Network Working Group                                             W. Pan
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: April 18, 2019                                 October 15, 2018


       Configuration of Advanced Security Functions with I2NSF
                          Security Controller
                     draft-dong-i2nsf-asf-config-01

Abstract

   This draft defines a network security function (NSF)-facing
   interface of the security controller for configuring a set of
   advanced security functions: antivirus, anti-ddos, and intrusion
   prevention system (IPS).  The interface is expressed as YANG data
   models and can be used to configure a large number of NSF instances
   that support these functions in a software defined network (SDN)
   based deployment.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Pan & Xia                Expires April 18, 2019                 [Page 1]

Internet-Draft      Config. Advanced Sec. Func. in I2NSF    October 2018

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Key Words
     2.2.  Definition of Terms
   3.  Tree Diagrams
   4.  Data Model Structure
     4.1.  Antivirus
     4.2.  Anti-ddos
     4.3.  Intrusion prevention system
   5.  YANG Modules
     5.1.  Antivirus
     5.2.  Anti-ddos
     5.3.  Intrusion prevention system
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   I2NSF provides a technology- and vendor-independent way for a
   centralized security controller in an SDN environment to manage and
   configure distributed NSFs [RFC8329].  The NSFs are customized
   automatically, in a programmable manner, through a standard
   interface.  The draft [I-D.ietf-i2nsf-nsf-facing-interface-dm]
   proposes a generic NSF-facing interface for specifying which action
   is applied to which traffic.
   In addition, another draft defines the NSF-facing interface for the
   management, including configuration and monitoring, of IPsec SAs
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].

   This document defines a further NSF-facing interface through which
   the security controller configures a set of advanced security
   functions: antivirus, anti-ddos, and IPS profiles.  Given the
   variety and complexity of advanced security functions, it is not
   practical to define an interface for every one of them.  Antivirus,
   anti-ddos, and IPS are the most common and most mature advanced
   security functions and are widely deployed.  Standardizing the
   interface to these three functions minimizes the cost of managing
   and configuring them from the security controller in a
   vendor-independent way.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a list or leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

4.1.  Antivirus

   The following tree diagram shows the interface for configuring
   antivirus detection on incoming and outgoing files.  The file
   transfer protocol, the direction of the file transfer, and the action
   applied when a virus is detected can be configured.  The interface
   also supports application and signature exceptions, which apply a
   specific action to files of a given application or to matches of a
   given virus signature, respectively.  Finally, a whitelist can be
   configured that exempts trusted files from detection; entries are
   identified by URL, host, or referer match rules, or by source and
   destination addresses or address ranges.  The whitelist is only
   available when the NSF advertises the "antivirus-whitelists" feature.

   module: ietf-i2nsf-asf-config-antivirus
     +--rw antivirus
        +--rw profiles
           +--rw profile* [name]
              +--rw name                    string
              +--rw description?            string
              +--rw detect* [protocol-type direction]
              |  +--rw protocol-type    detect-protocol
              |  +--rw direction        detect-direction
              |  +--rw action?          detect-action
              +--rw exception-application* [application-name]
              |  +--rw application-name      string
              |  +--rw application-action?   detect-action
              +--rw exception-signature* [signature-id]
              |  +--rw signature-id        uint64
              |  +--rw signature-action?   detect-action
              +--rw whitelists {antivirus-whitelists}?
                 +--rw match-rules
                 |  +--rw match-rule* [scope type value]
                 |     +--rw scope    match-scope
                 |     +--rw type     match-type
                 |     +--rw value    string
                 +--rw source-address*         inet:ip-address
                 +--rw source-address-range* [start-address end-address]
                 |  +--rw start-address    inet:ip-address
                 |  +--rw end-address      inet:ip-address
                 +--rw destination-address*    inet:ip-address
                 +--rw destination-address-range*
                          [start-address end-address]
                    +--rw start-address    inet:ip-address
                    +--rw end-address      inet:ip-address

4.2.  Anti-ddos

   The following tree diagram shows the configuration parameters of the
   DDoS detection and prevention functions for different types of DDoS
   attack.

   *  SYN flood: The total number of packets that have the same
      destination address is counted over a period of time.
      If the number of counted packets exceeds a pre-defined threshold,
      the prevention function is triggered.  The anti-ddos system alerts
      the user/administrator and starts source address inspection or
      the TCP proxy function, as configured.

