[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                            Y. Dong
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: January 1, 2019                                   June 30, 2018


    Configuration of Advanced Security Functions with I2NSF Security
                               Controller
                     draft-dong-i2nsf-asf-config-00

Abstract

   This draft defines a network security function (NSF-) facing
   interface of the security controller for the purpose of configuring
   some advanced security functions.  These advanced security functions
   include antivirus, anti-ddos, and intrusion prevention system (IPS).
   The interface is presented in a YANG data model fashion and can be
   used to deploy a large amount of NSF blocks that all support above
   mentioned functions in the software defined network (SDN) based
   paradigm.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Dong & Xia               Expires January 1, 2019                [Page 1]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
     2.1.  Key Words . . . . . . . . . . . . . . . . . . . . . . . .   2
     2.2.  Definition of Terms . . . . . . . . . . . . . . . . . . .   3
   3.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Data Model Structure  . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Antivirus . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.2.  Anti-ddos . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.3.  Intrusion prevention system . . . . . . . . . . . . . . .   6
   5.  YANG Modules  . . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  28
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  28
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  28
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  28
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  28
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  29
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  29

1.  Introduction

   I2NSF provides a technology and vendor independent way for a
   centralized security controller in a SDN environment to manage and
   configure the distributed NSFs [RFC8329].  The NSFs are automatically
   customized in a programmable manner via a standard interface [I-
   D.ietf-i2nsf-sdn-ipsec-flow-protection].  In the draft [I-D.ietf-
   i2nsf-nsf-facing-interface-dm], it proposed a generic NSF-facing
   interface to manage which action should be applied on which traffic.
   In addition, there is another draft that defined the NSF-facing
   interface for management, including configuration and monitoring, of
   IPsec SAs [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].  In this
   document, we defined another NSF-facing interface for security
   controller to configure some advanced security functions including
   the antivirus, anti-ddos, and IPS profiles.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].



Dong & Xia               Expires January 1, 2019                [Page 2]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


2.2.  Definition of Terms

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" and "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

4.1.  Antivirus

   The following tree diagram shows the interface for configuring
   antivirus detections on incoming and outgoing files.  The file
   transfer protocol type, direction of file transfer, and the action
   applied on the detected virus are able to be configured.  In
   addition, this interface also supports to configure the application
   and signature exception features to apply specific actions on certain
   applications and detected virus respectively.  The anti-virus also
   supports to configure a whitelist for trusted files.















Dong & Xia               Expires January 1, 2019                [Page 3]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


   module: antivirus
      +--rw antivirus
         +--rw antivirus-enable?   boolean
         +--rw profiles
            +--rw profile* [name]
               +--rw name                               string
               +--rw description?                       string
               +--rw collect-attack-evidence-enable?   boolean
               +--rw sandbox-detection-enable?         boolean
               +--rw heuristic-detection-enable?       boolean
               +--rw detect* [protocol-type]
               |  +--rw protocol-type              identityref
               |  +--rw detect-configuration
               |     +--rw direction?         detect-direction
               |     +--rw action?               detect-action
               +--rw exception-application* [application-name]
               |  +--rw application-name                string
               |  +--rw application-action?      detect-action
               +--rw exception-signature-id*            uint64
               +--rw whitelists {antivirus-whitelists}?
                  +--rw match-rules
                  |  +--rw match-rule* [scope type value]
                  |     +--rw scope                match-scope
                  |     +--rw type                  match-type
                  |     +--rw value                     string
                  +--rw source-address*          inet:ip-address
                  +--rw source-range* [start-address end-address]
                  |  +--rw start-address         inet:ip-address
                  |  +--rw end-address           inet:ip-address
                  +--rw destination-address*     inet:ip-address
                  +--rw destin-range* [start-address end-address]
                     +--rw start-address         inet:ip-address
                     +--rw end-address           inet:ip-address

4.2.  Anti-ddos

   The following tree diagram shows the configuration parameters of DDoS
   detection and prevention functions of different types of DDoS
   attacks.

   * SYN flood: The total number of packets that have the same
   destination address are counted in a period of time.  If the counted
   packets number exceeds a pre-defined threshold, the anti-ddos
   function will alert the user/administrator and start up source
   address inspection.

