Network Working Group J. Kim
Internet-Draft J. Jeong
Intended status: Standards Track Sungkyunkwan University
Expires: September 13, 2017 J. Park
ETRI
S. Hares
L. Xia
Huawei
March 12, 2017
I2NSF Network Security Functions Facing Interface YANG Data Model
draft-kim-i2nsf-nsf-facing-interface-data-model-01
Abstract
This document defines a YANG data model corresponding to the
information model for Network Security Functions (NSF) facing
interface in Interface to Network Security Functions (I2NSF). It
describes a data model for three security capabilities (i.e., network
security functions), such as network security control, content
security control, and attack mitigation control, as defined in the
information model for the I2NSF NSF capabilities.
Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 13, 2017.
Copyright Notice
Kim, et al. Expires September 13, 2017 [Page 1]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
4. Information Model Structure . . . . . . . . . . . . . . . . . 4
5. YANG Model . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 65
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 65
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.1. Normative References . . . . . . . . . . . . . . . . . . . 65
8.2. Informative References . . . . . . . . . . . . . . . . . . 66
Appendix A. Changes from
draft-kim-i2nsf-nsf-facing-interface-data-model-00 . 66
Kim, et al. Expires September 13, 2017 [Page 2]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
1. Introduction
This document defines a YANG [RFC6020] data model for security
services with the information model for Network Security Functions
(NSF) facing interface in Interface to Network Security Functions
(I2NSF). It provides a specific information model and the
corresponding data models for three security capabilities (i.e.,
network security functions), such as network security control,
content security control, and attack mitigation control, as defined
in [i2nsf-cap-interface-im]. With these data model, I2NSF controller
can control the capabilities of NSFs.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
This document uses the terminology described in
[i2nsf-cap-interface-im][i2rs-rib-data-model]
[supa-policy-info-model]. Especially, the following terms are from
[supa-policy-info-model]:
o Data Model: A data model is a representation of concepts of
interest to an environment in a form that is dependent on data
repository, data definition language, query language,
implementation language, and protocol.
o Information Model: An information model is a representation of
concepts of interest to an environment in a form that is
independent of data repository, data definition language, query
language, implementation language, and protocol.
3.1. Tree Diagrams
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams
[i2rs-rib-data-model] is as follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" state data (read-only).
o Symbols after data node names: "?" means an optional node and "*"
denotes a "list" and "leaf-list".
Kim, et al. Expires September 13, 2017 [Page 3]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
4. Information Model Structure
Figure 1 shows an overview of a structure tree of network security
control, content security control, and attack mitigation control, as
defined in the [i2nsf-cap-interface-im].
module : ietf-i2nsf-nsf-facing-interface
+--rw cfg-network-security-control
| +--rw policy
| +--rw policy-name string
| +--rw policy-id string
| +--rw rules* [rule-id]
| +--rw rule-name string
| +--rw rule-id uint 8
| +--rw rule-msg string
| +--rw rule-rev uint 8
| +--rw rule-gid uint 8
| +--rw rule-class-type string
| +--rw rule-reference string
| +--rw rule-priority uint 8
| +--rw event
| | +--rw user-security-event* [usr-sec-event-id]
| | | +--rw usr-sec-event-id uint 8
| | | +--rw usr-sec-event-content string
| | | +--rw usr-sec-event-format uint 8
| | | +--rw usr-sec-event-type uint 8
| | +--rw device-security-event* [dev-sec-event-id]
| | | +--rw dev-sec-event-id uint 8
| | | +--rw dev-sec-event-content string
| | | +--rw dev-sec-event-format uint 8
| | | +--rw dev-sec-event-type uint 8
| | | +--rw dev-sec-event-type-severity uint 8
| | +--rw system-security-event* [sys-sec-event-id]
| | | +--rw sys-sec-event-id uint 8
| | | +--rw sys-sec-event-content string
| | | +--rw sys-sec-event-format uint 8
| | | +--rw sys-sec-event-type uint 8
| | +--rw time-security-event* [time-sec-event-id]
| | | +--rw time-sec-event-id uint 8
| | | +--rw time-sec-event-period-begin yang:date-and-time
| | | +--rw time-sec-event-period-end yang:date-and-time
| | | +--rw time-sec-evnet-time-zone string
Kim, et al. Expires September 13, 2017 [Page 4]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| +--rw condition
| | +--rw packet-security-condition* [pkt-security-id]
| | | +--rw pkt-security-id uint 8
| | | +--rw packet-security-mac-condition
| | | | +--rw pkt-sec-cond-mac-dest* inet:port-number
| | | | +--rw pkt-sec-cond-mac-src* inet:port-number
| | | | +--rw pkt-sec-cond-mac-8021q* string
| | | | +--rw pkt-sec-cond-mac-ether-type* string
| | | | +--rw pkt-sec-cond-mac-tci* string
| | | +--rw packet-security-ipv4-condition
| | | | +--rw pkt-sec-cond-ipv4-header-length* uint 8
| | | | +--rw pkt-sec-cond-ipv4-tos* uint 8
| | | | +--rw pkt-sec-cond-ipv4-total-length* uint 16
| | | | +--rw pkt-sec-cond-ipv4-id* uint 16
| | | | +--rw pkt-sec-cond-ipv4-fragment* uint 8
| | | | +--rw pkt-sec-cond-ipv4-fragment-offset* uint 16
| | | | +--rw pkt-sec-cond-ipv4-ttl* uint 8
| | | | +--rw pkt-sec-cond-ipv4-protocol* uint 8
| | | | +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address
| | | | +--rw pkt-sec-cond-ipv4-dest* inet:ipv4-address
| | | | +--rw pkt-sec-cond-ipv4-ipopts string
| | | | +--rw pkt-sec-cond-ipv4-sameip boolean
| | | | +--rw pkt-sec-cond-ipv4-geoip* string
| | | +--rw packet-security-ipv6-condition
| | | | +--rw pkt-sec-cond-ipv6-dscp* string
| | | | +--rw pkt-sec-cond-ipv6-ecn* string
| | | | +--rw pkt-sec-cond-ipv6-traffic-class* uint 8
| | | | +--rw pkt-sec-cond-ipv6-flow-label* uint 32
| | | | +--rw pkt-sec-cond-ipv6-payload-length* uint 16
| | | | +--rw pkt-sec-cond-ipv6-next-header* uint 8
| | | | +--rw pkt-sec-cond-ipv6-hop-limit* uint 8
| | | | +--rw pkt-sec-cond-ipv6-src* inet:ipv6-address
| | | | +--rw pkt-sec-cond-ipv6-dest* inet:ipv6-address
| | | +--rw packet-security-tcp-condition
| | | | +--rw pkt-sec-cond-tcp-seq-num* uint 32
| | | | +--rw pkt-sec-cond-tcp-ack-num* uint 32
| | | | +--rw pkt-sec-cond-tcp-window-size* uint 16
| | | | +--rw pkt-sec-cond-tcp-falgs* uint 8
| | | +--rw packet-security-udp-condition
| | | | +--rw pkt-sec-cond-udp-length* string
| | | +--rw packet-security-icmp-condition
| | | +--rw pkt-sec-cond-icmp-type* uint 8
| | | +--rw pkt-sec-cond-icmp-code* uint 8
| | | +--rw pkt-sec-cond-icmp-seq-num* uint 32
| | +--rw packet-payload-security-condition* [pkt-payload-id]
| | | +--rw pkt-payload-id uint 8
| | | +--rw pkt-payload-content string
| | | +--rw pkt-payload-nocase boolean
Kim, et al. Expires September 13, 2017 [Page 5]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | | +--rw pkt-payload-depth uint 32
| | | +--rw pkt-payload-offset uint 32
| | | +--rw pkt-payload-distance uint 32
| | | +--rw pkt-payload-within uint 32
| | | +--rw pkt-payload-isdataat uint 32
| | | +--rw pkt-payload-dsize uint 32
| | | +--rw pkt-payload-replace string
| | | +--rw pkt-payload-pcre string
| | | +--rw pkt-payload-rpc
| | | +--rw pkt-payload-rpc-app-num uint 32
| | | +--rw pkt-payload-rpc-version-num uint 32
| | | +--rw pkt-payload-rpc-procedure-num uint 32
| | +--rw target-security-condition* [target-sec-cond-id]
| | | +--rw target-sec-cond-id uint 8
| | | +--rw service-sec-context-cond?
| | | | +--rw name string
| | | | +--rw protocol
| | | | | +--rw TCP? boolean
| | | | | +--rw UDP? boolean
| | | | | +--rw ICMP? boolean
| | | | | +--rw ICMPv6? boolean
| | | | | +--rw IP? boolean
| | | | +--rw src-port? inet:port-number
| | | | +--rw dest-port? inet:port-number
| | | +--rw application-sec-context-cond?