   *  UDP flood: UDP flood packets normally have the same payload, or a
      payload that changes in a regular way.  The anti-ddos system can
      learn these payload characteristics automatically; the result is
      called the fingerprint of the UDP flood packets.  A packet that
      matches the learned fingerprint is discarded.  For UDP flood
      attacks that do not have a fingerprint, a bandwidth threshold is
      configured to limit the UDP traffic.  If the UDP packets are
      associated with TCP packets, the anti-ddos system can trigger the
      TCP protection measures and use the resulting white list to
      decide whether to discard the UDP packets.

   *  HTTP and HTTPS flood: The detection mechanism for these two
      attacks is similar to SYN flood detection.  The total number of
      packets that have the same destination address is counted over a
      period of time, and a threshold is set for alerting.

   *  DNS request flood: The anti-ddos system counts the number of DNS
      request packets that have the same destination address over a
      period of time.  Once this number exceeds the configured
      threshold, the prevention function is triggered: the anti-ddos
      system sends a response that asks the client to repeat the
      request over a TCP connection, and then verifies the source
      address.

   *  DNS reply flood: The anti-ddos system counts the number of DNS
      reply packets that have the same destination address over a
      period of time.  Once this number exceeds the configured
      threshold, source address inspection is triggered.  The anti-ddos
      system asks the sender to send the reply again with a new query
      ID and port number.
      If the second reply is received and its query ID and port number
      match the requested ones, the source address is added to the
      white list.

   *  ICMP flood: A threshold is configured to limit the rate of ICMP
      traffic.

   *  SIP flood: The anti-ddos system counts the number of SIP request
      packets that have the same destination address over a period of
      time.  If the number of counted packets exceeds a pre-defined
      threshold, source authentication is triggered: the anti-ddos
      system sends an OPTIONS request with a specific branch value to
      verify that the source address exists.  If a reply to that
      OPTIONS request is received, the source address is added to the
      white list.

   module: ietf-i2nsf-asf-config-antiddos
     +--rw antiddos
        +--rw profiles
           +--rw profile* [name]
              +--rw name                  string
              +--rw description?          string
              +--rw syn-flood* [action]
              |  +--rw action        syn-flood-action
              |  +--rw alert-rate?   uint32
              +--rw udp-flood* [action]
              |  +--rw action        udp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw http-flood* [action]
              |  +--rw action        http-flood-action
              |  +--rw alert-rate?   uint32
              +--rw https-flood* [action]
              |  +--rw action        https-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-request-flood* [action]
              |  +--rw action        dns-request-flood-action
              |  +--rw alert-rate?   uint32
              +--rw dns-reply-flood* [action]
              |  +--rw action        dns-reply-flood-action
              |  +--rw alert-rate?   uint32
              +--rw icmp-flood* [action]
              |  +--rw action        icmp-flood-action
              |  +--rw alert-rate?   uint32
              +--rw sip-flood* [action]
              |  +--rw action        sip-flood-action
              |  +--rw alert-rate?   uint32
              +--rw detect-mode?          enumeration
              +--rw baseline-learn
                 +--rw auto-apply?        boolean
                 +--rw start?             boolean
                 +--rw mode?              enumeration
                 +--rw tolerance-value?   uint16
                 +--rw learn-duration?    uint32
                 +--rw learn-interval?    uint32

4.3.  Intrusion prevention system

   The following tree diagram shows the interface for configuring the
   IPS.
   The interface configures a set of signature-based filters (signature
   sets) that detect known types of attack and respond with a
   user-defined action such as raising an alert or blocking the matched
   packets.  Individual signatures can be given their own action through
   exception signatures.

   module: ietf-i2nsf-asf-config-ips
     +--rw ips
        +--rw profiles
           +--rw profile* [name]
              +--rw name                    string
              +--rw description?            string
              +--rw signature-sets
              |  +--rw signature-set* [name]
              |     +--rw name                string
              |     +--rw action?             action-type
              |     +--rw application
              |     |  +--rw all-application          boolean
              |     |  +--rw specified-application*   string
              |     +--rw target?             target-type
              |     +--rw severity*           severity-type
              |     +--rw operating-system*   operating-system-type
              |     +--rw protocol
              |     |  +--rw all-protocol          boolean
              |     |  +--rw specified-protocol*   string
              |     +--rw category
              |        +--rw all-category          boolean
              |        +--rw specified-category* [name]
              |           +--rw name                string
              |           +--rw all-sub-category    boolean
              |           +--rw sub-category* [name]
              |              +--rw name    string
              +--rw exception-signatures
                 +--rw exception-signature* [id]
                    +--rw id         uint32
                    +--rw action?    action-type