   * UPD flood: The UDP flood packets normally have the same payload or
   the payload changes regularly.  The anti-ddos system is able to



Dong & Xia               Expires January 1, 2019                [Page 4]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


   automatically learn this payload characteristics, which is so called
   fingerprint of the UDP flood attack packets.  And then if a packet
   matches the learned fingerprint, it will be discarded.  For some UDP
   flood attack that does not has a fingerprint, a threshold bandwidth
   will be configured to limit the UDP traffic.

   * HTTP and HTTPS flood: The detection mechanisms for these two
   attacks are similar to SYN flood detection.  The total number of
   packets that have the same destination address are counted in a
   period of time.  A threshold is set for the purpose of alerting.

   * DNS request flood: The anti-ddos system counts the number of DNS
   request packets that have the same destination address in a period of
   time.  Once this number exceeds a configured threshold, the
   prevention function is triggered.  The anti-ddos utilize the DNS
   retransmission mechanism.  It discards the first request packet, and
   then waits for the retransmission of another DNS request passively.
   Or the anti-ddos system sends a response to the client to ask for
   another request with a TCP connection, and then verify the source
   address.

   * DNS reply flood: The anti-ddos system counts the number of DNS
   reply packets that have the same destination address in a period of
   time.  Once this number exceeds a configured threshold, the source
   address inspection is triggered.  The anti-ddos ask the sender to
   send the reply message again with a new query ID and port number.  If
   the second reply message is received and the query ID and port number
   match with the asked one.  This source address will be added into the
   white list.

   * ICMP flood: A threshold is configured to limit the rate of ICMP
   traffic.

   * SIP flood: A threshold is configured to limit the rate of SIP
   traffic.
















Dong & Xia               Expires January 1, 2019                [Page 5]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


   module: antiddos
      +--rw antiddos-config
         +--rw syn-flood
         |  +--rw alert-rate?       uint32
         +--rw udp-flood
         |  +--rw fingerprint
         |  |  +--rw alert-speed?   uint16
         |  +--rw frag-fingerprint
         |  |  +--rw alert-speed?   uint16
         |  +--rw udp-max-speed
         |     +--rw max-speed?     uint32
         +--rw icmp-flood
         |  +--rw max-speed?        uint32
         +--rw http-flood
         |  +--rw mode?             enumeration
         |  +--rw alert-rate?       uint32
         +--rw https-flood
         |  +--rw alert-rate?       uint32
         +--rw dns-requery-flood
         |  +--rw basic-alert-rate? uint32
         |  +--rw authorized-alert-rate?   uint32
         +--rw dns-reply-flood
         |  +--rw alert-rate?       uint32
         +--rw sip-flood
         |  +--rw alert-rate?       uint32
         +--rw detect-mode?         enumeration
         +--rw baseline-learn
            +--rw auto-apply?       boolean
            +--rw start?            boolean
            +--rw mode?             enumeration
            +--rw tolerance-value?  uint16
            +--rw learn-duration?   uint32
            +--rw learn-interval?   uint32

4.3.  Intrusion prevention system

   The following tree diagram shows the interface for configuring the
   IPS.  This interface supports to configure a set of IPS signature-
   based filters to detect known type of attacks and to respond with
   user defined actions such as sending an alert or block the matched
   packets.  The IPS is also able to be configured for preventing DNS
   and HTTP protocol by checking the DNS request packets and HTTP
   headers respectively.

   module: intrusion-prevention-system
      +--rw ips-config
         +--rw ips-enable?             boolean
         +--rw profiles



Dong & Xia               Expires January 1, 2019                [Page 6]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


