[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00 01 02 03                                                   
Network Working Group                                           J. Jeong
Internet-Draft                                                    J. Kim
Intended status: Standards Track                                 D. Hyun
Expires: January 5, 2017                         Sungkyunkwan University
                                                                 J. Park
                                                                    ETRI
                                                                  T. Ahn
                                                           Korea Telecom
                                                            July 4, 2016


 YANG Data Model of Interface to Network Security Functions Capability
                               Interface
           draft-jeong-i2nsf-capability-interface-yang-00.txt

Abstract

   This document defines a data model corresponding to the information
   model for Interface to Network Security Functions (I2NSF) capability
   interface.  It describes a data model for three security capabilities
   (i.e., security functions), such as network security control, content
   security control, and attack mitigation control, as defined in the
   information model for the I2NSF capability interface.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 5, 2017.

Copyright Notice



Jeong, et al.            Expires January 5, 2017                [Page 1]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Requirements Language  . . . . . . . . . . . . . . . . . . . .  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     3.1.  Tree Diagrams  . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Information Model Structure  . . . . . . . . . . . . . . . . .  4
   5.  YANG Model . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 45
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 45
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 45
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 45
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 45

























Jeong, et al.            Expires January 5, 2017                [Page 2]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


1.  Introduction

   This document defines a YANG [RFC6020] model for security services
   with the information model of Interface to Network Security Functions
   (I2NSF) capability interface.  It provides a specific information
   model and the corresponding data model for three security
   capabilities (i.e., security functions), such as network security
   control, content security control, and attack mitigation control, as
   defined in [i2nsf-cap-interface-im].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-cap-interface-im][i2rs-rib-data-model]
   [supa-policy-info-model].  Especially, the following terms are from
   [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" and "leaf-list".





Jeong, et al.            Expires January 5, 2017                [Page 3]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Information Model Structure

   Figure 1 shows an overview of a structure tree of network security
   control, content security control, and attack mitigation control, as
   defined in the [i2nsf-cap-interface-im].

Module : ietf-i2nsf-capability-interface
  +--rw policy
    +--rw policy-name  string
    +--rw policy-id  string
    +--rw rule  *[rule-id]
      +--rw rule-name  string
      +--rw rule-id  uint 8
      +--rw event
      |  +--rw time-event-list?  *[time-id]
      |  |  +--rw event-time?  yang:date-and-time
      |  |  +--rw time-id  uint 8
      |  +--rw user-action?
      |     +--rw login  boolean
      |     +--rw logoff  boolean
      |     +--rw originating  boolean
      |     +--rw terminating  boolean
      +--rw condition
      |  +--rw packet-content-values
      |  |  +--rw layer-234-packet-header *[packet-header-id]
      |  |  |  +--rw packet-header-id uint 8
      |  |  |  +--rw address-scope?
      |  |  |  |  +--rw (route-type)?
      |  |  |  |  |  +--: (ipv4)
      |  |  |  |  |  |  +--rw (ip-route-match-type)?
      |  |  |  |  |  |     +--: (dest-ipv4-address)
      |  |  |  |  |  |     |  +--rw dest-ipv4-prefix  inet:ipv4-prefix
      |  |  |  |  |  |     +--: (src-ipv4-address)
      |  |  |  |  |  |     |  +--rw src-ipv4-prefix  inet:ipv4-prefix
      |  |  |  |  |  |     +--: (dest-src-ipv4-address)
      |  |  |  |  |  |        +--rw dest-src-ipv4-address
      |  |  |  |  |  |           +--rw dest-ipv4-prefix inet:ipv4-prefix
      |  |  |  |  |  |           +--rw src-ipv4-prefix inet:ipv4-prefix
      |  |  |  |  |  +--: (ipv6)
      |  |  |  |  |  |  +--rw (ip-route-match-type)?
      |  |  |  |  |  |     +--: (dest-ipv6-address)
      |  |  |  |  |  |     |  +--rw dest-ipv6-prefix inet:ipv6-prefix



Jeong, et al.            Expires January 5, 2017                [Page 4]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


      |  |  |  |  |  |     +--: (src-ipv6-address)
      |  |  |  |  |  |     |  +--rw src-ipv6-prefix inet:ipv6-prefix
      |  |  |  |  |  |     +--: (dest-src-ipv6-address)
      |  |  |  |  |  |        +--rw dest-src-ipv6-address
      |  |  |  |  |  |           +--rw dest-ipv6-prefix inet:ipv6-prefix
      |  |  |  |  |  |           +--rw src-ipv6-prefix inet:ipv6-prefix
      |  |  |  |  |  +--: (mpls-route)
      |  |  |  |  |  |  +--rw mpls-label uint32
      |  |  |  |  |  +--: (mac-route)
      |  |  |  |  |  |  +--rw mac-address uint32
      |  |  |  |  |  +--: (interface-route)
      |  |  |  |  |  |  +--rw interface-identifier if:interface-ref
      |  |  |  +--rw (layer-type)?
      |  |  |     +--: (layer-2-header)
      |  |  |     |  +--rw src-mac-address yang:phys-address
      |  |  |     |  +--rw dest-mac-address yang:phys-address
      |  |  |     +--: (layer-3-header)
      |  |  |     |  +--rw (packet-type)?
      |  |  |     |    +--: (ipv4)
      |  |  |     |    |  +--rw src-ipv4-address inet:ipv4-address
      |  |  |     |    |  +--rw dest-ipv4-address inet:ipv4-address
      |  |  |     |    |  +--rw protocol uint 8
      |  |  |     |    |  +--rw ttl uint 8
      |  |  |     |    |  +--rw dscp uint 8
      |  |  |     |    +--: (ipv6)
      |  |  |     |    |  +--rw src-ipv6-address inet:ipv6-address
      |  |  |     |    |  +--rw dest-ipv6-address inet:ipv6-address
      |  |  |     |    |  +--rw next-header uint 8
      |  |  |     |    |  +--rw traffic-class uint 8
      |  |  |     |    |  +--rw flow-label uint 16
      |  |  |     |    |  +--rw hop-limit uint 8
      |  |  |     +--: (layer-4-header)
      |  |  |       +--rw src-port inet:port-number
      |  |  |       +--rw dest-port inet:port-number
      |  |  +--rw packet-payload *[packet-payload-id]
      |  |    +--rw packet-payload-id uint 8
      |  +--rw context-values
      |     +--rw user *[user-id]
      |     |  +--rw user-id uint 8
      |     |  +--rw (user-name)?
      |     |     +--: (tenant)
      |     |     |  +--rw tenant uint 8
      |     |     +--: (vn-id)
      |     |        +--rw vn-id uint 8
      |     +--rw schedule
      |     |  +--rw name string
      |     |  +--rw (schedule-type)?
      |     |  |  +--: (once)