5.  YANG Modules

5.1.  Antivirus

   module ietf-i2nsf-asf-config-antivirus {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antivirus";
     prefix asf-config-antivirus;

     import ietf-inet-types {
       prefix inet;
     }

     organization
       "Huawei Technologies";
     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";
     description
       "This module contains a collection of YANG definitions for
        configuring antivirus.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference
         "xxx.";
     }

     typedef detect-protocol {
       type enumeration {
         enum http {
           description "HTTP.";
         }
         enum ftp {
           description "FTP.";
         }
         enum smtp {
           description "SMTP.";
         }
         enum pop3 {
           description "POP3.";
         }
         enum imap {
           description "IMAP.";
         }
         enum nfs {
           description "NFS.";
         }
         enum smb {
           description "SMB.";
         }
       }
       description
         "The protocol types that an antivirus profile can inspect.";
     }

     typedef detect-direction {
       type enumeration {
         enum none {
           description "None.";
         }
         enum download {
           description "Download.";
         }
         enum upload {
           description "Upload.";
         }
         enum both {
           description "Both directions.";
         }
       }
       description
         "The file transfer direction that an antivirus profile
          inspects.";
     }

     typedef detect-action {
       type enumeration {
         enum alert {
           description
             "Permit files and generate virus logs.";
         }
         enum allow {
           description
             "Permit files.";
         }
         enum block {
           description
             "Block files and generate virus logs.";
         }
         enum declare {
           description
             "Permit virus-infected email messages, add information
              announcing the detection of the virus, and generate
              virus logs.";
         }
         enum delete-attachment {
           description
             "Permit virus-infected email messages after deleting their
              attachments, add information announcing the detection of
              the virus, and generate virus logs.";
         }
       }
       description
         "The action taken by an antivirus profile on detection.";
     }

     typedef match-scope {
       type enumeration {
         enum url {
           description "URL.";
         }
         enum host {
           description "Host.";
         }
         enum referer {
           description "Referer.";
         }
       }
       description
         "The scope of an antivirus whitelist match rule.";
     }

     typedef match-type {
       type enumeration {
         enum prefix {
           description "Prefix.";
         }
         enum suffix {
           description "Suffix.";
         }
         enum fuzzy {
           description "Fuzzy.";
         }
         enum exact {
           description "Exact.";
         }
       }
       description
         "The match type of an antivirus whitelist match rule.";
     }

     feature antivirus-whitelists {
       description
         "This feature indicates that the antivirus function supports
          whitelists.";
     }

     grouping address-range {
       description
         "Address range.";
       leaf start-address {
         type inet:ip-address;
         description
           "Start address.";
       }
       leaf end-address {
         type inet:ip-address;
         description
           "End address.";
       }
     }

     container antivirus {
       description
         "Antivirus.";
       container profiles {
         description
           "Profiles.";
         list profile {
           key "name";
           description
             "Antivirus profile.";
           leaf name {
             type string;
             description
               "The name of the profile.";
           }
           leaf description {
             type string;
             description
               "The description of the profile.";
           }
           list detect {
             key "protocol-type direction";
             description
               "Antivirus detection entry.";
             leaf protocol-type {
               type detect-protocol;
               description
                 "The protocol type to inspect.";
             }
             leaf direction {
               type detect-direction;
               description
                 "The transfer direction to inspect.";
             }
             leaf action {
               type detect-action;
               description
                 "The action taken on detection.";
             }
           }
           list exception-application {
             key "application-name";
             description
               "Exceptional application.";
             leaf application-name {
               type string;
               description
                 "The name of the exceptional application.";
             }
             leaf application-action {
               type detect-action;
               description
                 "The action for the exceptional application.";
             }
           }
           list exception-signature {
             key "signature-id";
             description
               "Exceptional signature.";
             leaf signature-id {
               type uint64;
               description
                 "The ID of the excepted antivirus signature.";
             }
             leaf signature-action {
               type detect-action;
               description
                 "The action for the exceptional signature.";
             }
           }
           container whitelists {
             if-feature antivirus-whitelists;
             description
               "The whitelist of the antivirus profile.";
             container match-rules {
               description
                 "The match rules of the antivirus whitelist.";
               list match-rule {
                 key "scope type value";
                 description
                   "A match rule of the antivirus whitelist.";
                 leaf scope {
                   type match-scope;
                   description
                     "The scope of the whitelist match rule.";
                 }
                 leaf type {
                   type match-type;
                   description
                     "The type of the whitelist match rule.";
                 }
                 leaf value {
                   type string;
                   description
                     "The value of the whitelist match rule.";
                 }
               }
             }
             leaf-list source-address {
               type inet:ip-address;
               description
                 "The source addresses of the whitelist.";
             }
             list source-address-range {
               key "start-address end-address";
               description
                 "The source address ranges of the whitelist.";
               uses address-range;
             }
             leaf-list destination-address {
               type inet:ip-address;
               description
                 "The destination addresses of the whitelist.";
             }
             list destination-address-range {
               key "start-address end-address";
               description
                 "The destination address ranges of the whitelist.";
               uses address-range;
             }
           }
         }
       }
     }
   }

