Network Working Group J. Kim Internet-Draft J. Jeong Intended status: Standards Track Sungkyunkwan University Expires: January 4, 2018 J. Park ETRI S. Hares L. Xia Huawei July 3, 2017 I2NSF Network Security Functions-Facing Interface YANG Data Model draft-kim-i2nsf-nsf-facing-interface-data-model-02 Abstract This document defines a YANG data model corresponding to the information model for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). It describes a data model for three security capabilities (i.e., network security functions), such as network security control, content security control, and attack mitigation control, as defined in the information model for the I2NSF NSF capabilities. Status of This Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 4, 2018. Copyright Notice Kim, et al. Expires January 4, 2018 [Page 1] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 4. Information Model Structure . . . . . . . . . . . . . . . . . 4 5. YANG Model . . . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 65 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 65 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 66 8.1. Normative References . . . . . . . . . . . . . . . . . . . 66 8.2. Informative References . . . . . . . . . . . . . . . . . . 66 Appendix A. Changes from draft-kim-i2nsf-nsf-facing-interface-data-model-01 . 66 Kim, et al. Expires January 4, 2018 [Page 2] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 1. Introduction This document defines a YANG [RFC6020] data model for security services with the information model for Network Security Functions (NSF) facing interface in Interface to Network Security Functions (I2NSF). It provides a specific information model and the corresponding data models for three security capabilities (i.e., network security functions), such as network security control, content security control, and attack mitigation control, as defined in [i2nsf-nsf-cap-im]. With these data model, I2NSF controller can control the capabilities of NSFs. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology This document uses the terminology described in [i2nsf-nsf-cap-im][i2rs-rib-data-model][supa-policy-info-model]. Especially, the following terms are from [supa-policy-info-model]: o Data Model: A data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, implementation language, and protocol. o Information Model: An information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. 3.1. Tree Diagrams A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams [i2rs-rib-data-model] is as follows: o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only). o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list". Kim, et al. Expires January 4, 2018 [Page 3] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). o Ellipsis ("...") stands for contents of subtrees that are not shown. 4. Information Model Structure Figure 1 shows an overview of a structure tree of network security control, content security control, and attack mitigation control, as defined in the [i2nsf-nsf-cap-im]. module: ietf-i2nsf-nsf-facing-interface +--rw cfg-network-security-control | +--rw policy* [policy-id] | +--rw policy-name string | +--rw policy-id uint8 | +--rw rules* [rule-id] | +--rw rule-name string | +--rw rule-id uint8 | +--rw rule-msg? string | +--rw rule-rev? uint8 | +--rw rule-gid? uint8 | +--rw rule-class-type? string | +--rw rule-reference? string | +--rw rule-priority? uint8 | +--rw event | | +--rw user-security-event* [usr-sec-event-id] | | | +--rw usr-sec-event-id uint8 | | | +--rw usr-sec-event-content string | | | +--rw usr-sec-event-format sec-event-format | | | +--rw usr-sec-event-type enumeration | | +--rw device-security-event* [dev-sec-event-id] | | | +--rw dev-sec-event-id uint8 | | | +--rw dev-sec-event-content string | | | +--rw dev-sec-event-format sec-event-format | | | +--rw dev-sec-event-type enumeration | | | +--rw dev-sec-event-type-severity enumeration | | +--rw system-security-event* [sys-sec-event-id] | | | +--rw sys-sec-event-id uint8 | | | +--rw sys-sec-event-content string | | | +--rw sys-sec-event-format sec-event-format | | | +--rw sys-sec-event-type enumeration | | +--rw time-security-event* [time-sec-event-id] | | +--rw time-sec-event-id uint8 | | +--rw time-sec-event-period-begin yang:date-and-time | | +--rw time-sec-event-period-end yang:date-and-time | | +--rw time-sec-event-time-zone string Kim, et al. Expires January 4, 2018 [Page 4] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | +--rw condition | | +--rw packet-security-condition* [pkt-security-id] | | | +--rw pkt-security-id uint8 | | | +--rw packet-security-mac-condition | | | | +--rw pkt-sec-cond-mac-dest* inet:port-number | | | | +--rw pkt-sec-cond-mac-src* inet:port-number | | | | +--rw pkt-sec-cond-mac-8021q* string | | | | +--rw pkt-sec-cond-mac-ether-type* string | | | | +--rw pkt-sec-cond-mac-tci* string | | | +--rw packet-security-ipv4-condition | | | | +--rw pkt-sec-cond-ipv4-header-length* uint8 | | | | +--rw pkt-sec-cond-ipv4-tos* uint8 | | | | +--rw pkt-sec-cond-ipv4-total-length* uint16 | | | | +--rw pkt-sec-cond-ipv4-id* uint8 | | | | +--rw pkt-sec-cond-ipv4-fragment* uint8 | | | | +--rw pkt-sec-cond-ipv4-fragment-offset* uint16 | | | | +--rw pkt-sec-cond-ipv4-ttl* uint8 | | | | +--rw pkt-sec-cond-ipv4-protocol* uint8 | | | | +--rw pkt-sec-cond-ipv4-src* inet:ipv4-address | | | | +--rw pkt-sec-cond-ipv4-dest* inet:ipv4-address | | | | +--rw pkt-sec-cond-ipv4-ipopts? string | | | | +--rw pkt-sec-cond-ipv4-sameip? boolean | | | | +--rw pkt-sec-cond-ipv4-geoip* string | | | +--rw packet-security-ipv6-condition | | | | +--rw pkt-sec-cond-ipv6-dscp* string | | | | +--rw pkt-sec-cond-ipv6-ecn* string | | | | +--rw pkt-sec-cond-ipv6-traffic-class* uint8 | | | | +--rw pkt-sec-cond-ipv6-flow-label* uint32 | | | | +--rw pkt-sec-cond-ipv6-payload-length* uint16 | | | | +--rw pkt-sec-cond-ipv6-next-header* uint8 | | | | +--rw pkt-sec-cond-ipv6-hop-limit* uint8 | | | | +--rw pkt-sec-cond-ipv6-src* inet:ipv6-address | | | | +--rw pkt-sec-cond-ipv6-dest* inet:ipv6-address | | | +--rw packet-security-tcp-condition | | | | +--rw pkt-sec-cond-tcp-seq-num* uint32 | | | | +--rw pkt-sec-cond-tcp-ack-num* uint32 | | | | +--rw pkt-sec-cond-tcp-window-size* uint16 | | | | +--rw pkt-sec-cond-tcp-flags* uint8 | | | +--rw packet-security-udp-condition | | | | +--rw pkt-sec-cond-udp-length* string | | | +--rw packet-security-icmp-condition | | | +--rw pkt-sec-cond-icmp-type* uint8 | | | +--rw pkt-sec-cond-icmp-code* uint8 | | | +--rw pkt-sec-cond-icmp-seg-num* uint32 | | +--rw packet-payload-security-condition* [pkt-payload-id] | | | +--rw pkt-payload-id uint8 | | | +--rw pkt-payload-content? string | | | +--rw pkt-payload-nocase? boolean Kim, et al. Expires January 4, 2018 [Page 5] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | | | +--rw pkt-payload-depth? uint32 | | | +--rw pkt-payload-offset? uint32 | | | +--rw pkt-payload-distance? uint32 | | | +--rw pkt-payload-within? uint32 | | | +--rw pkt-payload-isdataat? uint32 | | | +--rw pkt-payload-dsize? uint32 | | | +--rw pkt-payload-replace? string | | | +--rw pkt-payload-pcre? string | | | +--rw pkt-payload-rpc | | | +--rw pkt-payload-rpc-app-num? uint32 | | | +--rw pkt-payload-rpc-version-num? uint32 | | | +--rw pkt-payload-rpc-procedure-num? uint32 | | +--rw target-security-condition* [target-sec-cond-id] | | | +--rw target-sec-cond-id uint8 | | | +--rw service-sec-context-cond | | | | +--rw name string | | | | +--rw id uint8 | | | | +--rw protocol | | | | | +--rw tcp? boolean | | | | | +--rw udp? boolean | | | | | +--rw icmp? boolean | | | | | +--rw icmpv6? boolean | | | | | +--rw ip? boolean | | | | +--rw src-port? inet:port-number | | | | +--rw dest-port? inet:port-number | | | +--rw application-sec-context-cond | | | | +--rw name string | | | | +--rw id uint8 | | | | +--rw category | | | | | +--rw business-system? boolean | | | | | +--rw entertainment? boolean | | | | | +--rw interest? boolean | | | | | +--rw network? boolean | | | | | +--rw general? boolean | | | | +--rw subcategory | | | | | +--rw finance? boolean | | | | | +--rw email? boolean | | | | | +--rw game? boolean | | | | | +--rw media-sharing? boolean | | | | | +--rw social-network? boolean | | | | | +--rw web-posting? boolean | | | | +--rw data-transmission-model | | | | | +--rw client-server? boolean | | | | | +--rw browser-based? boolean | | | | | +--rw networking? boolean | | | | | +--rw peer-to-peer? boolean | | | | | +--rw unassigned? boolean | | | | +--rw risk-level Kim, et al. Expires January 4, 2018 [Page 6] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | | | | +--rw exploitable? boolean | | | | +--rw productivity-loss? boolean | | | | +--rw evasive? boolean | | | | +--rw data-loss? boolean | | | | +--rw malware-vehicle? boolean | | | | +--rw bandwidth-consuming? boolean | | | | +--rw tunneling? boolean | | | +--rw device-sec-context-cond | | | +--rw pc? boolean | | | +--rw mobile-phone? boolean | | | +--rw tablet? boolean | | | +--rw voip-volte-phone? boolean | | +--rw user-security-cond* [usr-sec-cond-id] | | | +--rw usr-sec-cond-id uint8 | | | +--rw user | | | | +--rw (user-name)? | | | | +--:(tenant) | | | | | +--rw tenant uint8 | | | | +--:(vn-id) | | | | +--rw vn-id uint8 | | | +--rw group | | | +--rw (group-name)? | | | +--:(tenant) | | | | +--rw tenant uint8 | | | +--:(vn-id) | | | +--rw vn-id uint8 | | +--rw generic-context-condition* [gen-context-cond-id] | | +--rw gen-context-cond-id uint8 | | +--rw geographic-location | | +--rw geographic-location* uint8 | +--rw action | +--rw (action-type)? | +--:(ingress-action) | | +--rw ingress-action-type? ingress-action | +--:(egress-action) | | +--rw egress-action-type? egress-action | +--:(apply-profile-action) | +--rw (apply-profile-action-type)? | +--:(content-security-control) | | +--rw content-security-control-types | | +--rw antivirus-insp? boolean | | +--rw ips-insp? boolean | | +--rw ids-insp? boolean | | +--rw url-filtering-insp? boolean | | +--rw data-filtering-insp? boolean | | +--rw mail-filtering-insp? boolean | | +--rw file-blocking-insp? boolean | | +--rw file-isolate-insp? boolean Kim, et al. Expires January 4, 2018 [Page 7] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | | +--rw pkt-capture-insp? boolean | | +--rw application-control-insp? boolean | | +--rw voip-volte-insp? boolean | +--:(attack-mitigation-control) | +--rw (attack-mitigation-control-type)? | +--:(ddos-attack) | | +--rw ddos-attack-type | | +--rw network-layer-ddos-attack | | | +--rw network-layer-ddos-attack-types | | | +--rw syn-flood-insp? boolean | | | +--rw udp-flood-insp? boolean | | | +--rw icmp-flood-insp? boolean | | | +--rw ip-frag-flood-insp? boolean | | | +--rw ipv6-related-insp? boolean | | +--rw app-layer-ddos-attack | | +--rw app-ddos-attack-types | | +--rw http-flood-insp? boolean | | +--rw https-flood-insp? boolean | | +--rw dns-flood-insp? boolean | | +--rw dns-amp-flood-insp? boolean | | +--rw ssl-ddos-insp? boolean | +--:(single-packet-attack) | +--rw single-packet-attack-type | +--rw scan-and-sniff-attack | | +--rw scan-and-sniff-attack-types | | +--rw ip-sweep-insp? boolean | | +--rw port-scanning-insp? boolean | +--rw malformed-packet-attack | | +--rw malformed-packet-attack-types | | +--rw ping-of-death-insp? boolean | | +--rw teardrop-insp? boolean | +--rw special-packet-attack | +--rw special-packet-attack-types | +--rw oversized-icmp-insp? boolean | +--rw tracert-insp? boolean +--rw cfg-content-security-control | +--rw (cfg-content-security-control-type)? | +--:(cfg-antivirus) | | +--rw antivirus-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-ips) | | +--rw ips-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-ids) | | +--rw ids-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-url-filter) | | +--rw url-filter-rule* [rule-id] Kim, et al. Expires January 4, 2018 [Page 8] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | | +--rw rule-id uint8 | +--:(cfg-data-filter) | | +--rw data-filter-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-mail-filter) | | +--rw mail-filter-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-file-blocking) | | +--rw file-blocking-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-file-isolate) | | +--rw file-isolate-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-pkt-capture) | | +--rw pkt-capture-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-app-control) | | +--rw app-control-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-voip-volte) | +--rw voip-volte-rule* [rule-id] | +--rw rule-id uint8 | +--rw event | | +--rw called-voip boolean | | +--rw called-volte boolean | +--rw condition | | +--rw sip-header* [sip-header-uri] | | | +--rw sip-header-uri string | | | +--rw sip-header-method string | | | +--rw sip-header-expire-time yang:date-and-time | | | +--rw sip-header-user-agent uint32 | | +--rw cell-region* [cell-id-region] | | +--rw cell-id-region uint32 | +--rw action | +--rw (action-type)? | +--:(ingress-action) | | +--rw ingress-action-type? ingress-action | +--:(egress-action) | +--rw egress-action-type? egress-action +--rw cfg-attack-mitigation-control +--rw (cfg-attack-mitigation-control-type)? +--:(cfg-ddos-attack) | +--rw (cfg-ddos-attack-type)? | +--:(cfg-network-layer-ddos-attack) | | +--rw (cfg-network-layer-ddos-attack-type)? | | +--:(cfg-syn-flood-attack) | | | +--rw syn-flood-attack-rule* [rule-id] | | | +--rw rule-id uint8 Kim, et al. Expires January 4, 2018 [Page 9] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 | | +--:(cfg-udp-flood-attack) | | | +--rw udp-flood-attack-rule* [rule-id] | | | +--rw rule-id uint8 | | +--:(cfg-icmp-flood-attack) | | | +--rw icmp-flood-attack-rule* [rule-id] | | | +--rw rule-id uint8 | | +--:(cfg-ip-frag-flood-attack) | | | +--rw ip-frag-flood-attack-rule* [rule-id] | | | +--rw rule-id uint8 | | +--:(cfg-ipv6-related-attacks) | | +--rw ipv6-related-attacks-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-app-layer-ddos-attack) | +--rw (cfg-app-ddos-attack-type)? | +--:(cfg-http-flood-attack) | | +--rw http-flood-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-https-flood-attack) | | +--rw https-flood-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-dns-flood-attack) | | +--rw dns-flood-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-dns-amp-flood-attack) | | +--rw dns-amp-flood-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-ssl-ddos-attack) | +--rw ssl-ddos-attack-rule* [rule-id] | +--rw rule-id uint8 +--:(cfg-single-packet-attack) +--rw (cfg-single-packet-attack-type)? +--:(cfg-scan-and-sniff-attack) | +--rw (cfg-scan-and-sniff-attack-type)? | +--:(cfg-ip-sweep-attack) | | +--rw ip-sweep-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-port-scanning-attack) | +--rw port-scanning-attack-rule* [rule-id] | +--rw rule-id uint8 +--:(cfg-malformed-packet-attack) | +--rw (cfg-malformed-packet-attack-type)? | +--:(cfg-ping-of-death-attack) | | +--rw ping-of-death-attack-rule* [rule-id] | | +--rw rule-id uint8 | +--:(cfg-teardrop-attack) | +--rw teardrop-attack-rule* [rule-id] | +--rw rule-id uint8 +--:(cfg-special-packet-attack) Kim, et al. Expires January 4, 2018 [Page 10] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 +--rw (cfg-special-packet-attack-type)? +--:(cfg-oversized-icmp-attack) | +--rw oversized-icmp-attack-rule* [rule-id] | +--rw rule-id uint8 +--:(cfg-tracert-attack) +--rw tracert-attack-rule* [rule-id] +--rw rule-id uint8 Figure 1: Information Model of I2NSF NSF Facing Interface 5. YANG Model This section introduces a YANG model for the information model of network security functions, as defined in the [i2nsf-nsf-cap-im]. file "ietf-i2nsf-nsf-facing-interface@2017-07-03.yang" module ietf-i2nsf-nsf-facing-interface { namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-facing-interface"; prefix nsf-facing-interface; import ietf-inet-types{ prefix inet; } import ietf-yang-types{ prefix yang; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: WG Chair: Adrian Farrel WG Chair: Linda Dunbar Editor: Jingyong Tim Kim Editor: Jaehoon Paul Jeong Kim, et al. Expires January 4, 2018 [Page 11] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 Editor: Susan Hares "; description "This module defines a YANG data module for network security functions."; revision "2017-07-03"{ description "The second revision"; reference "draft-xibassnez-i2nsf-capability-01; draft-kim-i2nsf-nsf-facing-interface-data-model-02"; } typedef sec-event-format { type enumeration { enum unknown { description "If usrSecEventFormat is unknown"; } enum guid { description "If usrSecEventFormat is GUID (Generic Unique IDentifier)"; } enum uuid { description "If usrSecEventFormat is UUID (Universal Unique IDentifier)"; } enum uri { description "If usrSecEventFormat is URI (Uniform Resource Identifier)"; } enum fqdn { description "If usrSecEventFormat is FQDN (Fully Qualified Domain Name)"; } enum fqpn { description "If usrSecEventFormat is FQPN (Fully Qualified Path Name)"; } } description Kim, et al. Expires January 4, 2018 [Page 12] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "This is used for SecEventFormat."; } typedef ingress-action { type enumeration { enum pass { description "If ingress action is pass"; } enum drop { description "If ingress action is drop"; } enum reject { description "If ingress action is reject"; } enum alert { description "If ingress action is alert"; } enum mirror { description "If ingress action is mirror"; } } description "This is used for ingress action."; } typedef egress-action { type enumeration { enum invoke-signaling { description "If egress action is invoke signaling"; } enum tunnel-encapsulation { description "If egress action is tunnel encapsulation"; } enum forwarding { description "If egress action is forwarding"; } enum redirection { description "If egress action is redirection"; } Kim, et al. Expires January 4, 2018 [Page 13] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } description "This is used for egress action."; } //Groupings container cfg-network-security-control { description "Configuration for Network Security Control."; list policy { key "policy-id"; description "policy is a grouping including a set of security rules according to certain logic, i.e., their similarity or mutual relations, etc. The network security policy is able to apply over both the unidirectional and bidirectional traffic across the NSF."; leaf policy-name { type string; mandatory true; description "The name of the policy. This must be unique."; } leaf policy-id { type uint8; mandatory true; description "The ID of the policy. This must be unique."; } list rules { key "rule-id"; description "This is a rule for network security control."; leaf rule-name { type string; mandatory true; description "The name of the rule. This must be unique."; Kim, et al. Expires January 4, 2018 [Page 14] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } leaf rule-id { type uint8; mandatory true; description "The ID of the rule. This is key for rule-list. This must be unique."; } leaf rule-msg { type string; description "The keyword msg gives more information about the signature and the possible alert."; } leaf rule-rev { type uint8; description "The sid keyword is almost every time accompanied by reb."; } leaf rule-gid { type uint8; description "The gid keyword can be used to give different groups of signatures another id value (like in sid).."; } leaf rule-class-type { type string; description "The classtype keyword gives information about the classification of rules and alerts."; } leaf rule-reference { type string; description "The reference keywords direct to places where information about the signature and about the problem the signature tries to address, can be found."; } Kim, et al. Expires January 4, 2018 [Page 15] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf rule-priority { type uint8; description "The priority keyword comes with a mandatory numeric value which can range from 1 till 255."; } container event { description " An event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. When used in the context of policy rules for a flow-based NSF, it is used to determine whether the Condition clause of the Policy Rule can be evaluated or not. Examples of an I2NSF event include time and user actions (e.g., logon, logoff, and actions that violate any ACL.)."; list user-security-event { key usr-sec-event-id; description "The purpose of this class is to represent events that are initiated by a user, such as logon and logoff events. Information in this event may be used as part of a test to determine if the Condition clause in this ECA Policy Rule should be evaluated or not. Examples include user identification data and the type of connection used by the user."; leaf usr-sec-event-id { type uint8; mandatory true; description "The ID of the usr-sec-event. This is key for usr-sec-event-list. This must be unique."; } leaf usr-sec-event-content { type string; mandatory true; description "This is a mandatory string that contains the content of the UserSecurityEvent. The format of the content is specified in the usrSecEventFormat class attribute, and the type of event is defined in the usrSecEventType class attribute. An example of the usrSecEventContent attribute is a string hrAdmin, Kim, et al. Expires January 4, 2018 [Page 16] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 with the usrSecEventFormat set to 1 (GUID) and the usrSecEventType attribute set to 5 (new logon)."; } leaf usr-sec-event-format { type sec-event-format; mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the data type of the usrSecEventContent attribute. The content is specified in the usrSecEventContent class attribute, and the type of event is defined in the usrSecEventType class attribute. An example of the usrSecEventContent attribute is string hrAdmin, with the usrSecEventFormat attribute set to 1 (GUID) and the usrSecEventType attribute set to 5 (new logon)."; } leaf usr-sec-event-type { type enumeration { enum unknown { description "If usrSecEventType is unknown"; } enum user-created { description "If usrSecEventType is new user created"; } enum user-grp-created { description "If usrSecEventType is new user group created"; } enum user-deleted { description "If usrSecEventType is user deleted"; } enum user-grp-deleted { description "If usrSecEventType is user group deleted"; } enum user-logon { description Kim, et al. Expires January 4, 2018 [Page 17] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "If usrSecEventType is user logon"; } enum user-logoff { description "If usrSecEventType is user logoff"; } enum user-access-request { description "If usrSecEventType is user access request"; } enum user-access-granted { description "If usrSecEventType is user granted"; } enum user-access-violation { description "If usrSecEventType is user violation"; } } mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the type of event that involves this user. The content and format are specified in the usrSecEventContent and usrSecEventFormat class attributes, respectively. An example of the usrSecEventContent attribute is string hrAdmin, with the usrSecEventFormat attribute set to 1 (GUID) and the usrSecEventType attribute set to 5 (new logon)."; } } list device-security-event { key dev-sec-event-id; description "The purpose of a DeviceSecurityEvent is to represent events that provide information from the Device that are important to I2NSF Security. Information in this event may be used as part of a test to determine if the Condition clause in this ECA Policy Rule should be evaluated or not. Examples include alarms and various device statistics (e.g., a type of threshold that was Kim, et al. Expires January 4, 2018 [Page 18] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 exceeded), which may signal the need for further action."; leaf dev-sec-event-id { type uint8; mandatory true; description "The ID of the dev-sec-event. This is key for dev-sec-event-list. This must be unique."; } leaf dev-sec-event-content { type string; mandatory true; description "This is a mandatory string that contains the content of the DeviceSecurityEvent. The format of the content is specified in the devSecEventFormat class attribute, and the type of event is defined in the devSecEventType class attribute. An example of the devSecEventContent attribute is alarm, with the devSecEventFormat attribute set to 1 (GUID), the devSecEventType attribute set to 5 (new logon)."; } leaf dev-sec-event-format { type sec-event-format; mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the data type of the devSecEventContent attribute."; } leaf dev-sec-event-type { type enumeration { enum unknown { description "If devSecEventType is unknown"; } enum comm-alarm { description "If devSecEventType is communications alarm"; } enum quality-of-service-alarm { description Kim, et al. Expires January 4, 2018 [Page 19] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "If devSecEventType is quality of service alarm"; } enum process-err-alarm { description "If devSecEventType is processing error alarm"; } enum equipment-err-alarm { description "If devSecEventType is equipment error alarm"; } enum environmental-err-alarm { description "If devSecEventType is environmental error alarm"; } } mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the type of event that was generated by this device."; } leaf dev-sec-event-type-severity { type enumeration { enum unknown { description "If devSecEventType is unknown"; } enum cleared { description "If devSecEventTypeSeverity is cleared"; } enum indeterminate { description "If devSecEventTypeSeverity is indeterminate"; } enum critical { description "If devSecEventTypeSeverity is critical"; } enum major{ description "If devSecEventTypeSeverity is major"; Kim, et al. Expires January 4, 2018 [Page 20] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } enum minor { description "If devSecEventTypeSeverity is minor"; } enum warning { description "If devSecEventTypeSeverity is warning"; } } mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the perceived severity of the event generated by this Device."; } } list system-security-event { key sys-sec-event-id; description "The purpose of a SystemSecurityEvent is to represent events that are detected by the management system, instead of events that are generated by a user or a device. Information in this event may be used as part of a test to determine if the Condition clause in this ECA Policy Rule should be evaluated or not. Examples include an event issued by an analytics system that warns against a particular pattern of unknown user accesses, or an event issued by a management system that represents a set of correlated and/or filtered events."; leaf sys-sec-event-id { type uint8; mandatory true; description "The ID of the sys-sec-event. This is key for sys-sec-event-list. This must be unique."; } leaf sys-sec-event-content { type string; mandatory true; description Kim, et al. Expires January 4, 2018 [Page 21] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "This is a mandatory string that contains a content of the SystemSecurityEvent. The format of a content is specified in a sysSecEventFormat class attribute, and the type of event is defined in the sysSecEventType class attribute. An example of the sysSecEventContent attribute is string sysadmin3, with the sysSecEventFormat attribute set to 1(GUID), and the sysSecEventType attribute set to 2 (audit log cleared)."; } leaf sys-sec-event-format { type sec-event-format; mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the data type of the sysSecEventContent attribute."; } leaf sys-sec-event-type { type enumeration { enum unknown { description "If sysSecEventType is unknown"; } enum audit-log-written-to { description "If sysSecEventTypeSeverity is that audit log is written to"; } enum audit-log-cleared { description "If sysSecEventTypeSeverity is that audit log is cleared"; } enum policy-created { description "If sysSecEventTypeSeverity is that policy is created"; } enum policy-edited{ description "If sysSecEventTypeSeverity is that policy is edited"; } enum policy-deleted{ description Kim, et al. Expires January 4, 2018 [Page 22] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "If sysSecEventTypeSeverity is that policy is deleted"; } enum policy-executed{ description "If sysSecEventTypeSeverity is that policy is executed"; } } mandatory true; description "This is a mandatory uint 8 enumerated integer, which is used to specify the type of event that involves this device."; } } list time-security-event { key time-sec-event-id; description "Purpose of a TimeSecurityEvent is to represent events that are temporal in nature (e.g., the start or end of a period of time). Time events signify an individual occurrence, or a time period, in which a significant event happened. Information in the event may be used as part of a test to determine if the Condition clause in this ECA Rule should be evaluated or not. Examples include issuing an event at a specific time to indicate that a particular resource should not be accessed, or that different authentication and authorization mechanisms should now be used (e.g., because it is now past regular business hours)."; leaf time-sec-event-id { type uint8; mandatory true; description "The ID of the time-sec-event. This is key for time-sec-event-list. This must be unique."; } leaf time-sec-event-period-begin { type yang:date-and-time; mandatory true; description "This is a mandatory DateTime attribute, and represents the beginning of a time period. Kim, et al. Expires January 4, 2018 [Page 23] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 It has a value that has a date and/or a time component (as in the Java or Python libraries)."; } leaf time-sec-event-period-end { type yang:date-and-time; mandatory true; description "This is a mandatory DateTime attribute, and represents the end of a time period. It has a value that has a date and/or a time component (as in the Java or Python libraries). If this is a single event occurrence, and not a time period when the event can occur, then the timeSecEventPeriodEnd attribute may be ignored."; } leaf time-sec-event-time-zone { type string; mandatory true; description "This is a mandatory string attribute, and defines a time zone that this event occurred in using the format specified in ISO8601."; } } } container condition { description "TBD"; list packet-security-condition { key pkt-security-id; description "The purpose of this Class is to represent packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not. This class is abstract, and serves as the superclass of more detailed conditions that involve different types of packet formats."; leaf pkt-security-id { type uint8; mandatory true; description "The ID of the packet-security-condition."; } Kim, et al. Expires January 4, 2018 [Page 24] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 container packet-security-mac-condition { description "The purpose of this Class is to represent packet MAC packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be execute or not."; leaf-list pkt-sec-cond-mac-dest { type inet:port-number; description "The MAC destination address (6 octets long)."; } leaf-list pkt-sec-cond-mac-src { type inet:port-number; description "The MAC source address (6 octets long)."; } leaf-list pkt-sec-cond-mac-8021q { type string; description "This is an optional string attribute, and defines The 802.1Q tab value (2 octets long)."; } leaf-list pkt-sec-cond-mac-ether-type { type string; description "The EtherType field (2 octets long). Values up to and including 1500 indicate the size of the payload in octets; values of 1536 and above define which protocol is encapsulated in the payload of the frame."; } leaf-list pkt-sec-cond-mac-tci { type string; description "This is an optional string attribute, and defines the Tag Control Information. This consists of a 3 bit user priority field, a drop eligible indicator (1 bit), and a VLAN identifier (12 bits)."; } } container packet-security-ipv4-condition { description Kim, et al. Expires January 4, 2018 [Page 25] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "The purpose of this Class is to represent packet IPv4 packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not."; leaf-list pkt-sec-cond-ipv4-header-length { type uint8; description "The IPv4 packet header consists of 14 fields, of which 13 are required."; } leaf-list pkt-sec-cond-ipv4-tos { type uint8; description "The ToS field could specify a datagram's priority and request a route for low-delay, high-throughput, or highly-reliable service.."; } leaf-list pkt-sec-cond-ipv4-total-length { type uint16; description "This 16-bit field defines the entire packet size, including header and data, in bytes."; } leaf-list pkt-sec-cond-ipv4-id { type uint8; description "This field is an identification field and is primarily used for uniquely identifying the group of fragments of a single IP datagram."; } leaf-list pkt-sec-cond-ipv4-fragment { type uint8; description "IP fragmentation is an Internet Protocol (IP) process that breaks datagrams into smaller pieces (fragments), so that packets may be formed that can pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size."; } leaf-list pkt-sec-cond-ipv4-fragment-offset { type uint16; Kim, et al. Expires January 4, 2018 [Page 26] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 description "Fragment offset field along with Don't Fragment and More Fragment flags in the IP protocol header are used for fragmentation and reassembly of IP datagrams."; } leaf-list pkt-sec-cond-ipv4-ttl { type uint8; description "The ttl keyword is used to check for a specific IP time-to-live value in the header of a packet."; } leaf-list pkt-sec-cond-ipv4-protocol { type uint8; description "Internet Protocol version 4(IPv4) is the fourth version of the Internet Protocol (IP)."; } leaf-list pkt-sec-cond-ipv4-src { type inet:ipv4-address; description "Defines the IPv4 Source Address."; } leaf-list pkt-sec-cond-ipv4-dest { type inet:ipv4-address; description "Defines the IPv4 Destination Address."; } leaf pkt-sec-cond-ipv4-ipopts { type string; description "With the ipopts keyword you can check if a specific ip option is set. Ipopts has to be used at the beginning of a rule."; } leaf pkt-sec-cond-ipv4-sameip { type boolean; description "Every packet has a source IP-address and a destination IP-address. It can be that the source IP is the same as Kim, et al. Expires January 4, 2018 [Page 27] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 the destination IP."; } leaf-list pkt-sec-cond-ipv4-geoip { type string; description "The geoip keyword enables you to match on the source, destination or source and destination IP addresses of network traffic and to see to which country it belongs. To do this, Suricata uses GeoIP API with MaxMind database format."; } } container packet-security-ipv6-condition { description "The purpose of this Class is to represent packet IPv6 packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not."; leaf-list pkt-sec-cond-ipv6-dscp { type string; description "Differentiated Services Code Point (DSCP) of ipv6."; } leaf-list pkt-sec-cond-ipv6-ecn { type string; description "ECN allows end-to-end notification of network congestion without dropping packets."; } leaf-list pkt-sec-cond-ipv6-traffic-class { type uint8; description "The bits of this field hold two values. The 6 most-significant bits are used for differentiated services, which is used to classify packets."; } leaf-list pkt-sec-cond-ipv6-flow-label { type uint32; description Kim, et al. Expires January 4, 2018 [Page 28] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "The flow label when set to a non-zero value serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered."; } leaf-list pkt-sec-cond-ipv6-payload-length { type uint16; description "The size of the payload in octets, including any extension headers."; } leaf-list pkt-sec-cond-ipv6-next-header { type uint8; description "Specifies the type of the next header. This field usually specifies the transport layer protocol used by a packet's payload."; } leaf-list pkt-sec-cond-ipv6-hop-limit { type uint8; description "Replaces the time to live field of IPv4."; } leaf-list pkt-sec-cond-ipv6-src { type inet:ipv6-address; description "The IPv6 address of the sending node."; } leaf-list pkt-sec-cond-ipv6-dest { type inet:ipv6-address; description "The IPv6 address of the destination node(s)."; } } container packet-security-tcp-condition { description "The purpose of this Class is to represent packet TCP packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not."; Kim, et al. Expires January 4, 2018 [Page 29] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf-list pkt-sec-cond-tcp-seq-num { type uint32; description "If the SYN flag is set (1), then this is the initial sequence number."; } leaf-list pkt-sec-cond-tcp-ack-num { type uint32; description "If the ACK flag is set then the value of this field is the next sequence number that the sender is expecting."; } leaf-list pkt-sec-cond-tcp-window-size { type uint16; description "The size of the receive window, which specifies the number of windows size units (by default,bytes) (beyond the segment identified by the sequence number in the acknowledgment field) that the sender of this segment is currently willing to recive."; } leaf-list pkt-sec-cond-tcp-flags { type uint8; description "This is a mandatory string attribute, and defines the nine Control bit flags (9 bits)."; } } container packet-security-udp-condition { description "The purpose of this Class is to represent packet UDP packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not."; leaf-list pkt-sec-cond-udp-length { type string; description "This is a mandatory string attribute, and defines the length in bytes of the UDP header and data (16 bits)."; } } Kim, et al. Expires January 4, 2018 [Page 30] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 container packet-security-icmp-condition { description "The internet control message protocol condition."; leaf-list pkt-sec-cond-icmp-type { type uint8; description "ICMP type, see Control messages."; } leaf-list pkt-sec-cond-icmp-code { type uint8; description "ICMP subtype, see Control messages."; } leaf-list pkt-sec-cond-icmp-seg-num { type uint32; description "The icmp Sequence Number."; } } } list packet-payload-security-condition { key "pkt-payload-id"; description "The ID of the pkt-payload. This is key for pkt-payload-list. This must be unique."; leaf pkt-payload-id { type uint8; mandatory true; description "The ID of the packet payload. This must be unique."; } leaf pkt-payload-content { type string; description "The content keyword is very important in signatures. Between the quotation marks you can write on what you would like the signature to match."; } leaf pkt-payload-nocase { Kim, et al. Expires January 4, 2018 [Page 31] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 type boolean; description "If you do not want to make a distinction between uppercase and lowercase characters, you can use nocase."; } leaf pkt-payload-depth { type uint32; description "The depth keyword is a absolute content modifier."; } leaf pkt-payload-offset { type uint32; description "The offset keyword designates from which byte in the payload will be checked to fined to find a match."; } leaf pkt-payload-distance { type uint32; description "The keyword distance is a relative content modifier. This means it indicates a relation between this content keyword and the content preceding it."; } leaf pkt-payload-within { type uint32; description "The keyword within is relative to the preceding match. The keyword within comes with a mandatory numeric value."; } leaf pkt-payload-isdataat { type uint32; description "The purpose of the isdataat keyword is to look if there is still data at a specific part of the payload."; } leaf pkt-payload-dsize { Kim, et al. Expires January 4, 2018 [Page 32] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 type uint32; description "With the dsize keyword, you can match on the size of the packet payload."; } leaf pkt-payload-replace { type string; description "The replace content modifier can only be used in ips. It adjusts network traffic."; } leaf pkt-payload-pcre { type string; description "For information about pcre check the pcre (Perl Compatible Regular Expressions)page."; } container pkt-payload-rpc{ description "The rpc keyword can be used to match in the SUNRPC CALL on the RPC procedure numbers and the RPC version."; leaf pkt-payload-rpc-app-num { type uint32; description "."; } leaf pkt-payload-rpc-version-num { type uint32; description "|*."; } leaf pkt-payload-rpc-procedure-num { type uint32; description "|*."; } } } list target-security-condition { key "target-sec-cond-id"; description Kim, et al. Expires January 4, 2018 [Page 33] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "Under the circumstances of network, it mainly refers to the service, application, and device."; leaf target-sec-cond-id { type uint8; mandatory true; description "The ID of the target. This must be unique."; } container service-sec-context-cond{ description "A service is an application identified by a protocol type and port number, such as TCP, UDP, ICMP, and IP."; leaf name { type string; mandatory true; description "The name of the service. This must be unique."; } leaf id { type uint8; mandatory true; description "The ID of the service. This must be unique."; } container protocol { description "Protocol types: TCP, UDP, ICMP, ICMPv6, IP, and etc."; leaf tcp { type boolean; description "TCP protocol type."; } leaf udp { type boolean; description "UDP protocol type."; } Kim, et al. Expires January 4, 2018 [Page 34] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf icmp { type boolean; description "ICMP protocol type."; } leaf icmpv6 { type boolean; description "ICMPv6 protocol type."; } leaf ip { type boolean; description "IP protocol type."; } } leaf src-port{ type inet:port-number; description "It can be used for finding programs."; } leaf dest-port{ type inet:port-number; description "It can be used for finding programs."; } } container application-sec-context-cond { description "An application is a computer program for a specific task or purpose. It provides a finer granularity than service in matching traffic."; leaf name{ type string; mandatory true; description "The name of the application. This must be unique."; } leaf id{ Kim, et al. Expires January 4, 2018 [Page 35] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 type uint8; mandatory true; description "The ID of the application. This must be unique."; } container category{ description "Category types: Business system, Entertainment, Interest, Network, General, and etc."; leaf business-system { type boolean; description "Business system category."; } leaf entertainment { type boolean; description "Entertainment category."; } leaf interest { type boolean; description "Interest category."; } leaf network { type boolean; description "Network category."; } leaf general { type boolean; description "General category."; } } container subcategory{ description "Subcategory types: Finance, Email, Game, Media sharing, Social network, Web posting, and etc."; Kim, et al. Expires January 4, 2018 [Page 36] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf finance { type boolean; description "Finance subcategory."; } leaf email { type boolean; description "Email subcategory."; } leaf game { type boolean; description "Game subcategory."; } leaf media-sharing { type boolean; description "Media sharing subcategory."; } leaf social-network { type boolean; description "Social network subcategory."; } leaf web-posting { type boolean; description "Web posting subcategory."; } } container data-transmission-model{ description "Data transmission model types: Client-server, Browser-based, Networking, Peer-to-Peer, Unassigned, and etc."; leaf client-server { type boolean; description "client-server data transmission model."; } Kim, et al. Expires January 4, 2018 [Page 37] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf browser-based { type boolean; description "Browser-based data transmission model."; } leaf networking { type boolean; description "Networking data transmission model."; } leaf peer-to-peer { type boolean; description "Peer-to-Peer data transmission model."; } leaf unassigned { type boolean; description "Unassigned data transmission model."; } } container risk-level{ description "Risk level types: Exploitable, Productivity loss, Evasive, Data loss, Malware vehicle, Bandwidth consuming, Tunneling, and etc."; leaf exploitable { type boolean; description "Exploitable risk level."; } leaf productivity-loss { type boolean; description "Productivity loss risk level."; } leaf evasive { type boolean; description "Evasive risk level."; } Kim, et al. Expires January 4, 2018 [Page 38] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf data-loss { type boolean; description "Data loss risk level."; } leaf malware-vehicle { type boolean; description "Malware vehicle risk level."; } leaf bandwidth-consuming { type boolean; description "Bandwidth consuming risk level."; } leaf tunneling { type boolean; description "Tunneling risk level."; } } } container device-sec-context-cond { description "The device attribute that can identify a device, including the device type (i.e., router, switch, pc, ios, or android) and the device's owner as well."; leaf pc { type boolean; description "If type of a device is PC."; } leaf mobile-phone { type boolean; description "If type of a device is mobile-phone."; } leaf tablet { type boolean; description Kim, et al. Expires January 4, 2018 [Page 39] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "If type of a device is tablet."; } leaf voip-volte-phone { type boolean; description "If type of a device is voip-volte-phone."; } } } list user-security-cond { key "usr-sec-cond-id"; description "TBD"; leaf usr-sec-cond-id { type uint8; description "The ID of the user-sec-cond. This is key for user-sec-cond-list. This must be unique."; } container user{ description "The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aware of the IP address of the user provided by a unified user management system via network. Based on name-address association, NSF is able to enforce the security functions over the given user (or user group)"; choice user-name { description "The name of the user. This must be unique."; case tenant { description "Tenant information."; leaf tenant { type uint8; Kim, et al. Expires January 4, 2018 [Page 40] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 mandatory true; description "User's tenant information."; } } case vn-id { description "VN-ID information."; leaf vn-id { type uint8; mandatory true; description "User's VN-ID information."; } } } } container group { description "The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aware of the IP address of the user provided by a unified user management system via network. Based on name-address association, NSF is able to enforce the security functions over the given user (or user group)"; choice group-name { description "The name of the user. This must be unique."; case tenant { description "Tenant information."; leaf tenant { type uint8; mandatory true; description "User's tenant information."; } } Kim, et al. Expires January 4, 2018 [Page 41] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 case vn-id { description "VN-ID information."; leaf vn-id { type uint8; mandatory true; description "User's VN-ID information."; } } } } } list generic-context-condition { key "gen-context-cond-id"; description "TBD"; leaf gen-context-cond-id { type uint8; description "The ID of the gen-context-cond. This is key for gen-context-cond-list. This must be unique."; } container geographic-location { description "The location where network traffic is associated with. The region can be the geographic location such as country, province, and city, as well as the logical network location such as IP address, network section, and network domain."; leaf-list geographic-location { type uint8; description "This is mapped to ip address. We can acquire region through ip address stored the database."; } } } } container action { description Kim, et al. Expires January 4, 2018 [Page 42] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "TBD."; choice action-type { description "The flow-based NSFs realize the network security functions by executing various Actions, which at least includes ingress-action, egress-action, and advanced-action."; case ingress-action { description "The ingress actions consist of permit, deny, and mirror."; leaf ingress-action-type { type ingress-action; description "Ingress action type: permit, deny, and mirror."; } } case egress-action { description "The egress actions consist of invoke-signaling, tunnel-encapsulation, and forwarding."; leaf egress-action-type { type egress-action; description "Egress-action-type: invoke-signaling, tunnel-encapsulation, and forwarding."; } } case apply-profile-action { description "Applying a specific Functional Profile or signature - e.g., an IPS Profile, a signature file, an anti-virus file, or a URL filtering file. The functional profile or signature file corresponds to the security capability for the content security control and attack mitigation control which will be described afterwards. It is one of the key properties that determine the effectiveness of the NSF, and is mostly vendor specific today. One goal of I2NSF is to standardize the form and functional interface of those security capabilities while supporting vendor- specific implementations of each."; Kim, et al. Expires January 4, 2018 [Page 43] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 choice apply-profile-action-type { description "Advanced action types: Content Security Control and Attack Mitigation Control."; case content-security-control { description "Content security control is another category of security capabilities applied to application layer. Through detecting the contents carried over the traffic in application layer, these capabilities can realize various security purposes, such as defending against intrusion, inspecting virus, filtering malicious URL or junk email, and blocking illegal web access or data retrieval."; container content-security-control-types { description "Content Security types: Antivirus, IPS, IDS, url-filtering, data-filtering, mail-filtering, file-blocking, file-isolate, pkt-capture, application-control, and voip-volte."; leaf antivirus-insp { type boolean; description "Additional inspection of antivirus."; } leaf ips-insp { type boolean; description "Additional inspection of IPS."; } leaf ids-insp { type boolean; description "Additional inspection of IDS."; } leaf url-filtering-insp { type boolean; description "Additional inspection of URL filtering."; } leaf data-filtering-insp { Kim, et al. Expires January 4, 2018 [Page 44] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 type boolean; description "Additional inspection of data filtering."; } leaf mail-filtering-insp { type boolean; description "Additional inspection of mail filtering."; } leaf file-blocking-insp { type boolean; description "Additional inspection of file blocking."; } leaf file-isolate-insp { type boolean; description "Additional inspection of file isolate."; } leaf pkt-capture-insp { type boolean; description "Additional inspection of packet capture."; } leaf application-control-insp { type boolean; description "Additional inspection of app control."; } leaf voip-volte-insp { type boolean; description "Additional inspection of VoIP/VoLTE."; } } } case attack-mitigation-control { description "This category of security capabilities is specially used to detect and mitigate various types of network attacks."; Kim, et al. Expires January 4, 2018 [Page 45] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 choice attack-mitigation-control-type { description "Attack-mitigation types: DDoS-attack and Single-packet attack."; case ddos-attack { description "A distributed-denial-of-service (DDoS) is where the attack source is more than one, often thousands of unique IP addresses."; container ddos-attack-type { description "DDoS-attack types: Network Layer DDoS Attacks and Application Layer DDoS Attacks."; container network-layer-ddos-attack { description "Network layer DDoS-attack."; container network-layer-ddos-attack-types { description "Network layer DDoS attack types: Syn Flood Attack, UDP Flood Attack, ICMP Flood Attack, IP Fragment Flood, IPv6 Related Attacks, and etc"; leaf syn-flood-insp { type boolean; description "Additional Inspection of Syn Flood Attack."; } leaf udp-flood-insp { type boolean; description "Additional Inspection of UDP Flood Attack."; } leaf icmp-flood-insp { type boolean; description "Additional Inspection of ICMP Flood Attack."; } leaf ip-frag-flood-insp { Kim, et al. Expires January 4, 2018 [Page 46] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 type boolean; description "Additional Inspection of IP Fragment Flood."; } leaf ipv6-related-insp { type boolean; description "Additional Inspection of IPv6 Related Attacks."; } } } container app-layer-ddos-attack { description "Application layer DDoS-attack."; container app-ddos-attack-types { description "Application layer DDoS-attack types: Http Flood Attack, Https Flood Attack, DNS Flood Attack, and DNS Amplification Flood Attack, SSL DDoS Attack, and etc."; leaf http-flood-insp { type boolean; description "Additional Inspection of Http Flood Attack."; } leaf https-flood-insp { type boolean; description "Additional Inspection of Https Flood Attack."; } leaf dns-flood-insp { type boolean; description "Additional Inspection of DNS Flood Attack."; } Kim, et al. Expires January 4, 2018 [Page 47] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf dns-amp-flood-insp { type boolean; description "Additional Inspection of DNS Amplification Flood Attack."; } leaf ssl-ddos-insp { type boolean; description "Additional Inspection of SSL Flood Attack."; } } } } } case single-packet-attack { description "Single Packet Attacks."; container single-packet-attack-type { description "DDoS-attack types: Scanning Attack, Sniffing Attack, Malformed Packet Attack, Special Packet Attack, and etc."; container scan-and-sniff-attack { description "Scanning and Sniffing Attack."; container scan-and-sniff-attack-types { description "Scanning and sniffing attack types: IP Sweep attack, Port Scanning, and etc."; leaf ip-sweep-insp { type boolean; description "Additional Inspection of IP Sweep Attack."; } leaf port-scanning-insp { type boolean; description "Additional Inspection of Port Scanning Attack."; Kim, et al. Expires January 4, 2018 [Page 48] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } } } container malformed-packet-attack { description "Malformed Packet Attack."; container malformed-packet-attack-types { description "Malformed packet attack types: Ping of Death Attack, Teardrop Attack, and etc."; leaf ping-of-death-insp { type boolean; description "Additional Inspection of Ping of Death Attack."; } leaf teardrop-insp { type boolean; description "Additional Inspection of Teardrop Attack."; } } } container special-packet-attack { description "special Packet Attack."; container special-packet-attack-types { description "Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc."; leaf oversized-icmp-insp { type boolean; description "Additional Inspection of Oversize ICMP Attack."; } leaf tracert-insp { type boolean; description Kim, et al. Expires January 4, 2018 [Page 49] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "Additional Inspection of Tracrt Attack."; } } } } } } } } } } } } } } container cfg-content-security-control { description "Configuration for Content Security Control."; choice cfg-content-security-control-type { description "Content Security types: Antivirus, IPS, IDS, url-filtering, data-filtering, mail-filtering, file-blocking, file-isolate, pkt-capture, application-control, and voip-volte."; case cfg-antivirus { description "Antivirus Case."; list antivirus-rule { key rule-id; description "Rule of Antivirus."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about antivirus."; } } } case cfg-ips { description Kim, et al. Expires January 4, 2018 [Page 50] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "IPS Case."; list ips-rule { key rule-id; description "Rule of IPS."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about IPS."; } } } case cfg-ids { description "IDS Case."; list ids-rule { key rule-id; description "Rule of IDS."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about IDS."; } } } case cfg-url-filter { description "URL Filter Case."; list url-filter-rule { key rule-id; description "Rule of URL filter."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about URL filter."; Kim, et al. Expires January 4, 2018 [Page 51] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } } } case cfg-data-filter { description "Data Filter Case."; list data-filter-rule { key rule-id; description "Rule of Data Filter."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about data filter."; } } } case cfg-mail-filter { description "Mail Filter Case."; list mail-filter-rule { key rule-id; description "Rule of Mail Filter."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about mail filter."; } } } case cfg-file-blocking { description "File Blocking Case."; list file-blocking-rule { key rule-id; description "Rule of File Blocking."; Kim, et al. Expires January 4, 2018 [Page 52] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 leaf rule-id { type uint8; mandatory true; description "The ID of the rule about file blocking."; } } } case cfg-file-isolate { description "File Isolate Case."; list file-isolate-rule { key rule-id; description "Rule of File Isolate."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about file isolate."; } } } case cfg-pkt-capture { description "Packet Capture Case."; list pkt-capture-rule { key rule-id; description "Rule of Packet Capture."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about pacekt capture."; } } } case cfg-app-control { description "App Control Case."; Kim, et al. Expires January 4, 2018 [Page 53] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 list app-control-rule { key rule-id; description "Rule of App Control."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about app control."; } } } case cfg-voip-volte { description "VoIP/VoLTE Case."; list voip-volte-rule { key "rule-id"; description "For the VoIP/VoLTE security system, a VoIP/ VoLTE security system can monitor each VoIP/VoLTE flow and manage VoIP/VoLTE security rules controlled by a centralized server for VoIP/VoLTE security service (called VoIP IPS). The VoIP/VoLTE security system controls each switch for the VoIP/VoLTE call flow management by manipulating the rules that can be added, deleted, or modified dynamically."; leaf rule-id { type uint8; mandatory true; description "The ID of the voip-volte-rule. This is the key for voip-volte-rule-list. This must be unique."; } container event { description "Event types: VoIP and VoLTE."; leaf called-voip { type boolean; mandatory true; Kim, et al. Expires January 4, 2018 [Page 54] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 description "If content-security-control-type is voip."; } leaf called-volte { type boolean; mandatory true; description "If content-security-control-type is volte."; } } container condition { description "TBD."; list sip-header { key "sip-header-uri"; description "TBD."; leaf sip-header-uri { type string; mandatory true; description "SIP header URI."; } leaf sip-header-method { type string; mandatory true; description "SIP header method."; } leaf sip-header-expire-time { type yang:date-and-time; mandatory true; description "SIP header expire time."; } leaf sip-header-user-agent { type uint32; mandatory true; description Kim, et al. Expires January 4, 2018 [Page 55] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "SIP header user agent."; } } list cell-region { key "cell-id-region"; description "TBD."; leaf cell-id-region { type uint32; mandatory true; description "Cell region."; } } } container action { description "The flow-based NSFs realize the security functions by executing various Actions."; choice action-type { description "Action type: ingress action and egress action."; case ingress-action { description "The ingress actions consist of permit, deny, and mirror."; leaf ingress-action-type { type ingress-action; description "Ingress-action-type: permit, deny, and mirror."; } } case egress-action { description "The engress actions consist of mirror and etc."; leaf egress-action-type { type egress-action; Kim, et al. Expires January 4, 2018 [Page 56] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 description "Engress-action-type: redirection, and etc."; } } } } } } } } container cfg-attack-mitigation-control { description "Configuration for Attack Mitigation Control."; choice cfg-attack-mitigation-control-type { description "Attack-mitigation types: DDoS-attack and Single-packet attack."; case cfg-ddos-attack { description "A distributed-denial-of-service (DDoS) is where the attack source is more than one, often thousands of unique IP addresses."; choice cfg-ddos-attack-type { description "DDoS-attack types: Network Layer DDoS Attacks and Application Layer DDoS Attacks."; case cfg-network-layer-ddos-attack { description "Network layer DDoS-attack."; choice cfg-network-layer-ddos-attack-type { description "Network layer DDoS attack types: Syn Flood Attack, UDP Flood Attack, ICMP Flood Attack, IP Fragment Flood, IPv6 Related Attacks, and etc."; case cfg-syn-flood-attack { description "Syn Flood Attack Case."; list syn-flood-attack-rule { Kim, et al. Expires January 4, 2018 [Page 57] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 key rule-id; description "Rule of Syn Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about syn flood attack."; } } } case cfg-udp-flood-attack { description "UDP Flood Attack Case."; list udp-flood-attack-rule { key rule-id; description "Rule of UDP Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about udp flood attack."; } } } case cfg-icmp-flood-attack { description "ICMP Flood Attack Case."; list icmp-flood-attack-rule { key rule-id; description "Rule of ICMP Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about icmp flood attack."; } } } Kim, et al. Expires January 4, 2018 [Page 58] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 case cfg-ip-frag-flood-attack { description "IP Fragment Flood Attack Case."; list ip-frag-flood-attack-rule { key rule-id; description "Rule of Ip Fragment Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about ip fragment flood attack."; } } } case cfg-ipv6-related-attacks { description "IPv6 Related Attacks Case."; list ipv6-related-attacks-rule { key rule-id; description "Rule of Ipv6 Related Attacks."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about ipv6 related attacks."; } } } } } case cfg-app-layer-ddos-attack { description "Application layer DDoS-attack."; choice cfg-app-ddos-attack-type { description "Application layer DDoS-attack types: Http Flood Attack, Https Flood Attack, Kim, et al. Expires January 4, 2018 [Page 59] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 DNS Flood Attack, and DNS Amplification Flood Attack, SSL DDoS Attack, and etc."; case cfg-http-flood-attack { description "HTTP Flood Attack Case."; list http-flood-attack-rule { key rule-id; description "Rule of HTTP Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about http flood attack."; } } } case cfg-https-flood-attack { description "HTTPs Flood Attack Case."; list https-flood-attack-rule { key rule-id; description "Rule of HTTPs Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about https flood attack."; } } } case cfg-dns-flood-attack { description "DNS Flood Attack Case."; list dns-flood-attack-rule { key rule-id; Kim, et al. Expires January 4, 2018 [Page 60] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 description "Rule of DNS Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about dns flood attack."; } } } case cfg-dns-amp-flood-attack { description "DNS Amp Flood Attack Case."; list dns-amp-flood-attack-rule { key rule-id; description "Rule of DNS Amp Flood Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about dns amp flood attack."; } } } case cfg-ssl-ddos-attack { description "SSL DDoS Attack Case."; list ssl-ddos-attack-rule { key rule-id; description "Rule of SSL DDoS Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about ssl ddos attack."; } Kim, et al. Expires January 4, 2018 [Page 61] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } } } } } } case cfg-single-packet-attack { description "Single Packet Attacks."; choice cfg-single-packet-attack-type { description "DDoS-attack types: Scanning Attack, Sniffing Attack, Malformed Packet Attack, Special Packet Attack, and etc."; case cfg-scan-and-sniff-attack { description "Scanning and Sniffing Attack."; choice cfg-scan-and-sniff-attack-type { description "Scanning and sniffing attack types: IP Sweep attack, Port Scanning, and etc."; case cfg-ip-sweep-attack { description "IP Sweep Attack Case."; list ip-sweep-attack-rule { key rule-id; description "Rule of IP Sweep Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about ip sweep attack."; } } } case cfg-port-scanning-attack { description Kim, et al. Expires January 4, 2018 [Page 62] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 "Port Scanning Attack Case."; list port-scanning-attack-rule { key rule-id; description "Rule of Port Scanning Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about port scanning attack."; } } } } } case cfg-malformed-packet-attack { description "Malformed Packet Attack."; choice cfg-malformed-packet-attack-type { description "Malformed packet attack types: Ping of Death Attack, Teardrop Attack, and etc."; case cfg-ping-of-death-attack { description "Ping of Death Attack Case."; list ping-of-death-attack-rule { key rule-id; description "Rule of Ping of Death Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about ping of death attack."; } } } Kim, et al. Expires January 4, 2018 [Page 63] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 case cfg-teardrop-attack { description "Teardrop Attack Case."; list teardrop-attack-rule { key rule-id; description "Rule of Teardrop Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about teardrop attack."; } } } } } case cfg-special-packet-attack { description "special Packet Attack."; choice cfg-special-packet-attack-type { description "Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc."; case cfg-oversized-icmp-attack { description "Oversized ICMP Attack Case."; list oversized-icmp-attack-rule { key rule-id; description "Rule of Oversized ICMP Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about oversized icmp attack."; } } Kim, et al. Expires January 4, 2018 [Page 64] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 } case cfg-tracert-attack { description "Tracert Attack Case."; list tracert-attack-rule { key rule-id; description "Rule of Tracert Attack."; leaf rule-id { type uint8; mandatory true; description "The ID of the rule about tracert attack."; } } } } } } } } } } Figure 2: Data Model of I2NSF NSF Facing Interface 6. Security Considerations This document introduces no additional security threats and SHOULD follow the security requirements as stated in [i2nsf-framework]. 7. Acknowledgements This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This document has greatly benefited from inputs by Daeyoung Hyun, Dongjin Hong, Hyoungshick Kim, Tae-Jin Ahn, and Se-Hui Lee. 8. References Kim, et al. Expires January 4, 2018 [Page 65] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. 8.2. Informative References [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-xibassnez-i2nsf-capability-01 (work in progress), March 2017. [i2rs-rib-data-model] Wang, L., Ananthakrishnan, H., Chen, M., Dass, A., Kini, S., and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", draft-ietf-i2rs-rib-data-model-07 (work in progress), January 2017. [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy- info-model-03 (work in progress), May 2017. [i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", draft-ietf-i2nsf-framework-05 (work in progress), May 2017. Appendix A. Changes from draft-kim-i2nsf-nsf-facing-interface-data-model-01 The following changes are made from draft-kim-i2nsf-nsf-facing-interface-data-model-01: o Event components are revised by using enumeration according to the draft about Information Model of NSFs Capabilities [i2nsf-nsf-cap-im]. Kim, et al. Expires January 4, 2018 [Page 66] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 o Action components such as ingress-action and egress-action are revised by using enumeration. o Action components such as apply-profile-action are revised to allow for the execution of advanced NSFs. Authors' Addresses Jinyong Tim Kim Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 10 8273 0930 EMail: timkim@skku.edu Jaehoon Paul Jeong Department of Software Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Fax: +82 31 290 7996 EMail: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php Jung-Soo Park Electronics and Telecommunications Research Institute 218 Gajeong-Ro, Yuseong-Gu Daejeon 34129 Republic of Korea Phone: +82 42 860 6514 EMail: pjs@etri.re.kr Kim, et al. Expires January 4, 2018 [Page 67] Internet-Draft NSF-Facing Interface YANG Data Model July 2017 Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com Liang Xia (Frank) Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu China Phone: EMail: Frank.xialiang@huawei.com Kim, et al. Expires January 4, 2018 [Page 68]