Jeong, et al.            Expires January 5, 2017                [Page 5]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


      |     |  |  |  +--rw once boolean
      |     |  |  +--: (periodic)
      |     |  |  |  +--rw periodic boolean
      |     |  +--rw start-time? yang:date-and-time
      |     |  +--rw end-time? yang:date-and-time
      |     |  +--rw weekly-validity-time yang:date-and-time
      |     +--rw region *[ip-address-region]
      |     |  +--rw ip-address-region uint 8
      |     +--rw target
      |     |  +--rw service
      |     |  |  +--rw name string
      |     |  |  +--rw id uint 8
      |     |  |  +--rw protocol
      |     |  |  |  +--rw TCP? boolean
      |     |  |  |  +--rw UDP? boolean
      |     |  |  |  +--rw ICMP? boolean
      |     |  |  |  +--rw ICMPv6? boolean
      |     |  |  |  +--rw IP? boolean
      |     |  |  +--rw src-port? inet:port-number
      |     |  |  +--rw dest-port? inet:port-number
      |     |  +--rw application
      |     |     +--rw name string
      |     |     +--rw id uint 8
      |     |     +--rw category
      |     |     |  +--rw business-system?  boolean
      |     |     |  +--rw entertainment?  boolean
      |     |     |  +--rw internet?  boolean
      |     |     |  +--rw network?  boolean
      |     |     |  +--rw general?  boolean
      |     |     +--rw subcategory
      |     |     |  +--rw finance?  boolean
      |     |     |  +--rw email?  boolean
      |     |     |  +--rw game?  boolean
      |     |     |  +--rw media-sharing?  boolean
      |     |     |  +--rw social-network?  boolean
      |     |     |  +--rw web-posting?  boolean
      |     |     +--rw data-transmission-model
      |     |     |  +--rw client-server?  boolean
      |     |     |  +--rw browser-based?  boolean
      |     |     |  +--rw networking?  boolean
      |     |     |  +--rw peer-to-peer?  boolean
      |     |     |  +--rw unassigned?  boolean
      |     |     +--rw risk-level
      |     |        +--rw exploitable?  boolean
      |     |        +--rw productivity-loss?  boolean
      |     |        +--rw evasive?  boolean
      |     |        +--rw data-loss?  boolean
      |     |        +--rw malware-vehicle?  boolean



Jeong, et al.            Expires January 5, 2017                [Page 6]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


      |     |        +--rw bandwidth-consuming?  boolean
      |     |        +--rw tunneling?  boolean
      |     +--rw device
      |     |  +--rw pc?  boolean
      |     |  +--rw mobile-phone?  boolean
      |     |  +--rw tablet?  boolean
      |     |  +--rw voip-phone  boolean
      |     +--rw (state)?
      |     |  +--: (session-state)
      |     |  +--rw tcp-session-state
      |     |  |     +--rw new?  boolean
      |     |  |     +--rw established?  boolean
      |     |  |     +--rw related?  boolean
      |     |  |     +--rw invalid?  boolean
      |     |  |     +--rw untracked?  boolean
      |     |  +--: (session-aaa-state)
      |     |  |  +--rw session-sip-state
      |     |  |     +--rw auth-state?  boolean
      |     |  |     +--rw call-state?  boolean
      |     |  +--: (access-mode)
      |     |  |  +--rw access-mode  string
      |     +--rw direction
      |        +--rw request?  boolean
      |        +--rw response?  boolean
      +--rw action
         +--rw (action-type)?
            +--: (ingress-action)
            |  +--rw permit?  boolean
            |  +--rw deny?  boolean
            |  +--rw mirror?  boolean
            +--: (egress-action)
            |  +--rw invoke signaling?  boolean
            |  +--rw tunnel encapsulation?  boolean
            |  +--rw forwarding?  boolean
            +--: (advanced-action)
               +--rw (advanced-action-type)?
                 +--: (content-security-control)
                 |  +--rw (content-security-control-type)?
                 |     +--: (antivirus)
                 |     |  +--rw antivirus?  boolean
                 |     +--: (ips)
                 |     |  +--rw ips?  boolean
                 |     +--: (url-filtering)
                 |     |  +--rw url-filtering?  boolean
                 |     +--: (file-blocking)
                 |     |  +--rw file-blocking?  boolean
                 |     +--: (data-filtering)
                 |     |  +--rw data-filtering?  boolean



Jeong, et al.            Expires January 5, 2017                [Page 7]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                 |     +--: (application-control)
                 |     |  +--rw application-control?  boolean
                 |     +--: (voip-volte)
                 |        +--rw voip-volte-rule  *[voip-volte-rule-id]
                 |           +--rw voip-volte-rule-id  uint 8
                 |              +--rw event
                 |              |  +--rw called-voip  boolean
                 |              |  +--rw called-volte  boolean
                 |              +--rw condition
                 |              |  +--rw sip-header?  *[sip-header-uri]
                 |              |  |  +--rw sip-header-uri uint 32
                 |              |  |  +--rw sip-header-method string
                 |              |  |  +--rw sip-header-expire-time
                 |              |  |  +--rw sip-header-user-agent uint32
                 |              |  +--rw cell-region? *[cell-id-region]
                 |              |     +--rw cell-id-region uint 32
                 |              +--rw action
                 |                 +--rw (action-type)?
                 |                    +--: (ingress-action)
                 |                    |  +--rw permit? boolean
                 |                    |  +--rw deny? boolean
                 |                    |  +--rw mirror? boolean
                 |                    +--: (egress-action)
                 |                       +--rw redirection? boolean
                 +--: (attack-mitigation-control)
                    +--rw (attack-mitigation-control-type)?
                       +--: (ddos-attack)
                       |  +--rw (ddos-attack-type)?
                       |     +--: (network-layer-ddos-attack)
                       |     |  +--rw (network-layer-ddos-attack-type)?
                       |     |     +--: (syn-flood-attack)
                       |     |     |  +--rw syn-flood    boolean
                       |     |     +--: (udp-flood-attack)
                       |     |     |  +--rw udp-flood    boolean
                       |     |     +--: (icmp-flood-attack)
                       |     |     |  +--rw icmp-flood    boolean
                       |     |     +--: (ip-fragment-flood-attack)
                       |     |     |  +--rw ip-fragment-flood boolean
                       |     |     +--: (ipv6-related-attacks)
                       |     |        +--rw ipv6-related    boolean
                       |     +--: (app-layer-ddos-attack)
                       |        +--rw (app-layer-ddos-attack-type)?
                       |           +--: (http-flood-attack)
                       |           |  +--rw http-flood    boolean
                       |           +--: (https-flood-attack)
                       |           |  +--rw https-flood    boolean
                       |           +--: (dns-flood-attack)
                       |           |  +--rw dns-flood    boolean