            +--rw profile* [name]
               +--rw name                  string
               +--rw description?          string
               +--rw collect-attack-evidence-enable?  boolean
               +--rw associated-check-enable?         boolean
               +--rw domain-filter
               |  +--rw domain-filter-enable?   boolean
               |  +--rw action?                 action-type
               +--rw signature-sets
               |  +--rw signature-set* [name]
               |     +--rw name                        string
               |     +--rw action                  action-type
               |     +--rw application
               |     |  +--rw all-application         boolean
               |     |  +--rw specifed-application*   string
               |     +--rw target?                 target-type
               |     +--rw severity*           severity-type
               |     +--rw operating-system*
               |     |          operating-system-type
               |     +--rw protocol
               |     |  +--rw all-protocol         boolean
               |     |  +--rw specifed-protocol*   string
               |     +--rw category
               |        +--rw all-category         boolean
               |        +--rw specifed-category* [name]
               |           +--rw name                string
               |           +--rw all-sub-category    boolean
               |           +--rw sub-category* [name]
               |              +--rw name    string
               +--rw exception-signatures
               |  +--rw exception-signature* [id]
               |     +--rw id              uint32
               |     +--rw action?         action-type
               |     +--rw timeout?        uint32
               +--rw protocol-controlling
                  +--rw dns-check
                  |  +--rw malformed-packet-check-action    action-type
                  |  +--rw domain-name-check-action        action-type
                  |  +--rw domain-name-length-check
                  |  |  +--rw max-length                   unit16
                  |  |  +--rw action                       action-type
                  |  +--rw request-times-check
                  |  |  +--rw max-time                    unit16
                  |  |  +--rw action                      action-type
                  |  +--rw request-type-check* [start-type end-type]
                  |     +--rw start-type  unit32
                  |     +--rw end-type    unit32
                  |     +--rw action      action-type



Dong & Xia               Expires January 1, 2019                [Page 7]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                  +--rw http-check
                     +--rw multi-host-check-action?      action-type
                     +--rw ssh-over-http-check-action?   action-type
                     +--rw x-online-host
                     |  +--rw check-type-action
                     |  |  +--rw type?         http-check-type
                     |  |  +--rw action?           action-type
                     |  +--rw blacklist*               string
                     +--rw x-forwarded-for
                        +--rw check-type-action
                        |  +--rw type?         http-check-type
                        |  +--rw action?           action-type
                        +--rw whitelist*       inet:ip-address

5.  YANG Modules

  module ietf-antivirus {
    yang-version 1.1;

    namespace "urn:ietf:params:xml:ns:yang:ietf-antivirus";
    prefix "antivirus";

    import ietf-inet-types {
      prefix "inet";
    }

    organization
      "Huawei Technologies";

    contact
      "Yue Dong: dongyue6@huawei.com";
      "Liang Xia: Frank.xialiang@huawei.com";

    description
      "This module contains a collection of yang definitions
      for configuring antivirus";

    identity detect-protocol {
      description
        "Base type of antivirus detect protocol.";
    }

    identity http {
      base detect-protocol;
      description "Http protocol.";
    }

    identity ftp {



Dong & Xia               Expires January 1, 2019                [Page 8]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


      base detect-protocol;
      description "Ftp protocol.";
    }

    identity smtp {
      base detect-protocol;
      description "Smtp protocol.";
    }

    identity pop3 {
      base detect-protocol;
      description "Pop3 protocol.";
    }

    identity imap {
      base detect-protocol;
      description "Imap protocol.";
    }

    identity nfs {
      base detect-protocol;
      description "Smb protocol.";
    }

    identity smb {
      base detect-protocol;
      description "Smb protocol.";
    }

    //typedef

    typedef detect-action {
      type enumeration {
        enum alert;
        enum allow;
        enum block;
        enum declare;
        enum delete-attachment;
        enum block-source-ip;
      }
      description
        "This is detect action type in antivirus profile.";
    }

    typedef detect-direction {
      type enumeration {
        enum none;
        enum download;



Dong & Xia               Expires January 1, 2019                [Page 9]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


        enum upload;
        enum both;
      }
      description
        "This is detect direction type in antivirus profile.";
    }

    typedef match-scope {
      type enumeration {
        enum url;
        enum host;
        enum referer;
      }
      description "This is antivirus whitelist match scope.";
    }

    typedef match-type {
      type enumeration {
        enum prefix;
        enum suffix;
        enum fuzzy;
        enum exact;
      }
      description "This is antivirus whitelist match type.";
    }

    //features

    feature sandbox-detect {
      description
        "This feature means the antivirus function supports
        sandbox detection.";
    }

    feature heuristic-detect {
      description
        "This feature means the antivirus function supports
        heuristic detection.";
    }

    feature antivirus-whitelists {
      description
        "This feature means the antivirus function supports
        whitelists.";
    }