| | | | +--rw name string
| | | | +--rw category
| | | | | +--rw business-system? boolean
| | | | | +--rw entertainment? boolean
| | | | | +--rw internet? boolean
| | | | | +--rw network? boolean
| | | | | +--rw general? boolean
| | | | +--rw subcategory
| | | | | +--rw finance? boolean
| | | | | +--rw email? boolean
| | | | | +--rw game? boolean
| | | | | +--rw media-sharing? boolean
| | | | | +--rw social-network? boolean
| | | | | +--rw web-posting? boolean
| | | | +--rw data-transmission-model
| | | | | +--rw client-server? boolean
| | | | | +--rw browser-based? boolean
| | | | | +--rw networking? boolean
| | | | | +--rw peer-to-peer? boolean
| | | | | +--rw unassigned? boolean
| | | | +--rw risk-level
| | | | +--rw exploitable? boolean
| | | | +--rw productivity-loss? boolean
Kim, et al. Expires September 13, 2017 [Page 6]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | | | +--rw evasive? boolean
| | | | +--rw data-loss? boolean
| | | | +--rw malware-vehicle? boolean
| | | | +--rw bandwidth-consuming? boolean
| | | | +--rw tunneling? boolean
| | | +--rw device-sec-context-cond?
| | | +--rw pc? boolean
| | | +--rw mobile-phone? boolean
| | | +--rw tablet? boolean
| | | +--rw voip-phone boolean
| | +--rw user-security-cond* [usr-sec-cond-id]
| | | +--rw usr-sec-cond-id uint 8
| | | +--rw user
| | | | +--rw (user-name)?
| | | | +--: (tenant)
| | | | | +--rw tenant uint 8
| | | | +--: (vn-id)
| | | | +--rw vn-id uint 8
| | | +--rw group
| | | +--rw (group-name)?
| | | +--: (tenant)
| | | | +--rw tenant uint 8
| | | +--: (vn-id)
| | | +--rw vn-id uint 8
| | +--rw security-context-condition* [sec-context-cond-id]
| | | +--rw sec-context-cond-id uint 8
| | | +--rw (state)?
| | | | +--: (session-state)
| | | | | +--rw tcp-session-state
| | | | | +--rw new? boolean
| | | | | +--rw established? boolean
| | | | | +--rw related? boolean
| | | | | +--rw invalid? boolean
| | | | | +--rw untracked? boolean
| | | | +--: (session-aaa-state)
| | | | | +--rw session-sip-state
| | | | | +--rw auth-state? boolean
| | | | | +--rw call-state? boolean
| | | | +--: (access-mode)
| | | | | +--rw access-mode string
| | +--rw generic-context-condition* [gen-context-cond-id]
| | +--rw gen-context-cond-id uint 8
| | +--rw geographic-location
| | +--rw geographic-location-id* uint 8
| +--rw action
| +--rw (action-type)?
| +--: (ingress-action)
| | +--rw (ingress-action-type)?
Kim, et al. Expires September 13, 2017 [Page 7]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | +--: (pass)
| | | +--rw pass boolean
| | +--: (drop)
| | | +--rw drop boolan
| | +--: (reject)
| | | +--rw reject boolean
| | +--: (mirror)
| | +--rw mirror boolean
| +--: (egress-action)
| | +--rw (egress-action-type)?
| | +--: (invoke-signaling)
| | | +--rw invoke-signaling boolean
| | +--: (tunnel-encapsulation)
| | | +--rw tunnel-encapsulation boolean
| | +--: (forwarding)
| | +--rw forwarding boolean
| +--: (apply-profile-action)
| +--rw (apply-profile-action-type)?
| +--: (content-security-control)
| | +--rw content-security-control-types
| | +--rw antivirus
| | | +--rw antivirus-insp? boolean
| | +--rw ips
| | | +--rw ips-insp? boolean
| | +--rw ids
| | | +--rw ids-insp? boolean
| | +--rw url-filtering
| | | +--rw url-filtering-insp? boolean
| | +--rw data-filtering
| | | +--rw data-filtering-insp? boolean
| | +--rw mail-filtering
| | | +--rw mail-filtering-insp? boolean
| | +--rw file-blocking
| | | +--rw file-blocking-insp? boolean
| | +--rw file-isolate
| | | +--rw file-isolate-insp? boolean
| | +--rw pkt-capture
| | | +--rw pkt-capture-insp? boolean
| | +--rw application-control
| | | +--rw application-control-insp? boolean
| | +--rw voip-volte
| | +--rw voip-volte-insp? boolean
| +--: (attack-mitigation-control)
| +--rw (attack-mitigation-control-type)?
| +--: (ddos-attack)
| | +--rw (ddos-attack-type)?
| | +--: (network-layer-ddos-attack)
| | | +--rw network-layer-ddos-attack-types
Kim, et al. Expires September 13, 2017 [Page 8]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | | +--rw syn-flood-attack
| | | | +--rw syn-flood-insp boolean
| | | +--rw udp-flood-attack
| | | | +--rw udp-flood-insp boolean
| | | +--rw icmp-flood-attack
| | | | +--rw icmp-flood-insp boolean
| | | +--rw ip-frag-flood-attack
| | | | +--rw ip-frag-flood-insp boolean
| | | +--rw ipv6-related-attacks
| | | +--rw ipv6-related-insp boolean
| | +--: (app-layer-ddos-attack)
| | +--rw app-layer-ddos-attack-types
| | +--rw http-flood-attack
| | | +--rw http-flood-insp boolean
| | +--rw https-flood-attack
| | | +--rw https-flood-insp boolean
| | +--rw dns-flood-attack
| | | +--rw dns-flood-insp boolean
| | +--rw dns-amp-flood-attack
| | | +--rw dns-amp-flood-insp boolean
| | +--rw ssl-ddos-attack
| | +--rw ssl-ddos-insp boolean
| +--: (single-packet-attack)
| +--rw (single-packet-attack-type)?
| +--: (scan-and-sniff-attack)
| | +--rw scan-and-sniff-attack-types
| | +--rw ip-sweep-attack
| | | +--rw ip-sweep-insp boolean
| | +--rw port-scanning-attack
| | +--rw port-scanning-insp boolean
| +--: (malformed-packet-attack)
| | +--rw malformed-packet-attack-types
| | +--rw ping-of-death-attack
| | | +--rw ping-of-death-insp boolean
| | +--rw teardrop-attack
| | +--rw teardrop-insp boolean
| +--: (special-packet-attack)
| +--rw special-packet-attack-types
| +--rw oversized-icmp-attack
| | +--rw oversized-icmp-insp boolean
| +--rw tracert-attack
| +--rw tracert-insp boolean
+--rw cfg-content-security-control
| +--rw (cfg-content-security-control-type)?
| +--: (cfg-antivirus)
| | +--rw antivirus-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-ips)
Kim, et al. Expires September 13, 2017 [Page 9]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | +--rw ips-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-ids)
| | +--rw ids-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-url-filter)
| | +--rw url-filter-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-data-filter)
| | +--rw data-filter-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-mail-filter)
| | +--rw mail-filter-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-file-blocking)
| | +--rw file-blocking-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-file-isolate)
| | +--rw file-isolate-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-pkt-capture)
| | +--rw pkt-capture-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-app-control)
| | +--rw app-control-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-voip-volte)
| +--rw voip-volte-rule* [rule-id]
| +--rw rule-id uint 8
| +--rw event
| | +--rw called-voip boolean
| | +--rw called-volte boolean
| +--rw condition
| | +--rw sip-header* [sip-header-uri]
| | | +--rw sip-header-uri string
| | | +--rw sip-header-method string
| | | +--rw expire-time yang:date-and-time
| | | +--rw sip-header-user-agent uint32
| | +--rw cell-region?* [cell-id-region]
| | +--rw cell-id-region uint 32
| +--rw action
| +--rw (action-type)?
| +--: (ingress-action)
| | +--rw (ingress-action-type)?
| | +--: (pass)
| | | +--rw pass boolean
| | +--: (drop)
| | | +--rw drop boolean
Kim, et al. Expires September 13, 2017 [Page 10]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
| | +--: (reject)
| | | +--rw reject boolean
| | +--: (alert)
| | | +--rw alert boolean
| | +--: (mirror)
| | +--rw mirror boolean
| +--: (egress-action)
| +--: (egress-action-type)?
| +--: (redirection)
| +--rw redirection? boolean
+--rw cfg-attack-mitigation-control
+--rw (cfg-attack-mitigation-control-type)?