Jeong, et al.            Expires January 5, 2017                [Page 8]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                       |           +--: (dns-amp-flood-attack)
                       |           |  +--rw dns-amp-flood boolean
                       |           +--: (ssl-ddos-attack)
                       |              +--rw ssl-ddos    boolean
                       +--: (single-packet-attack)
                          +--rw (single-packet-attack-type)?
                             +--: (scan-and-sniff-attack)
                             |  +--rw (scan-and-sniff-attack-type)?
                             |  |  +--: (ip-sweep-attack)
                             |  |  |  +--rw ip-sweep    boolean
                             |  |  +--: (port-scanning-attack)
                             |  |  |  +--rw port-scanning    boolean
                             +--: (malformed-packet-attack)
                             |  +--rw (malformed-packet-attack-type)?
                             |  |  +--: (ping-of-death-attack)
                             |  |  |  +--rw ping-of-death    boolean
                             |  |  +--: (teardrop-attack)
                             |  |  |  +--rw teardrop    boolean
                             +--: (special-packet-attack)
                                +--rw (special-packet-attack-type)?
                                   +--: (oversized-icmp-attack)
                                   | +--rw oversized-icmp    boolean
                                   +--: (tracert-attack)
                                      +--rw tracert    boolean


         Figure 1: Information Model of I2NSF Capability Interface
























Jeong, et al.            Expires January 5, 2017                [Page 9]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


   rpcs:
     +---x time-event-add
     |  +---w input
     |  |  +---w event-time?  yang:date-and-time
     |  |  +---w time-id  uint 8
     |  +--ro output
     |     +--ro result  boolean
     |     +--ro reason  string
     |
     +---x time-event-delete
     |  +---w input
     |  |  +---w time-id  uint 8
     |  +--ro output
     |     +--ro result  boolean
     |     +--ro reason  string
     |
     +---x user-add
     |  +---w input
     |  |  +---w user-id  uint 8
     |  |  +---w (user-name)?
     |  |  |  +--: (tenant)
     |  |  |  |  +---w tenant  uint 8
     |  |  |  +--: (vn-id)
     |  |  |    +---w vn-id  uint 8
     |  +--ro output
     |     +--ro result  boolean
     |     +--ro reason  string
     |
     +---x user-delete
     |  +---w input
     |  |  +---w user-id  uint 8
     |  +--ro output
     |     +--ro result  boolean
     |     +--ro reason  string
     |
     +---x region-add
     |  +---w input
     |  |  +---w ip-address-region  uint 8
     |  +--ro output
     |     +--ro result  boolean
     |     +--ro reason  string
     |
     +---x region-delete
        +---w input
        |  +---w ip-address-region  uint 8
        +--ro output
           +--ro result  boolean
           +--ro reason  string



Jeong, et al.            Expires January 5, 2017               [Page 10]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


           Figure 2: Information Model of Remote Procedure Calls

5.  YANG Model

   This section introduces a YANG model for the information model of
   network security functions, as defined in the
   [i2nsf-cap-interface-im].

<CODE BEGINS> file ietf-i2nsf-capability-interface-yang@2016-07-04.yang

Module ietf-i2nsf-capability-interface {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-yang-capability-interface";
  prefix
    "capability-interface"

  import ietf-inet-types{
    prefix inet;
  }
  import ietf-yang-types{
    prefix yang;
  }
  import ietf-interfaces{
    prefix if;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>

     WG Chair: Adrian Farrel
     <mailto:Adrain@olddog.co.uk>

     WG Chair: Linda Dunbar
     <mailto:Linda.duhbar@huawei.com>

     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>";

  description
    "This module defines a YANG data module for network security
     functions.";
  revision "2016-07-04"{
    description "Initial revision";



Jeong, et al.            Expires January 5, 2017               [Page 11]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


    reference
      "draft-xia-i2nsf-capability-interface-im-05";
  }

  //Groupings
  grouping policy {
    description
      "content."

      leaf policy-name {
        type string;
        mandatory true;
        description
          "The name of the policy.
           This must be unique.";
      }
      leaf policy-id {
        type string;
        mandatory true;
        description
          "The ID of the policy.
           This must be unique.";
      }

      list rule {
        key "rule-id";
        description
          "This is rule for network security control.";

          leaf rule-name {
            type string;
            mandatory true;
            description
              "The name of the rule
               This must be unique.";
          }

          leaf rule-id {
            type uint 8;
            mandatory true;
            description
              "The ID of the rule
               This is key for rule-list.
               This must be unique.";
          }

          container event {
            description



Jeong, et al.            Expires January 5, 2017               [Page 12]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


              " An Event is defined as any important occurrence in time
                of a change in the system being managed, and/or in the
                environment of the system being managed. When used in
                the context of policy rules for a flow-based NSF, it is
                used to determine whether the Condition clause of the
                Policy Rule can be evaluated or not. Examples of an
                I2NSF Event include time and user actions (e.g., logon,
                logoff, and actions that violate any ACL.);

              list time-event-list {
                key "time-id";
                description
                  "TBD";

                leaf event-time {
                  type yang:date-and-time;
                  mandatory true;
                  description
                    "TBD";
                }

                leaf time-id {
                  type uint 8;
                  mandatory true;
                  description
                    "The ID of the time-event.
                     This is key for time-event-list.
                     This must be unique.";
                }
              }

              container user-action {
                description
                  "User related actions such as login, logoff,
                   and etc.";
                leaf login {
                  type boolean;
                  description
                    "When users login, this event occurs.";
                }
                leaf logoff {
                  type boolean;
                  description
                    "When users logoff, this event occurs.";
                }
                leaf originating {
                  type boolean;
                  description



Jeong, et al.            Expires January 5, 2017               [Page 13]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                    "When users originate voip-volte,
                     this event occurs.";
                }
                leaf terminating {
                  type boolean;
                  description
                    "When users terminate voip-volte,
                     this event occurs.";
                }
              }
          }

          container condition {
            description
              "A set of attributes, features, and/or values that are
               to be compared with a set of known attributes, features,
               and/or values in order to make a decision. When used in
               the context of policy rules for flow-based NSFs, it is
               used to determine whether or not the set of Actions in
               that Policy Rule can be executed or not. The following
               contents (which are not exhausted) of the received
               packets can be used in the Condition.";

            container packet-content-values {
              description
                "Refer to the kind of information or
                 attributes acquired directly from the packet headers
                 or payloads that can be used in the security policy
                 directly. It can be any fields or attributes in the
                 packet L2/L3/L4 header, or special segment of bytes
                 in the packet payload.";

              list layer-234-packet-header {
                key "packet-header-id";
                description
                  "all meaningful and useful attributes in
                   L2/L3/L4 packet header, for example:
                   src/dest address, or src/dest port.";

                leaf packet-header-id {
                  type uint 8;
                  mandatory true;
                  description
                    "The ID of the packet-header.
                     This is key for packet-header-list.
                     This must be unique.";
                }
                container address-scope {