    //groupings




Dong & Xia               Expires January 1, 2019               [Page 10]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


    grouping address-range {
      leaf start-address {
        type inet:ip-address;
        description
          "Start address.";
      }

      leaf end-address {
        type inet:ip-address;
        description
          "End address.";
      }
    }

    //configuration

    container antivirus {
      leaf antivirus-enable {
        type boolean;
        description
          "Enable/disable the antivirus.";
      }

      container profiles {
        list profile {
          key "name";

          leaf name {
            type string {
              length "1..32";
            }
            description "The name of the profile.";
          }

          leaf description {
            type string {
              length "1..128";
            }
            description "The description of the profile.";
          }

          leaf collect-attack-evidence-enable {
            type boolean;
            description "Enable/disable collect attack evidence.";
          }

          leaf sandbox-detection-enable {
            if-feature sandbox-detect;



Dong & Xia               Expires January 1, 2019               [Page 11]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


            type boolean;
            description "Enable/disable interworking detect.";
          }

          leaf heuristic-detection-enable {
            if-feature heuristic-detect;
            type boolean;
            description "Enable/disable heuristic detect.";
          }

          list detect {
            key "protocol-type";

            leaf protocol-type {
              type identityref {
                base detect-protocol;
              }
              description "The protocol type of detect.";
            }

            container detect-configuration {
              uses antivirus-detect;
              description "The configuration of antivirus detect.";
            }
          }

          list exception-application {
            key "application-name";

            leaf application-name {
              type string {
                length "1..32";
              }
              description "The exception name of application.";
            }

            leaf application-action {
              type detect-action;
              description "The exception action of application.";
            }
          }

        leaf-list exception-signature-id {
          type uint64;
          description
            "The exception id of antivirus signature, the action
            is allow.";
        }



Dong & Xia               Expires January 1, 2019               [Page 12]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


          container whitelists {
            description "The whitelist of antivirus.";

            if-feature antivirus-whitelists;
            container match-rules {
              description "The match rules of antivirus whitelist.";

              list match-rule {
                key "scope type value";

                leaf scope {
                  type match-scope;
                  description
                    "The scope of antivirus whitelist match rule.";
                }

                leaf type {
                  type match-type;
                  description
                    "The type of antivirus whitelist match rule.";
                }

                leaf value {
                  type string {
                    length "1..128";
                  }
                  description
                    "The value of antivirus whitelist match rule.";
                }
              }
            }

            leaf-list source-address {
              type inet:ip-address;
              description "The source-address of whitelist.";
            }

            list source-address-range {
              key "start-address end-address";
              uses address-range;
            }

            leaf-list destination-address {
              type inet:ip-address;
              description "The destination-address of whitelist.";
            }

            list destination-address-range {



Dong & Xia               Expires January 1, 2019               [Page 13]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


              key "start-address end-address";
              uses address-range;
            }
          }
        }
      }
    }
  }

  module ietf-antiddos {
    yang-version 1.1;

    namespace "urn:ietf:params:xml:ns:yang:ietf-antiddos";
    prefix "antiddos";

    import ietf-inet-types {
      prefix "inet";
    }

    organization
      "Huawei Technologies";

    contact
      "Yue Dong: dongyue6@huawei.com";
      "Liang Xia: Frank.xialiang@huawei.com";

    description
      "This module contains a collection of yang definitions
      for configuring anti-ddos";

    container antiddos-config {
      container syn-flood {
        leaf alert-rate {
          description "syn-flood source-detect alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }
      }

      container udp-flood {
        container fingerprint {
          description
            "anti-ddos udp-flood dynamic-fingerprint-learn";

          leaf  alert-speed {
            description



Dong & Xia               Expires January 1, 2019               [Page 14]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


              "udp-flood dynamic-fingerprint-learn alert-speed";
            type uint16 {
              range "1..10240";
            }
            units Mbps;
          }
        }

        container frag-fingerprint {
          description
            "anti-ddos udp-frag-flood dynamic-fingerprint-learn";

          leaf  alert-speed {
            description
              "udp-frag-flood dynamic-fingerprint-learn alert-speed";
            type uint16 {
              range "1..10240";
            }
            units Mbps;
          }
        }

        container udp-max-speed{
          description "anti-ddos udp-max-speed";

          leaf max-speed {
            description "udp max speed";
            type uint32 {
              range "1..10240";
            }
            units Mbps;
          }
        }
      }

      container icmp-flood {
        leaf max-speed {
          description "icmp max speed";
          type uint32 {
            range "1..1200000";
          }
          units pps;
        }
      }

      container http-flood {
        leaf mode {
          description "anti-ddos http flood source detect mode";