+--: (cfg-ddos-attack)
| +--rw (cfg-ddos-attack-type)?
| +--: (cfg-network-layer-ddos-attack)
| | +--rw (cfg-network-layer-ddos-attack-type)?
| | +--: (cfg-syn-flood-attack)
| | | +--rw syn-flood-attack-rule* [rule-id]
| | | +--rw rule-id uint8
| | +--: (cfg-udp-flood-attack)
| | | +--rw udp-flood-attack-rule* [rule-id]
| | | +--rw rule-id uint8
| | +--: (cfg-icmp-flood-attack)
| | | +--rw icmp-flood-attack-rule* [rule-id]
| | | +--rw rule-id uint8
| | +--: (cfg-ip-frag-flood-attack)
| | | +--rw ip-frag-flood-attack-rule* [rule-id]
| | | +--rw rule-id uint8
| | +--: (cfg-ipv6-related-attacks)
| | +--rw ipv6-related-attacks-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-app-layer-ddos-attack)
| +--rw (cfg-app-layer-ddos-attack-type)?
| +--: (cfg-http-flood-attack)
| | +--rw http-flood-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-https-flood-attack)
| | +--rw https-flood-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-dns-flood-attack)
| | +--rw dns-flood-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-dns-amp-flood-attack)
| | +--rw dns-amp-flood-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-ssl-ddos-attack)
| +--rw ssl-ddos-attack-rule* [rule-id]
| +--rw rule-id uint8
Kim, et al. Expires September 13, 2017 [Page 11]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
+--: (cfg-single-packet-attack)
+--rw (cfg-single-packet-attack-type)?
+--: (cfg-scan-and-sniff-attack)
| +--rw (cfg-scan-and-sniff-attack-type)?
| +--: (cfg-ip-sweep-attack)
| | +--rw ip-sweep-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-port-scanning-attack)
| +--rw prot-scanning-attack-rule* [rule-id]
| +--rw rule-id uint8
+--: (cfg-malformed-packet-attack)
| +--rw (cfg-malformed-packet-attack-type)?
| +--: (cfg-ping-of-death-attack)
| | +--rw ping-of-death-attack-rule* [rule-id]
| | +--rw rule-id uint8
| +--: (cfg-teardrop-attack)
| +--rw teardrop-attack-rule* [rule-id]
| +--rw rule-id uint8
+--: (cfg-special-packet-attack)
+--rw (cfg-special-packet-attack-type)?
+--: (cfg-oversized-icmp-attack)
| +--rw oversized-icmp-attack-rule* [rule-id]
| +--rw rule-id uint8
+--: (cfg-tracert-attack)
+--rw tracert-attack-rule* [rule-id]
+--rw rule-id uint8
Figure 1: Information Model of I2NSF NSF Facing Interface
5. YANG Model
This section introduces a YANG model for the information model of
network security functions, as defined in the
[i2nsf-cap-interface-im].
<CODE BEGINS> file "ietf-i2nsf-nsf-facing-interface@2017-03-12.yang"
module ietf-i2nsf-nsf-facing-interface {
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-facing-interface";
prefix
nsf-facing-interface;
import ietf-inet-types{
prefix inet;
}
import ietf-yang-types{
Kim, et al. Expires September 13, 2017 [Page 12]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
prefix yang;
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
WG Chair: Adrian Farrel
<mailto:Adrain@olddog.co.uk>
WG Chair: Linda Dunbar
<mailto:Linda.duhbar@huawei.com>
Editor: Jingyong Tim Kim
<mailto:wlsdyd0930@nate.com>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>
Editor: Susan Hares
<mailto:shares@ndzh.com>";
description
"This module defines a YANG data module for network security
functions.";
revision "2017-03-12"{
description "Initial revision";
reference
"draft-xibassnez-i2nsf-capability-00
draft-kim-i2nsf-nsf-facing-interface-data-model-01";
}
//Groupings
grouping cfg-network-security-conrol {
description
"Configuration for Network Security Control.";
container policy {
description
"policy is a grouping
including a set of security rules according to certain logic,
i.e., their similarity or mutual relations, etc. The network
security policy is able to apply over both the unidirectional
Kim, et al. Expires September 13, 2017 [Page 13]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
and bidirectional traffic across the NSF.";
leaf policy-name {
type string;
mandatory true;
description
"The name of the policy.
This must be unique.";
}
leaf policy-id {
type string;
mandatory true;
description
"The ID of the policy.
This must be unique.";
}
list rules {
key "rule-id";
description
"This is a rule for network security control.";
leaf rule-name {
type string;
mandatory true;
description
"The name of the rule.
This must be unique.";
}
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule.
This is key for rule-list.
This must be unique.";
}
leaf rule-msg {
type string;
mandatory true;
description
"The keyword msg gives more information about
the signature and the possible alert.";
}
leaf rule-rev {
Kim, et al. Expires September 13, 2017 [Page 14]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type uint8;
mandatory true;
description
"The sid keyword is almost every time
accompanied by reb.";
}
leaf rule-gid {
type uint8;
mandatory true;
description
"The gid keyword can be used to give different
groups of signatures another id value
(like in sid)..";
}
leaf rule-class-type {
type string;
mandatory true;
description
"The classtype keyword gives information about
the classification of rules and alerts.";
}
leaf rule-reference {
type string;
mandatory true;
description
"The reference keywords direct to places where
information about the signature and about
the problem the signature tries to address,
can be found.";
}
leaf rule-priority {
type uint8;
mandatory true;
description
"The priority keyword comes with a mandatory
numeric value which can range from 1 till 255.";
}
container event {
description
" An Event is defined as any important occurrence in time
of a change in the system being managed, and/or in the
environment of the system being managed. When used in
the context of policy rules for a flow-based NSF, it is
Kim, et al. Expires September 13, 2017 [Page 15]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
used to determine whether the Condition clause of the
Policy Rule can be evaluated or not. Examples of an
I2NSF Event include time and user actions (e.g., logon,
logoff, and actions that violate any ACL.).";
list user-security-event {
key usr-sec-event-id;
description
"The purpose of this class is to represent Events that
are initiated by a user, such as logon and logoff
Events. Information in this Event may be used as part
of a test to determine if the Condition clause in
this ECA Policy Rule should be evaluated or not.
Examples include user identification data and the
type of connection used by the user.";
leaf usr-sec-event-id {
type uint8;
mandatory true;
description
"The ID of the usr-sec-event.
This is key for usr-sec-event-list.
This must be unique.";
}
leaf usr-sec-event-content {
type string;
mandatory true;
description
"This is a mandatory string that contains the content
of the UserSecurityEvent. The format of the content
is specified in the usrSecEventFormat class
attribute, and the type of Event is defined in the
usrSecEventType class attribute. An example of the
usrSecEventContent attribute is a string hrAdmin,
with the usrSecEventFormat set to 1 (GUID) and the
usrSecEventType attribute set to 5 (new logon).";
}
leaf usr-sec-event-format {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer,which
is used to specify the data type of the
usrSecEventContent attribute. The content is
specified in the usrSecEventContent class attribute,
and the type of Event is defined in the
usrSecEventType class attribute. An example of the
Kim, et al. Expires September 13, 2017 [Page 16]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
usrSecEventContent attribute is string hrAdmin,
with the usrSecEventFormat attribute set to 1 (GUID)
and the usrSecEventType attribute set to 5
(new logon).";
}
leaf usr-sec-event-type {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the type of Event that involves
this user. The content and format are specified in
the usrSecEventContent and usrSecEventFormat class
attributes, respectively. An example of the
usrSecEventContent attribute is string hrAdmin,
with the usrSecEventFormat attribute set to 1 (GUID)
and the usrSecEventType attribute set to 5
(new logon).";
}
}
list device-security-event {
key dev-sec-event-id;
description
"The purpose of a DeviceSecurityEvent is to represent
Events that provide information from the Device that
are important to I2NSF Security. Information in this
Event may be used as part of a test to determine if
the Condition clause in this ECA Policy Rule should be
evaluated or not. Examples include alarms and various
device statistics (e.g., a type of threshold that was
exceeded), which may signal the need for further
action.";
leaf dev-sec-event-id {
type uint8;
mandatory true;
description
"The ID of the dev-sec-event.
This is key for dev-sec-event-list.
This must be unique.";
}
leaf dev-sec-event-content {
type string;
mandatory true;
description
Kim, et al. Expires September 13, 2017 [Page 17]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"This is a mandatory string that contains the content
of the DeviceSecurityEvent.The format of the content
is specified in the devSecEventFormat class
attribute, and the type of Event is defined in the
devSecEventType class attribute. An example of the
devSecEventContent attribute is alarm, with the
devSecEventFormat attribute set to 1 (GUID), the
devSecEventType attribute set to 5 (new logon).";
}
leaf dev-sec-event-format {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the data type of the
devSecEventContent attribute.";
}
leaf dev-sec-event-type {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the type of Event that was
generated by this device.";
}
leaf dev-sec-event-type-severity {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the perceived severity of the
Event generated by this Device.";
}
}
list system-security-event {
key sys-sec-event-id;
description
"The purpose of a SystemSecurityEvent is to represent
Events that are detected by the management system,
instead of Events that are generated by a user or a
device. Information in this Event may be used as part
of a test to determine if the Condition clause in
this ECA Policy Rule should be evaluated or not.
