Network Working Group W. Pan
Internet-Draft L. Xia
Intended status: Standards Track Huawei
Expires: April 18, 2019 October 15, 2018
Configuration of Advanced Security Functions with I2NSF Security
Controller
draft-dong-i2nsf-asf-config-01
Abstract
This draft defines a network security function (NSF)-facing interface of
the security controller for the purpose of configuring some advanced
security functions. These advanced security functions include
antivirus, anti-ddos, and intrusion prevention system (IPS). The
interface is presented as a YANG data model and can be used to deploy a
large number of NSF instances that all support the above-mentioned
functions in the software-defined networking (SDN) based paradigm.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Pan & Xia Expires April 18, 2019 [Page 1]
Internet-Draft Config. Advanced Sec. Func. in I2NSF October 2018
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Definition of Terms . . . . . . . . . . . . . . . . . . . 3
3. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Data Model Structure . . . . . . . . . . . . . . . . . . . . 3
4.1. Antivirus . . . . . . . . . . . . . . . . . . . . . . . . 3
4.2. Anti-ddos . . . . . . . . . . . . . . . . . . . . . . . . 4
4.3. Intrusion prevention system . . . . . . . . . . . . . . . 6
5. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Antivirus . . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Anti-ddos . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3. Intrusion prevention system . . . . . . . . . . . . . . . 20
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
7. Security Considerations . . . . . . . . . . . . . . . . . . . 26
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
9.1. Normative References . . . . . . . . . . . . . . . . . . 26
9.2. Informative References . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
I2NSF provides a technology- and vendor-independent way for a
centralized security controller in an SDN environment to manage and
configure distributed NSFs [RFC8329]. The NSFs are customized
automatically, in a programmable manner, via a standard interface. The
draft [I-D.ietf-i2nsf-nsf-facing-interface-dm] proposes a generic
NSF-facing interface for managing which action should be applied to
which traffic. In addition, another draft defines the NSF-facing
interface for the management, including configuration and monitoring,
of IPsec SAs [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].
In this document, we define another NSF-facing interface that the
security controller uses to configure some advanced security functions,
namely the antivirus, anti-ddos, and IPS profiles. Given the variety
and complexity of advanced security functions, it is hard to define an
interface for configuring every one of them. Antivirus, anti-ddos and
IPS are the most common and best-developed advanced security functions
and are widely deployed. Standardizing the interface of these three
functions minimizes the cost of managing and configuring them from the
security controller in a vendor-independent way.
2. Terminology
2.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2.2. Definition of Terms
This document uses the terms defined in [I-D.ietf-i2nsf-terminology].
3. Tree Diagrams
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" state data (read-only).
o Symbols after data node names: "?" means an optional node and "*"
denotes a "list" or "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
4. Data Model Structure
4.1. Antivirus
The following tree diagram shows the interface for configuring
antivirus detection on incoming and outgoing files. The file transfer
protocol type, the direction of the file transfer, and the action
applied when a virus is detected can be configured. In addition, this
interface supports configuring application and signature exceptions,
which apply specific actions to certain applications and to certain
detected viruses respectively. The antivirus function also supports
configuring a whitelist of trusted files.
   module: ietf-i2nsf-asf-config-antivirus
     +--rw antivirus
        +--rw profiles
           +--rw profile* [name]
              +--rw name                    string
              +--rw description?            string
              +--rw detect* [protocol-type direction]
              |  +--rw protocol-type    detect-protocol
              |  +--rw direction        detect-direction
              |  +--rw action?          detect-action
              +--rw exception-application* [application-name]
              |  +--rw application-name      string
              |  +--rw application-action?   detect-action
              +--rw exception-signature* [signature-id]
              |  +--rw signature-id        uint64
              |  +--rw signature-action?   detect-action
              +--rw whitelists {antivirus-whitelists}?
                 +--rw match-rules
                 |  +--rw match-rule* [scope type value]
                 |     +--rw scope    match-scope
                 |     +--rw type     match-type
                 |     +--rw value    string
                 +--rw source-address*        inet:ip-address
                 +--rw source-address-range* [start-address end-address]
                 |  +--rw start-address    inet:ip-address
                 |  +--rw end-address      inet:ip-address
                 +--rw destination-address*   inet:ip-address
                 +--rw destination-address-range* [start-address end-address]
                    +--rw start-address    inet:ip-address
                    +--rw end-address      inet:ip-address
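To show how the nodes of this profile combine when a transfer is evaluated, here is an added example that is not part of the draft and not code from any NSF implementation: a small Python evaluator that takes a profile instance shaped like the tree above and returns the detect-action for one file transfer. The evaluation order (whitelist first, then exception-application, then exception-signature, then the per-protocol detect rule), the reading of the "fuzzy" match-type as a substring match, and the profile contents are assumptions made for this example; the draft defines the nodes but not their precedence.

```python
# Added example: how the nodes of an antivirus profile combine when one file
# transfer is evaluated. Not code from the draft or from any I2NSF NSF.
# Assumptions: the evaluation order (whitelist, exception-application,
# exception-signature, detect rule), "fuzzy" meaning substring match, and the
# constructed profile/event data below.
import ipaddress

# Constructed profile instance; dict keys mirror the list keys of the tree diagram.
PROFILE = {
    "name": "mail-and-web",
    "detect": {                       # (protocol-type, direction) -> action
        ("http", "download"): "block",
        ("smtp", "upload"): "delete-attachment",
        ("ftp", "both"): "alert",
    },
    "exception-application": {"internal-backup": "allow"},
    "exception-signature": {4242: "alert"},
    "whitelists": {                   # present only when feature antivirus-whitelists is on
        "match-rules": [              # (scope, type, value)
            ("host", "suffix", ".updates.example"),
            ("url", "prefix", "http://mirror.example/iso/"),
        ],
        "source-address": ["192.0.2.10"],
        "source-address-range": [("198.51.100.0", "198.51.100.255")],
        "destination-address": [],
        "destination-address-range": [],
    },
}


def match_value(match_type, value, candidate):
    """Apply one whitelist match-type to a url/host/referer value of the transfer."""
    if candidate is None:
        return False
    if match_type == "prefix":
        return candidate.startswith(value)
    if match_type == "suffix":
        return candidate.endswith(value)
    if match_type == "fuzzy":         # assumption: fuzzy means substring
        return value in candidate
    if match_type == "exact":
        return candidate == value
    raise ValueError(f"unknown match-type {match_type!r}")


def address_listed(addr, singles, ranges):
    """True if addr is in the leaf-list or inside any [start-address, end-address] range."""
    ip = ipaddress.ip_address(addr)
    if any(ip == ipaddress.ip_address(a) for a in singles):
        return True
    return any(ipaddress.ip_address(s) <= ip <= ipaddress.ip_address(e)
               for s, e in ranges)


def whitelisted(profile, event):
    """Does any whitelist match-rule or address entry cover this transfer?"""
    wl = profile.get("whitelists")
    if not wl:
        return False
    if any(match_value(t, v, event.get(scope)) for scope, t, v in wl["match-rules"]):
        return True
    if address_listed(event["src"], wl["source-address"], wl["source-address-range"]):
        return True
    return address_listed(event["dst"], wl["destination-address"],
                          wl["destination-address-range"])


def decide(profile, event):
    """Return the detect-action for one file transfer.

    event carries protocol, direction, src, dst and optionally application,
    signature-id (id of the virus signature that hit; None when the file is
    clean) and url/host/referer. Returns None when no detect rule covers the
    transfer, leaving the NSF default in force (the action leaf is optional).
    """
    if whitelisted(profile, event):
        return "allow"
    app_action = profile["exception-application"].get(event.get("application"))
    if app_action is not None:
        return app_action
    sig = event.get("signature-id")
    if sig is None:
        return "allow"                # nothing detected: the file passes
    if sig in profile["exception-signature"]:
        return profile["exception-signature"][sig]
    detect = profile["detect"]
    return (detect.get((event["protocol"], event["direction"]))
            or detect.get((event["protocol"], "both")))
```

A detect entry keyed with direction "both" acts as the fallback for either direction of that protocol, and the whitelist address check uses the same inclusive start/end semantics as the address-range grouping.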
4.2. Anti-ddos
The following tree diagram shows the configuration parameters of the
DDoS detection and prevention functions for different types of DDoS
attacks.
* SYN flood: The total number of packets that have the same
destination address is counted over a period of time. If the count
exceeds a pre-defined threshold, the prevention function is triggered.
The anti-ddos system alerts the user/administrator and starts source
address inspection or the TCP proxy function, as configured.
* UDP flood: UDP flood packets normally have the same payload, or the
payload changes regularly. The anti-ddos system is able to learn these
payload characteristics automatically; the result is the so-called
fingerprint of the UDP flood attack packets. A packet that matches the
learned fingerprint is then discarded. For a UDP flood attack that does
not have a fingerprint, a bandwidth threshold is configured to limit the
UDP traffic. If the UDP packets are associated with TCP packets, the
anti-ddos system can trigger the TCP protection measures and use the
generated white list to decide whether to discard the UDP packets.
* HTTP and HTTPS flood: The detection mechanisms for these two attacks
are similar to SYN flood detection. The total number of packets that
have the same destination address is counted over a period of time. A
threshold is set for the purpose of alerting.
* DNS request flood: The anti-ddos system counts the number of DNS
request packets that have the same destination address over a period of
time. Once this number exceeds a configured threshold, the prevention
function is triggered. The anti-ddos system sends a response to the
client asking it to repeat the request over a TCP connection, and then
verifies the source address.
* DNS reply flood: The anti-ddos system counts the number of DNS reply
packets that have the same destination address over a period of time.
Once this number exceeds a configured threshold, source address
inspection is triggered. The anti-ddos system asks the sender to send
the reply message again with a new query ID and port number. If the
second reply message is received and its query ID and port number match
the requested ones, this source address is added to the white list.
* ICMP flood: A threshold is configured to limit the rate of ICMP
traffic.
* SIP flood: The anti-ddos system counts the number of SIP request
packets that have the same destination address over a period of time.
If the count exceeds a pre-defined threshold, source authentication is
triggered. The anti-ddos system sends an OPTIONS request packet with a
specific branch value to verify whether the source address exists. If a
reply message is received in response to the OPTIONS packet, this source
address is added to the white list.
   module: ietf-i2nsf-asf-config-antiddos
     +--rw antiddos
        +--rw profiles
           +--rw profile* [name]
              +--rw name              string
              +--rw description?      string
              +--rw syn-flood* [action]
              |  +--rw action        syn-flood-action
              |  +--rw alert-rate?   uint32
              +--rw udp-flood* [action]
              |  +--rw action        udp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw http-flood* [action]
              |  +--rw action        http-flood-action
              |  +--rw alert-rate?   uint32
              +--rw https-flood* [action]
              |  +--rw action        https-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-request-flood* [action]
              |  +--rw action        dns-request-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-reply-flood* [action]
              |  +--rw action        dns-reply-flood-action
              |  +--rw alert-rate?   uint32
              +--rw icmp-flood* [action]
              |  +--rw action        icmp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw sip-flood* [action]
              |  +--rw action        sip-flood-action
              |  +--rw alert-rate?   uint32
              +--rw detect-mode?      enumeration
              +--rw baseline-learn
                 +--rw auto-apply?        boolean
                 +--rw start?             boolean
                 +--rw mode?              enumeration
                 +--rw tolerance-value?   uint16
                 +--rw learn-duration?    uint32
                 +--rw learn-interval?    uint32
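The detection loop the bullets above describe, as an added example that is not code from the draft or from any anti-ddos product: a per-destination sliding-window packet counter driven by the profile's alert-rate and detect-mode leaves, plus the baseline-learn step that derives an alert-rate from learned traffic and installs it only when auto-apply is set. The one-second window, the reading of tolerance-value as a percentage above the learned peak, and the packet trace are assumptions of the example; the draft leaves those semantics to the NSF.

```python
# Added example: the per-destination rate detection that Section 4.2 describes,
# driven by the alert-rate, detect-mode and baseline-learn leaves of the
# anti-ddos profile. Not code from the draft or from any anti-ddos product.
# Assumptions: a one-second counting window, tolerance-value read as a
# percentage above the learned peak, and the constructed packet trace.
from collections import defaultdict, deque


class FloodDetector:
    """Counts packets of one flood type per destination address over a sliding
    window and fires the configured action once alert-rate is exceeded."""

    def __init__(self, flood_type, action, alert_rate,
                 detect_mode="detect-clean", period=1.0):
        self.flood_type = flood_type       # syn-flood, udp-flood, icmp-flood, ...
        self.action = action               # the *-flood-action enum, e.g. tcp-proxy
        self.alert_rate = alert_rate       # packets per period (alert-rate leaf)
        self.detect_mode = detect_mode     # detect-clean or detect-only
        self.period = period               # window length in seconds (assumed)
        self.windows = defaultdict(deque)  # dst -> timestamps inside the window

    def observe(self, ts, dst):
        """Record one packet to dst at time ts; return the triggered event or None."""
        w = self.windows[dst]
        w.append(ts)
        while w and ts - w[0] > self.period:   # expire timestamps outside the window
            w.popleft()
        if len(w) <= self.alert_rate:
            return None
        # detect-only raises an alert but never engages the prevention action
        if self.detect_mode == "detect-only":
            return ("alert", self.flood_type, dst)
        return (self.action, self.flood_type, dst)


def run_trace(detector, packets):
    """Feed (timestamp, destination) tuples and collect the triggered events."""
    events = []
    for ts, dst in packets:
        event = detector.observe(ts, dst)
        if event is not None:
            events.append(event)
    return events


def learn_baseline(samples, tolerance_value):
    """baseline-learn: derive an alert-rate from the per-period packet counts
    observed during learn-duration. Assumption: the peak count raised by
    tolerance-value percent; the draft does not define the tolerance semantics."""
    if not samples:
        raise ValueError("no samples learned")
    peak = max(samples)
    return peak + peak * tolerance_value // 100


def apply_baseline(detector, samples, tolerance_value, auto_apply):
    """Install the learned alert-rate only when auto-apply is true; always return it."""
    learned = learn_baseline(samples, tolerance_value)
    if auto_apply:
        detector.alert_rate = learned
    return learned


# Constructed trace: 5 packets to 192.0.2.1 spread over 0.5 s, then a burst of
# 12 packets to 192.0.2.2 inside 0.5 s. With alert-rate 10 only the burst trips.
TRACE = ([(0.1 * i, "192.0.2.1") for i in range(5)]
         + [(1.0 + 0.04 * i, "192.0.2.2") for i in range(12)])

if __name__ == "__main__":
    det = FloodDetector("syn-flood", "tcp-proxy", alert_rate=10)
    print(run_trace(det, TRACE))   # two tcp-proxy events for 192.0.2.2
```

The same FloodDetector serves every *-flood list in the tree because they share the action/alert-rate shape; only the action enum differs per flood type. Running the detector in detect-only first, then switching to detect-clean after reviewing the learned alert-rate, is the natural way to use the baseline-learn container without auto-apply.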
4.3. Intrusion prevention system
The following tree diagram shows the interface for configuring the
IPS. This interface supports configuring a set of IPS signature-based
filters that detect known types of attacks and respond with
user-defined actions such as sending an alert or blocking the matched
packets.
   module: ietf-i2nsf-asf-config-ips
     +--rw ips
        +--rw profiles
           +--rw profile* [name]
              +--rw name                  string
              +--rw description?          string
              +--rw signature-sets
              |  +--rw signature-set* [name]
              |     +--rw name                string
              |     +--rw action?             action-type
              |     +--rw application
              |     |  +--rw all-application          boolean
              |     |  +--rw specified-application*   string
              |     +--rw target?             target-type
              |     +--rw severity*           severity-type
              |     +--rw operating-system*   operating-system-type
              |     +--rw protocol
              |     |  +--rw all-protocol          boolean
              |     |  +--rw specified-protocol*   string
              |     +--rw category
              |        +--rw all-category          boolean
              |        +--rw specified-category* [name]
              |           +--rw name                string
              |           +--rw all-sub-category    boolean
              |           +--rw sub-category* [name]
              |              +--rw name    string
              +--rw exception-signatures
                 +--rw exception-signature* [id]
                    +--rw id         uint32
                    +--rw action?    action-type
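Two things in this tree deserve a worked illustration: the mandatory/when constraints that tie each specified-* list to its all-* flag (a specified list is only valid when the flag is false), and how a signature-set's filter conditions together with the exception-signature list determine the action for one signature. The following is an added example, not code from the draft or from any IPS implementation; the signature-record field names and the rule that action default-type falls back to the signature's own default action are assumptions made for this example.

```python
# Added example: enforce the mandatory/when constraints of the IPS signature-set
# tree and resolve the action a profile yields for one signature. Not code from
# the draft or from any IPS product. Assumptions: the signature-record fields,
# and that action "default-type" falls back to the signature's own default.

# Constructed profile instance mirroring the ips tree above.
PROFILE = {
    "name": "web-servers",
    "signature-sets": [
        {"name": "critical-web", "action": "block",
         "application": {"all-application": False,
                         "specified-application": ["http", "https"]},
         "target": "server", "severity": ["high", "medium"],
         "protocol": {"all-protocol": True},
         "category": {"all-category": False, "specified-category": [
             {"name": "web-attack", "all-sub-category": False,
              "sub-category": [{"name": "sql-injection"}, {"name": "xss"}]}]}},
        {"name": "everything-else", "action": "default-type",
         "application": {"all-application": True},
         "protocol": {"all-protocol": True},
         "category": {"all-category": True}},
    ],
    "exception-signatures": [{"id": 1001, "action": "allow"}],
}

# Constructed signature metadata (field names are this example's, not the draft's).
SIGNATURES = {
    1001: {"id": 1001, "application": "http", "protocol": "tcp", "target": "server",
           "severity": "high", "os": "unix-like", "category": "web-attack",
           "sub-category": "sql-injection", "default-action": "alert"},
    1002: {"id": 1002, "application": "https", "protocol": "tcp", "target": "server",
           "severity": "medium", "os": "windows", "category": "web-attack",
           "sub-category": "xss", "default-action": "alert"},
    3001: {"id": 3001, "application": "http", "protocol": "tcp", "target": "server",
           "severity": "high", "os": "unix-like", "category": "web-attack",
           "sub-category": "path-traversal", "default-action": "alert"},
}

GROUPS = (("application", "all-application", "specified-application"),
          ("protocol", "all-protocol", "specified-protocol"),
          ("category", "all-category", "specified-category"))


def validate_signature_set(sset):
    """Return the constraint violations of one signature-set (empty if valid)."""
    problems = []
    for group, flag, spec in GROUPS:
        node = sset.get(group, {})
        if flag not in node:                          # leaf is 'mandatory true'
            problems.append(f"{group}/{flag} is mandatory")
        elif node[flag] is True and node.get(spec):   # when "../all-x = 'false'"
            problems.append(f"{group}/{spec} only valid when {flag} = false")
    for cat in sset.get("category", {}).get("specified-category", []):
        name = cat.get("name")
        if "all-sub-category" not in cat:
            problems.append(f"category {name}: all-sub-category is mandatory")
        elif cat["all-sub-category"] is True and cat.get("sub-category"):
            problems.append(f"category {name}: sub-category only valid when "
                            "all-sub-category = false")
    return problems


def selects(node, flag, spec, value):
    """An all-* flag set to true selects everything; else specified-* must name the value."""
    return node[flag] or value in node.get(spec, [])


def set_matches(sset, sig):
    """Do the filtering conditions of a signature-set select this signature?"""
    if not selects(sset["application"], "all-application",
                   "specified-application", sig["application"]):
        return False
    if not selects(sset["protocol"], "all-protocol",
                   "specified-protocol", sig["protocol"]):
        return False
    if sset.get("target") not in (None, "both") and sset["target"] != sig["target"]:
        return False
    if sset.get("severity") and sig["severity"] not in sset["severity"]:
        return False
    if sset.get("operating-system") and sig["os"] not in sset["operating-system"]:
        return False
    cat = sset["category"]
    if cat["all-category"]:
        return True
    for c in cat.get("specified-category", []):
        if c["name"] != sig["category"]:
            continue
        subs = [s["name"] for s in c.get("sub-category", [])]
        if c["all-sub-category"] or sig["sub-category"] in subs:
            return True
    return False


def resolve_action(profile, sig):
    """exception-signature wins, then the first matching signature-set; None if none applies."""
    for exc in profile["exception-signatures"]:
        if exc["id"] == sig["id"]:
            return exc["action"]
    for sset in profile["signature-sets"]:
        if set_matches(sset, sig):
            action = sset.get("action", "default-type")
            return sig["default-action"] if action == "default-type" else action
    return None
```

An empty severity or operating-system leaf-list is treated as "no filter", which matches the tree, where both are optional leaf-lists rather than all-*/specified-* pairs. A controller that pushes a profile through this interface should run the validate step before the NETCONF/RESTCONF edit so that a specified-* list silently ignored by a true all-* flag is caught as a configuration error rather than as a gap in coverage.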
5. YANG Modules
5.1. Antivirus
module ietf-i2nsf-asf-config-antivirus {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antivirus";
  prefix
    asf-config-antivirus;

  import ietf-inet-types {
    prefix inet;
  }

  organization
    "Huawei Technologies";
  contact
    "Wei Pan: william.panwei@huawei.com
     Liang Xia: Frank.xialiang@huawei.com";
  description
    "This module contains a collection of yang definitions
     for configuring antivirus.";

  revision 2018-10-15 {
    description
      "Init revision.";
    reference "xxx.";
  }

  typedef detect-protocol {
    type enumeration {
      enum http {
        description "HTTP.";
      }
      enum ftp {
        description "FTP.";
      }
      enum smtp {
        description "SMTP.";
      }
      enum pop3 {
        description "POP3.";
      }
      enum imap {
        description "IMAP.";
      }
      enum nfs {
        description "NFS.";
      }
      enum smb {
        description "SMB.";
      }
    }
    description
      "This is detect protocol type in antivirus profile.";
  }

  typedef detect-direction {
    type enumeration {
      enum none {
        description "None.";
      }
      enum download {
        description "Download.";
      }
      enum upload {
        description "Upload.";
      }
      enum both {
        description "Both directions.";
      }
    }
    description
      "This is detect direction type in antivirus profile.";
  }

  typedef detect-action {
    type enumeration {
      enum alert {
        description "Permit files and generate virus logs.";
      }
      enum allow {
        description "Permit files.";
      }
      enum block {
        description "Block files and generate virus logs.";
      }
      enum declare {
        description
          "Permit virus-infected email messages, then add information to
           announce the detection of viruses and generate virus logs.";
      }
      enum delete-attachment {
        description
          "Permit virus-infected email messages after deleting their
           attachments, add information to announce the detection of
           viruses and generate virus logs.";
      }
    }
    description
      "This is detect action type in antivirus profile.";
  }

  typedef match-scope {
    type enumeration {
      enum url {
        description "URL.";
      }
      enum host {
        description "Host.";
      }
      enum referer {
        description "Referer.";
      }
    }
    description "This is antivirus whitelist match scope.";
  }

  typedef match-type {
    type enumeration {
      enum prefix {
        description "Prefix.";
      }
      enum suffix {
        description "Suffix.";
      }
      enum fuzzy {
        description "Fuzzy.";
      }
      enum exact {
        description "Exact.";
      }
    }
    description "This is antivirus whitelist match type.";
  }

  feature antivirus-whitelists {
    description
      "This feature means the antivirus function supports
       whitelists.";
  }

  grouping address-range {
    description "Address range.";
    leaf start-address {
      type inet:ip-address;
      description
        "Start address.";
    }
    leaf end-address {
      type inet:ip-address;
      description
        "End address.";
    }
  }

  container antivirus {
    description "Antivirus.";
    container profiles {
      description "Profiles.";
      list profile {
        key "name";
        description "Antivirus profile.";
        leaf name {
          type string;
          description "The name of the profile.";
        }
        leaf description {
          type string;
          description "The description of the profile.";
        }
        list detect {
          key "protocol-type direction";
          description "Antivirus detect.";
          leaf protocol-type {
            type detect-protocol;
            description "The protocol type of detect.";
          }
          leaf direction {
            type detect-direction;
            description "The direction of detect.";
          }
          leaf action {
            type detect-action;
            description "The action of detect.";
          }
        }
        list exception-application {
          key "application-name";
          description "Exceptional application.";
          leaf application-name {
            type string;
            description "The name of exceptional application.";
          }
          leaf application-action {
            type detect-action;
            description "The action of exceptional application.";
          }
        }
        list exception-signature {
          key "signature-id";
          description "Exceptional signature.";
          leaf signature-id {
            type uint64;
            description "The exception id of antivirus signature.";
          }
          leaf signature-action {
            type detect-action;
            description "The action of exceptional signature.";
          }
        }
        container whitelists {
          if-feature antivirus-whitelists;
          description "The whitelist of antivirus.";
          container match-rules {
            description "The match rules of antivirus whitelist.";
            list match-rule {
              key "scope type value";
              description "The match rule of antivirus whitelist.";
              leaf scope {
                type match-scope;
                description
                  "The scope of antivirus whitelist match rule.";
              }
              leaf type {
                type match-type;
                description
                  "The type of antivirus whitelist match rule.";
              }
              leaf value {
                type string;
                description
                  "The value of antivirus whitelist match rule.";
              }
            }
          }
          leaf-list source-address {
            type inet:ip-address;
            description "The source-address of whitelist.";
          }
          list source-address-range {
            key "start-address end-address";
            description "The source-address range of whitelist.";
            uses address-range;
          }
          leaf-list destination-address {
            type inet:ip-address;
            description "The destination-address of whitelist.";
          }
          list destination-address-range {
            key "start-address end-address";
            description "The destination-address range of whitelist.";
            uses address-range;
          }
        }
      }
    }
  }
}
5.2. Anti-ddos
module ietf-i2nsf-asf-config-antiddos {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antiddos";
  prefix
    asf-config-antiddos;

  organization
    "Huawei Technologies";
  contact
    "Wei Pan: william.panwei@huawei.com
     Liang Xia: Frank.xialiang@huawei.com";
  description
    "This module contains a collection of yang definitions
     for configuring anti-ddos.";

  revision 2018-10-15 {
    description
      "Init revision.";
    reference "xxx.";
  }

  typedef syn-flood-action {
    type enumeration {
      enum tcp-proxy {
        description
          "TCP proxy function.";
      }
      enum tcp-source-authentication {
        description
          "Authenticate the source addresses of TCP packets.";
      }
    }
    description
      "This is detect action type of syn-flood.";
  }

  typedef udp-flood-action {
    type enumeration {
      enum fingerprint-learning {
        description
          "Learn the fingerprint of UDP packets.";
      }
      enum udp-tcp-association {
        description
          "Authenticate the source addresses of TCP packets
           associated with UDP packets.";
      }
      enum traffic-limit {
        description
          "Limit the UDP traffic.";
      }
    }
    description
      "This is detect action type of udp-flood.";
  }

  typedef http-flood-action {
    type enumeration {
      enum source-authentication-meta-refresh {
        description
          "Authenticate the source addresses of HTTP packets by means of
           meta-refresh.";
      }
      enum source-authentication-code-based {
        description
          "Authenticate the source addresses of HTTP packets by means of
           a code-based challenge.";
      }
      enum source-authentication-302-redirect {
        description
          "Authenticate the source addresses of HTTP packets by means of
           a 302 redirect.";
      }
    }
    description
      "This is detect action type of http-flood.";
  }

  typedef https-flood-action {
    type enumeration {
      enum source-authentication {
        description
          "Authenticate the source addresses of HTTPS packets.";
      }
    }
    description
      "This is detect action type of https-flood.";
  }

  typedef dns-request-flood-action {
    type enumeration {
      enum source-authentication-dns-cache-server {
        description
          "Authenticate the source addresses of DNS request packets for
           the DNS Cache Server.";
      }
      enum source-authentication-dns-authoritative-server {
        description
          "Authenticate the source addresses of DNS request packets for
           the DNS Authoritative Server.";
      }
    }
    description
      "This is detect action type of dns-request-flood.";
  }

  typedef dns-reply-flood-action {
    type enumeration {
      enum source-authentication {
        description
          "Authenticate the source addresses of DNS reply packets.";
      }
    }
    description
      "This is detect action type of dns-reply-flood.";
  }

  typedef icmp-flood-action {
    type enumeration {
      enum traffic-limit {
        description
          "Limit the ICMP traffic.";
      }
    }
    description
      "This is detect action type of icmp-flood.";
  }

  typedef sip-flood-action {
    type enumeration {
      enum source-authentication {
        description
          "Authenticate the source addresses of SIP packets.";
      }
    }
    description
      "This is detect action type of sip-flood.";
  }

  container antiddos {
    description "Anti-ddos.";
    container profiles {
      description "Profiles.";
      list profile {
        key "name";
        description "Anti-ddos profile.";
        leaf name {
          type string;
          description "The name of the profile.";
        }
        leaf description {
          type string;
          description "The description of the profile.";
        }
        list syn-flood {
          key "action";
          description "SYN flood detect.";
          leaf action {
            type syn-flood-action;
            description "The action of syn-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of syn-flood detect.";
          }
        }
        list udp-flood {
          key "action";
          description "UDP flood detect.";
          leaf action {
            type udp-flood-action;
            description "The action of udp-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of udp-flood detect.";
          }
        }
        list http-flood {
          key "action";
          description "HTTP flood detect.";
          leaf action {
            type http-flood-action;
            description "The action of http-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of http-flood detect.";
          }
        }
        list https-flood {
          key "action";
          description "HTTPS flood detect.";
          leaf action {
            type https-flood-action;
            description "The action of https-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of https-flood detect.";
          }
        }
        list dns-request-flood {
          key "action";
          description "DNS request flood detect.";
          leaf action {
            type dns-request-flood-action;
            description "The action of dns-request-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of dns-request-flood detect.";
          }
        }
        list dns-reply-flood {
          key "action";
          description "DNS reply flood detect.";
          leaf action {
            type dns-reply-flood-action;
            description "The action of dns-reply-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of dns-reply-flood detect.";
          }
        }
        list icmp-flood {
          key "action";
          description "ICMP flood detect.";
          leaf action {
            type icmp-flood-action;
            description "The action of icmp-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of icmp-flood detect.";
          }
        }
        list sip-flood {
          key "action";
          description "SIP flood detect.";
          leaf action {
            type sip-flood-action;
            description "The action of sip-flood detect.";
          }
          leaf alert-rate {
            type uint32;
            description "The alert rate of sip-flood detect.";
          }
        }
        leaf detect-mode {
          type enumeration {
            enum detect-clean {
              description
                "Detect DDoS attacks and defend against them.";
            }
            enum detect-only {
              description
                "Detect DDoS attacks only.";
            }
          }
          description "DDoS detect mode.";
        }
        container baseline-learn {
          description "Alert rate baseline learning.";
          leaf auto-apply {
            type boolean;
            description "Apply baseline learning results.";
          }
          leaf start {
            type boolean;
            description "Enable baseline learning.";
          }
          leaf mode {
            type enumeration {
              enum loop {
                description
                  "Indicate that baseline learning is performed
                   periodically.";
              }
              enum once {
                description
                  "Indicate that baseline learning is performed once.";
              }
            }
            description "Indicate the baseline learning mode.";
          }
          leaf tolerance-value {
            type uint16;
            description
              "Indicate the baseline learning tolerance
               value.";
          }
          leaf learn-duration {
            type uint32;
            description "Indicate the baseline learning duration.";
          }
          leaf learn-interval {
            type uint32;
            description "Indicate the interval for baseline learning.";
          }
        }
      }
    }
  }
}
5.3. Intrusion prevention system
module ietf-i2nsf-asf-config-ips {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-ips";
  prefix
    asf-config-ips;

  organization
    "Huawei Technologies";
  contact
    "Wei Pan: william.panwei@huawei.com
     Liang Xia: Frank.xialiang@huawei.com";
  description
    "This module contains a collection of yang definitions for
     configuring ips.";

  revision 2018-10-15 {
    description
      "Init revision.";
    reference "xxx.";
  }

  typedef action-type {
    type enumeration {
      enum default-type {
        description "Default action type.";
      }
      enum alert {
        description "Alert.";
      }
      enum block {
        description "Block.";
      }
      enum allow {
        description "Allow.";
      }
    }
    description "The action type.";
  }

  typedef target-type {
    type enumeration {
      enum both {
        description "Both client and server.";
      }
      enum client {
        description "Client.";
      }
      enum server {
        description "Server.";
      }
    }
    description "The target type.";
  }

  typedef severity-type {
    type enumeration {
      enum high {
        description "High.";
      }
      enum medium {
        description "Medium.";
      }
      enum low {
        description "Low.";
      }
      enum information {
        description "Information.";
      }
    }
    description "The severity filter type.";
  }

  typedef operating-system-type {
    type enumeration {
      enum android {
        description "Android OS.";
      }
      enum ios {
        description "IOS.";
      }
      enum unix-like {
        description "UNIX-like OS.";
      }
      enum windows {
        description "Windows OS.";
      }
      enum other {
        description "Other OS.";
      }
    }
    description "The operating system type.";
  }

  container ips {
    description "Intrusion prevention system.";
    container profiles {
      description "Profiles.";
      list profile {
        key "name";
        description "IPS Profile.";
        leaf name {
          type string;
          description "The name of a profile.";
        }
        leaf description {
          type string;
          description "The description of a profile.";
        }
        container signature-sets {
          description "Signature sets.";
          list signature-set {
            key "name";
            description "Signature set.";
            leaf name {
              type string;
              description "The name of a signature set.";
            }
            leaf action {
              type action-type;
              description "The action for a signature set.";
            }
            container application {
              description "Application.";
              leaf all-application {
                type boolean;
                mandatory true;
                description
                  "The all application filtering conditions of the
                   signature set.";
              }
              leaf-list specified-application {
                when "../all-application = 'false'";
                type string;
                description
                  "The specified application filtering conditions of the
                   signature set.";
              }
            }
            leaf target {
              type target-type;
              description
                "The target type of a signature set.";
            }
            leaf-list severity {
              type severity-type;
              description
                "The severity type of a signature set.";
            }
            leaf-list operating-system {
              type operating-system-type;
              description
                "The operating system of a signature set.";
            }
            container protocol {
              description "Protocol.";
              leaf all-protocol {
                type boolean;
                mandatory true;
                description
                  "The all protocol filtering conditions of a
                   signature set.";
              }
              leaf-list specified-protocol {
                when "../all-protocol = 'false'";
                type string;
                description
                  "The specified protocol filtering conditions of a
                   signature set.";
              }
            }
            container category {
              description "Category.";
              leaf all-category {
                type boolean;
                mandatory true;
                description
                  "The all category filtering conditions of the signature
                   set.";
              }
              list specified-category {
                when "../all-category = 'false'";
                key "name";
                description "Specified category.";
                leaf name {
                  type string;
                  description
                    "The specified name of category
                     filtering conditions of a signature set.";
                }
                leaf all-sub-category {
                  type boolean;
                  mandatory true;
                  description
                    "The all sub-category filtering
                     conditions of a signature set.";
                }
                list sub-category {
                  when "../all-sub-category = 'false'";
                  key "name";
                  description "Sub category.";
                  leaf name {
                    type string;
                    description
                      "The specified name of sub-category filtering
                       conditions of a signature set.";
                  }
                }
              }
            }
          }
        }
        container exception-signatures {
          description "Exceptional signatures.";
          list exception-signature {
            key "id";
            description "Exceptional signature.";
            leaf id {
              type uint32;
              description "The ID of an exception signature.";
            }
            leaf action {
              type action-type;
              description
                "The action type of an exception signature.";
            }
          }
        }
      }
    }
  }
}
6. IANA Considerations
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC.
7. Security Considerations
TBD.
8. Acknowledgements
TBD
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
9.2. Informative References
[I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J., Jeong, J., Jung-Soo, P., Hares, S., and l.
linqiushi@huawei.com, "I2NSF Network Security Function-
Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-
facing-interface-dm-00 (work in progress), March 2018.
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
Lopez, R. and G. Lopez-Millan, "Software-Defined
Networking (SDN)-based IPsec Flow Protection", draft-ietf-
i2nsf-sdn-ipsec-flow-protection-01 (work in progress),
March 2018.
[I-D.ietf-i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-05 (work in
progress), January 2018.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>.
Authors' Addresses
Wei Pan
Huawei
Email: william.panwei@huawei.com
Liang Xia
Huawei
Email: frank.xialiang@huawei.com