} }
identity attack-mitigation-control { identity attack-mitigation-control {
base advanced-nsf; base advanced-nsf;
description description
"Base identity for attack mitigation control"; "Base identity for attack mitigation control";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model"; I2NSF Capability YANG Data Model";
} }
identity anti-ddos { identity anti-ddos {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Identity for advanced NSF Anti-DDoS or DDoS Mitigator "Identity for advanced NSF Anti-DDoS or DDoS Mitigator
capability."; capability.";
} }
identity action { identity action {
description description
"Base identity for action"; "Base identity for action";
} }
identity ingress-action { identity ingress-action {
base action; base action;
description description
"Base identity for ingress action"; "Base identity for ingress action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Ingress Action"; I2NSF Capability YANG Data Model - Ingress Action";
} }
identity egress-action { identity egress-action {
base action; base action;
description description
"Base identity for egress action"; "Base identity for egress action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Egress Action"; I2NSF Capability YANG Data Model - Egress Action";
} }
identity default-action { identity default-action {
base action; base action;
description description
"Base identity for default action"; "Base identity for default action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Default Action"; I2NSF Capability YANG Data Model - Default Action";
} }
identity pass { identity pass {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for pass"; "Identity for pass";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Actions and I2NSF Capability YANG Data Model - Actions and
Default Action"; Default Action";
} }
identity drop { identity drop {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for drop"; "Identity for drop";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Actions and I2NSF Capability YANG Data Model - Actions and
Default Action"; Default Action";
} }
identity mirror { identity mirror {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for mirror"; "Identity for mirror";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Actions and I2NSF Capability YANG Data Model - Actions and
Default Action"; Default Action";
} }
identity rate-limit { identity rate-limit {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for rate limiting action"; "Identity for rate limiting action";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Actions and I2NSF Capability YANG Data Model - Actions and
Default Action"; Default Action";
} }
identity log-action { identity log-action {
base action; base action;
description description
"Base identity for log action"; "Base identity for log action";
} }
skipping to change at page 26, line 23 skipping to change at page 26, line 23
identity session-log { identity session-log {
base log-action; base log-action;
description description
"Identity for session log"; "Identity for session log";
} }
identity invoke-signaling { identity invoke-signaling {
base egress-action; base egress-action;
description description
"Identity for invoke signaling"; "Identity for invoke signaling. This action conveys
information of the event triggering this action to a
monitoring entity.";
} }
identity tunnel-encapsulation { identity tunnel-encapsulation {
base egress-action; base egress-action;
description description
"Identity for tunnel encapsulation"; "Identity for tunnel encapsulation. This action encapsulates
the packet to be tunneled across the network to enable
a secure connection.";
} }
identity forwarding { identity forwarding {
base egress-action; base egress-action;
description description
"Identity for forwarding"; "Identity for forwarding. This action forwards the packet to
another node in the network.";
} }
identity transformation { identity transformation {
base egress-action; base egress-action;
description description
"Identity for transformation"; "Identity for transformation. This action transforms the
packet by modifying its protocol header such as HTTP-to-CoAP
translation.";
reference
"RFC 8075: Guidelines for Mapping Implementations: HTTP to the
Constrained Application Protocol (CoAP) - Translation between
HTTP and CoAP.";
} }
identity redirection { identity redirection {
base egress-action; base egress-action;
description description
"Identity for redirection"; "Identity for redirection";
} }
identity resolution-strategy { identity resolution-strategy {
description description
"Base identity for resolution strategy"; "Base identity for resolution strategy";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity fmr { identity fmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for First Matching Rule (FMR)"; "Identity for First Matching Rule (FMR)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity lmr { identity lmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Last Matching Rule (LMR)"; "Identity for Last Matching Rule (LMR)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmr { identity pmr {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule (PMR)"; "Identity for Prioritized Matching Rule (PMR)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmre { identity pmre {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with Errors (PMRE)"; with Errors (PMRE)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmrn { identity pmrn {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with No Errors (PMRN)"; with No Errors (PMRN)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity day { identity day {
description description
"This represents the base for days."; "This represents the base for days.";
} }
identity monday { identity monday {
base day; base day;
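Review bot: in the new tunnel-encapsulation description, "to enable a secure connection" claims more than encapsulation delivers: tunneling by itself provides neither confidentiality nor integrity, so either name the protection the tunnel is assumed to provide or say only that the packet is encapsulated for transport across the network. The expanded descriptions for invoke-signaling, forwarding and transformation are an improvement, but redirection is left as the bare "Identity for redirection", and none of the four egress-only actions carries the reference statement that their sibling actions (pass, drop, mirror, rate-limit) make to the capability data model; the RFC 8075 reference on transformation is good, and a matching capability-model reference on all of them would keep the set consistent.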
skipping to change at page 33, line 36 skipping to change at page 33, line 48
including a set of security rules according to certain logic, including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network i.e., their similarity or mutual relations, etc. The network
security policy can be applied to both the unidirectional security policy can be applied to both the unidirectional
and bidirectional traffic across the NSF. and bidirectional traffic across the NSF.
The I2NSF security policies use the Event-Condition-Action The I2NSF security policies use the Event-Condition-Action
(ECA) policy model "; (ECA) policy model ";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview"; ECA Policy Model Overview";
leaf system-policy-name { leaf system-policy-name {
type string; type string;
description description
"The name of the policy. "The name of the policy.
This must be unique."; This must be unique.";
} }
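Review bot: the policy description string ends with "(ECA) policy model "; leaving a trailing space before the closing quote and no terminating period. In the same description, "i.e., their similarity or mutual relations, etc." mixes "i.e." with "etc."; "e.g." is the intended abbreviation since these are examples of a grouping logic. For system-policy-name, "This must be unique." is only prose unless the leaf is the key of its enclosing list or covered by a unique statement; if it is not already the key, one of those makes the requirement enforceable by the server.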
skipping to change at page 34, line 21 skipping to change at page 34, line 32
base resolution-strategy; base resolution-strategy;
} }
default fmr; default fmr;
description description
"The resolution strategies that can be used to "The resolution strategies that can be used to
specify how to resolve conflicts that occur between specify how to resolve conflicts that occur between
actions of the same or different policy rules that actions of the same or different policy rules that
are matched and contained in this particular NSF"; are matched and contained in this particular NSF";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Resolution strategy"; I2NSF Capability YANG Data Model - Resolution strategy";
} }
leaf default-action { leaf default-action {
type identityref { type identityref {
base default-action; base default-action;
} }
default mirror; default mirror;
description description
"This default action can be used to specify a predefined "This default action can be used to specify a predefined
action when no other alternative action was matched action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement."; is the use of a default statement in a C switch statement.";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Default Action"; I2NSF Capability YANG Data Model - Default Action";
} }
list rules { list rules {
key "rule-name"; key "rule-name";
description description
"This is a rule for network security functions."; "This is a rule for network security functions.";
leaf rule-name { leaf rule-name {
type string; type string;
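Review bot: "default mirror;" on the default-action leaf means traffic that matches no rule is not blocked but copied and let through; for a network security function a fail-closed default (drop) is the conservative choice, so either change the default or have the description state why a permissive default was chosen, since an operator who omits the leaf inherits that behaviour silently. The resolution-strategy description ("... contained in this particular NSF") is also missing its terminating period.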
skipping to change at page 36, line 23 skipping to change at page 36, line 35
managed. When used in the context of policy rules for managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that user actions (e.g., logon, logoff, and actions that
violate any ACL.)."; violate any ACL.).";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf event-clause-description { leaf event-clause-description {
type string; type string;
description description
"Description for an event clause"; "Description for an event clause";
} }
container time { container time {
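Review bot: the event description closes with "violate any ACL.)." which puts a period inside and another outside the parenthesis; "violate any ACL)." is the intended punctuation.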
skipping to change at page 39, line 4 skipping to change at page 39, line 15
a yearly basis. The policy will be repeated a yearly basis. The policy will be repeated
yearly until the end-date."; yearly until the end-date.";
} }
} }
default only-once; default only-once;
description description
"This represents how frequently the rule "This represents how frequently the rule
should be enforced."; should be enforced.";
} }
} }
container event-clauses { container event-clauses {
description description
"System Event Clause - either a system event or "System Event Clause - either a system event or
system alarm"; system alarm";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview ECA Policy Model Overview
draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF
NSF Monitoring YANG Data Model - Alarms, Events, Logs, NSF Monitoring YANG Data Model - Alarms, Events, Logs,
and Counters"; and Counters";
leaf-list system-event { leaf-list system-event {
type identityref { type identityref {
base system-event; base system-event;
} }
description description
"The security policy rule according to "The security policy rule according to
system events."; system events.";
skipping to change at page 40, line 4 skipping to change at page 40, line 16
compared with a set of known attributes, features, compared with a set of known attributes, features,
and/or values in order to determine whether or not the and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired comparing the internal state of an NSF to a desired
state."; state.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview"; ECA Policy Model Overview";
leaf condition-clause-description { leaf condition-clause-description {
type string; type string;
description description
"Description for a condition clause."; "Description for a condition clause.";
} }
container ethernet { container ethernet {
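Review bot: the condition description says "in order to determine whether or not the set of Actions ... can be executed or not", which states the negation twice; "to determine whether the set of Actions in that (imperative) I2NSF Policy Rule can be executed" is the clean form.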
skipping to change at page 61, line 25 skipping to change at page 61, line 35
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection, include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection web and flow filtering, and deep packet inspection
for packets and flows."; for packets and flows.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview"; ECA Policy Model Overview";
leaf action-clause-description { leaf action-clause-description {
type string; type string;
description description
"Description for an action clause."; "Description for an action clause.";
} }
container packet-action { container packet-action {
description description
"Action for packets"; "Action for packets";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview"; ECA Policy Model Overview";
leaf ingress-action { leaf ingress-action {
type identityref { type identityref {
base ingress-action; base ingress-action;
} }
description description
"Ingress Action: pass, drop, rate-limit, and "Ingress Action: pass, drop, rate-limit, and
mirror."; mirror.";
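Review bot: `packet-action` (description "Action for packets") and the following `flow-action` ("Action for flows") both carry an `ingress-action` leaf with the identical type `identityref { base ingress-action; }`, and neither description says what distinguishes a packet action from a flow action or what an NSF does when both containers are populated in one rule. State the distinction in the two container descriptions (for example per-packet enforcement versus enforcement on the flow state the packet belongs to), or merge the two containers if there is none.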
skipping to change at page 62, line 33 skipping to change at page 62, line 43
} }
} }
container flow-action { container flow-action {
description description
"Action for flows"; "Action for flows";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
draft-ietf-i2nsf-capability-data-model-17: draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - Design Principles and I2NSF Capability YANG Data Model - Design Principles and
ECA Policy Model Overview"; ECA Policy Model Overview";
leaf ingress-action { leaf ingress-action {
type identityref { type identityref {
base ingress-action; base ingress-action;
} }
description description
"Action: pass, drop, rate-limit, and mirror."; "Action: pass, drop, rate-limit, and mirror.";
} }
leaf egress-action { leaf egress-action {
type identityref { type identityref {
base egress-action; base egress-action;
} }
description description
"Egress action: pass, drop, rate-limit, mirror, "Egress action: pass, drop, rate-limit, mirror,
invoke-signaling, tunnel-encapsulation, forwarding, invoke-signaling, tunnel-encapsulation, forwarding,
and redirection."; and redirection.";
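Review bot: the `ingress-action` description inside `flow-action` reads "Action: pass, drop, rate-limit, and mirror." while its sibling `egress-action` begins "Egress action:" and the `packet-action` counterpart begins "Ingress Action:"; make it "Ingress action: pass, drop, rate-limit, and mirror." and use one capitalisation ("Ingress action", "Egress action") across all four leaves.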
skipping to change at page 63, line 27 skipping to change at page 63, line 37
description description
"If the packet needs to be additionally inspected, "If the packet needs to be additionally inspected,
the packet is passed to advanced network the packet is passed to advanced network
security functions according to the profile. security functions according to the profile.
The profile means the types of NSFs where the packet The profile means the types of NSFs where the packet
will be forwarded in order to additionally will be forwarded in order to additionally
inspect the packet. inspect the packet.
The advanced action activates Service Function The advanced action activates Service Function
Chaining (SFC) for further inspection of a packet."; Chaining (SFC) for further inspection of a packet.";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - YANG Tree I2NSF Capability YANG Data Model - YANG Tree
Diagram"; Diagram";
leaf-list content-security-control { leaf-list content-security-control {
type identityref { type identityref {
base content-security-control; base content-security-control;
} }
description description
"Content-security-control is the NSFs that "Content-security-control is the NSFs that
inspect the payload of the packet. inspect the payload of the packet.
The profile for the types of NSFs for mitigation is The profile for the types of NSFs for mitigation is
divided into content security control and divided into content security control and
attack-mitigation-control. attack-mitigation-control.
Content security control: ips, url filtering, Content security control: ips, url filtering,
anti-virus, and voip-volte-filter. This can be anti-virus, and voip-volte-filter. This can be
extended according to the provided NSFs."; extended according to the provided NSFs.";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - YANG Tree Diagram"; I2NSF Capability YANG Data Model - YANG Tree Diagram";
} }
leaf-list attack-mitigation-control { leaf-list attack-mitigation-control {
type identityref { type identityref {
base attack-mitigation-control; base attack-mitigation-control;
} }
description description
"Attack-mitigation-control is the NSFs that weaken "Attack-mitigation-control is the NSFs that weaken
the attacks related to a denial of service the attacks related to a denial of service
and reconnaissance. and reconnaissance.
The profile for the types of NSFs for mitigation is The profile for the types of NSFs for mitigation is
divided into content security control and divided into content security control and
attack-mitigation-control. attack-mitigation-control.
Attack mitigation control: Anti-DDoS or DDoS Attack mitigation control: Anti-DDoS or DDoS
mitigator. This can be extended according to the mitigator. This can be extended according to the
provided NSFs such as mitigators for ip sweep, provided NSFs such as mitigators for ip sweep,
port scanning, ping of death, teardrop, oversized port scanning, ping of death, teardrop, oversized
icmp, and tracert."; icmp, and tracert.";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-21:
I2NSF Capability YANG Data Model - YANG Tree Diagram"; I2NSF Capability YANG Data Model - YANG Tree Diagram";
} }
} }
} }
} }
container rule-group { container rule-group {
description description
"This is rule group"; "This is rule group";
list groups { list groups {
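Review bot: the sentence "The profile for the types of NSFs for mitigation is divided into content security control and attack-mitigation-control." is repeated verbatim in the `content-security-control` and `attack-mitigation-control` leaf-list descriptions; it describes the parent, so state it once in the advanced-action container description above and drop the two copies. While there, "Content-security-control is the NSFs that ..." and "Attack-mitigation-control is the NSFs that ..." should read "is the set of NSFs that ...", and the `rule-group` description "This is rule group" should say what a group is rather than restate the node name.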
skipping to change at page 65, line 23 skipping to change at page 65, line 35
<CODE ENDS> <CODE ENDS>
Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface
5. XML Configuration Examples of Low-Level Security Policy Rules 5. XML Configuration Examples of Low-Level Security Policy Rules
This section shows XML configuration examples of low-level security This section shows XML configuration examples of low-level security
policy rules that are delivered from the Security Controller to NSFs policy rules that are delivered from the Security Controller to NSFs
over the NSF-Facing Interface. For security requirements, we assume over the NSF-Facing Interface. For security requirements, we assume
that the NSFs (i.e., General firewall, Time-based firewall, URL that the NSFs (i.e., General firewall, Time-based firewall, URL
filter, VoIP/VoLTE filter, and http and https flood mitigation ) filter, VoIP/VoLTE filter, and http and https flood mitigation)
described in of [I-D.ietf-i2nsf-capability-data-model] are registered described in Appendix A of [I-D.ietf-i2nsf-capability-data-model] are
in the I2NSF framework. With the registered NSFs, we show registered with the I2NSF framework. With the registered NSFs, we
configuration examples for security policy rules of network security show configuration examples for security policy rules of network
functions according to the following three security requirements: (i) security functions according to the following three security
Block Social Networking Service (SNS) access during business hours, requirements: (i) Block Social Networking Service (SNS) access during
(ii) Block malicious VoIP/VoLTE packets coming to the company, and business hours, (ii) Block malicious VoIP/VoLTE packets coming to the
(iii) Mitigate http and https flood attacks on company web server. company, and (iii) Mitigate http and https flood attacks on company
web server.
5.1. Security Requirement 1: Block Social Networking Service (SNS) 5.1. Security Requirement 1: Block Social Networking Service (SNS)
Access during Business Hours Access during Business Hours
This section shows a configuration example for blocking SNS access This section shows a configuration example for blocking SNS access
during business hours in IPv4 networks or IPv6 networks. during business hours in IPv4 networks or IPv6 networks.
<i2nsf-security-policy <i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf">
<system-policy-name>sns_access</system-policy-name> <system-policy-name>sns_access</system-policy-name>
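Review bot: the fix to "described in Appendix A of [I-D.ietf-i2nsf-capability-data-model]" is right; in the same sentence the NSF list mixes capitalised names ("General firewall", "URL filter") with "http and https flood mitigation", and requirement (iii) reads "on company web server" without an article. Suggest "HTTP and HTTPS flood mitigation" in both the list and requirement (iii), and "on the company web server".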
skipping to change at page 75, line 27 skipping to change at page 75, line 27
6. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950][RFC8525]. the "YANG Module Names" registry [RFC7950][RFC8525]:
name: ietf-i2nsf-policy-rule-for-nsf name: ietf-i2nsf-policy-rule-for-nsf
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
prefix: nsfintf prefix: nsfintf
reference: RFC XXXX reference: RFC XXXX
7. Security Considerations 7. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
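Review bot: the "YANG Module Names" registration ends with `reference: RFC XXXX`; unless it already exists outside this excerpt, add an RFC Editor note asking that XXXX be replaced with the number assigned to this document and that the note itself be removed, otherwise the placeholder survives into the published module entry.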
skipping to change at page 79, line 24 skipping to change at page 79, line 24
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8075] Castellani, A., Loreto, S., Rahman, A., Fossati, T., and
E. Dijk, "Guidelines for Mapping Implementations: HTTP to
the Constrained Application Protocol (CoAP)", RFC 8075,
DOI 10.17487/RFC8075, February 2017,
<https://www.rfc-editor.org/info/rfc8075>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
[RFC8335] Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M. [RFC8335] Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M.
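Review bot: [RFC8075] (HTTP to CoAP mapping guidelines) is added to the Normative References in this hunk, but no citation of it appears in the visible text; confirm the body cites it, and that the citation sits in text that depends on it normatively rather than only inside a YANG `reference` string, since idnits flags an entry that is listed but never cited, and a reference used only informatively belongs in Section 10.2.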
skipping to change at page 80, line 29 skipping to change at page 80, line 33
[I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tcpm-rfc793bis]
Eddy, W. M., "Transmission Control Protocol (TCP) Eddy, W. M., "Transmission Control Protocol (TCP)
Specification", Work in Progress, Internet-Draft, draft- Specification", Work in Progress, Internet-Draft, draft-
ietf-tcpm-rfc793bis-25, 7 September 2021, ietf-tcpm-rfc793bis-25, 7 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm- <https://www.ietf.org/archive/id/draft-ietf-tcpm-
rfc793bis-25.txt>. rfc793bis-25.txt>.
[I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-capability-data-model]
Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q.
Lin, "I2NSF Capability YANG Data Model", Work in Progress, Lin, "I2NSF Capability YANG Data Model", Work in Progress,
Internet-Draft, draft-ietf-i2nsf-capability-data-model-19, Internet-Draft, draft-ietf-i2nsf-capability-data-model-21,
28 September 2021, <https://www.ietf.org/archive/id/draft- 13 November 2021, <https://www.ietf.org/archive/id/draft-
ietf-i2nsf-capability-data-model-19.txt>. ietf-i2nsf-capability-data-model-21.txt>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-10, 15 September 2021, i2nsf-nsf-monitoring-data-model-11, 15 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-10.txt>. monitoring-data-model-11.txt>.
10.2. Informative References 10.2. Informative References
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[I-D.ietf-i2nsf-consumer-facing-interface-dm] [I-D.ietf-i2nsf-consumer-facing-interface-dm]
Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares,
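Review bot: the author strings "Jeong, J. (., Kim, J. (." and "Xia, L. (." in the updated [I-D.ietf-i2nsf-capability-data-model], [I-D.ietf-i2nsf-nsf-monitoring-data-model] and [I-D.ietf-i2nsf-consumer-facing-interface-dm] entries are malformed: an opening parenthesis followed by a period where a parenthesised given name should appear. This comes from the reference XML (an `<author>` element with an empty or truncated nickname), so fix the bibxml entries rather than the rendered text. The revision bumps themselves (-21 and -11) match the `reference` strings changed in the YANG module hunks above.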
 End of changes. 62 change blocks. 
69 lines changed or deleted 89 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/