Examples include an event issued by an analytics
Kim, et al. Expires September 13, 2017 [Page 18]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
system that warns against a particular pattern of
unknown user accesses, or an Event issued by a
management system that represents a set of correlated
and/or filtered Events.";
leaf sys-sec-event-id {
type uint8;
mandatory true;
description
"The ID of the sys-sec-event.
This is key for sys-sec-event-list.
This must be unique.";
}
leaf sys-sec-event-content {
type string;
mandatory true;
description
"This is a mandatory string that contains a content
of the SystemSecurityEvent. The format of a content
is specified in a sysSecEventFormat class attribute,
and the type of Event is defined in the
sysSecEventType class attribute. An example of the
sysSecEventContent attribute is string sysadmin3,
with the sysSecEventFormat attribute set to 1(GUID),
and the sysSecEventType attribute set to 2
(audit log cleared).";
}
leaf sys-sec-event-format {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the data type of the
sysSecEventContent attribute.";
}
leaf sys-sec-event-type {
type uint8;
mandatory true;
description
"This is a mandatory uint 8 enumerated integer, which
is used to specify the type of Event that involves
this device.";
}
}
Kim, et al. Expires September 13, 2017 [Page 19]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
list time-security-event {
key time-sec-event-id;
description
"Purpose of a TimeSecurityEvent is to represent Events
that are temporal in nature (e.g., the start or end of
a period of time). Time events signify an individual
occurrence, or a time period, in which a significant
event happened. Information in the Event may be used as
part of a test to determine if the Condition clause in
this ECA Rule should be evaluated or not. Examples
include issuing an Event at a specific time to indicate
that a particular resource should not be accessed, or
that different authentication and authorization
mechanisms should now be used (e.g., because it is now
past regular business hours).";
leaf time-sec-event-id {
type uint8;
mandatory true;
description
"The ID of the time-sec-event.
This is key for time-sec-event-list.
This must be unique.";
}
leaf time-sec-event-period-begin {
type yang:date-and-time;
mandatory true;
description
"This is a mandatory DateTime attribute, and
represents the beginning of a time period.
It has a value that has a date and/or a time
component (as in the Java or Python libraries).";
}
leaf time-sec-event-period-end {
type yang:date-and-time;
mandatory true;
description
"This is a mandatory DateTime attribute, and
represents the end of a time period. It has
a value that has a date and/or a time component
(as in the Java or Python libraries). If this is
a single Event occurrence, and not a time period
when the Event can occur, then the
timeSecEventPeriodEnd attribute may be ignored.";
}
Kim, et al. Expires September 13, 2017 [Page 20]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
leaf time-sec-event-time-zone {
type string;
mandatory true;
description
"This is a mandatory string attribute, and defines a
time zone that this Event occurred in using the
format specified in ISO8601.";
}
}
}
container condition {
description
"TBD";
list packet-security-condition {
key pkt-security-id;
description
"The purpose of this Class is to represent packet header
information that can be used as part of a test to
determine if the set of Policy Actions in this ECA
Policy Rule should be executed or not. This class is
abstract, and serves as the superclass of more detailed
conditions that involve different types of packet
formats.";
leaf pkt-security-id {
type uint8;
mandatory true;
description
"The ID of the packet-security-condition.";
}
container packet-security-mac-condition {
description
"The purpose of this Class is to represent packet MAC
packet header information that can be used as part of
a test to determine if the set of Policy Actions in
this ECA Policy Rule should be execute or not.";
leaf-list pkt-sec-cond-mac-dest {
type inet:port-number;
description
"The MAC destination address (6 octets long).";
}
leaf-list pkt-sec-cond-mac-src {
type inet:port-number;
description
Kim, et al. Expires September 13, 2017 [Page 21]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"The MAC source address (6 octets long).";
}
leaf-list pkt-sec-cond-mac-8021q {
type string;
description
"This is an optional string attribute, and defines
The 802.1Q tab value (2 octets long).";
}
leaf-list pkt-sec-cond-mac-ether-type {
type string;
description
"The EtherType field (2 octets long). Values up to
and including 1500 indicate the size of the payload
in octets; values of 1536 and above define which
protocol is encapsulated in the payload of the
frame.";
}
leaf-list pkt-sec-cond-mac-tci {
type string;
description
"This is an optional string attribute, and defines
the Tag Control Information. This consists of a 3
bit user priority field, a drop eligible indicator
(1 bit), and a VLAN identifier (12 bits).";
}
}
container packet-security-ipv4-condition {
description
"The purpose of this Class is to represent packet IPv4
packet header information that can be used as part of
a test to determine if the set of Policy Actions in
this ECA Policy Rule should be executed or not.";
leaf-list pkt-sec-cond-ipv4-header-length {
type uint8;
description
"The IPv4 packet header consists of 14 fields,
of which 13 are required.";
}
leaf-list pkt-sec-cond-ipv4-tos {
type uint8;
description
"The ToS field could specify a datagram's priority
Kim, et al. Expires September 13, 2017 [Page 22]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
and request a route for low-delay, high-throughput,
or highly-reliable service..";
}
leaf-list pkt-sec-cond-ipv4-total-length {
type uint16;
description
"This 16-bit field defines the entire packet size,
including header and data, in bytes.";
}
leaf-list pkt-sec-cond-ipv4-id {
type uint8;
description
"This field is an identification field and is
primarily used for uniquely identifying
the group of fragments of a single IP datagram.";
}
leaf-list pkt-sec-cond-ipv4-fragment {
type uint8;
description
"IP fragmentation is an Internet Protocol (IP)
process that breaks datagrams into smaller pieces
(fragments), so that packets may be formed that
can pass through a link with a smaller maximum
transmission unit (MTU) than the original
datagram size.";
}
leaf-list pkt-sec-cond-ipv4-fragment-offset {
type uint16;
description
"Fragment offset field along with Don't Fragment
and More Fragment flags in the IP protocol
header are used for fragmentation and reassembly
of IP datagrams.";
}
leaf-list pkt-sec-cond-ipv4-ttl {
type uint8;
description
"The ttl keyword is used to check for a specific
IP time-to-live value in the header of
a packet.";
}
leaf-list pkt-sec-cond-ipv4-protocol {
Kim, et al. Expires September 13, 2017 [Page 23]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type uint8;
description
"Internet Protocol version 4(IPv4) is the fourth
version of the Internet Protocol (IP).";
}
leaf-list pkt-sec-cond-ipv4-src {
type inet:ipv4-address;
description
"Defines the IPv4 Source Address.";
}
leaf-list pkt-sec-cond-ipv4-dest {
type inet:ipv4-address;
description
"Defines the IPv4 Destination Address.";
}
leaf pkt-sec-cond-ipv4-ipopts {
type string;
description
"With the ipopts keyword you can check if
a specific ip option is set. Ipopts has
to be used at the beginning of a rule.";
}
leaf pkt-sec-cond-ipv4-sameip {
type boolean;
description
"Every packet has a source IP-address and
a destination IP-address.It can be that
the source IP is the same as
the destination IP.";
}
leaf-list pkt-sec-cond-ipv4-geoip {
type string;
description
"The geoip keyword enables (you)to match on
the source, destination or source and destination
IP addresses of network traffic and to see to
which country it belongs To be able to do this,
Suricata uses GeoIP API of Max mind.";
}
}
container packet-security-ipv6-condition {
description
Kim, et al. Expires September 13, 2017 [Page 24]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"The purpose of this Class is to represent packet
IPv6 packet header information that can be used as
part of a test to determine if the set of Policy
Actions in this ECA Policy Rule should be executed
or not.";
leaf-list pkt-sec-cond-ipv6-dscp {
type string;
description
"Differentiated Services Code Point (DSCP)
of ipv6.";
}
leaf-list pkt-sec-cond-ipv6-ecn {
type string;
description
"ECN allows end-to-end notification of network
congestion without dropping packets.";
}
leaf-list pkt-sec-cond-ipv6-traffic-class {
type uint8;
description
"The bits of this field hold two values. The 6
most-significant bits are used for
differentiated services, which is used to
classify packets.";
}
leaf-list pkt-sec-cond-ipv6-flow-label {
type uint32;
description
"The flow label when set to a non-zero value
now werves as a hint to routers and switches
with multiple outbound paths that these
packets should stay on the same path so that
they will not be reordered.";
}
leaf-list pkt-sec-cond-ipv6-payload-length {
type uint16;
description
"The size of the payload in octets,
including any extension headers.";
}
leaf-list pkt-sec-cond-ipv6-next-header {
type uint8;
Kim, et al. Expires September 13, 2017 [Page 25]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"Specifies the type of the next header.