5.2.  Anti-ddos

   module ietf-i2nsf-asf-config-antiddos {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-antiddos";
     prefix asf-config-antiddos;

     organization
       "Huawei Technologies";
     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";
     description
       "This module contains a collection of YANG definitions for
        configuring anti-ddos.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference
         "xxx.";
     }

     typedef syn-flood-action {
       type enumeration {
         enum tcp-proxy {
           description
             "TCP proxy function.";
         }
         enum tcp-source-authentication {
           description
             "Authenticate the source addresses of TCP packets.";
         }
       }
       description
         "The detection action type of syn-flood.";
     }

     typedef udp-flood-action {
       type enumeration {
         enum fingerprint-learning {
           description
             "Learn the fingerprint of UDP packets.";
         }
         enum udp-tcp-association {
           description
             "Authenticate the source addresses of the TCP packets
              associated with the UDP packets.";
         }
         enum traffic-limit {
           description
             "Limit the UDP traffic.";
         }
       }
       description
         "The detection action type of udp-flood.";
     }

     typedef http-flood-action {
       type enumeration {
         enum source-authentication-meta-refresh {
           description
             "Authenticate the source addresses of HTTP packets by
              means of a meta refresh.";
         }
         enum source-authentication-code-based {
           description
             "Authenticate the source addresses of HTTP packets by
              a code-based method.";
         }
         enum source-authentication-302-redirect {
           description
             "Authenticate the source addresses of HTTP packets by
              means of a 302 redirect.";
         }
       }
       description
         "The detection action type of http-flood.";
     }

     typedef https-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of HTTPS packets.";
         }
       }
       description
         "The detection action type of https-flood.";
     }

     typedef dns-request-flood-action {
       type enumeration {
         enum source-authentication-dns-cache-server {
           description
             "Authenticate the source addresses of DNS request packets
              for a DNS cache server.";
         }
         enum source-authentication-dns-authoritative-server {
           description
             "Authenticate the source addresses of DNS request packets
              for a DNS authoritative server.";
         }
       }
       description
         "The detection action type of dns-request-flood.";
     }

     typedef dns-reply-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of DNS reply packets.";
         }
       }
       description
         "The detection action type of dns-reply-flood.";
     }

     typedef icmp-flood-action {
       type enumeration {
         enum traffic-limit {
           description
             "Limit the ICMP traffic.";
         }
       }
       description
         "The detection action type of icmp-flood.";
     }

     typedef sip-flood-action {
       type enumeration {
         enum source-authentication {
           description
             "Authenticate the source addresses of SIP packets.";
         }
       }
       description
         "The detection action type of sip-flood.";
     }

