I2NSF Network Security Functions-Facing Interface YANG Data Model
Department of Computer Engineering
Sungkyunkwan University, 2066 Seobu-Ro, Jangan-Gu, Suwon, Gyeonggi-Do 16419, Republic of Korea
Phone: +82 10 8273 0930
Email: timkim@skku.edu
Department of Software
Sungkyunkwan University, 2066 Seobu-Ro, Jangan-Gu, Suwon, Gyeonggi-Do 16419, Republic of Korea
Phone: +82 31 299 4957, +82 31 290 7996
Email: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu, Daejeon 34129, Republic of Korea
Phone: +82 42 860 6514
Email: pjs@etri.re.kr
Huawei
7453 Hickory Hill, Saline, MI 48176, USA
Phone: +1-734-604-0332
Email: shares@ndzh.com
Huawei
Huawei Industrial Base, Shenzhen, Guangdong 518129, China
Email: linqiushi@huawei.com
Internet-Draft
This document defines a YANG data model corresponding to the information model
for the Network Security Functions (NSF)-Facing Interface in Interface to Network Security Functions (I2NSF).
It describes a data model for the features provided by generic security functions.
The data model provides generic components whose semantics are well understood by vendors, so that a generic
component can be used even where an NSF also offers vendor-specific functions.
These generic functions represent a point of interoperability and can be provided by any product that offers the required Capabilities.
If a vendor needs additional features for its network security function, it can add them by extending the YANG data model.
This document defines a YANG data model for the configuration of security services, following the information model for the NSF-Facing Interface in I2NSF.
It provides a specific information model and the corresponding data model for generic network
security functions (NSFs), as defined in the information model of NSF capabilities. With this data model, an I2NSF Security Controller can control the capabilities of NSFs.
The "Event-Condition-Action" (ECA) policy model is used as the basis for the design of I2NSF Policy
Rules.
The "ietf-i2nsf-nsf-facing-interface" YANG module defined in this document provides the following features:
configuration of an I2NSF security policy rule for a generic network security function policy
configuration of the event clause of a generic network security function policy
configuration of the condition clause of a generic network security function policy
configuration of the action clause of a generic network security function policy
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
This document uses the terminology of the I2NSF capability information model. In particular, the following two terms are used in the sense given below:
Data Model: A data model is a representation of concepts of
interest to an environment in a form that is dependent on data
repository, data definition language, query language,
implementation language, and protocol.
Information Model: An information model is a representation of
concepts of interest to an environment in a form that is
independent of data repository, data definition language, query
language, implementation language, and protocol.
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:
Brackets "[" and "]" enclose list keys.
Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only).
Symbols after data node names: "?" means an optional node, and "*"
denotes a "list" or "leaf-list".
Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that are not
shown.
This section shows the identification of a policy for generic network security functions.
These objects are defined as policy information and rule information.
This includes the ECA Policy Rule, Event Clause Objects, Condition Clause Objects, Action Clause Objects, Resolution Strategy, and Default Action.
This section shows the event clause for generic network security functions.
An Event is any important occurrence in time of a change in the system being managed and/or in the environment of the system being managed.
When used in the context of I2NSF Policy Rules, an Event determines whether the Condition clause of the I2NSF Policy Rule is evaluated at all.
These objects are defined as user security event, device security event, system security event, and time security event.
These objects can be extended with vendor-specific event features.
This section shows the condition clause for generic network security functions.
A Condition is defined as a set of attributes, features, and/or values that are compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF Policy Rule can be executed.
These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition.
These objects can be extended with vendor-specific condition features.
This section shows the action clause for generic network security functions.
An Action is used to control and monitor aspects of flow-based NSFs when the Event and Condition clauses are satisfied. NSFs provide security functions by executing various Actions.
These objects are defined as ingress action, egress action, and apply-profile action.
These objects can be extended with vendor-specific action features.
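The sections above describe an ECA rule as three gates: the Event clause decides whether the Condition clause is evaluated at all, the Condition clause decides whether the Action clause fires, and when several rules in one policy match, the policy's Resolution Strategy picks the winner, with the Default Action applied when nothing matches. The following evaluator is an added example written for this page, not code or instance data from the draft or from any NSF vendor. The policy instance is constructed here in a YANG-JSON-like shape; its node names ("policy", "rules", "event-clause", "condition-clause", "packet-security-condition", "action-clause", "resolution-strategy", "default-action", "src-ipv4", "dst-port", "system-event", "ingress-action") and the strategy names "first-matching-rule" and "last-matching-rule" are assumptions modelled on the clause names in the text, not nodes of the draft's module.

```python
"""Evaluate an I2NSF-style ECA security policy against sample packet events.

Added example; not from the draft. Node and strategy names below are
assumptions chosen to mirror the clause names in the text.
"""
import ipaddress
import json

# Constructed policy instance (hypothetical node names, YANG-JSON-like shape).
POLICY_JSON = """
{
  "policy": {
    "policy-name": "dmz-web",
    "resolution-strategy": "first-matching-rule",
    "default-action": "drop",
    "rules": [
      {"rule-name": "block-telnet",
       "event-clause": {"system-event": "packet-arrival"},
       "condition-clause": {"packet-security-condition": {"dst-port": [23]}},
       "action-clause": {"ingress-action": "drop"}},
      {"rule-name": "allow-web-from-lan",
       "event-clause": {"system-event": "packet-arrival"},
       "condition-clause": {"packet-security-condition":
                            {"src-ipv4": ["10.0.0.0/8"], "dst-port": [80, 443]}},
       "action-clause": {"ingress-action": "pass"}},
      {"rule-name": "mirror-all-web",
       "event-clause": {"system-event": "packet-arrival"},
       "condition-clause": {"packet-security-condition": {"dst-port": [80, 443]}},
       "action-clause": {"ingress-action": "mirror"}}
    ]
  }
}
"""


def load_policy(text=POLICY_JSON):
    """Parse the instance document and return the policy container."""
    return json.loads(text)["policy"]


def event_matches(event_clause, event):
    """Event clause gate: the Condition clause is only evaluated when the
    occurrence named in the rule is the one that actually happened."""
    return event_clause.get("system-event") == event["type"]


def condition_matches(condition_clause, packet):
    """Packet security condition: every attribute present must match.
    A rule with an empty condition matches every packet."""
    pc = condition_clause.get("packet-security-condition", {})
    if "src-ipv4" in pc:
        src = ipaddress.ip_address(packet["src"])
        if not any(src in ipaddress.ip_network(n) for n in pc["src-ipv4"]):
            return False
    if "dst-port" in pc and packet["dst_port"] not in pc["dst-port"]:
        return False
    return True


def evaluate(policy, event, packet):
    """Return (action, rule-name). The Resolution Strategy chooses among all
    rules whose Event and Condition clauses both hold; the Default Action is
    returned with rule-name None when no rule matches."""
    matched = [r for r in policy["rules"]
               if event_matches(r["event-clause"], event)
               and condition_matches(r["condition-clause"], packet)]
    if not matched:
        return policy["default-action"], None
    strategy = policy["resolution-strategy"]
    if strategy == "first-matching-rule":
        rule = matched[0]
    elif strategy == "last-matching-rule":
        rule = matched[-1]
    else:
        raise ValueError("unknown resolution-strategy: %s" % strategy)
    return rule["action-clause"]["ingress-action"], rule["rule-name"]


if __name__ == "__main__":
    pol = load_policy()
    arrival = {"type": "packet-arrival"}
    for pkt in ({"src": "10.1.2.3", "dst_port": 23},
                {"src": "10.1.2.3", "dst_port": 443},
                {"src": "192.0.2.5", "dst_port": 80},
                {"src": "192.0.2.5", "dst_port": 25}):
        print(pkt, "->", evaluate(pol, arrival, pkt))
```

The third sample packet is the one worth studying: the LAN-only "pass" rule fails its source check, so under "first-matching-rule" the broader "mirror" rule wins, whereas the same packet from 10.0.0.0/8 is passed or mirrored depending solely on the policy's Resolution Strategy. This is exactly the conflict the strategy exists to settle, and an operator should confirm which strategy an NSF implements before assuming rule order is authoritative.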
This section shows how the data model structure tree for generic network security functions maps to the following features defined in the information model of NSF capabilities:
Consideration of the ECA Policy Model by aggregating the Event, Condition, and Action Clause Objects.
Consideration of the Capability Algebra.
Consideration of the NSF Capability Categories (i.e., Network Security, Content Security, and Attack Mitigation Capabilities).
Definitions for the Network Security Event Class, Network Security Condition Class, and Network Security Action Class.
The data model for the identification of a network security policy has the following structure:
The data model for the event clause has the following structure:
These objects are defined as user security event, device security event, system security event, and time security event.
These objects can be extended with vendor-specific event features.
Additional event objects will be added for more generic network security functions.
The data model for the condition clause has the following structure:
These objects are defined as packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition.
These objects can be extended with vendor-specific condition features.
Additional condition objects will be added for more generic network security functions.
The data model for the action clause has the following structure:
These objects are defined as ingress action, egress action, and apply-profile action.
These objects can be extended with vendor-specific action features.
Additional action objects will be added for more generic network security functions.
This section introduces the YANG module for the information model of network
security functions, as defined in the information model of NSF capabilities.
This document introduces no additional security threats and SHOULD
follow the security requirements stated in the I2NSF framework.
Because this module carries the security policy that an NSF enforces, the NSF-Facing Interface needs an authenticated, integrity-protected transport such as NETCONF over SSH, and write access to policy rules should be restricted to the I2NSF Security Controller; an attacker who can modify the event, condition, or action clauses, the resolution strategy, or the default action can silently change what the NSF permits or blocks.
This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government (MSIP)
(No.R-20160222-002755, Cloud based Security Intelligence Technology
Development for the Customized Security Service Provisioning).
I2NSF is a group effort.
I2NSF has had a number of contributing authors.
The following are considered co-authors:
Hyoungshick Kim (Sungkyunkwan University)
Daeyoung Hyun (Sungkyunkwan University)
Dongjin Hong (Sungkyunkwan University)
Liang Xia (Huawei)
Jung-Soo Park (ETRI)
Tae-Jin Ahn (Korea Telecom)
Se-Hui Lee (Korea Telecom)
References:
Key words for use in RFCs to Indicate Requirement Levels
YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)
Information Model of NSFs Capabilities
A YANG Data Model for Routing Information Base (RIB)
Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)
Framework for Interface to Network Security Functions
The following changes are made from draft-kim-i2nsf-nsf-facing-interface-data-model-03:
Event/Condition/Action Policies are renamed Event/Condition/Action Clauses.
A Resolution Strategy mechanism is added to specify how to resolve conflicts between the actions of the same or different policy rules that are matched and contained in a particular NSF.
A Default Action mechanism is added to specify a predefined action to take when no other action was matched by the currently executing I2NSF Policy Rule.
A statement is added to the Introduction that the data model structure can be mapped to draft-ietf-i2nsf-capability.
Identities are added so that overlapping attributes are combined into a single "Identity" and each appears only once.
Aggregations for the Event, Condition, and Action Objects are added so that the objects can be reused.