This field usually specifies the transport
layer protocol used by a packet's payload.";
}
leaf-list pkt-sec-cond-ipv6-hop-limit {
type uint8;
description
"Replaces the time to live field of IPv4.";
}
leaf-list pkt-sec-cond-ipv6-src {
type inet:ipv6-address;
description
"The IPv6 address of the sending node.";
}
leaf-list pkt-sec-cond-ipv6-dest {
type inet:ipv6-address;
description
"The IPv6 address of the destination node(s).";
}
}
container packet-security-tcp-condition {
description
"The purpose of this Class is to represent packet
TCP packet header information that can be used as
part of a test to determine if the set of Policy
Actions in this ECA Policy Rule should be executed
or not.";
leaf-list pkt-sec-cond-tcp-seq-num {
type uint32;
description
"If the SYN flag is set (1), then this is the
initial sequence number.";
}
leaf-list pkt-sec-cond-tcp-ack-num {
type uint32;
description
"If the ACK flag is set then the value of this
field is the next sequence number that the sender
is expecting.";
}
Kim, et al. Expires September 13, 2017 [Page 26]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
leaf-list pkt-sec-cond-tcp-window-size {
type uint16;
description
"The size of the receive window, which specifies
the number of windows size units (by default,bytes)
(beyond the segment identified by the sequence
number in the acknowledgment field) that the sender
of this segment is currently willing to recive.";
}
leaf-list pkt-sec-cond-tcp-falgs {
type uint8;
description
"This is a mandatory string attribute, and defines
the nine Control bit flags (9 bits).";
}
}
container packet-security-udp-condition {
description
"The purpose of this Class is to represent packet UDP
packet header information that can be used as part
of a test to determine if the set of Policy Actions
in this ECA Policy Rule should be executed or not.";
leaf-list pkt-sec-cond-udp-length {
type string;
description
"This is a mandatory string attribute, and defines
the length in bytes of the UDP header and data
(16 bits).";
}
}
container packet-security-icmp-condition {
description
"The internet control message protocol condition.";
leaf-list pkt-sec-cond-icmp-type {
type uint8;
description
"ICMP type, see Control messages.";
}
leaf-list pkt-sec-cond-icmp-code {
type uint8;
description
"ICMP subtype, see Control messages.";
Kim, et al. Expires September 13, 2017 [Page 27]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
}
leaf-list pkt-sec-cond-icmp-seg-num {
type uint32;
description
"The icmp Sequence Number.";
}
}
}
list packet-payload-security-condition {
key "pkt-payload-id";
description
"The ID of the pkt-payload.
This is key for pkt-payload-list.
This must be unique.";
leaf pkt-payload-id {
type uint8;
mandatory true;
description
"The ID of the packet payload.
This must be unique.";
}
leaf pkt-payload-content {
type string;
mandatory true;
description
"The content keyword is very important in
signatures Between the quotation marks you
can write on what you would like the
signature to match.";
}
leaf pkt-payload-nocase {
type boolean;
mandatory true;
description
"If you do not want to make a distinction
between uppercase and lowercase characters,
you can use nocase.";
}
leaf pkt-payload-depth {
type uint32;
mandatory true;
description
"The depth keyword is a absolute content
modifier.";
Kim, et al. Expires September 13, 2017 [Page 28]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
}
leaf pkt-payload-offset {
type uint32;
mandatory true;
description
"The offset keyword designates from which byte
in the payload will be checked to fined to find
a match.";
}
leaf pkt-payload-distance {
type uint32;
mandatory true;
description
"The keyword distance is a relative content
modifier. This means it indicates a relation
between this content keyword and the content
preceding it.";
}
leaf pkt-payload-within {
type uint32;
mandatory true;
description
"The keyword within is relative to the preceding
match. The keyword within comes with a mandatory
numeric value.";
}
leaf pkt-payload-isdataat {
type uint32;
mandatory true;
description
"The purpose of the isdataat keyword is to
look if there is still data at a specific part
of the payload.";
}
leaf pkt-payload-dsize {
type uint32;
mandatory true;
description
"With the dsize keyword, you can match on the
size of the packet payload.";
}
leaf pkt-payload-replace {
Kim, et al. Expires September 13, 2017 [Page 29]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type string;
mandatory true;
description
"The replace content modifier can only be used
in ips. It adjusts network traffic.";
}
leaf pkt-payload-pcre {
type string;
mandatory true;
description
"For information about pcre check the pcre
(Perl Compatible Regular Expressions)page.";
}
container pkt-payload-rpc{
description
"The rpc keyword can be used to match in the
SUNRPC CALL on the RPC procedure numbers and
the RPC version.";
leaf pkt-payload-rpc-app-num {
type uint32;
mandatory true;
description
"<application number>.";
}
leaf pkt-payload-rpc-version-num {
type uint32;
mandatory true;
description
"<version number>|*.";
}
leaf pkt-payload-rpc-procedure-num {
type uint32;
mandatory true;
description
"<procedure number>|*.";
}
}
}
list target-security-condition {
key "target-sec-cond-id";
description
"Under the circumstances of network, it mainly
refers to the service, application, and device.";
leaf target-sec-cond-id {
Kim, et al. Expires September 13, 2017 [Page 30]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type uint8;
mandatory true;
description
"The ID of the target.
This must be unique.";
}
container service-sec-context-cond{
description
"A service is an application identified by a
protocol type and port number, such as TCP,
UDP, ICMP, and IP.";
leaf name {
type string;
mandatory true;
description
"The name of the service.
This must be unique.";
}
leaf id {
type uint8;
mandatory true;
description
"The ID of the service.
This must be unique.";
}
container protocol {
description
"Protocol types:
TCP, UDP, ICMP, ICMPv6, IP, and etc.";
leaf tcp {
type boolean;
mandatory true;
description
"TCP protocol type.";
}
leaf udp {
type boolean;
mandatory true;
description
"UDP protocol type.";
}
leaf icmp {
type boolean;
mandatory true;
description
"ICMP protocol type.";
}
leaf icmpv6 {
Kim, et al. Expires September 13, 2017 [Page 31]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type boolean;
mandatory true;
description
"ICMPv6 protocol type.";
}
leaf ip {
type boolean;
mandatory true;
description
"IP protocol type.";
}
}
leaf src-port{
type inet:port-number;
description
"It can be used for finding programs.";
}
leaf dest-port{
type inet:port-number;
description
"It can be used for finding programs.";
}
}
container application-sec-context-cond {
description
"An application is a computer program for
a specific task or purpose. It provides
a finer granularity than service in matching
traffic.";
leaf name{
type string;
mandatory true;
description
"The name of the application.
This must be unique.";
}
leaf id{
type uint8;
mandatory true;
description
"The ID of the application.
This must be unique.";
}
container category{
description
"Category types: Business system, Entertainment,
Interest, Network, General, and etc.";
leaf business-system {
Kim, et al. Expires September 13, 2017 [Page 32]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
type boolean;
description
"Business system category.";
}
leaf entertainment {
type boolean;
description
"Entertainment category.";
}
leaf interest {
type boolean;
description
"Interest category.";
}
leaf network {
type boolean;
description
"Network category.";
}
leaf general {
type boolean;
description
"General category.";
}
}
container subcategory{
description
"Subcategory types: Finance, Email, Game,
Media sharing, Social network, Web posting,
and etc.";
leaf finance {
type boolean;
description
"Finance subcategory.";
}
leaf email {
type boolean;
description
"Email subcategory.";
}
leaf game {
type boolean;
description
"Game subcategory.";
}
leaf media-sharing {
type boolean;
description
Kim, et al. Expires September 13, 2017 [Page 33]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Media sharing subcategory.";
}
leaf social-network {
type boolean;
description
"Social network subcategory.";
}
leaf web-posting {
type boolean;
description
"Web posting subcategory.";
}
}
container data-transmission-model{
description
"Data transmission model types: Client-server,
Browser-based, Networking, Peer-to-Peer,
Unassigned, and etc.";
leaf client-server {
type boolean;
description
"client-server data transmission model.";
}
leaf browser-based {
type boolean;
description
"Browser-based data transmission model.";
}
leaf networking {
type boolean;
description
"Networking data transmission model.";
}
leaf peer-to-peer {
type boolean;
description
"Peer-to-Peer data transmission model.";
}
leaf unassigned {
type boolean;
description
"Unassigned data transmission model.";
}
}
container risk-level{
description
"Risk level types: Exploitable,
Productivity loss, Evasive, Data loss,
Kim, et al. Expires September 13, 2017 [Page 34]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
Malware vehicle, Bandwidth consuming,
Tunneling, and etc.";
leaf exploitable {
type boolean;
description
"Exploitable risk level.";
}
leaf productivity-loss {
type boolean;
description
"Productivity loss risk level.";
}
leaf evasive {
type boolean;
description
"Evasive risk level.";
}
leaf data-loss {
type boolean;
description
"Data loss risk level.";
}
leaf malware-vehicle {
type boolean;
description
"Malware vehicle risk level.";
}
leaf bandwidth-consuming {
type boolean;
description
"Bandwidth consuming risk level.";
}
leaf tunneling {
type boolean;
description
"Tunneling risk level.";
}
}
}
container device-sec-context-cond {
description
"The device attribute that can identify a device,
including the device type (i.e., router, switch,
pc, ios, or android) and the device's owner as
well.";
leaf pc {
type boolean;
description
Kim, et al. Expires September 13, 2017 [Page 35]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"If type of a device is PC.";
}
leaf mobile-phone {
type boolean;
description
"If type of a device is mobile-phone.";
}
leaf tablet {
type boolean;
description
"If type of a device is tablet.";
}
leaf voip-volte-phone {
type boolean;
description
"If type of a device is voip-volte-phone.";
}
}
}
list user-security-cond {
key "usr-sec-cond-id";
description
"TBD";
leaf usr-sec-cond-id {
type uint8;
description
"The ID of the user-sec-cond.