Dong & Xia               Expires January 1, 2019               [Page 15]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


          type enumeration {
            enum advanced {
              description "Indicate advanced source detection";
            }

            enum basic {
              description "Indicate basic source detection";
            }

            enum redirect {
              description "Indicate redirect source detection";
            }
          }
        }

        leaf alert-rate  {
          description "https-flood source-detect alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }
      }

      container https-flood {
        leaf alert-rate  {
          description "https-flood source-detect alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }
      }

      container dns-request-flood {
        leaf basic-alert-rate {
          description
            "dns-requery-flood source-detect basic alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }

        leaf authorized-alert-rate {
          description
            "dns-requery-flood source-detect authorized alert-rate";
          type uint32 {



Dong & Xia               Expires January 1, 2019               [Page 16]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


            range "1..80000000";
          }
          units pps;
        }
      }

      contianer dns-reply-flood {
        leaf alert-rate {
          description "dns-reply-flood source-detect alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }
      }

      container sip-flood {
        leaf alert-rate {
          description "sip-flood source-detect alert-rate";
          type uint32 {
            range "1..80000000";
          }
          units pps;
        }
      }

      leaf detect-mode {
        description "DDoS detect mode";
        type enumeration {
          enum detect-clean {
            description "Detect DDoS attacks and defend against them";
          }

          enum detect-only{
            description "Detect DDoS attacks only";
          }
        }
      }

      container baseline-learn {
        leaf auto-apply {
          description "Apply baseline learning results";
          type boolean;
        }

        leaf start {
          description "Enable baseline learning";
          type boolean;



Dong & Xia               Expires January 1, 2019               [Page 17]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


        }

        leaf mode {
          description "Indicate the baseline learning mode";
          type enumeration {
            enum loop {
              description
                "Indicate that baseline learning is performed periodically";
            }
          }
        }

        leaf tolerance-value {
          description "Indicate the baseline learning tolerance value";
          type uint16 {
            range "0..4000";
          }
        }

        leaf learn-duration {
          description "Indicate the baseline learning duration";
          type uint32 {
            range "1..1200000";
          }
          units minutes;
        }

        leaf learn-interval {
          description "Indicate the interval for baseline learning";
          type uint32 {
            range "1..1200000";
          }
          units minutes;
        }
      }
    }
  }

  module ietf-ips {
    yang-version 1.1;

    namespace "urn:ietf:params:xml:ns:yang:ietf-ips";
    prefix "ips";

    import ietf-inet-types {
      prefix "inet";
    }




Dong & Xia               Expires January 1, 2019               [Page 18]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


    organization
      "Huawei Technologies";

    contact
      "Yue Dong: dongyue6@huawei.com";
      "Liang Xia: Frank.xialiang@huawei.com";

    description
      "This module contains a collection of yang definitions for
      configuring ips";

    typedef operating-system-type {
      type enumeration {
        enum android;
        enum ios;
        enum unix-like;
        enum windows;
        enum other;
      }
      description "The operating system type.";
    }

    typedef severity-type {
      type enumeration {
        enum high;
        enum medium;
        enum low;
        enum information;
      }
      description "The severity filter type.";
    }

    typedef target-type {
      type enumeration {
        enum both;
        enum client;
        enum server;
      }
      description "The target type.";
    }

    typedef action-type {
      type enumeration {
        enum default-type;
        enum alert;
        enum block;
        enum allow;
        enum block-source-ip;