Jeong, et al.            Expires January 5, 2017               [Page 14]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                  description
                    "Address Scope.";
                  choice route-type {
                    description
                     "Route types: IPv4, IPv6, MPLS, MAC etc.";
                    case ipv4 {
                      description
                        "IPv4 route case.";
                      container ipv4 {
                        description
                          "IPv4 route match.";
                        choice ip-route-match-type {
                          description
                            "IP route match type options:
                             match source, or
                             match destination, or
                             match source and destination.";
                          case dest-ipv4-address {
                            leaf dest-ipv4-prefix {
                              type inet:ipv4-prefix;
                              mandatory true;
                              description
                                "An IPv4 destination address
                                 as the match.";
                            }
                          }
                          case src-ipv4-address {
                            leaf src-ipv4-prefix {
                              type inet:ipv4-prefix;
                              mandatory true;
                              description
                                "An IPv4 source address as the match.";
                            }
                          }
                          case dest-src-ipv4-address {
                            container dest-src-ipv4-address {
                              description
                                "A combination of an IPv4 source and
                                 an IPv4 destination address
                                 as the match.";
                              leaf dest-ipv4-prefix {
                                type inet:ipv4-prefix;
                                mandatory true;
                                description
                                  "An IPv4 destination address of
                                   the match.";
                              }
                              leaf src-ipv4-prefix {



Jeong, et al.            Expires January 5, 2017               [Page 15]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                type inet:ipv4-prefix;
                                mandatory true;
                                description
                                  "An IPv4 destination address of
                                   the match.";
                              }
                            }
                          }
                        }
                      }
                    }
                    case ipv6 {
                      description
                        "IPv6 route case.";
                      container ipv6 {
                        description
                          "IPv6 route match.";
                        choice ip-route-match-type {
                          description
                            "IP route match type options:
                             match source, or
                             match destination, or
                             match source and destination.";
                          case dest-ipv6-address {
                            leaf dest-ipv6-prefix {
                              type inet:ipv6-prefix;
                              mandatory true;
                              description
                                "An IPv6 destination address
                                 as the match.";
                            }
                          }
                          case src-ipv6-address {
                            leaf src-ipv6-prefix {
                              type inet:ipv6-prefix;
                              mandatory true;
                              description
                                "An IPv6 source address
                                 as the match.";
                            }
                          }
                          case dest-src-ipv6-address {
                            container dest-src-ipv6-address {
                              description
                                "A combination of an IPv6 source and
                                 an IPv6 destination address as the
                                 match.";
                              leaf dest-ipv6-prefix {



Jeong, et al.            Expires January 5, 2017               [Page 16]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                type inet:ipv6-prefix;
                                mandatory true;
                                description
                                  "An IPv6 destination address of
                                   the match.";
                              }
                              leaf src-ipv6-prefix {
                                type inet:ipv6-prefix;
                                mandatory true;
                                description
                                  "An IPv6 destination address of
                                   the match.";
                              }
                            }
                          }
                        }
                      }
                    }
                    case mpls-route {
                      description
                        "MPLS route case."
                      leaf mpls-label {
                        type uint 32;
                        mandatory true;
                        description
                          "The label used for matching.";
                      }
                    }
                    case mac-route {
                      description
                        "MAC route case."
                      leaf mac-address {
                        type uint 32;
                        mandatory true;
                        description
                          "The MAC address used for matching.";
                      }
                    }
                    case interface-route {
                      description
                        "Interface route case."
                      leaf interface-identifier {
                        type if:interface-ref;
                        mandatory true;
                        description
                          "The interface used for matching.";
                      }
                    }



Jeong, et al.            Expires January 5, 2017               [Page 17]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                  }
                }
                choice layer-type {
                  description
                    "Layer Types: Layer 2, Layer 3, and Layer 4.";
                  case layer-2-header {
                    description
                      "A header about Layer 2.";
                    leaf src-mac-address {
                      type yang:phys-address;
                      mandatory true;
                      description
                        "Source MAC Address.";
                    }
                    leaf dest-mac-address {
                      type yang:phys-address;
                      mandatory true;
                      description
                        "Destination MAC Address.";
                    }
                  }
                  case layer-3-header {
                    description
                      "A header about Layer 3.";
                    choice packet-type {
                      case ipv4 {
                        uses ipv4-header;
                      }
                      case ipv6{
                        uses ipv6-header;
                      }
                    }
                  }
                  case layer-4-header {
                    description
                      "A header about Layer 4.";
                    leaf src-port {
                      type inet:port-number;
                      mandatory true;
                      description
                        "source port number.";
                    }
                    leaf dest-port {
                      type inet:port-number;
                      mandatory true;
                      description
                        "destination port number.";
                    }



Jeong, et al.            Expires January 5, 2017               [Page 18]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                  }
                }
              list packet-payload {
                key "packet-payload-id";
                description
                  "TBD.";

                leaf packet-payload-id {
                  type uint 8;
                  mandatory true;
                  description
                    "TBD.";
                }
              }
              container context-values {
                description
                  "Refer to the context information for the
                   received packets."
                list user{
                  key "user-id";
                  description
                    "The user (or user group) information to which
                     network flow is associated: User has many
                     attributes such as name, id, password, type,
                     authentication mode and so on. Name/id is often
                     used in the security policy to identify the user.
                     Besides, NSF is aware of the IP address of the
                     user provided by unified user management system
                     via network. Based on name-address association,
                     NSF is able to enforce the security functions
                     over the given user (or user group);

                  leaf user-id {
                    type uint 8;
                    mandatory true;
                    description
                      "The ID of the user.
                       This is key for user-list.
                       This must be unique.";
                  }
                  choice user-name {
                    description
                      "The name of the user.
                       This must be unique.";
                    case tenant {
                      description
                        "Tenant information";
                      leaf tenant {



Jeong, et al.            Expires January 5, 2017               [Page 19]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        type uint 8;
                        mandatory true;
                        description
                          "User's tenant information";
                      }
                    }
                    case vn-id {
                      description
                        "VN-ID information";
                      leaf vn-id {
                        type uint 8;
                        mandatory true;
                        description
                          "User's VN-ID information";
                      }
                    }
                  }
                container schedule {
                  description
                    "A schedule defines time range. A rule can
                     reference a schedule to filter traffic that
                     passes through the NSF within the schedule.
                     A schedule can be a periodic schedule, or a
                     one-time schedule.";
                  leaf name {
                    type string;
                    mandatory true;
                    description
                      "The name of the schedule.
                       This must be unique.";
                  }
                  choice schedule-type {
                    description
                      "We can configure a schedule either once or
                       periodic.";
                    case once {
                      description
                        "If we need to configure only once rule,
                         we can use the once option.";
                      leaf once {
                        type boolean;
                        mandatory true;
                        description
                          "The once option of a schedule.";
                      }
                    }
                    case periodic {
                      description