This is key for user-sec-cond-list.
This must be unique.";
}
container user{
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
choice user-name {
description
"The name of the user.
This must be unique.";
case tenant {
description
Kim, et al. Expires September 13, 2017 [Page 36]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Tenant information.";
leaf tenant {
type uint8;
mandatory true;
description
"User's tenant information.";
}
}
case vn-id {
description
"VN-ID information.";
leaf vn-id {
type uint8;
mandatory true;
description
"User's VN-ID information.";
}
}
}
}
container group {
description
"The user (or user group) information with which
network flow is associated: The user has many
attributes such as name, id, password, type,
authentication mode and so on. Name/id is often
used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the
user provided by a unified user management system
via network. Based on name-address association,
NSF is able to enforce the security functions
over the given user (or user group)";
choice group-name {
description
"The name of the user.
This must be unique.";
case tenant {
description
"Tenant information.";
leaf tenant {
type uint8;
mandatory true;
description
"User's tenant information.";
}
}
case vn-id {
description
Kim, et al. Expires September 13, 2017 [Page 37]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"VN-ID information.";
leaf vn-id {
type uint8;
mandatory true;
description
"User's VN-ID information.";
}
}
}
}
}
list generic-context-condition {
key "gen-context-cond-id";
description
"TBD";
leaf gen-context-cond-id {
type uint8;
description
"The ID of the gen-context-cond.
This is key for gen-context-cond-list.
This must be unique.";
}
container geographic-location {
description
"The location where network traffic is associated
with. The region can be the geographic location
such as country, province, and city,
as well as the logical network location such as
IP address, network section, and network domain.";
leaf-list geographic-location {
type uint8;
description
"This is mapped to ip address. We can acquire
region through ip address stored the database.";
}
}
}
}
container action {
description
"TBD.";
choice action-type {
description
"The flow-based NSFs realize the network security
functions by executing various Actions, which at least
includes ingress-action, egress-action, and
advanced-action.";
case ingress-action {
Kim, et al. Expires September 13, 2017 [Page 38]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"The ingress actions consist of permit, deny,
and mirror.";
choice ingress-action-type {
description
"Ingress action type: permit, deny, and mirror.";
case pass {
description
"Pass case.";
leaf pass {
type boolean;
mandatory true;
description
"Packet flow is passed.";
}
}
case drop {
description
"Drop case.";
leaf drop {
type boolean;
mandatory true;
description
"Packet flow is droped.";
}
}
case reject {
description
"Reject case.";
leaf reject {
type boolean;
mandatory true;
description
"Packet flow is rejected.";
}
}
case alert {
description
"Alert case.";
leaf alert {
type boolean;
mandatory true;
description
"Packet flow is alerted.";
}
}
case mirror {
description
Kim, et al. Expires September 13, 2017 [Page 39]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Mirror case.";
leaf mirror {
type boolean;
mandatory true;
description
"Packet flow is mirroried.";
}
}
}
}
case egress-action {
description
"The egress actions consist of invoke-signaling,
tunnel-encapsulation, and forwarding.";
choice egress-action-type {
description
"Egress-action-type: invoke-signaling,
tunnel-encapsulation, and forwarding.";
case invoke-signaling {
description
"Invoke-signaling case.";
leaf invoke-signaling {
type boolean;
mandatory true;
description
"TBD.";
}
}
case tunnel-encapsulation {
description
"tunnel-encapsulation case.";
leaf tunnel-encapsulation {
type boolean;
mandatory true;
description
"TBD.";
}
}
case forwarding {
description
"forwarding case.";
leaf forwarding {
type boolean;
mandatory true;
description
"TBD.";
}
}
Kim, et al. Expires September 13, 2017 [Page 40]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
}
}
case apply-profile-action {
description
"Applying a specific Functional Profile or signature
- e.g., an IPS Profile, a signature file, an
anti-virus file, or a URL filtering file. The
functional profile or signature file corresponds to
the security capability for the content security
control and attack mitigation control which will be
described afterwards. It is one of the key properties
that determine the effectiveness of the NSF, and is
mostly vendor specific today. One goal of I2NSF is
to standardize the form and functional interface of
those security capabilities while supporting vendor-
specific implementations of each.";
choice apply-profile-action-type {
description
"Advanced action types: Content Security Control
and Attack Mitigation Control.";
case content-security-control {
description
"Content security control is another category of
security capabilities applied to application layer.
Through detecting the contents carried over the
traffic in application layer, these capabilities
can realize various security purposes, such as
defending against intrusion, inspecting virus,
filtering malicious URL or junk email, and blocking
illegal web access or data retrieval.";
container content-security-control-types {
description
"Content Security types: Antivirus, IPS, IDS,
url-filtering, data-filtering, mail-filtering,
file-blocking, file-isolate, pkt-capture,
application-control, and voip-volte.";
container antivirus {
description
"Antivirus is computer software used to
prevent, detect and remove malicious
software.";
leaf antivirus-insp {
type boolean;
description
"Additional inspection of antivirus.";
}
}
Kim, et al. Expires September 13, 2017 [Page 41]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
container ips {
description
"Intrusion prevention systems (IPS) are
network security appliances that monitor
network and/or system activities for
malicious activities.";
leaf ips-insp {
type boolean;
description
"Additional inspection of IPS.";
}
}
container ids {
description
"IDS security service.";
leaf ids-insp {
type boolean;
description
"Additional inspection of IDS.";
}
}
container url-filtering {
description
"URL filtering security service.";
leaf url-filtering-insp {
type boolean;
description
"Additional inspection of URL filtering.";
}
}
container data-filtering {
description
"Data filtering security service.";
leaf data-filtering-insp {
type boolean;
description
"Additional inspection of data filtering.";
}
}
container mail-filtering {
description
"Mail filtering security service.";
leaf mail-filtering-insp {
type boolean;
description
"Additional inspection of mail filtering.";
}
}
Kim, et al. Expires September 13, 2017 [Page 42]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
container file-blocking {
description
"File blocking security service.";
leaf file-blocking-insp {
type boolean;
description
"Additional inspection of file blocking.";
}
}
container file-isolate {
description
"File isolate security service.";
leaf file-isolate-insp {
type boolean;
description
"Additional inspection of file isolate.";
}
}
container pkt-capture {
description
"Packet capture security service.";
leaf pkt-capture-insp {
type boolean;
description
"Additional inspection of packet capture.";
}
}
container application-control {
description
"app-control security service.";
leaf application-control-insp {
type boolean;
description
"Additional inspection of app control.";
}
}
container voip-volte {
description
"VoIP/VoLTE security service.";
leaf voip-volte-insp {
type boolean;
description
"Additional inspection of VoIP/VoLTE.";
}
}
}
}
case attack-mitigation-control {
Kim, et al. Expires September 13, 2017 [Page 43]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"This category of security capabilities is
specially used to detect and mitigate various
types of network attacks.";
choice attack-mitigation-control-type {
description
"Attack-mitigation types: DDoS-attack and
Single-packet attack.";
case ddos-attack {
description
"A distributed-denial-of-service (DDoS) is
where the attack source is more than one,
often thousands of unique IP addresses.";
choice ddos-attack-type {
description
"DDoS-attack types: Network Layer DDoS Attacks
and Application Layer DDoS Attacks.";
case network-layer-ddos-attack {
description
"Network layer DDoS-attack.";
