Interface to Network Security Functions (I2NSF)                   L. Xia
Internet-Draft                                                    Q. Lin
Intended status: Standards Track                                  Huawei
Expires: September 14, 2017                               March 13, 2017

Policy Object for Interface to Network Security Functions (I2NSF)
draft-xia-i2nsf-security-policy-object-00

Abstract

This document describes policy objects used in the Interface to Network Security Functions (I2NSF) policy rules and defines the attributes of each policy object.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 14, 2017.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


1. Introduction

I2NSF policy consists of policy rules that are used to provision NSF instances. An I2NSF policy rule is defined using the "Event-Condition-Action" (ECA) model described in the Framework for Interface to Network Security Functions [I-D.ietf-i2nsf-framework]. In the ECA model, a condition determines whether or not the predefined actions are executed. A condition usually consists of several attributes; the Information Model of NSFs Capabilities [I-D.ietf-i2nsf-capability] describes the attributes of the different Condition subclasses. When policy rules are configured directly in terms of these attributes, the same attribute value, or the same combination of several attribute values, is typically repeated across many rules, and modifying such rules becomes complex and time-consuming.

To facilitate the provisioning of NSF instances, this document describes a set of reusable policy objects that can be referenced by any number of I2NSF policy rules. A policy object is defined by a set of data items, such as IP addresses, TCP/UDP ports, and domain names. Each policy object is predefined and named so that it can be referenced by name in I2NSF policy rules; a change to the object therefore applies to every rule that references it. Defining policy objects greatly simplifies the creation and maintenance of policy rules.

This document describes a set of policy objects and, for each policy object, defines its attributes.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Terminology

This document uses the terminology described in Interface to Network Security Functions (I2NSF) Terminology [I-D.ietf-i2nsf-terminology].

4. Policy Object

Policy objects are collections of commonly used condition attributes. Different policy objects consist of different attributes. In addition to the attributes listed below, every policy object may carry an optional description attribute. The following figure shows the policy objects defined in this document.


Policy Object
|
+---Address Object
|   
+---Address Group Object
|  
+---Domain Group Object
|   
+---Region Object
|
+---Region Group Object
|   
+---Service Object
|
+---Service Group Object
|
+---Application Object
|
+---Application Group Object
|
+---Schedule Object
|
+---User Object
|
+---User Group Object
|
+---Security Group Object
           

Figure 1: The policy objects

4.1. Address Object

An address object is a collection of IPv4/IPv6 addresses or MAC addresses. It consists of the following attributes:

4.1.1. The addressName Attribute

This attribute defines the unique name of the address object.

4.1.2. The addressRange Attribute

This attribute defines a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses.

The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range.

The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.

4.2. Address Group Object

An address group object is composed of several address items that require the same policy enforcement. An address item can be an IPv4/IPv6 address, a MAC address, a range of contiguous IPv4/IPv6 addresses, an existing address object, or an existing address group object. An address group object consists of the following attributes:

4.2.1. The addressGroupName Attribute

This attribute defines the unique name of the address group object.

4.2.2. The addressReference Attribute

This attribute refers to the existing address objects or existing address group objects identified by their unique names.

4.2.3. The addressRange Attribute

This attribute has the same semantics as the addressRange attribute of the address object (Section 4.1.2). It can define a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses.

The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range.

The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.
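The addressReference attribute (and the corresponding *Reference attributes of the region, service and application group objects) names existing objects or other groups, so an NSF has to expand those references before a rule can be enforced. The following is an added example, not part of this draft, of such an expansion; the dict layout for objects and groups is an assumption of the example, since the draft defines no concrete encoding. It rejects a reference to a name that does not exist and a chain of group references that leads back to the referencing group, since either would otherwise make the rule silently match nothing or never terminate.

```python
# Added example (not part of this draft): resolving the members of a group
# object through nested *Reference attributes.  The dict layout used for
# objects and groups is an assumption of this example.  The same routine
# applies to address, region, service and application groups, since all of
# them reference objects or other groups by unique name.


class PolicyObjectError(ValueError):
    """Raised when a reference cannot be resolved safely."""


def resolve_group(name, objects, groups):
    """Return the set of leaf items reachable from group `name`.

    objects: {object_name: [leaf_item, ...]}
    groups:  {group_name: {"reference": [names...], "items": [leaf_item, ...]}}

    A name in "reference" may denote an object or another group.  The
    depth-first walk keeps the current path so that a cycle such as
    A -> B -> A is rejected instead of recursing forever, and an unknown
    name is rejected instead of silently matching nothing.
    """
    resolved = {}                       # memo: group name -> frozenset

    def visit(group, path):
        if group in resolved:
            return resolved[group]
        if group in path:
            raise PolicyObjectError("circular group reference: "
                                    + " -> ".join(path + [group]))
        spec = groups[group]
        found = set(spec.get("items", []))          # inline leaf items
        for ref in spec.get("reference", []):
            if ref in objects:
                found.update(objects[ref])
            elif ref in groups:
                found.update(visit(ref, path + [group]))
            else:
                raise PolicyObjectError("%s references unknown object %r"
                                        % (group, ref))
        resolved[group] = frozenset(found)
        return resolved[group]

    if name not in groups:
        raise PolicyObjectError("unknown group %r" % name)
    return set(visit(name, []))


def check_groups(groups, objects):
    """Validate every group once; returns {group: sorted leaves | error text}."""
    report = {}
    for group in groups:
        try:
            report[group] = sorted(resolve_group(group, objects, groups))
        except PolicyObjectError as exc:
            report[group] = "ERROR: " + str(exc)
    return report


# Constructed sample data: two address objects and five address groups,
# two of which are deliberately malformed.
ADDRESS_OBJECTS = {
    "dns-servers": ["192.0.2.53", "2001:db8::53"],
    "web-tier": ["198.51.100.0/24"],
}
ADDRESS_GROUPS = {
    "infra": {"reference": ["dns-servers", "web-tier"],
              "items": ["00:11:22:33:44:55"]},
    "all-internal": {"reference": ["infra"], "items": ["10.0.0.0/8"]},
    "loop-a": {"reference": ["loop-b"]},          # loop-a -> loop-b -> loop-a
    "loop-b": {"reference": ["loop-a"]},
    "dangling": {"reference": ["no-such-object"]},
}

if __name__ == "__main__":
    report = check_groups(ADDRESS_GROUPS, ADDRESS_OBJECTS)
    for group, result in sorted(report.items()):
        print("%-13s %s" % (group, result))
```

Running the check over the whole group table before installation, rather than lazily at match time, is what keeps a later edit that introduces a cycle or a typo in a name from taking a policy out of service.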

4.3. Domain Group Object

A domain group object is a collection of domain names that require the same policy enforcement. It consists of the following attributes:

4.3.1. The domainGroupName Attribute

This attribute defines the unique name of the domain group object.

4.3.2. The domainNameList Attribute

This attribute defines a set of domain names. A domain name can be matched in two modes: exact match and suffix match. Accordingly, an entry is either the full string of a domain name (e.g., www.example.com), which matches only that name, or a domain name beginning with a wildcard label (e.g., *.example.com), which matches names under that suffix.
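The following is an added example, not code from this draft, of matching a host name against a domainNameList in the two modes above. The security-relevant detail is that suffix matching has to be done on whole DNS labels: a plain string suffix test for "example.com" would also accept "notexample.com". The draft does not say whether "*.example.com" also matches the bare name "example.com"; the example assumes it does not.

```python
# Added example (not part of this draft): matching a host name against a
# domainNameList using exact match ("www.example.com") and suffix match
# ("*.example.com").  Matching is done on whole DNS labels, so
# "*.example.com" does not match "notexample.com" or "example.com.evil.test",
# which a plain string suffix test would accept.  Whether the wildcard form
# matches the bare parent name is not specified by the draft; assumed not.


def normalise(name):
    """DNS names are case-insensitive; also drop a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def compile_domain_list(entries):
    """Split a domainNameList into an exact-match set and a suffix set."""
    exact, suffixes = set(), set()
    for entry in entries:
        entry = normalise(entry)
        if entry.startswith("*."):
            suffix = entry[2:]
            if not suffix or "*" in suffix:
                raise ValueError("unsupported wildcard entry: %r" % entry)
            suffixes.add(suffix)
        elif "*" in entry:
            raise ValueError("wildcard is only allowed as the leading label: %r"
                             % entry)
        else:
            exact.add(entry)
    return exact, suffixes


def domain_matches(host, compiled):
    """True if `host` matches any entry of the compiled domainNameList."""
    exact, suffixes = compiled
    host = normalise(host)
    if host in exact:
        return True
    # Walk up the label tree: a.b.example.net -> b.example.net -> example.net
    labels = host.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(1, len(labels)))


# Constructed sample group: one exact entry, one wildcard entry, one FQDN.
DOMAIN_GROUP = ["www.example.com", "*.example.net", "cdn.example.org."]
COMPILED = compile_domain_list(DOMAIN_GROUP)

if __name__ == "__main__":
    for host in ("WWW.Example.COM", "a.b.example.net", "notexample.net",
                 "example.net.evil.test", "cdn.example.org"):
        print("%-24s %s" % (host, domain_matches(host, COMPILED)))
```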

4.4. Region Object

A region object is a collection of IPv4/IPv6 addresses located in the same geographical region. A set of region objects that can be referenced directly should be predefined by NSFs. A region object consists of the following attributes:

4.4.1. The regionName Attribute

This attribute defines the unique name of the region object.

4.4.2. The regionLocation Attribute

This attribute defines the longitude and latitude of the region. It consists of two sub-attributes:

4.4.2.1. The regionLongitude Attribute

This attribute defines the longitude of the region.

4.4.2.2. The regionLatitude Attribute

This attribute defines the latitude of the region.

4.4.3. The regionIPAddress Attribute

This attribute defines a set of IPv4/IPv6 addresses or a range of contiguous IPv4/IPv6 addresses. An IP address can belong to only one region object, so the regionIPAddress attributes of different region objects must not overlap.

The IPv4 address range can be defined by IPv4 address with wildcard mask, IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range.

The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.
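The following is an added example, not code from this draft, covering both the addressRange attribute of Sections 4.1.2 and 4.2.3 and the regionIPAddress attribute above: it parses every address form the draft allows and checks the rule that an IP address belongs to at most one region object. The item syntax (wildcard mask as "address wildcard", subnet mask or prefix length after "/", "start-end" for a range) is an assumption of the example, since the draft defines no encoding. Each IP item is reduced to a (value, don't-care mask) pattern; that representation also covers a non-contiguous wildcard mask, which no single prefix can express, and makes the overlap test between two items a single bit operation.

```python
# Added example (not part of this draft): parsing addressRange /
# regionIPAddress items and checking that region objects do not overlap.
# Assumed item syntax (the draft defines none):
#     "192.0.2.0 0.0.0.255"           IPv4 address with wildcard mask
#     "198.51.100.0/255.255.255.128"  IPv4 address with subnet mask
#     "198.51.100.0/25"               IPv4/IPv6 address with prefix length
#     "203.0.113.10-203.0.113.20"     start and end of a contiguous range
#     "00-1A-2B-3C-4D-5E"             MAC address
import ipaddress
import re
from collections import namedtuple

Pattern = namedtuple("Pattern", "version value wild")   # wild bit = don't care
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def _net_pattern(net):
    return Pattern(net.version, int(net.network_address), int(net.hostmask))


def parse_item(text):
    """Parse one address item into a list of Patterns (IP) or one MAC string."""
    text = text.strip()
    if MAC_RE.match(text):
        return [text.lower().replace("-", ":")]
    if " " in text:                                   # "address wildcard-mask"
        addr, wild = text.split()
        value = int(ipaddress.IPv4Address(addr))
        dont_care = int(ipaddress.IPv4Address(wild))
        return [Pattern(4, value & ~dont_care & 0xFFFFFFFF, dont_care)]
    if "-" in text:                                   # "start-end"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("invalid address range: %r" % text)
        return [_net_pattern(n)
                for n in ipaddress.summarize_address_range(lo, hi)]
    # "addr/prefixlen", "addr/netmask", or a single address (/32, /128)
    return [_net_pattern(ipaddress.ip_network(text, strict=False))]


def parse_object(items):
    """Parse all items of an addressRange / regionIPAddress attribute."""
    return [p for item in items for p in parse_item(item)]


def contains(parsed, address):
    """True if the IP or MAC `address` matches any parsed item."""
    if MAC_RE.match(address):
        return address.lower().replace("-", ":") in parsed
    a = ipaddress.ip_address(address)
    full = (1 << a.max_prefixlen) - 1
    return any(isinstance(p, Pattern) and p.version == a.version
               and ((int(a) ^ p.value) & ~p.wild & full) == 0
               for p in parsed)


def overlap(p, q):
    """Two patterns intersect iff they agree on every bit both care about."""
    return (p.version == q.version
            and ((p.value ^ q.value) & ~(p.wild | q.wild)) == 0)


def region_conflicts(regions):
    """Return the pairs of region names whose regionIPAddress sets overlap."""
    parsed = {name: [p for p in parse_object(items) if isinstance(p, Pattern)]
              for name, items in regions.items()}
    names = sorted(parsed)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(overlap(p, q) for p in parsed[a] for q in parsed[b])]


# Constructed sample data: one address object and three region objects.
BRANCH_ADDRESSES = ["192.0.2.0 0.0.0.255", "198.51.100.0/255.255.255.128",
                    "203.0.113.10-203.0.113.20", "2001:db8:1::/48",
                    "00-1A-2B-3C-4D-5E"]
REGIONS = {
    "region-east": ["192.0.2.0/24", "2001:db8:1::/48"],
    "region-west": ["198.51.100.0/24"],
    "region-bad": ["192.0.2.128-192.0.2.255"],        # overlaps region-east
}

if __name__ == "__main__":
    branch = parse_object(BRANCH_ADDRESSES)
    for probe in ("192.0.2.77", "198.51.100.200", "203.0.113.15",
                  "00:1a:2b:3c:4d:5e"):
        print("%-20s %s" % (probe, contains(branch, probe)))
    print("overlapping regions:", region_conflicts(REGIONS))
```

The overlap test relies on the fact that two (value, don't-care) patterns have a common address exactly when they agree on every bit that both of them care about; a start-end range is first split into the prefixes that cover it, so it is handled by the same test.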

4.5. Region Group Object

A region group object is a collection of region objects that require the same policy enforcement. It consists of the following attributes:

4.5.1. The regionGroupName Attribute

This attribute defines the unique name of the region group object.

4.5.2. The regionGroupReference Attribute

This attribute refers to the existing region objects or region group objects identified by their unique names.

4.6. Service Object

A service object is one or more services that can be identified by certain information, such as protocol type, source port number and destination port number. A set of well-known services should be predefined by NSFs as service objects to support direct reference. A service object consists of the following attributes:

4.6.1. The serviceName Attribute

This attribute defines the unique name of the service object.

4.6.2. The serviceList Attribute

This attribute defines a set of services. A service is defined by the following sub-attributes.

4.6.2.1. The serviceProtocol Attribute

This attribute defines the protocol type of the service. The value of this attribute is selected from six types of protocols: TCP, UDP, SCTP, ICMP, ICMPv6 or IP.

4.6.2.2. The serviceProtocolNumber Attribute

When the serviceProtocol is IP, this attribute defines the protocol number, i.e., the value of the Protocol field of the IPv4 header (or the Next Header field of the IPv6 header) that identifies the upper-layer protocol carried in the packet.

4.6.2.3. The serviceSourcePort Attribute

This attribute defines the source port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set.

4.6.2.4. The serviceDestinationPort Attribute

This attribute defines the destination port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set.

4.6.2.5. The serviceICMPType Attribute

This attribute defines the ICMP/ICMPv6 type for the ICMP or ICMPv6 protocol. An ICMP/ICMPv6 type is identified by the type number together with the message code, so this attribute has two sub-attributes, serviceICMPTypeNumber and serviceICMPMessageCode, which shall always be defined together.

The serviceICMPTypeNumber Attribute: It defines the ICMP/ICMPv6 type number.

The serviceICMPMessageCode Attribute: It defines the ICMP/ICMPv6 message code.

For example, an ICMP Echo (request) is specified by setting serviceICMPTypeNumber to 8 and serviceICMPMessageCode to 0. Note that the type numbers of ICMP and ICMPv6 differ: the ICMPv6 Echo Request has type number 128, so a service that is meant to cover both address families needs one entry per protocol.
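The following is an added example, not code from this draft, of matching a packet against a service object. It shows the three match paths the attributes above imply: port ranges for TCP/UDP/SCTP, type number plus message code for ICMP/ICMPv6, and the raw protocol number when serviceProtocol is IP. The dict layout (keys named after the draft's attributes), the packet fields and the port-range encoding (a single number or an inclusive (low, high) pair) are assumptions of the example.

```python
# Added example (not part of this draft): matching a packet against a
# service object.  The dict layout, packet fields and port-range encoding
# are assumptions of this example.
PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "ICMPV6": 58, "SCTP": 132}
PORT_PROTOCOLS = ("TCP", "UDP", "SCTP")


def _in_range(value, spec):
    """spec is None (any), a single number, or an inclusive (low, high) tuple."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    return value == spec


def service_matches(service, pkt):
    """pkt: {'proto': <IP protocol number>, plus 'sport'/'dport' for
    TCP/UDP/SCTP or 'icmp_type'/'icmp_code' for ICMP/ICMPv6}."""
    proto = service["serviceProtocol"].upper()
    if proto == "IP":
        # serviceProtocolNumber is the IPv4 Protocol / IPv6 Next Header value
        return _in_range(pkt["proto"], service.get("serviceProtocolNumber"))
    if pkt["proto"] != PROTOCOL_NUMBERS[proto]:
        return False
    if proto in PORT_PROTOCOLS:
        return (_in_range(pkt["sport"], service.get("serviceSourcePort")) and
                _in_range(pkt["dport"], service.get("serviceDestinationPort")))
    # ICMP / ICMPv6: the type number and message code are matched together
    icmp = service.get("serviceICMPType")
    if icmp is None:
        return True                                  # any ICMP message
    return (pkt.get("icmp_type") == icmp["serviceICMPTypeNumber"] and
            pkt.get("icmp_code") == icmp["serviceICMPMessageCode"])


def service_object_matches(service_object, pkt):
    """A service object matches if any entry of its serviceList matches."""
    return any(service_matches(s, pkt) for s in service_object["serviceList"])


# Constructed sample service objects.
SERVICE_OBJECTS = {
    "web": {"serviceName": "web", "serviceList": [
        {"serviceProtocol": "TCP", "serviceDestinationPort": 80},
        {"serviceProtocol": "TCP", "serviceDestinationPort": 443}]},
    "ping": {"serviceName": "ping", "serviceList": [
        {"serviceProtocol": "ICMP", "serviceICMPType":
            {"serviceICMPTypeNumber": 8, "serviceICMPMessageCode": 0}},
        {"serviceProtocol": "ICMPv6", "serviceICMPType":
            {"serviceICMPTypeNumber": 128, "serviceICMPMessageCode": 0}}]},
    "dns-from-ephemeral": {"serviceName": "dns-from-ephemeral", "serviceList": [
        {"serviceProtocol": "UDP", "serviceSourcePort": (49152, 65535),
         "serviceDestinationPort": 53}]},
    "gre": {"serviceName": "gre", "serviceList": [
        {"serviceProtocol": "IP", "serviceProtocolNumber": 47}]},
}

if __name__ == "__main__":
    packets = [{"proto": 6, "sport": 51000, "dport": 443},
               {"proto": 1, "icmp_type": 8, "icmp_code": 0},
               {"proto": 58, "icmp_type": 128, "icmp_code": 0},
               {"proto": 17, "sport": 53000, "dport": 53},
               {"proto": 47}]
    for pkt in packets:
        hits = [n for n, s in SERVICE_OBJECTS.items()
                if service_object_matches(s, pkt)]
        print(pkt, "->", hits)
```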

4.7. Service Group Object

A service group object is a collection of service objects that require the same policy enforcement. It consists of the following attributes:

4.7.1. The serviceGroupName Attribute

This attribute defines the unique name of the service group object.

4.7.2. The serviceReference Attribute

This attribute refers to the existing service objects or service group objects identified by their unique names.

4.8. Application Object

An application object describes a kind of application that can be identified by several features, such as category, subcategory or risk level. A set of well-known application objects should be predefined by NSFs to support direct reference. An application object consists of the following attributes:

4.8.1. The applicationName Attribute

This attribute defines the unique name of the application object.

4.8.2. The applicationCategory Attribute

This attribute defines the category of the application. The value of this attribute is selected from a predefined set of categories, e.g., general category, network application category.

4.8.3. The applicationSubCategory Attribute

This attribute defines the subcategory of the application. The value of this attribute is selected from a predefined set of subcategories, e.g., search engine subcategory, electronic commerce subcategory.

4.8.4. The applicationTransmissionModel Attribute

This attribute defines the data transmission model of the application. The value of this attribute is selected from a predefined set of transmission models, e.g., client/server model, peer-to-peer model.

4.8.5. The applicationLabel Attribute

This attribute defines a set of labels for the application. The values of this attribute are selected from a predefined set of labels, e.g., database, encrypted-communication.

4.8.6. The applicationRiskLevel Attribute

This attribute defines a risk level for the application. The value of this attribute is selected from a predefined number of risk levels.

4.9. Application Group Object

An application group object is a collection of application objects that require the same policy enforcement. It consists of the following attributes:

4.9.1. The applicationGroupName Attribute

This attribute defines the unique name of the application group object.

4.9.2. The applicationReference Attribute

This attribute refers to the existing application objects or application group objects identified by their unique names.

4.10. Schedule Object

A schedule object is a set of time ranges. There are two kinds of time ranges: periodic and absolute. A periodic time range recurs every week on the selected days; an absolute time range occurs only once. A schedule object consists of the following attributes:

4.10.1. The scheduleName Attribute

This attribute defines the unique name of the schedule object.

4.10.2. The scheduleList Attribute

This attribute defines a set of time ranges. A time range can be defined by the following sub-attributes.

4.10.2.1. The scheduleType Attribute

This attribute defines the type of a time range. The value of this attribute is selected from the two types: periodic, absolute.

4.10.2.2. The scheduleStartTime Attribute

For a periodic time range, this attribute defines the start time in a day. For an absolute time range, this attribute defines the start time and start date.

4.10.2.3. The scheduleEndTime Attribute

For a periodic time range, this attribute defines the end time in a day. For an absolute time range, this attribute defines the end time and end date.

4.10.2.4. The scheduleWeekDay Attribute

This attribute defines the days in a week that the periodic time range takes effect.
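The following is an added example, not code from this draft, that decides whether a timestamp falls inside a schedule object. The encoding is an assumption of the example: a periodic range carries scheduleWeekDay as a list of weekday numbers (0 = Monday to 6 = Sunday) and scheduleStartTime/scheduleEndTime as "HH:MM"; an absolute range carries "YYYY-MM-DD HH:MM" in both. The draft does not say whether the end time is inclusive, so the example treats the start as inclusive and the end as exclusive, and it handles a periodic range whose end time is earlier than its start (for example 22:00 to 06:00) as running past midnight into the following day, a case the text above does not address but which a nightly maintenance window needs.

```python
# Added example (not part of this draft): evaluating a schedule object.
# Encoding, inclusive/exclusive convention and midnight handling are
# assumptions of this example as described in the lead-in.
from datetime import datetime


def parse_hm(text):
    return datetime.strptime(text, "%H:%M").time()


def parse_absolute(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def time_range_active(entry, when):
    """True if the naive datetime `when` lies inside one time range."""
    kind = entry["scheduleType"]
    if kind == "absolute":
        return (parse_absolute(entry["scheduleStartTime"]) <= when
                < parse_absolute(entry["scheduleEndTime"]))
    if kind != "periodic":
        raise ValueError("unknown scheduleType %r" % kind)
    start = parse_hm(entry["scheduleStartTime"])
    end = parse_hm(entry["scheduleEndTime"])
    days = set(entry["scheduleWeekDay"])
    now, today = when.time(), when.weekday()
    if start < end:                                  # window within one day
        return today in days and start <= now < end
    # Window crosses midnight (or start == end, read as a full 24 hours):
    # the part before `end` belongs to the day on which the window started.
    if today in days and now >= start:
        return True
    return (today - 1) % 7 in days and now < end


def schedule_active(schedule, when):
    """A schedule object is active if any of its time ranges is active."""
    return any(time_range_active(e, when) for e in schedule["scheduleList"])


# Constructed sample: a weekend night window plus one absolute window.
MAINTENANCE = {"scheduleName": "maintenance", "scheduleList": [
    {"scheduleType": "periodic", "scheduleWeekDay": [5, 6],     # Sat, Sun
     "scheduleStartTime": "22:00", "scheduleEndTime": "06:00"},
    {"scheduleType": "absolute",
     "scheduleStartTime": "2017-03-13 09:00",
     "scheduleEndTime": "2017-03-13 17:00"}]}

if __name__ == "__main__":
    for stamp in ("2017-03-13 12:00", "2017-03-18 23:30", "2017-03-20 03:00",
                  "2017-03-20 07:00"):
        print(stamp, schedule_active(MAINTENANCE, parse_absolute(stamp)))
```

Note that the window that starts on Sunday night is still active at 03:00 on Monday even though Monday is not in scheduleWeekDay; an implementation that only checks the current weekday would cut such a window off at midnight.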

4.11. User Object

A user object identifies a person who may access network resources and is the basis for user-based I2NSF policy. User objects may be created locally on the NSFs or imported from third parties, such as authentication servers. User objects that require the same policy enforcement are grouped into user group objects or security group objects. User group objects are organized as a hierarchy, whereas a security group object collects user objects from different user group objects that require the same policy enforcement. A user object consists of the following attributes:

4.11.1. The userName Attribute

This attribute refers to the user name that is used for user authentication.

4.11.2. The userParentGroup Attribute

This attribute refers to the existing parent user group object to which this user object belongs. The parent user group object is identified by its unique name. A user object can only belong to one user group object.

4.11.3. The userSecurityGroup Attribute

This attribute refers to the existing security group objects to which this user object belongs. Each security group object is identified by its unique name. A user object can belong to several security group objects.

4.11.4. The userDomain Attribute

This attribute refers to the authentication domain to which this user object belongs.

4.11.5. The userPassword Attribute

If the user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name. Its value is a credential and is subject to the protection requirements of Section 7.

4.11.6. The userExpirationTime Attribute

This attribute defines when this user object expires.

4.11.7. The userAllowSharing Attribute

This attribute defines whether the user account identified by the userName and userPassword attributes may be shared by different persons. If sharing is allowed, this user object can be logged on from several devices simultaneously.

4.11.8. The userBindingStatus Attribute

This attribute defines whether the user object is bound to IP addresses, MAC addresses, or IP/MAC address pairs. It is selected from three binding modes: no binding, unidirectional binding, and bidirectional binding. In no binding mode, the user object is not bound to any IP address, MAC address, or IP/MAC address pair. In unidirectional binding mode, the addresses or address pairs bound to this user object may also be bound to other user objects. In bidirectional binding mode, the addresses or address pairs bound to this user object should not be bound to any other bidirectional-binding user object.

4.11.9. The userBindingAddress Attribute

This attribute defines the bound IP addresses, or MAC addresses, or IP/MAC address pairs. If the userBindingStatus is unidirectional binding or bidirectional binding, this attribute is mandatory.
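The following is an added example, not code from this draft, that validates the userBindingStatus and userBindingAddress attributes across a set of user objects. The encoding is an assumption of the example: userBindingStatus is one of "none", "unidirectional" or "bidirectional", and userBindingAddress is a list of strings that are an IP address, a MAC address, or an "ip/mac" pair. The check enforces the two constraints stated above: a bound user lists at least one address, and an address bound bidirectionally to one user is not bound bidirectionally to another. Bindings are canonicalised first, so that the same MAC address written with different case or separators, or an IPv6 address written with and without zero compression, is recognised as the same binding.

```python
# Added example (not part of this draft): validating user binding attributes.
# The attribute encoding is an assumption of this example.
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
BINDING_MODES = ("none", "unidirectional", "bidirectional")


def normalise_binding(item):
    """Canonical tuple for a binding so textual variants compare equal."""
    item = item.strip()
    if "/" in item:                                    # "ip/mac" pair
        ip, mac = (part.strip() for part in item.split("/", 1))
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC address in pair: %r" % item)
        return ("pair", str(ipaddress.ip_address(ip)),
                mac.lower().replace("-", ":"))
    if MAC_RE.match(item):
        return ("mac", item.lower().replace("-", ":"))
    return ("ip", str(ipaddress.ip_address(item)))    # raises on garbage


def validate_bindings(users):
    """Return a list of problem strings; an empty list means no conflicts."""
    problems = []
    owner = {}                   # canonical binding -> bidirectional user name
    for user in users:
        name = user["userName"]
        mode = user.get("userBindingStatus", "none")
        addrs = user.get("userBindingAddress", [])
        if mode not in BINDING_MODES:
            problems.append("%s: unknown userBindingStatus %r" % (name, mode))
            continue
        if mode == "none":
            continue
        if not addrs:            # userBindingAddress is mandatory when bound
            problems.append("%s: %s binding without userBindingAddress"
                            % (name, mode))
            continue
        keys = [normalise_binding(a) for a in addrs]   # syntax check for all
        if mode == "unidirectional":
            continue             # may share addresses with other users
        for item, key in zip(addrs, keys):
            holder = owner.setdefault(key, name)
            if holder != name:
                problems.append("%s: %s is already bound bidirectionally to %s"
                                % (name, item, holder))
    return problems


# Constructed sample: carol collides with alice, dave lacks an address.
USERS = [
    {"userName": "alice", "userBindingStatus": "bidirectional",
     "userBindingAddress": ["192.0.2.10/00-1A-2B-3C-4D-5E"]},
    {"userName": "bob", "userBindingStatus": "unidirectional",
     "userBindingAddress": ["192.0.2.10/00:1a:2b:3c:4d:5e", "192.0.2.11"]},
    {"userName": "carol", "userBindingStatus": "bidirectional",
     "userBindingAddress": ["192.0.2.10/00:1A:2B:3C:4D:5E", "2001:DB8::1"]},
    {"userName": "dave", "userBindingStatus": "bidirectional",
     "userBindingAddress": []},
    {"userName": "erin", "userBindingStatus": "none"},
]

if __name__ == "__main__":
    for line in validate_bindings(USERS) or ["no binding conflicts"]:
        print(line)
```

Note that bob, who is bound unidirectionally, is allowed to share alice's address pair, exactly as the text above permits; only the second bidirectional claim on the same pair is reported.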

4.12. User Group Object

A user group object is a collection of user objects that require the same policy enforcement; it usually corresponds to an organizational entity such as a department. User group objects are organized as a hierarchy: a user group object may belong to another user group object. User group objects may be created locally on the NSFs or imported from third parties, such as authentication servers. A user group object consists of the following attributes:

4.12.1. The userGroupName Attribute

This attribute defines the unique name of the user group object.

4.12.2. The userGroupParentGroup Attribute

This attribute refers to the existing parent user group object to which this user group object belongs. The parent user group object is identified by its unique name. A user group object can only belong to one parent user group object.

4.12.3. The userGroupDomain Attribute

This attribute refers to the authentication domain to which this user group object belongs.

4.12.4. The userGroupReference Attribute

This attribute refers to the existing user objects or user group objects which belong to this user group object.

4.12.5. The userGroupAllowSharing Attribute

This attribute defines whether the user objects of this user group object are allowed to be shared by different persons. If allowed, all user objects of this user group object can be logged on to several devices simultaneously.

4.13. Security Group Object

A security group object consists of user objects from different user group objects that require the same policy enforcement. Security group objects may be created locally on the NSFs or imported from third parties, such as authentication servers. A security group object consists of the following attributes:

4.13.1. The securityGroupName Attribute

This attribute defines the unique name of the security group object.

4.13.2. The securityGroupParentGroup Attribute

This attribute refers to the existing parent security group objects to which this security group object belongs. The parent security group objects are identified by their unique names.

4.13.3. The securityGroupDomain Attribute

This attribute refers to the authentication domain to which this security group object belongs.

4.13.4. The securityGroupType Attribute

This attribute defines the type of the security group object. There are two types: static and dynamic. For a static security group, the member objects are fixed and added explicitly as required. For a dynamic security group, the member objects are generated dynamically by filtering rules.

4.13.5. The securityGroupReference Attribute

This attribute defines the member objects for static security group object. It refers to the existing user objects or security group objects which belong to this security group object.

4.13.6. The securityGroupFilters Attribute

This attribute defines the filtering rules for dynamic security group object.

4.13.7. The securityGroupAllowSharing Attribute

This attribute defines whether the user objects of this security group object are allowed to be shared by different persons. If allowed, all user objects of this security group object can be logged on to several devices simultaneously.

5. Acknowledgements

6. IANA Considerations

This document requires no IANA actions.

7. Security Considerations

When policy objects are transmitted, their integrity should be guaranteed. NSFs should verify that any modification of a policy object comes from the authenticated security controller, and NSFs should protect stored policy objects from tampering. The userPassword attribute (Section 4.11.5) carries a credential, so the confidentiality of policy objects in transit and at rest should be protected as well. Because policy rules and group objects reference policy objects by name, an NSF should also verify that every referenced object exists before a rule or group takes effect, so that a dangling reference cannot silently change what a policy matches.

8. References

8.1. Normative References

[I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Zhang, D., Li, K., Basile, C., Lioy, A., Lopez, D., Lopez, E., BOUTHORS, N. and L. Fang, "Information Model of NSFs Capabilities", 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

8.2. Informative References

[I-D.ietf-i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J. and R. Kumar, "Framework for Interface to Network Security Functions", 2016.
[I-D.ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L. and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", 2016.

Authors' Addresses

Liang Xia
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu  210012
China

EMail: Frank.xialiang@huawei.com

Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen, Guangdong  518129
China

EMail: linqiushi@huawei.com