Jeong, et al.            Expires January 5, 2017               [Page 20]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        "If we need to configure periodic rule,
                         we can use the periodic option.";
                      leaf periodic {
                        type boolean;
                        mandatory true;
                        description
                          "The periodic option of a schedule.";
                      }
                    }
                  }
                  leaf start-time {
                    type yang:date-and-time;
                    mandatory true;
                    description
                      "This is start time to take effect rules.";
                  }
                  leaf end-time {
                    type yang:date-and-time;
                    mandatory true;
                    description
                      "This is end time to take effect rules.";
                  }
                  leaf weekly-validity-time {
                    type yang:date-and-time;
                    mandatory true;
                    description
                      "This is weekly validity time.";
                  }
                }

                list region {
                  key "ip-address-region";
                  description
                    "The location where network traffic is associated
                     with. The region can be the geographic location
                     such as country, province, and city as well,
                     as well as the logical network location such as
                     IP address, network section and network domain.";
                  leaf ip-address-region {
                    type uint 8;
                    mandatory true;
                    description
                      "This is mapped to ip address. We can acquire
                       region through ip address stored the database.";
                  }
                }

                container target {



Jeong, et al.            Expires January 5, 2017               [Page 21]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                  description
                    "Under the circumstances of network, it mainly
                     refers to the service, application, and device.;
                  container service{
                    description
                      "A service is an application identified by a
                       protocol type and port number, such as TCP,
                       UDP, ICMP, and IP.;
                    leaf name {
                      type string;
                      mandatory true;
                      description
                        "The name of the service.
                         This must be unique.";
                    }
                    leaf id {
                      type uint 8;
                      mandatory true;
                      description
                        "The ID of the service.
                         This must be unique.";
                    }
                    container protocol {
                      description
                        "Protocol types:
                          TCP, UDP, ICMP, ICMPv6, IP, and etc.";
                      leaf tcp  {
                        type boolean;
                        mandatory true;
                        description
                          "TCP protocol type.";
                      }
                      leaf udp {
                        type boolean;
                        mandatory true;
                        description
                          "UDP protocol type.";
                      }
                      leaf icmp {
                        type boolean;
                        mandatory true;
                        description
                          "ICMP protocol type.";
                      }
                      leaf icmpv6 {
                        type boolean;
                        mandatory true;
                        description



Jeong, et al.            Expires January 5, 2017               [Page 22]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                          "ICMPv6 protocol type.";
                      }
                      leaf ip {
                        type boolean;
                        mandatory true;
                        description
                          "IP protocol type.";
                      }
                    }
                    leaf src-port{
                      type inet:port-number;
                      description
                        "It can be used for finding programs.";
                    }
                    leaf dest-port{
                      type inet:port-number;
                      description
                        "It can be used for finding programs.";
                    }
                  }
                  container application {
                    description
                      "An application is a computer program for
                       a specific task or purpose. It provides
                       a finer granularity than service in matching
                       traffic.";
                    leaf name{
                      type string;
                      mandatory true;
                      description
                        "The name of the application.
                         This must be unique.";
                    }
                    leaf id{
                      type uint 8;
                      mandatory true;
                      description
                        "The ID of the application.
                         This must be unique.";
                    }
                    container category{
                      description
                        "Category types: Business system, Entertainment,
                         Interest, Network, General, and etc.";
                      leaf business-system {
                        type boolean;
                        description
                          "Business system category.";



Jeong, et al.            Expires January 5, 2017               [Page 23]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                      }
                      leaf entertainment {
                        type boolean;
                        description
                          "Entertainment category.";
                      }
                      leaf interest {
                        type boolean;
                        description
                          "Interest category.";
                      }
                      leaf network {
                        type boolean;
                        description
                          "Network category.";
                      }
                      leaf general {
                        type boolean;
                        description
                          "General category.";
                      }
                    }
                    container subcategory{
                      description
                        "Subcategory types: Finance, Email, Game,
                         Media sharing, Social network, Web posting,
                         and etc.";
                      leaf finance {
                        type boolean;
                        description
                          "Finance subcategory.";
                      }
                      leaf email {
                        type boolean;
                        description
                          "Email subcategory.";
                      }
                      leaf game {
                        type boolean;
                        description
                          "Game subcategory.";
                      }
                      leaf media-sharing {
                        type boolean;
                        description
                          "Media sharing subcategory.";
                      }
                      leaf social-network {



Jeong, et al.            Expires January 5, 2017               [Page 24]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        type boolean;
                        description
                          "Social network subcategory.";
                      }
                      leaf web-posting {
                        type boolean;
                        description
                          "Web posting subcategory.";
                      }
                    }
                    container data-transmission-model{
                      description
                        "Data transmission model types: Client-server,
                         Browser-based, Networking, Peer-to-Peer,
                         Unassigned, and etc.";
                      leaf client-server {
                        type boolean;
                        description
                          "client-server data transmission model.";
                      }
                      leaf browser-based {
                        type boolean;
                        description
                          "Browser-based data transmission model.";
                      }
                      leaf networking {
                          type boolean;
                          description
                          "Networking data transmission model.";
                      }
                      leaf peer-to-peer {
                        type boolean;
                        description
                          "Peer-to-Peer data transmission model.";
                      }
                      leaf unassigned {
                        type boolean;
                        description
                          "Unassigned data transmission model.";
                      }
                    }
                    container risk-level{
                      description
                        "Risk level types: Exploitable,
                         Productivity loss, Evasive, Data loss,
                         Malware vehicle, Bandwidth consuming,
                         Tunneling, and etc.";
                      leaf exploitable {



Jeong, et al.            Expires January 5, 2017               [Page 25]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        type boolean;
                        description
                          "Exploitable risk level.";
                      }
                      leaf productivity-loss {
                        type boolean;
                        description
                          "Productivity loss risk level.";
                      }
                      leaf evasive {
                        type boolean;
                        description
                          "Evasive risk level.";
                      }
                      leaf data-loss {
                        type boolean;
                        description
                          "Data loss risk level.";
                      }
                      leaf malware-vehicle {
                        type boolean;
                        description
                          "Malware vehicle risk level.";
                      }
                      leaf bandwidth-consuming {
                        type boolean;
                        description
                          "Bandwidth consuming risk level.";
                      }
                      leaf tunneling {
                        type boolean;
                        description
                          "Tunneling risk level.";
                      }
                    }
                  }
                  container device {
                    description
                      "The device attribute that can identify a device
                       include type (i.e., router, switch, pc, ios, or
                       android) and the device's owner as well.";
                    leaf pc {
                      type boolean;
                      description
                        "If type of a device is PC.";
                    }
                    leaf mobile-phone {
                      type boolean;



Jeong, et al.            Expires January 5, 2017               [Page 26]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                      description
                        "If type of a device is mobile-phone.";
                    }
                    leaf tablet {
                      type boolean;
                      description
                        "If type of a device is tablet.";
                    }
                    leaf voip-volte-phone {
                      type boolean;
                      description
                        "If type of a device is voip-volte-phone.";
                    }