container network-layer-ddos-attack-types {
description
"Network layer DDoS attack types:
Syn Flood Attack, UDP Flood Attack,
ICMP Flood Attack, IP Fragment Flood,
IPv6 Related Attacks, and etc";
container syn-flood-attack {
description
"If the network layer DDoS-attack is
a syn flood attack.";
leaf syn-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Syn Flood Attack.";
}
}
container udp-flood-attack {
description
"If the network layer DDoS-attack is
a udp flood attack.";
leaf udp-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
UDP Flood Attack.";
Kim, et al. Expires September 13, 2017 [Page 44]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
}
}
container icmp-flood-attack {
description
"If the network layer DDoS-attack is
an icmp flood attack.";
leaf icmp-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
ICMP Flood Attack.";
}
}
container ip-frag-flood-attack {
description
"If the network layer DDoS-attack is
an ip fragment flood attack.";
leaf ip-frag-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
IP Fragment Flood.";
}
}
container ipv6-related-attacks {
description
"If the network layer DDoS-attack is
ipv6 related attacks.";
leaf ipv6-related-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
IPv6 Related Attacks.";
}
}
}
}
case app-layer-ddos-attack {
description
"Application layer DDoS-attack.";
container app-ddos-attack-types {
description
"Application layer DDoS-attack types:
Http Flood Attack, Https Flood Attack,
DNS Flood Attack, and
Kim, et al. Expires September 13, 2017 [Page 45]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
DNS Amplification Flood Attack,
SSL DDoS Attack, and etc.";
container http-flood-attack {
description
"If the application layer DDoS-attack is
a http flood attack.";
leaf http-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Http Flood Attack.";
}
}
container https-flood-attack {
description
"If the application layer DDoS-attack is
a https flood attack.";
leaf https-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Https Flood Attack.";
}
}
container dns-flood-attack {
description
"If the application layer DDoS-attack is
a dns flood attack.";
leaf dns-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
DNS Flood Attack.";
}
}
container dns-amp-flood-attack {
description
"If the application layer DDoS-attack is
a dns amplification flood attack.";
leaf dns-amp-flood-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
DNS Amplification Flood Attack.";
Kim, et al. Expires September 13, 2017 [Page 46]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
}
}
container ssl-ddos-attack {
description
"If the application layer DDoS-attack is
an ssl DDoS attack.";
leaf ssl-ddos-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
SSL Flood Attack.";
}
}
}
}
}
}
case single-packet-attack {
description
"Single Packet Attacks.";
choice single-packet-attack-type {
description
"DDoS-attack types: Scanning Attack,
Sniffing Attack, Malformed Packet Attack,
Special Packet Attack, and etc.";
case scan-and-sniff-attack {
description
"Scanning and Sniffing Attack.";
container scan-and-sniff-attack-types {
description
"Scanning and sniffing attack types:
IP Sweep attack, Port Scanning,
and etc.";
container ip-sweep-attack {
description
"If the scanning and sniffing attack is
an ip sweep attack.";
leaf ip-sweep-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
IP Sweep Attack.";
}
}
container port-scanning-attack {
description
Kim, et al. Expires September 13, 2017 [Page 47]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"If the scanning and sniffing attack is
a port scanning attack.";
leaf port-scanning-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Port Scanning Attack.";
}
}
}
}
case malformed-packet-attack {
description
"Malformed Packet Attack.";
container malformed-packet-attack-types {
description
"Malformed packet attack types:
Ping of Death Attack, Teardrop Attack,
and etc.";
container ping-of-death-attack {
description
"If the malformed packet attack is
a ping of death attack.";
leaf ping-of-death-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Ping of Death Attack.";
}
}
container teardrop-attack {
description
"If the malformed packet attack is
a teardrop attack.";
leaf teardrop-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Teardrop Attack.";
}
}
}
}
case special-packet-attack {
description
Kim, et al. Expires September 13, 2017 [Page 48]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"special Packet Attack.";
container special-packet-attack-types {
description
"Special packet attack types:
Oversized ICMP Attack, Tracert Attack,
and etc.";
container oversized-icmp-attack {
description
"If the special packet attack is
an oversized icmp attack.";
leaf oversized-icmp-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Oversize ICMP Attack.";
}
}
container tracert-attack {
description
"If the special packet attack is
a tracert attack.";
leaf tracert-insp {
type boolean;
mandatory true;
description
"Additional Inspection of
Tracrt Attack.";
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
grouping cfg-content-security-conrol {
description
"Configuration for Content Security Control.";
Kim, et al. Expires September 13, 2017 [Page 49]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
choice cfg-content-security-control-type {
description
"Content Security types: Antivirus, IPS, IDS,
url-filtering, data-filtering, mail-filtering,
file-blocking, file-isolate, pkt-capture,
application-control, and voip-volte.";
case cfg-antivirus {
description
"Antivirus Case.";
list antivirus-rule {
key rule-id;
description
"Rule of Antivirus.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about antivirus.";
}
}
}
case cfg-ips {
description
"IPS Case.";
list ips-rule {
key rule-id;
description
"Rule of IPS.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about IPS.";
}
}
}
case cfg-ids {
description
"IDS Case.";
list ids-rule {
key rule-id;
description
Kim, et al. Expires September 13, 2017 [Page 50]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Rule of IDS.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about IDS.";
}
}
}
case cfg-url-filter {
description
"URL Filter Case.";
list url-filter-rule {
key rule-id;
description
"Rule of URL filter.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about URL filter.";
}
}
}
case cfg-data-filter {
description
"Data Filter Case.";
list data-filter-rule {
key rule-id;
description
"Rule of Data Filter.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about data filter.";
}
}
}
case cfg-mail-filter {
description
"Mail Filter Case.";
Kim, et al. Expires September 13, 2017 [Page 51]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
list mail-filter-rule {
key rule-id;
description
"Rule of Mail Filter.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about mail filter.";
}
}
}
case cfg-file-blocking {
description
"File Blocking Case.";
list file-blocking-rule {
key rule-id;
description
"Rule of File Blocking.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about file blocking.";
}
}
}
case cfg-file-isolate {
description
"File Isolate Case.";
list file-isolate-rule {
key rule-id;
description
"Rule of File Isolate.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about file isolate.";
}
}
}
case cfg-pkt-capture {
Kim, et al. Expires September 13, 2017 [Page 52]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"Packet Capture Case.";
list pkt-capture-rule {
key rule-id;
description
"Rule of Packet Capture.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about pacekt capture.";
}
}
}
case cfg-app-control {
description
"App Control Case.";
list app-control-rule {
key rule-id;
description
"Rule of App Control.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about app control.";
}
}
}
case cfg-voip-volte {
description
"VoIP/VoLTE Case.";
list voip-volte-rule {
key "rule-id";
description
"For the VoIP/VoLTE security system, a VoIP/
VoLTE security system can monitor each
VoIP/VoLTE flow and manage VoIP/VoLTE
security rules controlled by a centralized
server for VoIP/VoLTE security service
(called VoIP IPS). The VoIP/VoLTE security
system controls each switch for the
VoIP/VoLTE call flow management by
Kim, et al. Expires September 13, 2017 [Page 53]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
manipulating the rules that can be added,
deleted, or modified dynamically.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the voip-volte-rule.
This is the key for voip-volte-rule-list.
