Network Working Group                                            W. Pan
Internet-Draft                                                   L. Xia
Intended status: Standards Track                                 Huawei
Expires: April 18, 2019                                October 15, 2018


    Configuration of Advanced Security Functions with I2NSF Security
                               Controller
                      draft-dong-i2nsf-asf-config-01

Abstract

   This draft defines a network security function (NSF)-facing
   interface of the security controller for configuring some advanced
   security functions: antivirus, anti-ddos, and intrusion prevention
   system (IPS).  The interface is presented as a YANG data model and
   can be used to deploy a large number of NSF instances that all
   support the above functions in a software-defined networking (SDN)
   based paradigm.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Key Words
     2.2.  Definition of Terms
   3.  Tree Diagrams
   4.  Data Model Structure
     4.1.  Antivirus
     4.2.  Anti-ddos
     4.3.  Intrusion prevention system
   5.  YANG Modules
     5.1.  Antivirus
     5.2.  Anti-ddos
     5.3.  Intrusion prevention system
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   I2NSF provides a technology- and vendor-independent way for a
   centralized security controller in an SDN environment to manage and
   configure distributed NSFs [RFC8329].  The NSFs are customized
   automatically, in a programmable manner, via a standard interface.
   The draft [I-D.ietf-i2nsf-nsf-facing-interface-dm] proposes a generic
   NSF-facing interface for managing which action should be applied to
   which traffic.  In addition, [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
   defines an NSF-facing interface for the management, including
   configuration and monitoring, of IPsec SAs.  In this document, we
   define another NSF-facing interface that lets the security controller
   configure some advanced security functions, namely antivirus,
   anti-ddos, and IPS profiles.  Given the variety and complexity of
   advanced security functions, it is hardly feasible to define an
   interface for configuring every one of them.  Antivirus, anti-ddos
   and IPS profiles are the most common and well-developed advanced
   security functions and are widely deployed.  Standardizing the
   interface to these three functions minimizes the cost of managing
   and configuring them through the security controller in a
   vendor-independent way.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

4.1.  Antivirus

   The following tree diagram shows the interface for configuring
   antivirus detection on incoming and outgoing files.  The file
   transfer protocol type, the direction of the file transfer, and the
   action applied when a virus is detected can be configured.  In
   addition, the interface supports application and signature
   exceptions, which apply specific actions to certain applications and
   to specific detected viruses respectively.  The antivirus function
   also supports a whitelist for trusted files.

   module: ietf-i2nsf-asf-config-antivirus
     +--rw antivirus
        +--rw profiles
           +--rw profile* [name]
              +--rw name                       string
              +--rw description?               string
              +--rw detect* [protocol-type direction]
              |  +--rw protocol-type    detect-protocol
              |  +--rw direction        detect-direction
              |  +--rw action?          detect-action
              +--rw exception-application* [application-name]
              |  +--rw application-name      string
              |  +--rw application-action?   detect-action
              +--rw exception-signature* [signature-id]
              |  +--rw signature-id        uint64
              |  +--rw signature-action?   detect-action
              +--rw whitelists {antivirus-whitelists}?
                 +--rw match-rules
                 |  +--rw match-rule* [scope type value]
                 |     +--rw scope    match-scope
                 |     +--rw type     match-type
                 |     +--rw value    string
                 +--rw source-address*        inet:ip-address
                 +--rw source-address-range* [start-address end-address]
                 |  +--rw start-address    inet:ip-address
                 |  +--rw end-address      inet:ip-address
                 +--rw destination-address*   inet:ip-address
                 +--rw destination-address-range*
                         [start-address end-address]
                    +--rw start-address    inet:ip-address
                    +--rw end-address      inet:ip-address
4.2.  Anti-ddos

   The following tree diagram shows the configuration parameters of the
   DDoS detection and prevention functions for different types of DDoS
   attack.

   *  SYN flood: The number of packets with the same destination
      address is counted over a period of time.  If the count exceeds a
      pre-defined threshold, the prevention function is triggered: the
      anti-ddos system alerts the user/administrator and starts source
      address inspection or the TCP proxy function, as configured.

   *  UDP flood: UDP flood packets normally have the same payload, or a
      payload that changes regularly.  The anti-ddos system can learn
      this payload characteristic automatically; it is called the
      fingerprint of the UDP flood attack packets.  A packet that
      matches the learned fingerprint is then discarded.  For UDP flood
      attacks that have no fingerprint, a bandwidth threshold is
      configured to limit the UDP traffic.  If the UDP packets are
      associated with TCP packets, the anti-ddos system can trigger the
      TCP protection measures and use the resulting white list to
      decide whether to discard the UDP packets.

   *  HTTP and HTTPS flood: The detection mechanism for these two
      attacks is similar to SYN flood detection.  The number of packets
      with the same destination address is counted over a period of
      time, and a threshold is set for alerting.

   *  DNS request flood: The anti-ddos system counts the number of DNS
      request packets with the same destination address over a period
      of time.  Once this number exceeds a configured threshold, the
      prevention function is triggered: the anti-ddos system sends a
      response asking the client to repeat its request over a TCP
      connection, and then verifies the source address.

   *  DNS reply flood: The anti-ddos system counts the number of DNS
      reply packets with the same destination address over a period of
      time.  Once this number exceeds a configured threshold, source
      address inspection is triggered: the anti-ddos system asks the
      sender to send the reply message again with a new query ID and
      port number.  If the second reply message is received and its
      query ID and port number match the requested ones, the source
      address is added to the white list.

   *  ICMP flood: A threshold is configured to limit the rate of ICMP
      traffic.

   *  SIP flood: The anti-ddos system counts the number of SIP request
      packets with the same destination address over a period of time.
      If the count exceeds a pre-defined threshold, source
      authentication is triggered: the anti-ddos system sends an
      OPTIONS request packet with a specific branch value to verify
      whether the source address exists.  If a reply is received in
      response to the OPTIONS packet, the source address is added to
      the white list.

   module: ietf-i2nsf-asf-config-antiddos
     +--rw antiddos
        +--rw profiles
           +--rw profile* [name]
              +--rw name                  string
              +--rw description?          string
              +--rw syn-flood* [action]
              |  +--rw action        syn-flood-action
              |  +--rw alert-rate?   uint32
              +--rw udp-flood* [action]
              |  +--rw action        udp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw http-flood* [action]
              |  +--rw action        http-flood-action
              |  +--rw alert-rate?   uint32
              +--rw https-flood* [action]
              |  +--rw action        https-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-request-flood* [action]
              |  +--rw action        dns-request-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-reply-flood* [action]
              |  +--rw action        dns-reply-flood-action
              |  +--rw alert-rate?   uint32
              +--rw icmp-flood* [action]
              |  +--rw action        icmp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw sip-flood* [action]
              |  +--rw action        sip-flood-action
              |  +--rw alert-rate?   uint32
              +--rw detect-mode?          enumeration
              +--rw baseline-learn
                 +--rw auto-apply?        boolean
                 +--rw start?             boolean
                 +--rw mode?              enumeration
                 +--rw tolerance-value?   uint16
                 +--rw learn-duration?    uint32
                 +--rw learn-interval?    uint32

4.3.  Intrusion prevention system

   The following tree diagram shows the interface for configuring the
   IPS.  The interface supports configuring a set of signature-based
   IPS filters that detect known types of attack and respond with
   user-defined actions, such as sending an alert or blocking the
   matched packets.

   module: ietf-i2nsf-asf-config-ips
     +--rw ips
        +--rw profiles
           +--rw profile* [name]
              +--rw name                    string
              +--rw description?            string
              +--rw signature-sets
              |  +--rw signature-set* [name]
              |     +--rw name                string
              |     +--rw action?             action-type
              |     +--rw application
              |     |  +--rw all-application          boolean
              |     |  +--rw specified-application*   string
              |     +--rw target?             target-type
              |     +--rw severity*           severity-type
              |     +--rw operating-system*   operating-system-type
              |     +--rw protocol
              |     |  +--rw all-protocol          boolean
              |     |  +--rw specified-protocol*   string
              |     +--rw category
              |        +--rw all-category          boolean
              |        +--rw specified-category* [name]
              |           +--rw name                string
              |           +--rw all-sub-category    boolean
              |           +--rw sub-category* [name]
              |              +--rw name    string
              +--rw exception-signatures
                 +--rw exception-signature* [id]
                    +--rw id        uint32
                    +--rw action?   action-type
5.  YANG Modules

5.1.  Antivirus

   module ietf-i2nsf-asf-config-antivirus {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antivirus";
     prefix
       asf-config-antivirus;

     import ietf-inet-types {
       prefix inet;
     }

     organization
       "Huawei Technologies";

     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";

     description
       "This module contains a collection of YANG definitions
        for configuring antivirus.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference "xxx.";
     }

     typedef detect-protocol {
       type enumeration {
         enum http {
           description "HTTP.";
         }
         enum ftp {
           description "FTP.";
         }
         enum smtp {
           description "SMTP.";
         }
         enum pop3 {
           description "POP3.";
         }
         enum imap {
           description "IMAP.";
         }
         enum nfs {
           description "NFS.";
         }
         enum smb {
           description "SMB.";
         }
       }
       description
         "The file transfer protocol inspected by an antivirus profile.";
     }

     typedef detect-direction {
       type enumeration {
         enum none {
           description "None.";
         }
         enum download {
           description "Download.";
         }
         enum upload {
           description "Upload.";
         }
         enum both {
           description "Both directions.";
         }
       }
       description
         "The direction of file transfer inspected by an antivirus
          profile.";
     }

     typedef detect-action {
       type enumeration {
         enum alert {
           description "Permit files and generate virus logs.";
         }
         enum allow {
           description "Permit files.";
         }
         enum block {
           description "Block files and generate virus logs.";
         }
         enum declare {
           description
             "Permit virus-infected email messages, then add information
              to announce the detection of viruses and generate virus
              logs.";
         }
         enum delete-attachment {
           description
             "Permit virus-infected email messages after deleting their
              attachments, add information to announce the detection of
              viruses and generate virus logs.";
         }
       }
       description
         "The action applied when an antivirus profile detects a virus.";
     }

     typedef match-scope {
       type enumeration {
         enum url {
           description "URL.";
         }
         enum host {
           description "Host.";
         }
         enum referer {
           description "Referer.";
         }
       }
       description "The match scope of an antivirus whitelist rule.";
     }

     typedef match-type {
       type enumeration {
         enum prefix {
           description "Prefix.";
         }
         enum suffix {
           description "Suffix.";
         }
         enum fuzzy {
           description "Fuzzy.";
         }
         enum exact {
           description "Exact.";
         }
       }
       description "The match type of an antivirus whitelist rule.";
     }

     feature antivirus-whitelists {
       description
         "This feature means the antivirus function supports
          whitelists.";
     }

     grouping address-range {
       description "Address range.";
       leaf start-address {
         type inet:ip-address;
         description
           "Start address.";
       }

       leaf end-address {
         type inet:ip-address;
         description
           "End address.";
       }
     }

     container antivirus {
       description "Antivirus.";
       container profiles {
         description "Profiles.";
         list profile {
           key "name";
           description "Antivirus profile.";

           leaf name {
             type string;
             description "The name of the profile.";
           }

           leaf description {
             type string;
             description "The description of the profile.";
           }

           list detect {
             key "protocol-type direction";
             description "Antivirus detection entry.";

             leaf protocol-type {
               type detect-protocol;
               description "The protocol type to detect on.";
             }

             leaf direction {
               type detect-direction;
               description "The direction of file transfer to detect on.";
             }

             leaf action {
               type detect-action;
               description "The action applied on detection.";
             }
           }

           list exception-application {
             key "application-name";
             description "Exceptional application.";

             leaf application-name {
               type string;
               description "The name of the exceptional application.";
             }

             leaf application-action {
               type detect-action;
               description "The action for the exceptional application.";
             }
           }

           list exception-signature {
             key "signature-id";
             description "Exceptional signature.";

             leaf signature-id {
               type uint64;
               description "The ID of the exceptional antivirus signature.";
             }

             leaf signature-action {
               type detect-action;
               description "The action for the exceptional signature.";
             }
           }

           container whitelists {
             if-feature antivirus-whitelists;
             description "The whitelist of antivirus.";

             container match-rules {
               description "The match rules of the antivirus whitelist.";

               list match-rule {
                 key "scope type value";
                 description "A match rule of the antivirus whitelist.";

                 leaf scope {
                   type match-scope;
                   description
                     "The scope of the antivirus whitelist match rule.";
                 }

                 leaf type {
                   type match-type;
                   description
                     "The type of the antivirus whitelist match rule.";
                 }

                 leaf value {
                   type string;
                   description
                     "The value of the antivirus whitelist match rule.";
                 }
               }
             }

             leaf-list source-address {
               type inet:ip-address;
               description "The source addresses of the whitelist.";
             }

             list source-address-range {
               key "start-address end-address";
               description "The source address ranges of the whitelist.";
               uses address-range;
             }

             leaf-list destination-address {
               type inet:ip-address;
               description "The destination addresses of the whitelist.";
             }

             list destination-address-range {
               key "start-address end-address";
               description
                 "The destination address ranges of the whitelist.";
               uses address-range;
             }
           }
         }
       }
     }
   }
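   As an added example (not part of the draft), the following Python
   builds a configuration instance of the module above in RFC 7951 JSON,
   the encoding a RESTCONF client would send to the NSF, and pre-checks
   the constraints the module states: enumeration values, list keys,
   inet:ip-address syntax and the antivirus-whitelists feature.  The
   constructed profile, the nsf_features argument and all helper names
   are assumptions of the example; the NSF's own YANG validation remains
   authoritative.

```python
"""Build and pre-validate an ietf-i2nsf-asf-config-antivirus instance.
Added example, not code from the draft.  Output is RFC 7951 JSON: the
top-level container is qualified by the module name.  nsf_features is the
set of YANG features the target NSF advertises (an assumed input)."""
import ipaddress

MODULE = "ietf-i2nsf-asf-config-antivirus"

# Enumerations copied from the typedefs in the module.
DETECT_PROTOCOL = {"http", "ftp", "smtp", "pop3", "imap", "nfs", "smb"}
DETECT_DIRECTION = {"none", "download", "upload", "both"}
DETECT_ACTION = {"alert", "allow", "block", "declare", "delete-attachment"}
MATCH_SCOPE = {"url", "host", "referer"}
MATCH_TYPE = {"prefix", "suffix", "fuzzy", "exact"}


def _enum(value, allowed, leaf):
    if value not in allowed:
        raise ValueError(f"{leaf}: {value!r} not in {sorted(allowed)}")
    return value


def _ip(value, leaf):
    # inet:ip-address accepts IPv4 or IPv6 text form.
    try:
        ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError(f"{leaf}: {value!r} is not an IP address") from exc
    return value


def _unique_keys(entries, key_fields, list_name):
    # YANG list keys must be unique within a list instance.
    seen = set()
    for entry in entries:
        key = tuple(entry[f] for f in key_fields)
        if key in seen:
            raise ValueError(f"{list_name}: duplicate key {key}")
        seen.add(key)


def _list(entries, builder, key_fields, list_name):
    items = [builder(*e) for e in entries]
    _unique_keys(items, key_fields, list_name)
    return items


def build_profile(name, detects, exception_apps=(), exception_sigs=(),
                  whitelists=None, nsf_features=frozenset()):
    """One validated 'profile' entry.  detects: (protocol-type, direction,
    action) tuples; exception_apps: (application-name, action);
    exception_sigs: (signature-id, action); whitelists: dict keyed like
    the container's children."""
    profile = {"name": name, "detect": _list(detects, lambda p, d, a: {
        "protocol-type": _enum(p, DETECT_PROTOCOL, "protocol-type"),
        "direction": _enum(d, DETECT_DIRECTION, "direction"),
        "action": _enum(a, DETECT_ACTION, "detect/action")},
        ("protocol-type", "direction"), "detect")}
    if exception_apps:
        profile["exception-application"] = _list(exception_apps, lambda n, a: {
            "application-name": n,
            "application-action": _enum(a, DETECT_ACTION, "application-action")},
            ("application-name",), "exception-application")
    if exception_sigs:
        profile["exception-signature"] = _list(exception_sigs, lambda i, a: {
            "signature-id": int(i),
            "signature-action": _enum(a, DETECT_ACTION, "signature-action")},
            ("signature-id",), "exception-signature")
    if whitelists is not None:
        # The container carries if-feature antivirus-whitelists: send it
        # only to an NSF that advertises that feature.
        if "antivirus-whitelists" not in nsf_features:
            raise ValueError("NSF does not support feature antivirus-whitelists")
        profile["whitelists"] = _build_whitelists(whitelists)
    return profile


def _build_whitelists(spec):
    wl = {}
    rules = _list(spec.get("match-rules", ()), lambda s, t, v: {
        "scope": _enum(s, MATCH_SCOPE, "scope"),
        "type": _enum(t, MATCH_TYPE, "type"), "value": v},
        ("scope", "type", "value"), "match-rule")
    if rules:
        wl["match-rules"] = {"match-rule": rules}
    for side in ("source-address", "destination-address"):
        addrs = [_ip(a, side) for a in spec.get(side, ())]
        if addrs:
            wl[side] = addrs
        ranges = _list(spec.get(side + "-range", ()), lambda s, e: {
            "start-address": _ip(s, "start-address"),
            "end-address": _ip(e, "end-address")},
            ("start-address", "end-address"), side + "-range")
        if ranges:
            wl[side + "-range"] = ranges
    return wl


def antivirus_config(profiles):
    """Wrap validated profiles in the module's top-level container."""
    _unique_keys(profiles, ("name",), "profile")
    return {f"{MODULE}:antivirus": {"profiles": {"profile": list(profiles)}}}
```

   A ValueError from build_profile names the offending leaf, so the
   controller can reject a profile before it reaches the NSF.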
5.2.  Anti-ddos

   module ietf-i2nsf-asf-config-antiddos {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antiddos";
     prefix
       asf-config-antiddos;

     organization
       "Huawei Technologies";

     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";

     description
       "This module contains a collection of YANG definitions
        for configuring anti-ddos.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference "xxx.";
     }

     typedef syn-flood-action {
       type enumeration {
         enum tcp-proxy {
           description
             "TCP proxy function.";
         }
         enum tcp-source-authentication {
           description
             "Authenticate the source addresses of TCP packets.";
         }
       }
       description
         "The prevention action for syn-flood.";
     }

     typedef udp-flood-action {
       type enumeration {
         enum fingerprint-learning {
           description
             "Learn the fingerprint of UDP packets.";
         }
         enum udp-tcp-association {
           description
             "Authenticate the source addresses of TCP packets
              associated with UDP packets.";
         }
         enum traffic-limit {
           description
             "Limit the UDP traffic.";
         }
       }
       description
         "The prevention action for udp-flood.";
     }

     typedef http-flood-action {
       type enumeration {
         enum source-authentication-meta-refresh {
           description
             "Authenticate the source addresses of HTTP packets by way of
              meta-refresh.";
         }
         enum source-authentication-code-based {
           description
             "Authenticate the source addresses of HTTP packets by way of
              a code-based challenge.";
         }
         enum source-authentication-302-redirect {
           description
             "Authenticate the source addresses of HTTP packets by way of
              302-redirect.";
         }
       }
       description
         "The prevention action for http-flood.";
     }

     typedef https-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of HTTPS packets.";
         }
       }
       description
         "The prevention action for https-flood.";
     }

     typedef dns-request-flood-action {
       type enumeration {
         enum source-authentication-dns-cache-server {
           description
             "Authenticate the source addresses of DNS request packets for
              the DNS cache server.";
         }
         enum source-authentication-dns-authoritative-server {
           description
             "Authenticate the source addresses of DNS request packets for
              the DNS authoritative server.";
         }
       }
       description
         "The prevention action for dns-request-flood.";
     }

     typedef dns-reply-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of DNS reply packets.";
         }
       }
       description
         "The prevention action for dns-reply-flood.";
     }

     typedef icmp-flood-action {
       type enumeration {
         enum traffic-limit {
           description
             "Limit the ICMP traffic.";
         }
       }
       description
         "The prevention action for icmp-flood.";
     }

     typedef sip-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of SIP packets.";
         }
       }
       description
         "The prevention action for sip-flood.";
     }

     container antiddos {
       description "Anti-ddos.";
       container profiles {
         description "Profiles.";
         list profile {
           key "name";
           description "Anti-ddos profile.";

           leaf name {
             type string;
             description "The name of the profile.";
           }

           leaf description {
             type string;
             description "The description of the profile.";
           }

           list syn-flood {
             key "action";
             description "SYN flood detection.";

             leaf action {
               type syn-flood-action;
               description "The action of syn-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of syn-flood detection.";
             }
           }

           list udp-flood {
             key "action";
             description "UDP flood detection.";

             leaf action {
               type udp-flood-action;
               description "The action of udp-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of udp-flood detection.";
             }
           }

           list http-flood {
             key "action";
             description "HTTP flood detection.";

             leaf action {
               type http-flood-action;
               description "The action of http-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of http-flood detection.";
             }
           }

           list https-flood {
             key "action";
             description "HTTPS flood detection.";

             leaf action {
               type https-flood-action;
               description "The action of https-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of https-flood detection.";
             }
           }

           list dns-request-flood {
             key "action";
             description "DNS request flood detection.";

             leaf action {
               type dns-request-flood-action;
               description "The action of dns-request-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of dns-request-flood detection.";
             }
           }

           list dns-reply-flood {
             key "action";
             description "DNS reply flood detection.";

             leaf action {
               type dns-reply-flood-action;
               description "The action of dns-reply-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of dns-reply-flood detection.";
             }
           }

           list icmp-flood {
             key "action";
             description "ICMP flood detection.";

             leaf action {
               type icmp-flood-action;
               description "The action of icmp-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of icmp-flood detection.";
             }
           }

           list sip-flood {
             key "action";
             description "SIP flood detection.";

             leaf action {
               type sip-flood-action;
               description "The action of sip-flood detection.";
             }

             leaf alert-rate {
               type uint32;
               description "The alert rate of sip-flood detection.";
             }
           }

           leaf detect-mode {
             type enumeration {
               enum detect-clean {
                 description
                   "Detect DDoS attacks and defend against them.";
               }
               enum detect-only {
                 description
                   "Detect DDoS attacks only.";
               }
             }
             description "DDoS detection mode.";
           }

           container baseline-learn {
             description "Alert rate baseline learning.";

             leaf auto-apply {
               type boolean;
               description "Apply baseline learning results.";
             }

             leaf start {
               type boolean;
               description "Enable baseline learning.";
             }

             leaf mode {
               type enumeration {
                 enum loop {
                   description
                     "Indicate that baseline learning is performed
                      periodically.";
                 }
                 enum once {
                   description
                     "Indicate that baseline learning is performed once.";
                 }
               }
               description "Indicate the baseline learning mode.";
             }

             leaf tolerance-value {
               type uint16;
               description
                 "Indicate the baseline learning tolerance
                  value.";
             }

             leaf learn-duration {
               type uint32;
               description "Indicate the baseline learning duration.";
             }

             leaf learn-interval {
               type uint32;
               description "Indicate the interval for baseline learning.";
             }
           }
         }
       }
     }
   }
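   As an added example (not part of the draft), the following Python
   applies an anti-ddos profile instance of the module above to a
   constructed packet trace.  It implements the counting rule of
   Section 4.2: packets with the same destination address are counted
   per period and compared with the flood list's alert-rate; in
   detect-clean mode the configured action is triggered, in detect-only
   mode the event is only reported.  The draft does not define the unit
   of tolerance-value or how baseline learning derives a rate; the
   example assumes the learned alert-rate is the peak per-period count
   seen during learn-duration raised by tolerance-value percent.  The
   trace, profile and function names are constructed for the example.

```python
"""Apply an ietf-i2nsf-asf-config-antiddos profile to a packet trace.
Added example, not code from the draft.  A trace record is
(seconds, flood_kind, src, dst) where flood_kind names the flood list the
packet counts against (the classifier itself is out of scope here)."""
from collections import Counter

FLOOD_LISTS = ("syn-flood", "udp-flood", "http-flood", "https-flood",
               "dns-request-flood", "dns-reply-flood", "icmp-flood",
               "sip-flood")


def count_per_period(trace, kind, period):
    """{(period_index, dst): packets} for one flood kind."""
    counts = Counter()
    for ts, k, _src, dst in trace:
        if k == kind:
            counts[(int(ts // period), dst)] += 1
    return counts


def learn_baseline(trace, kind, period, learn_duration, tolerance_value):
    """Learned alert-rate: peak per-period count inside the learning
    window, raised by tolerance-value percent (assumed unit)."""
    learning = [rec for rec in trace if rec[0] < learn_duration]
    peak = max(count_per_period(learning, kind, period).values(), default=0)
    return int(peak * (100 + tolerance_value) / 100)


def effective_rate(profile, entry, kind, trace, period):
    """Threshold to use: the learned one when baseline-learn is started
    with auto-apply, otherwise the entry's alert-rate (None if absent)."""
    bl = profile.get("baseline-learn", {})
    if bl.get("start") and bl.get("auto-apply"):
        return learn_baseline(trace, kind, period, bl["learn-duration"],
                              bl.get("tolerance-value", 0))
    return entry.get("alert-rate")


def detect(profile, trace, period=1.0):
    """Evaluate every configured flood list; return the events raised."""
    mode = profile.get("detect-mode", "detect-clean")
    events = []
    for kind in FLOOD_LISTS:
        for entry in profile.get(kind, []):
            rate = effective_rate(profile, entry, kind, trace, period)
            if rate is None:
                continue  # no threshold configured for this entry
            counts = count_per_period(trace, kind, period)
            for (idx, dst), n in sorted(counts.items()):
                if n > rate:
                    # detect-clean triggers the list's action; detect-only
                    # reports the event without acting on it.
                    events.append({"period": idx, "dst": dst, "kind": kind,
                                   "count": n, "alert-rate": rate,
                                   "action": entry["action"]
                                   if mode == "detect-clean" else "alert-only"})
    return events


def sample_trace():
    """Constructed trace: 5 DNS queries/s to 192.0.2.10 for 4 s, then a
    burst of 200 queries inside second 4 from many spoofed sources."""
    trace = [(sec + i / 10, "dns-request-flood", f"198.51.100.{i}",
              "192.0.2.10") for sec in range(4) for i in range(5)]
    trace += [(4 + i / 1000, "dns-request-flood", f"203.0.113.{i % 250}",
               "192.0.2.10") for i in range(200)]
    return trace


# Constructed profile instance: static threshold for DNS request floods;
# a SYN flood entry is configured but no SYN packets are in the trace.
SAMPLE_PROFILE = {
    "name": "dns-guard",
    "detect-mode": "detect-clean",
    "syn-flood": [{"action": "tcp-source-authentication", "alert-rate": 100}],
    "dns-request-flood": [{"action": "source-authentication-dns-cache-server",
                           "alert-rate": 50}],
}
```

   With baseline learning enabled over the first four seconds, the
   learned threshold replaces the static alert-rate and the burst is
   still caught, while the steady traffic never trips it.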
5.3.  Intrusion prevention system

   module ietf-i2nsf-asf-config-ips {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-ips";
     prefix
       asf-config-ips;

     organization
       "Huawei Technologies";

     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";

     description
       "This module contains a collection of YANG definitions for
        configuring IPS.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference "xxx.";
     }

     typedef action-type {
       type enumeration {
         enum default-type {
           description "Default action type.";
         }
         enum alert {
           description "Alert.";
         }
         enum block {
           description "Block.";
         }
         enum allow {
           description "Allow.";
         }
       }
       description "The action type.";
     }

     typedef target-type {
       type enumeration {
         enum both {
           description "Both client and server.";
         }
         enum client {
           description "Client.";
         }
         enum server {
           description "Server.";
         }
       }
       description "The target type.";
     }

     typedef severity-type {
       type enumeration {
         enum high {
           description "High.";
         }
         enum medium {
           description "Medium.";
         }
         enum low {
           description "Low.";
         }
         enum information {
           description "Information.";
         }
       }
       description "The severity filter type.";
     }

     typedef operating-system-type {
       type enumeration {
         enum android {
           description "Android OS.";
         }
         enum ios {
           description "IOS.";
         }
         enum unix-like {
           description "UNIX-like OS.";
         }
         enum windows {
           description "Windows OS.";
         }
         enum other {
           description "Other OS.";
         }
       }
       description "The operating system type.";
     }

     container ips {
       description "Intrusion prevention system.";
       container profiles {
         description "Profiles.";
         list profile {
           key "name";
           description "IPS profile.";

           leaf name {
             type string;
             description "The name of a profile.";
           }

           leaf description {
             type string;
             description "The description of a profile.";
           }

           container signature-sets {
             description "Signature sets.";
             list signature-set {
               key "name";
               description "Signature set.";

               leaf name {
                 type string;
                 description "The name of a signature set.";
               }

               leaf action {
                 type action-type;
                 description "The action for a signature set.";
               }

               container application {
                 description "Application.";
                 leaf all-application {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      applications.";
                 }

                 leaf-list specified-application {
                   when "../all-application = 'false'";
                   type string;
                   description
                     "The specified application filtering conditions of
                      the signature set.";
                 }
               }

               leaf target {
                 type target-type;
                 description
                   "The target type of a signature set.";
               }

               leaf-list severity {
                 type severity-type;
                 description
                   "The severity types of a signature set.";
               }

               leaf-list operating-system {
                 type operating-system-type;
                 description
                   "The operating systems of a signature set.";
               }

               container protocol {
                 description "Protocol.";
                 leaf all-protocol {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      protocols.";
                 }

                 leaf-list specified-protocol {
                   when "../all-protocol = 'false'";
                   type string;
                   description
                     "The specified protocol filtering conditions of a
                      signature set.";
                 }
               }

               container category {
                 description "Category.";
                 leaf all-category {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      categories.";
                 }

                 list specified-category {
                   when "../all-category = 'false'";
                   key "name";
                   description "Specified category.";
                   leaf name {
                     type string;
                     description
                       "The name of a category in the filtering
                        conditions of a signature set.";
                   }

                   leaf all-sub-category {
                     type boolean;
                     mandatory true;
                     description
                       "Whether the signature set applies to all
                        sub-categories of this category.";
                   }

                   list sub-category {
                     when "../all-sub-category = 'false'";
                     key "name";
                     description "Sub-category.";

                     leaf name {
                       type string;
                       description
                         "The name of a sub-category in the filtering
                          conditions of a signature set.";
                     }
                   }
                 }
               }
             }
           }

           container exception-signatures {
             description "Exceptional signatures.";
             list exception-signature {
               key "id";
               description "Exceptional signature.";

               leaf id {
                 type uint32;
                 description "The ID of an exception signature.";
               }

               leaf action {
                 type action-type;
                 description
                   "The action type of an exception signature.";
               }
             }
           }
         }
       }
     }
   }
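   As an added example (not part of the draft), the following Python
   resolves which signatures an IPS profile instance of the module
   above enables and with what action, while enforcing the module's
   mandatory all-* leaves and its "when ../all-* = 'false'" conditions
   on the specified-* nodes.  The draft does not say how overlapping
   signature sets interact, what default-type resolves to, or how
   exceptions combine with sets; the example assumes the first matching
   signature-set decides, default-type keeps the action the signature
   ships with, and an exception-signature overrides the sets.  The
   signature catalogue and profile are constructed.

```python
"""Resolve effective per-signature actions for an ietf-i2nsf-asf-config-ips
profile.  Added example, not code from the draft.  The catalogue of
signature attributes is constructed; a real IPS carries such metadata for
every signature it ships."""


def _sig(application, target, severity, os, protocol, category, sub, default):
    return locals()  # the eight attributes as a dict


CATALOGUE = {
    1001: _sig("http", "server", "high", "unix-like", "tcp", "web", "sqli", "block"),
    1002: _sig("http", "client", "medium", "windows", "tcp", "web", "xss", "alert"),
    1003: _sig("smb", "server", "high", "windows", "tcp", "file-sharing",
               "exploit", "block"),
    1004: _sig("dns", "both", "information", "other", "udp", "dns", "tunnel",
               "alert"),
}


def _check_when(container, all_leaf, spec_node):
    """Enforce 'mandatory true' on the all-* leaf and the module's
    'when ../all-* = false' on the specified-*/sub-category node."""
    if all_leaf not in container:
        raise ValueError(f"{all_leaf} is mandatory")
    if container[all_leaf] and spec_node in container:
        raise ValueError(f"{spec_node} is only valid when {all_leaf} is false")


def _in_set(value, container, all_leaf, spec_leaf):
    _check_when(container, all_leaf, spec_leaf)
    return container[all_leaf] or value in container.get(spec_leaf, [])


def _category_matches(sig, category):
    _check_when(category, "all-category", "specified-category")
    if category["all-category"]:
        return True
    for cat in category.get("specified-category", []):
        if cat["name"] != sig["category"]:
            continue
        _check_when(cat, "all-sub-category", "sub-category")
        if cat["all-sub-category"]:
            return True
        return any(s["name"] == sig["sub"] for s in cat.get("sub-category", []))
    return False


def signature_set_matches(sig, sset):
    """True when every filter of a signature-set accepts the signature.
    Absent leaf-lists (severity, operating-system) impose no restriction."""
    if not _in_set(sig["application"], sset["application"],
                   "all-application", "specified-application"):
        return False
    target = sset.get("target", "both")
    if target != "both" and sig["target"] != target:
        return False
    if sset.get("severity") and sig["severity"] not in sset["severity"]:
        return False
    if sset.get("operating-system") and sig["os"] not in sset["operating-system"]:
        return False
    if not _in_set(sig["protocol"], sset["protocol"],
                   "all-protocol", "specified-protocol"):
        return False
    return _category_matches(sig, sset["category"])


def _effective(action, sig):
    # 'default-type' keeps the action the signature ships with (assumption).
    return sig["default"] if action == "default-type" else action


def resolve_actions(profile, catalogue=CATALOGUE):
    """Return {signature-id: effective action} for the profile."""
    result = {}
    for sid, sig in catalogue.items():
        for sset in profile["signature-sets"]["signature-set"]:
            if signature_set_matches(sig, sset):  # first matching set wins
                result[sid] = _effective(sset.get("action", "default-type"), sig)
                break
    exceptions = profile.get("exception-signatures", {})
    for exc in exceptions.get("exception-signature", []):
        if exc["id"] in catalogue:  # an exception overrides the sets
            result[exc["id"]] = _effective(exc.get("action", "default-type"),
                                           catalogue[exc["id"]])
    return result


# Constructed profile instance: block high/medium web-server signatures
# for the http application, run everything else with its default action,
# and explicitly allow signature 1004.
SAMPLE_PROFILE = {
    "name": "dmz-web",
    "signature-sets": {"signature-set": [
        {"name": "web-servers", "action": "block",
         "application": {"all-application": False, "specified-application": ["http"]},
         "target": "server", "severity": ["high", "medium"],
         "protocol": {"all-protocol": True},
         "category": {"all-category": False, "specified-category": [
             {"name": "web", "all-sub-category": True}]}},
        {"name": "everything-else", "action": "default-type",
         "application": {"all-application": True},
         "protocol": {"all-protocol": True},
         "category": {"all-category": True}}]},
    "exception-signatures": {"exception-signature": [{"id": 1004, "action": "allow"}]},
}
```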
6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.  Security Considerations

   TBD.

8.  Acknowledgements

   TBD

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

9.2.  Informative References

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Jung-Soo, P., Hares, S., and l.
              linqiushi@huawei.com, "I2NSF Network Security Function-
              Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-
              facing-interface-dm-00 (work in progress), March 2018.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R. and G. Lopez-Millan, "Software-Defined
              Networking (SDN)-based IPsec Flow Protection", draft-ietf-
              i2nsf-sdn-ipsec-flow-protection-01 (work in progress),
              March 2018.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-05 (work in
              progress), January 2018.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

Authors' Addresses

   Wei Pan
   Huawei

   Email: william.panwei@huawei.com


   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com