                  }

                  choice state {
                    description
                      "It refers to various states to which the network
                       flow is associated. It can be either the TCP
                       session state (i.e., new, established, related,
                       invalid, or untracked), the session AAA state or
                       the access mode of the devices (i.e., wire,
                       wireless, or vpn).";
                    case session-state {
                      description "content.";
                      container tcp-session-state {
                        description "content.";
                        leaf new {
                        type boolean;
                        description "New state.";
                        }
                        leaf established {
                          type boolean;
                          description "Established state.";
                        }
                        leaf related {
                          type boolean;
                          description "Related state.";
                        }
                        leaf invalid {
                          type boolean;
                          description "Invalid state.";
                        }
                        leaf untracked {
                          type boolean;
                          description "untracked state.";
                        }



Jeong, et al.            Expires January 5, 2017               [Page 27]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                      }
                    }
                    case session-aaa-state {
                      description "TBD";
                      container session-sip-state {
                        description "TBD";
                        leaf auth-state {
                          type boolean;
                          description "untracked state.";
                        }
                        leaf call-state {
                          type boolean;
                          description "untracked state.";
                        }
                      }
                    }
                    case access-mode {
                      description "TBD";
                      leaf access-mode {
                        type string;
                        mandatory true;
                        description "TBD";
                      }
                    }
                  }

                  container direction {
                    description "the direction of the network flow.";
                    leaf request {
                      type boolean;
                      description "TBD.";
                    }
                    leaf response {
                      type boolean;
                      description "TBD.";
                    }
                  }
                }
              }
            }
          }

          choice action{
            description
              "The flow-based NSFs realize the security functions by
               executing various Actions, which at least includes
               ingress-action, egress-action, and advanced-action.";
            case ingress-action {



Jeong, et al.            Expires January 5, 2017               [Page 28]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


              description
                "The ingress actions consist of permit, deny,
                 and mirror";
              leaf permit {
                type boolean;
                description
                  "Packet flow is permitted"
              }
              leaf deny {
                type boolean;
                description
                  "Packet flow is denied"
              }
              leaf mirror {
                type boolean;
                description
                  "Packet flow is mirrored"
              }
            }
            case egress-action {
              description
                "The egress actions consist of invoke-signaling,
                 tunnel-encapsulation, and forwarding";
              leaf invoke-signaling {
                type boolean;
                description
                  "TBD";
              }
              leaf tunnel-encapsulation {
                type boolean;
                description
                  "TBD";
              }
            }
            case advanced-action {
              description
                "Applying a specific Functional Profile or signature
                 - e.g., an IPS Profile, a signature file, an
                 anti-virus file, or a URL filtering file. The
                 functional profile or signature file corresponds to
                 the security capability for the content security
                 control and attack mitigation control which will be
                 described afterwards. It is one of the key properties
                 that determine the effectiveness of the NSF, and is
                 mostly vendor specific today. One goal of I2NSF is
                 to standardize the form and functional interface of
                 those security capabilities while supporting vendor-
                 specific implementations of each.";



Jeong, et al.            Expires January 5, 2017               [Page 29]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


              choice advanced-action-type {
                description
                  "Advanced action types: Content Security Control
                   and Attack Mitigation Control.";
                case content-security-control {
                  description
                    "Content security control is another category of
                    security capabilities applied to application layer.
                    Through detecting the contents carried over the
                    traffic in application layer, these capabilities
                    can realize various security purposes, such as
                    defending against intrusion, inspecting virus,
                    filtering malicious URL or junk email, blocking
                    illegal web access or data retrieve.";
                  choice content-security-control-type {
                    description
                     "Content Security types: Antivirus, IPS,
                      url-filtering file-blocking, data-filtering,
                      application-control, and voip-volte.";
                    case antivirus {
                      leaf antivirus {
                        type boolean;
                        description
                          "Antivirus is computer software used to
                           prevent, detect and remove malicious
                           software.";
                      }
                    }
                    case ips {
                      leaf ips {
                        type boolean;
                        description
                          "Intrusion prevention systems (IPS) are
                           network security appliances that monitor
                           network and/or system activities for
                           malicious activity.";
                      }
                    }
                    case url-filtering {
                      leaf url-filtering {
                        type boolean;
                        description
                          "URL filtering security service.";
                      }
                    }
                    case file-blocking {
                      leaf file-blocking {
                        type boolean;



Jeong, et al.            Expires January 5, 2017               [Page 30]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        description
                          "File blocking security service.";
                      }
                    }
                    case data-filtering {
                      leaf data-filtering {
                        type boolean;
                        description
                          "Data filtering security service.";
                      }
                    }
                    case application-control {
                      leaf application-control {
                        type boolean;
                        description
                          "Application control security service.";
                      }
                    }
                    case voip-volte {
                      list voip-volte-rule {
                        key "voip-volte-rule-id";
                        description
                          "For the VoIP/VoLTE security system, a VoIP/
                           VoLTE security system can monitor each
                           VoIP/VoLTE flow and manage VoIP/VoLTE
                           security rules controlled by a centralized
                           server for VoIP/VoLTE security service
                           (called VoIP IPS). The VoIP/VoLTE security
                           system controls each switch for the
                           VoIP/VoLTE call flow management by
                           manipulating the rules that can be added,
                           deleted or modified dynamically.";
                        leaf voip-volte-rule-id {
                          type uint 8;
                          mandatory true;
                          description
                            "The ID of the voip-volte-rule
                             This is key for voip-volte-rule-list.
                             This must be unique.";
                        }
                        container event {
                          description
                            "content.";
                          leaf called-voip {
                            type boolean;
                            mandatory true;
                            description
                              "If content-security-control-type is



Jeong, et al.            Expires January 5, 2017               [Page 31]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                               voip.";
                          }
                          leaf called-volte {
                            type boolean;
                            mandatory true;
                            description
                              "If content-security-control-type is
                               volte.";
                          }
                        }
                        container condition {
                          description
                            "content.";
                          list sip-header {
                            key "sip-header-uri";
                            description
                              "content.";
                            leaf sip-header-uri {
                              type uint 32;
                              mandatory true;
                              description
                                "SIP header URI.";
                            }
                            leaf sip-header-method {
                              type string;
                              mandatory true;
                              description
                                "SIP header method.";
                            }
                            leaf sip-header-expire-time {
                              type yang:date-and-time
                              mandatory true;
                              description
                                "SIP header expire time.";
                            }
                            leaf sip-header-user-agent {
                              type uint 32;
                              mandatory true;
                              description
                                "SIP header user agent.";
                            }
                          }
                          list cell-region {
                            key "cell-id-region";
                            leaf cell-id-region {
                              type uint 32;
                              mandatory true;
                              description



Jeong, et al.            Expires January 5, 2017               [Page 32]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                "Cell region.";
                            }
                          }
                        }
                        container action {
                          choice action-type {
                            description
                              "Action type: ingress action and
                               egress action.";
                            case ingress-action {
                              description
                                "The ingress actions consist of permit,
                                 deny, and mirror.";
                              leaf permit {
                                type boolean;
                                description
                                  "Packet flow is permitted"
                              }
                              leaf deny {
                                type boolean;
                                description
                                  "Packet flow is denied"
                                }
                              leaf mirror {
                                type boolean;
                                description
                                  "Packet flow is mirrored"
                              }
                            }
                            case egress-action {
                              leaf redirection {
                                type boolean;
                                mandatory true;
                                description "TBD.";
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
                case attack-mitigation-control {
                  description
                    "This category of security capabilities is
                     specially used to detect and mitigate various
                     types of network attacks.";
                  choice attack-mitigation-control-type {