This must be unique.";
}
container event {
description
"Event types: VoIP and VoLTE.";
leaf called-voip {
type boolean;
mandatory true;
description
"If content-security-control-type is
voip.";
}
leaf called-volte {
type boolean;
mandatory true;
description
"If content-security-control-type is
volte.";
}
}
container condition {
description
"TBD.";
list sip-header {
key "sip-header-uri";
description
"TBD.";
leaf sip-header-uri {
type string;
mandatory true;
description
"SIP header URI.";
}
leaf sip-header-method {
type string;
mandatory true;
description
"SIP header method.";
}
Kim, et al. Expires September 13, 2017 [Page 54]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
leaf sip-header-expire-time {
type yang:date-and-time;
mandatory true;
description
"SIP header expire time.";
}
leaf sip-header-user-agent {
type uint32;
mandatory true;
description
"SIP header user agent.";
}
}
list cell-region {
key "cell-id-region";
description
"TBD.";
leaf cell-id-region {
type uint32;
mandatory true;
description
"Cell region.";
}
}
}
container action {
description
"The flow-based NSFs realize the security
functions by executing various Actions.";
choice action-type {
description
"Action type: ingress action and
egress action.";
case ingress-action {
description
"The ingress actions consist of permit,
deny, and mirror.";
choice ingress-action-type {
description
"Ingress-action-type: permit, deny,
and mirror.";
case pass {
description
"Pass case.";
leaf pass {
type boolean;
mandatory true;
description
Kim, et al. Expires September 13, 2017 [Page 55]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Packet flow is passed.";
}
}
case drop {
description
"Drop case.";
leaf drop {
type boolean;
mandatory true;
description
"Packet flow is droped.";
}
}
case reject {
description
"Reject case.";
leaf reject {
type boolean;
mandatory true;
description
"Packet flow is reject.";
}
}
case alert {
description
"Alert case.";
leaf alert {
type boolean;
mandatory true;
description
"Packet flow is alert.";
}
}
case mirror {
description
"Mirror case.";
leaf mirror {
type boolean;
mandatory true;
description
"Packet flow is mirrored.";
}
}
}
}
case egress-action {
description
"The engress actions consist of
Kim, et al. Expires September 13, 2017 [Page 56]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
mirror and etc.";
choice egress-action-type {
description
"Engress-action-type: redirection,
and etc.";
case redirection {
description
"Redirection case.";
leaf redirection {
type boolean;
mandatory true;
description "TBD.";
}
}
}
}
}
}
}
}
}
}
grouping cfg-attack-mitigation-conrol {
description
"Configuration for Attack Mitigation Control.";
choice cfg-attack-mitigation-control-type {
description
"Attack-mitigation types: DDoS-attack and
Single-packet attack.";
case cfg-ddos-attack {
description
"A distributed-denial-of-service (DDoS) is
where the attack source is more than one,
often thousands of unique IP addresses.";
choice cfg-ddos-attack-type {
description
"DDoS-attack types: Network Layer DDoS Attacks
and Application Layer DDoS Attacks.";
case cfg-network-layer-ddos-attack {
description
"Network layer DDoS-attack.";
choice cfg-network-layer-ddos-attack-type {
Kim, et al. Expires September 13, 2017 [Page 57]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"Network layer DDoS attack types:
Syn Flood Attack, UDP Flood Attack,
ICMP Flood Attack, IP Fragment Flood,
IPv6 Related Attacks, and etc.";
case cfg-syn-flood-attack {
description
"Syn Flood Attack Case.";
list syn-flood-attack-rule {
key rule-id;
description
"Rule of Syn Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about syn flood attack.";
}
}
}
case cfg-udp-flood-attack {
description
"UDP Flood Attack Case.";
list udp-flood-attack-rule {
key rule-id;
description
"Rule of UDP Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about udp flood attack.";
}
}
}
case cfg-icmp-flood-attack {
description
"ICMP Flood Attack Case.";
list icmp-flood-attack-rule {
key rule-id;
description
"Rule of ICMP Flood Attack.";
Kim, et al. Expires September 13, 2017 [Page 58]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about icmp flood attack.";
}
}
}
case cfg-ip-frag-flood-attack {
description
"IP Fragment Flood Attack Case.";
list ip-frag-flood-attack-rule {
key rule-id;
description
"Rule of Ip Fragment Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
ip fragment flood attack.";
}
}
}
case cfg-ipv6-related-attacks {
description
"IPv6 Related Attacks Case.";
list ipv6-related-attacks-rule {
key rule-id;
description
"Rule of Ipv6 Related Attacks.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
ipv6 related attacks.";
}
}
}
}
}
case cfg-app-layer-ddos-attack {
description
Kim, et al. Expires September 13, 2017 [Page 59]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Application layer DDoS-attack.";
choice cfg-app-ddos-attack-type {
description
"Application layer DDoS-attack types:
Http Flood Attack, Https Flood Attack,
DNS Flood Attack, and
DNS Amplification Flood Attack,
SSL DDoS Attack, and etc.";
case cfg-http-flood-attack {
description
"HTTP Flood Attack Case.";
list http-flood-attack-rule {
key rule-id;
description
"Rule of HTTP Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
http flood attack.";
}
}
}
case cfg-https-flood-attack {
description
"HTTPs Flood Attack Case.";
list https-flood-attack-rule {
key rule-id;
description
"Rule of HTTPs Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
https flood attack.";
}
}
}
case cfg-dns-flood-attack {
description
Kim, et al. Expires September 13, 2017 [Page 60]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"DNS Flood Attack Case.";
list dns-flood-attack-rule {
key rule-id;
description
"Rule of DNS Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
dns flood attack.";
}
}
}
case cfg-dns-amp-flood-attack {
description
"DNS Amp Flood Attack Case.";
list dns-amp-flood-attack-rule {
key rule-id;
description
"Rule of DNS Amp Flood Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
dns amp flood attack.";
}
}
}
case cfg-ssl-ddos-attack {
description
"SSL DDoS Attack Case.";
list ssl-ddos-attack-rule {
key rule-id;
description
"Rule of SSL DDoS Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
Kim, et al. Expires September 13, 2017 [Page 61]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
ssl ddos attack.";
}
}
}
}
}
}
}
case cfg-single-packet-attack {
description
"Single Packet Attacks.";
choice cfg-single-packet-attack-type {
description
"DDoS-attack types: Scanning Attack,
Sniffing Attack, Malformed Packet Attack,
Special Packet Attack, and etc.";
case cfg-scan-and-sniff-attack {
description
"Scanning and Sniffing Attack.";
choice cfg-scan-and-sniff-attack-type {
description
"Scanning and sniffing attack types:
IP Sweep attack, Port Scanning,
and etc.";
case cfg-ip-sweep-attack {
description
"IP Sweep Attack Case.";
list ip-sweep-attack-rule {
key rule-id;
description
"Rule of IP Sweep Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
ip sweep attack.";
}
}
}
case cfg-port-scanning-attack {
description
"Port Scanning Attack Case.";
list port-scanning-attack-rule {
Kim, et al. Expires September 13, 2017 [Page 62]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
key rule-id;
description
"Rule of Port Scanning Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
port scanning attack.";
}
}
}
}
}
case cfg-malformed-packet-attack {
description
"Malformed Packet Attack.";
choice cfg-malformed-packet-attack-type {
description
"Malformed packet attack types:
Ping of Death Attack, Teardrop Attack,
and etc.";
case cfg-ping-of-death-attack {
description
"Ping of Death Attack Case.";
list ping-of-death-attack-rule {
key rule-id;
description
"Rule of Ping of Death Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
ping of death attack.";
}
}
}
case cfg-teardrop-attack {
description
"Teardrop Attack Case.";
list teardrop-attack-rule {
key rule-id;
Kim, et al. Expires September 13, 2017 [Page 63]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
description
"Rule of Teardrop Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
teardrop attack.";
}
}
}
}
}
case cfg-special-packet-attack {
description
"special Packet Attack.";
choice cfg-special-packet-attack-type {
description
"Special packet attack types:
Oversized ICMP Attack, Tracert Attack,
and etc.";
case cfg-oversized-icmp-attack {
description
"Oversized ICMP Attack Case.";
list oversized-icmp-attack-rule {
key rule-id;
description
"Rule of Oversized ICMP Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
oversized icmp attack.";
}
}
}
case cfg-tracert-attack {
description
"Tracert Attack Case.";
list tracert-attack-rule {
key rule-id;
description
Kim, et al. Expires September 13, 2017 [Page 64]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
"Rule of Tracert Attack.";
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule about
tracert attack.";
}
}
}
}
}
}
}
}
}
}
<CODE ENDS>
Figure 2: Data Model of I2NSF NSF Facing Interface
6. Security Considerations
This document introduces no additional security threats and SHOULD
follow the security requirements as stated in [i2nsf-framework].
7. Acknowledgements
This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service
Provisioning).
This document has greatly benefited from inputs by Daeyoung Hyun,
Hyoungshick Kim, Tae-Jin Ahn, and Se-Hui Lee.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", BCP 14,
RFC 2119, March 1997.
Kim, et al. Expires September 13, 2017 [Page 65]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
[RFC6020] Bjorklund, M., "YANG - A Data Modeling
Language for the Network Configuration
Protocol (NETCONF)", RFC 6020,
October 2010.
8.2. Informative References
[i2nsf-cap-interface-im] Xia, L., Strassner, J., Zhang, D., Li, K.,
Basile, C., Lioy, A., Lopez, D., Lopez, E.,
BOUTHORS, N., and L. Fang, "Information
Model of NSFs Capabilities",
draft-xibassnez-i2nsf-capability-00 (work
in progress), Novemver 2016.
[i2rs-rib-data-model] Wang, L., Ananthakrishnan, H., Chen, M.,
Dass, A., Kini, S., and N. Bahadur, "A YANG
Data Model for Routing Information Base
(RIB)", draft-ietf-i2rs-rib-data-model-07
(work in progress), January 2017.
[supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer,
"Generic Policy Information Model for
Simplified Use of Policy Abstractions
(SUPA)", draft-ietf-supa-generic-policy-
info-model-02 (work in progress),
January 2017.
[i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L.,
Strassner, J., and R. Kumar, "Framework for
Interface to Network Security Functions",
draft-ietf-i2nsf-framework-04 (work in
progress), October 2016.
Appendix A. Changes from
draft-kim-i2nsf-nsf-facing-interface-data-model-00
The following changes are made from
draft-kim-i2nsf-nsf-facing-interface-data-model-00:
o Rules for network security (e.g., iptables) and contents security
(e.g., Suricata) are added.
o Some lists are replaced with containers, and also some leafs are
correspondingly replaced with leaf-lists.
Kim, et al. Expires September 13, 2017 [Page 66]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
Authors' Addresses
Jinyong Tim Kim
Department of Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 10 8273 0930
EMail: wlsdyd0930@nate.com
Jaehoon Paul Jeong
Department of Software
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
Jung-Soo Park
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu
Daejeon 34129
Republic of Korea
Phone: +82 42 860 6514
EMail: pjs@etri.re.kr
Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Phone: +1-734-604-0332
EMail: shares@ndzh.com
Kim, et al. Expires September 13, 2017 [Page 67]
Internet-Draft NSF Facing Interface YANG Data Model March 2017
Liang Xia (Frank)
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu
China
Phone:
EMail: Frank.xialiang@huawei.com
Kim, et al. Expires September 13, 2017 [Page 68]