Dong & Xia               Expires January 1, 2019               [Page 19]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


        enum block-destination-ip;
      }
      description "The action type.";
    }

    typedef block-ip-type {
      type enumeration {
        enum block-source-ip;
        enum block-destination-ip;
        enum block-both;
      }
      description "The block ip type.";
    }

    typedef condition-operation {
      type enumeration {
        enum pattern-match;
        enum equal;
        enum greater-than;
        enum less-than;
        enum not-equal;
        enum prefix-match;
      }
      description "The operation type of condition.";
    }

    typedef check-scope-type {
      type enumeration {
        enum flow;
        enum message;
        enum packet;
      }
      description "The checked scope type.";
    }

    typedef check-sequence-type {
      type enumeration {
        enum sequential;
        enum random-order;
      }
      description "The checked sequence type.";
    }

    typedef correlation-type {
      type enumeration {
        enum source;
        enum destination;
        enum source-destination;



Dong & Xia               Expires January 1, 2019               [Page 20]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


      }
      description "The correlation by type.";
    }

    typedef state-type {
      type enumeration {
        enum enable;
        enum disable;
        enum retired;
      }
      description "The status type.";
    }

    typedef http-check-type {
      type enumeration {
        enum any;
        enum multiple;
        enum blacklist;
        enum whitelist;
      }
      description "The http check type.";
    }

    typedef direction-type {
      type enumeration {
        enum both;
        enum from-client;
        enum from-server;
      }
      description "The direction type of packets.";
    }

    container ips-config {
      leaf ips-enable {
        type boolean;
        description
          "Enable/disable the IPS function."
      }

      container profiles {
        list profile {
          key "name";

          leaf name {
            type string;
            description "The name of a profile.";
          }




Dong & Xia               Expires January 1, 2019               [Page 21]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


          leaf description {
            type string;
            description "The description of a profile.";
          }

          leaf collect-attack-evidence-enable {
            type boolean;
            description "Enable/disable attack evidence collection.";
          }

          leaf associated-check-enable {
            type boolean;
            description "Enable/disable associate check.";
          }

          container domain-filter {
            leaf domain-filter-enable {
              type boolean;
              description
                "The commanding and controlling domain filter is enable
                or disable.";
             }

            leaf action {
              when "./domain-filter-enable = 'true' ";
              type action-type;
              description
                "The action type of a commanding and controlling domain
                filter.";
            }
          }

          container signature-sets {
            list signature-set {
              key "name";

              leaf name {
                type string;
                description "The name of a signature set.";
              }

              leaf action {
                type action-type;
                description "The action for a signature set.";
              }

              container application {
                leaf all-application {



Dong & Xia               Expires January 1, 2019               [Page 22]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                  type boolean;
                  mandatory true;
                  description
                    "The all application filtering conditions of a
                    signature set.";
                }

                leaf-list specifed-application {
                  when "./all-application = 'false'";
                  type string;
                  description
                    "The specifed application filtering conditions of
                    a signature set.";
                }
              }

              leaf-leaf target {
                type target-type;
                description
                  "The target type of a signature set.";
              }

              leaf-list severity {
                type severity-type;
                description
                  "The severity type of a signature set.";
              }

              leaf-list operating-system {
                type operating-system-type;
                description
                  "The operating system of a signature set.";
              }

              container protocol {
                leaf all-protocol {
                  type boolean;
                  mandatory true;
                  description
                    "The all protocol filtering conditions of a
                    signature set.";
                }

                leaf-list specifed-protocol {
                  when "./all-protocol = 'false'";
                  type string;
                  description
                    "The specifed protocol filtering conditions of



Dong & Xia               Expires January 1, 2019               [Page 23]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                    a signature set.";
                }
              }

              container category {
                leaf all-category {
                  type boolean;
                  mandatory true;
                  description
                    "The all category filtering conditions of
                    a signature set.";
                }

                list specifed-category {
                  key "name";
                  when "../all-category = 'false'";

                  leaf name {
                    type string;
                    description
                      "The specifed name of category
                      filtering conditions of a signature set.";
                  }

                  leaf all-sub-category {
                    type boolean;
                    mandatory true;
                    description
                      "The all sub-category filtering
                      conditions of a signature set.";
                  }

                  list sub-category {
                    key "name";

                    leaf name {
                      type string;
                      description
                        "The specifed name of sub-category filtering
                        conditions of a signature set.";
                    }
                  }
                }
              }
            }
          }

          container exception-signature {



Dong & Xia               Expires January 1, 2019               [Page 24]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