Jeong, et al.            Expires January 5, 2017               [Page 33]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                    description
                      "Attack-mitigation types: DDoS-attack and
                       Single-packet attack.";
                    case ddos-attack {
                      description
                        "A distributed-denial-of-service (DDoS) is
                         where the attack source is more than one,
                         often thousands of, unique IP addresses.";
                      choice ddos-attack-type {
                        description
                          "DDoS-attack types: Network Layer DDoS Attack
                           and Application Layer DDoS Attacks.";
                        case network-layer-ddos-attack {
                          description
                            "Network layer DDoS-attack."
                          choice network-layer-ddos-attack-type {
                            description
                              "Network layer DDoS attack types:
                               Syn Flood Attack, UDP Flood Attack,
                               ICMP Flood Attack, IP Fragment Flood,
                               IPv6 Related Attacks, and etc";
                            case syn-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                 a syn flood attack.";
                              leaf syn-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "Syn Flood Attack.";
                              }
                            }
                            case udp-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                 a udp flood attack.";
                              leaf udp-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "UDP Flood Attack.";
                              }
                            }
                            case icmp-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                 an icmp flood attack.";
                              leaf icmp-flood {



Jeong, et al.            Expires January 5, 2017               [Page 34]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                type boolen;
                                mandatory true;
                                description
                                  "ICMP Flood Attack.";
                              }
                            }
                            case ip-fragment-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                 an ip fragment flood attack.";
                              leaf ip-fragment-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "IP Fragment Flood.";
                              }
                            }
                            case ipv6-related-attacks {
                              description
                                "If the network layer DDoS-attack is
                                 ipv6 related attacks.";
                              leaf ipv6-related {
                                type boolen;
                                mandatory true;
                                description
                                  "IPv6 Related Attacks.";
                              }
                            }
                          }
                        }
                        case app-layer-ddos-attack {
                          description
                            "Application layer DDoS-attack."
                          choice app-ddos-attack-type {
                            description
                              "Application layer DDoS-attack types:
                               Http Flood Attack, Https Flood Attack,
                               DNS Flood Attack,
                               DNS Amplification Flood Attack,
                               SSL DDoS Attack, and etc";
                            case http-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                 a http flood attack.";
                              leaf http-flood {
                                type boolen;
                                mandatory true;
                                description



Jeong, et al.            Expires January 5, 2017               [Page 35]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                  "Http Flood Attack.";
                              }
                            }
                            case https-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                 a https flood attack.";
                              leaf https-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "Https Flood Attack.";
                              }
                            }
                            case dns-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                 a dns flood attack.";
                              leaf dns-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "DNS Flood Attack.";
                              }
                            }
                            case dns-amp-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                 a dns amplification flood attack.";
                              leaf dns-amp-flood {
                                type boolen;
                                mandatory true;
                                description
                                  "DNS Amplification Flood Attack.";
                              }
                            }
                            case ssl-ddos-attack {
                              description
                                "If the application layer DDoS-attack is
                                 a ssl DDoS attack.";
                              leaf ssl-ddos {
                                type boolen;
                                mandatory true;
                                description
                                  "SSL Flood Attack.";
                              }
                            }
                          }



Jeong, et al.            Expires January 5, 2017               [Page 36]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                        }
                      }
                    }
                    case single-packet-attack {
                      description
                        "Single Packet Attacks.";
                      choice single-packet-attack-type {
                        description
                          "DDoS-attack types: Scanning Attack,
                           Sniffing Attack, Malformed Packet Attack,
                           Special Packet Attack, and etc.";
                        case scan-and-sniff-attack {
                          description
                            "Scanning and Sniffing Attack."
                          choice scan-and-sniff-attack-type {
                            description
                              "Scanning and sniffing attack types:
                               IP Sweep attack, Port Scanning,
                               and etc.";
                            case ip-sweep-attack {
                              description
                                "If the scanning and sniffing attack is
                                 an ip sweep attack.";
                              leaf ip-sweep {
                                type boolen;
                                mandatory true;
                                description
                                  "IP Sweep Attack.";
                              }
                            }
                            case port-scanning-attack {
                              description
                                "If the scanning and sniffing attack is
                                 a port scanning attack.";
                              leaf port-scanning {
                                type boolen;
                                mandatory true;
                                description
                                  "Port Scanning Attack.";
                              }
                            }
                          }
                        }
                        case malformed-packet-attack {
                          description
                            "Malformed Packet Attack."
                          choice malformed-packet-attack-type {
                            description



Jeong, et al.            Expires January 5, 2017               [Page 37]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                              "Malformed packet attack types:
                               Ping of Death Attack, Teardrop Attack,
                               and etc";
                            case ping-of-death-attack {
                              description
                                "If the malformed packet attack is
                                 a ping of death attack.";
                              leaf ping-of-death {
                                type boolen;
                                mandatory true;
                                description
                                  "Ping of Death Attack.";
                              }
                            }
                            case teardrop-attack {
                              description
                                "If the malformed packet attack is
                                 a teardrop attack.";
                              leaf teardrop {
                                type boolen;
                                mandatory true;
                                description
                                  "Teardrop Attack.";
                              }
                            }
                          }
                        }
                        case special-packet-attack {
                          description
                            "special Packet Attack."
                          choice special-packet-attack-type {
                            description
                              "Special packet attack types:
                               Oversized ICMP Attack, Tracert Attack,
                               and etc.";
                            case oversized-icmp-attack {
                              description
                                "If the special packet attack is
                                 a oversized icmp attack.";
                              leaf oversized-icmp {
                                type boolen;
                                mandatory true;
                                description
                                  "Oversize ICMP Attack.";
                              }
                            }
                            case tracert-attack {
                              description



Jeong, et al.            Expires January 5, 2017               [Page 38]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                                "If the special packet attack is
                                 a tracert attack.";
                              leaf tracert {
                                type boolen;
                                mandatory true;
                                description
                                  "Tracrt Attack.";
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
      }
  }

  //grouping
  grouping ipv4-header {
    description
      "The IPv4 header encapsulation information.";
    leaf src-ipv4-address {
      type inet:ipv4-address;
      mandatory true;
      description
        "The source ip address of the header.";
      }
      leaf dest-ipv4-address {
        type inet:ipv4-address;
        mandatory ture;
        description
          "The destination ip address of the header.";
      }
      leaf protocol {
        type uint 8;
        mandatory ture;
        description
          "The Protocol id of the header.";
      }
      leaf ttl {
        type uint 8;
        description
          "The TTL of the header.";
      }



Jeong, et al.            Expires January 5, 2017               [Page 39]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


  }

  grouping ipv6-header {
    description "The IPv6 header encapsulation information.";
    leaf src-ipv6-address {
      type inet:ipv6-address;
      mandatory true;
      description
        "The source ip address of the header.";
      }
      leaf dest-ipv6-address {
        type inet:ipv6-address;
        mandatory ture;
        description
          "The destination ip address of the header.";
      }
      leaf next-header {
        type uint 8;
        mandatory ture;
        description
          "The next header of the IPv6 header.";
      }
      leaf traffic-class {
        type uint 8;
        description
          "The traffic class value of the header.";
      }
      leaf flow-label {
        type uint 16;
        description
          "The flow label of the header.";
      }
      leaf hop-limit {
        type uint 8;
        description
          "The hop limit the header.";
      }
  }


  /*RPC Operations*/
  rpc time-event-add {
    description
      "To add a rule of time event or a list of time event.";
    input {
      leaf event-time {
        type yang:date-and-time;
        description



Jeong, et al.            Expires January 5, 2017               [Page 40]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


          "TBD";
      }
      leaf time-id {
        type uint 8;
        description
          "The ID of the time-event.
           This is key for time-event-list.
           This must be unique.";
      }
    }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the time-event-add operation.
           true - success
           false - failed";
      }
      leaf reason {
        type   string;
        description
          "The specific reason that causes the failure.";
      }
    }
  }

  rpc time-event-delete {
    description
      "To delete rule of a user or a list of user.";
    input {
      leaf time-id {
        type  uint 8;
        description
          "The ID of the time-event.
           This is key for time-event-list.
           This must be unique.";
      }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the time-event-delete operation.
           true - success
           false - failed";
      }
      leaf reason {
        type   string;
        description



Jeong, et al.            Expires January 5, 2017               [Page 41]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


          "The specific reason that causes the failure.";
      }
    }
  }

  rpc user-add {
    description
      "To add a rule of user or a list of user.";
    input {
      leaf user-id {
        type uint 8;
        mandatory true;
        description
          "The ID of the user.
           This is key for user-list.
           This must be unique.";
      }
      choice user-name {
        description
          "The name of the user.
           This must be unique.";
        case tenant {
          description
            "Tenant information";
          leaf tenant {
            type uint 8;
            mandatory true;
            description
              "User's tenant information";
          }
        }
        case vn-id {
          description
            "VN-ID information.";
          leaf vn-id {
            type uint 8;
            mandatory true;
            description
              "User's VN-ID information.";
           }
        }
      }
    }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the user-add operation.



Jeong, et al.            Expires January 5, 2017               [Page 42]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


           true - success
           false - failed";
      }
      leaf reason {
        type   string;
        description
          "The specific reason that causes the failure.";
      }
    }
  }

  rpc user-delete {
    description
      "To delete a rule of user or a list of user.";
    input {
      leaf user-id {
        type  uint 8;
        description
          "The ID of the user.
           This is key for user-list.
           This must be unique.";
      }
    }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the user-delete operation.
           true - success
           false - failed";
      }
      leaf reason {
        type   string;
        description
          "The specific reason that causes the failure.";
      }
    }
  }

  rpc region-add {
    description
      "To add a rule of region or a list of region.";
    input {
      leaf ip-address-region {
        type  uint 8;
        description
          "This is mapped to ip address.
           We can acquire region through ip address stored the



Jeong, et al.            Expires January 5, 2017               [Page 43]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


           database.";
      }
    }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the region-add operation.
           true - success
           false - failed";
      }
      leaf reason {
        type   string;
        description
          "The specific reason that causes the failure.";
      }
    }
  }

  rpc region-delete {
    description
      "To delete a rule of region or a list of region.";
    input {
      leaf ip-address-region {
        type  uint 8;
        description
          "This is mapped to ip address.
           We can acquire region through ip address stored the
           database.";
      }
    }
    output {
      leaf result {
        type  boolean;
        description
          "Return the result of the region-delete operation.".
           true - success;
           false - failed";
      }
      leaf reason {
        type   string;
        description
          "The specific reason that causes the failure.";
      }
    }
  }
}




Jeong, et al.            Expires January 5, 2017               [Page 44]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


            Figure 3: Data Model of I2NSF Capability Interface

6.  Security Considerations

   This document introduces no additional security threats and SHOULD
   follow the security requirements as stated in [i2nsf-framework].

7.  Acknowledgements

   This work was supported by Institute for Information & communications
   Technology Promotion(IITP) grant funded by the Korea government(MSIP)
   (No.R-20160222-002755, Cloud based Security Intelligence Technology
   Development for the Customized Security Service Provisioning).

   This document has greatly benefited from inputs by Hyoungshick Kim
   and Se-Hui Lee.

8.  References

8.1.  Normative References

   [RFC2119]                 Bradner, S., "Key words for use in RFCs to
                             Indicate Requirement Levels", BCP 14,
                             RFC 2119, March 1997.

   [RFC6020]                 Bjorklund, M., "YANG - A Data Modeling
                             Language for the Network Configuration
                             Protocol (NETCONF)", RFC 6020,
                             October 2010.

8.2.  Informative References

   [i2nsf-cap-interface-im]  Xia, L., Strassner, J., Li, K., Zhang, D.,
                             Lopez, E., BOUTHORS, N., and L. Fang,
                             "Information Model of Interface to Network
                             Security Functions Capability Interface",
                             draft-xia-i2nsf-capability-interface-im-
                             05 , March 2016.

   [i2rs-rib-data-model]     Wang, L., Ananthakrishnan, H., Chen, M.,
                             Dass, A., Kini, S., and N. Bahadur, "A YANG
                             Data Model for Routing Information Base
                             (RIB)", draft-ietf-i2rs-rib-data-model-05 ,
                             March 2016.

   [supa-policy-info-model]  Strassner, J. and J. Halpern, "Generic
                             Policy Information Model for  Simplified
                             Use of Policy Abstractions (SUPA)", draft-



Jeong, et al.            Expires January 5, 2017               [Page 45]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


                             ietf-supa-generic-policy-info-model-00 ,
                             June 2016.

   [i2nsf-framework]         Lopez, E., Lopez, D., Dunbar, L.,
                             Strassner, J., Zhuang, X., Parrott, J.,
                             Krishnan, R., and S. Durbha, "Framework for
                             Interface to Network Security Functions",
                             draft-ietf-i2nsf-framework-00 , May 2016.

Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php


   Jin-Yong Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: wlsdyd0930@nate.com


   Dae-Young Hyun
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 4776 5672
   EMail: guseodud1@naver.com







Jeong, et al.            Expires January 5, 2017               [Page 46]


Internet-Draft    I2NSF Capability Interface Data Model        July 2016


   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon  305-700
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr


   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon  305-811
   Republic of Korea

   Phone: +82 42 870 8409
   EMail: taejin.ahn@kt.com

































Jeong, et al.            Expires January 5, 2017               [Page 47]