            list exception-signature {
              key "id";

              leaf id {
                type uint32;
                description "The ID of an exception signature.";
              }

              leaf action {
                type action-type;
                description
                  "This action type of an exception signature.";
              }

              leaf timeout {
                when "./action = 'block-source-ip' \
                     or ./action = 'block-destination-ip'";
                type uint32;
                units 'minute';
                description
                  "The blocking time of an exception signature.";
              }
            }
          }

          container protocol-controlling {
            containter dns-check {
              leaf malformed-packet-check-action {
                type action-type;
                description
                  "The action taking on the checked malformed packets.";
              }

              leaf domain-name-check-action {
                type action-type;
                description
                  "The action taking if the domain name has anomaly
                  characters";
              }

              container domain-name-length-check {
                leaf max-length {
                  type unit16;
                  description
                    "Maximum length allowed for domain name";
                }

                leaf action {



Dong & Xia               Expires January 1, 2019               [Page 25]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                  type action-type;
                  description
                    "The action taking if the length of the domain name
                    exceed the max-length.";
                }
              }

              container request-times-check {
                leaf max-time {
                  type unit16;
                  description
                    "The maximum number of request allowed."
                }

                leaf action {
                  type action-type;
                  description
                    "The action taking if the number of request exceed
                    the max-times";
                }
              }

              list request-type-check {
                key "start-type end-type";

                leaf start-type {
                  type unit32;
                  description
                    "The checked start type of dns request-type.";
                }

                leaf end-type {
                  type unit32;
                  description
                    "The checked end type of dns request-type.";
                }

                leaf action {
                  type action-type;
                  description
                    "The action applied.";
                }
              }
            }

            contaienr http-check {
              leaf  multi-host-action {
                type action-type;



Dong & Xia               Expires January 1, 2019               [Page 26]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                description
                  "The checked action type of http multi-host.";
              }

              leaf ssh-over-http-action {
                type action-type;
                description
                  "The checked action type of http ssh-over-http.";
              }

              container x-online-host {
                description
                  "The checked information of http x-online-host.";

                container check-type-action {
                  description
                    "The checked type and action of http x-online-host.";

                  leaf type {
                    type http-check-type;
                    description "The checked type of http x-online-host.";
                  }

                  leaf action {
                    type action-type;
                    description
                      "The checked action type of http x-online-host.";
                  }
                }

                leaf-list blacklist {
                  type string;
                  description
                    "The checked domain name or IP address of http
                    x-online-host.";
                }
              }

              container x-forwarded-for {
                description
                  "The checked information of http x-forwarded-for.";

                container check-type-action {
                  description
                    "The checked type and action of http x-forwarded-for.";

                  leaf type {
                    type http-check-type;



Dong & Xia               Expires January 1, 2019               [Page 27]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


                    description "The checked type of http x-forwarded-for.";
                  }

                  leaf action {
                    type action-type;
                    description
                      "The checked action type of http x-forwarded-for.";
                  }
                }

                leaf-list whitelist {
                  type inet:ip-address;
                  description
                    "The checked ipv4 address of http x-forwarded-for.";
                }
              }
            }
          }
        }
      }
    }
  }

6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.  Security Considerations

   TBD.

8.  Acknowledgements

   TBD

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.





Dong & Xia               Expires January 1, 2019               [Page 28]


Internet-Draft    Config. Advanced Sec. Func. in I2NSF         June 2018


9.2.  Informative References

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Jung-Soo, P., Hares, S., and l.
              linqiushi@huawei.com, "I2NSF Network Security Function-
              Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-
              facing-interface-dm-00 (work in progress), March 2018.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R. and G. Lopez-Millan, "Software-Defined
              Networking (SDN)-based IPsec Flow Protection", draft-ietf-
              i2nsf-sdn-ipsec-flow-protection-01 (work in progress),
              March 2018.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-05 (work in
              progress), January 2018.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
              <https://www.rfc-editor.org/info/rfc8329>.

Authors' Addresses

   Yue Dong
   Huawei

   Email: dongyue6@huawei.com


   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com














Dong & Xia               Expires January 1, 2019               [Page 29]


Html markup produced by rfcmarkup 1.127, available from https://tools.ietf.org/tools/rfcmarkup/