     container antiddos {
       description
         "Anti-ddos.";
       container profiles {
         description
           "Profiles.";
         list profile {
           key "name";
           description
             "Anti-ddos profile.";
           leaf name {
             type string;
             description
               "The name of the profile.";
           }
           leaf description {
             type string;
             description
               "The description of the profile.";
           }
           list syn-flood {
             key "action";
             description
               "SYN flood detection.";
             leaf action {
               type syn-flood-action;
               description
                 "The action of syn-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of syn-flood detection.";
             }
           }
           list udp-flood {
             key "action";
             description
               "UDP flood detection.";
             leaf action {
               type udp-flood-action;
               description
                 "The action of udp-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of udp-flood detection.";
             }
           }
           list http-flood {
             key "action";
             description
               "HTTP flood detection.";
             leaf action {
               type http-flood-action;
               description
                 "The action of http-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of http-flood detection.";
             }
           }
           list https-flood {
             key "action";
             description
               "HTTPS flood detection.";
             leaf action {
               type https-flood-action;
               description
                 "The action of https-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of https-flood detection.";
             }
           }
           list dns-request-flood {
             key "action";
             description
               "DNS request flood detection.";
             leaf action {
               type dns-request-flood-action;
               description
                 "The action of dns-request-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of dns-request-flood detection.";
             }
           }
           list dns-reply-flood {
             key "action";
             description
               "DNS reply flood detection.";
             leaf action {
               type dns-reply-flood-action;
               description
                 "The action of dns-reply-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of dns-reply-flood detection.";
             }
           }
           list icmp-flood {
             key "action";
             description
               "ICMP flood detection.";
             leaf action {
               type icmp-flood-action;
               description
                 "The action of icmp-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of icmp-flood detection.";
             }
           }
           list sip-flood {
             key "action";
             description
               "SIP flood detection.";
             leaf action {
               type sip-flood-action;
               description
                 "The action of sip-flood detection.";
             }
             leaf alert-rate {
               type uint32;
               description
                 "The alert rate of sip-flood detection.";
             }
           }
           leaf detect-mode {
             type enumeration {
               enum detect-clean {
                 description
                   "Detect DDoS attacks and defend against them.";
               }
               enum detect-only {
                 description
                   "Detect DDoS attacks only.";
               }
             }
             description
               "DDoS detection mode.";
           }
           container baseline-learn {
             description
               "Alert rate baseline learning.";
             leaf auto-apply {
               type boolean;
               description
                 "Apply the baseline learning results automatically.";
             }
             leaf start {
               type boolean;
               description
                 "Enable baseline learning.";
             }
             leaf mode {
               type enumeration {
                 enum loop {
                   description
                     "Baseline learning is performed periodically.";
                 }
                 enum once {
                   description
                     "Baseline learning is performed once.";
                 }
               }
               description
                 "The baseline learning mode.";
             }
             leaf tolerance-value {
               type uint16;
               description
                 "The baseline learning tolerance value.";
             }
             leaf learn-duration {
               type uint32;
               description
                 "The baseline learning duration.";
             }
             leaf learn-interval {
               type uint32;
               description
                 "The interval between baseline learning runs.";
             }
           }
         }
       }
     }
   }

5.3.  Intrusion prevention system

   module ietf-i2nsf-asf-config-ips {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-asf-config-ips";
     prefix asf-config-ips;

     organization
       "Huawei Technologies";
     contact
       "Wei Pan: william.panwei@huawei.com
        Liang Xia: Frank.xialiang@huawei.com";
     description
       "This module contains a collection of YANG definitions for
        configuring IPS.";

     revision 2018-10-15 {
       description
         "Init revision.";
       reference
         "xxx.";
     }

     typedef action-type {
       type enumeration {
         enum default-type {
           description "Default action type.";
         }
         enum alert {
           description "Alert.";
         }
         enum block {
           description "Block.";
         }
         enum allow {
           description "Allow.";
         }
       }
       description
         "The action type.";
     }

     typedef target-type {
       type enumeration {
         enum both {
           description "Both client and server.";
         }
         enum client {
           description "Client.";
         }
         enum server {
           description "Server.";
         }
       }
       description
         "The target type.";
     }

     typedef severity-type {
       type enumeration {
         enum high {
           description "High.";
         }
         enum medium {
           description "Medium.";
         }
         enum low {
           description "Low.";
         }
         enum information {
           description "Information.";
         }
       }
       description
         "The severity filter type.";
     }

     typedef operating-system-type {
       type enumeration {
         enum android {
           description "Android OS.";
         }
         enum ios {
           description "iOS.";
         }
         enum unix-like {
           description "UNIX-like OS.";
         }
         enum windows {
           description "Windows OS.";
         }
         enum other {
           description "Other OS.";
         }
       }
       description
         "The operating system type.";
     }

     container ips {
       description
         "Intrusion prevention system.";
       container profiles {
         description
           "Profiles.";
         list profile {
           key "name";
           description
             "IPS profile.";
           leaf name {
             type string;
             description
               "The name of a profile.";
           }
           leaf description {
             type string;
             description
               "The description of a profile.";
           }
           container signature-sets {
             description
               "Signature sets.";
             list signature-set {
               key "name";
               description
                 "Signature set.";
               leaf name {
                 type string;
                 description
                   "The name of a signature set.";
               }
               leaf action {
                 type action-type;
                 description
                   "The action for a signature set.";
               }
               container application {
                 description
                   "Application filtering conditions.";
                 leaf all-application {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      applications.";
                 }
                 leaf-list specified-application {
                   when "../all-application = 'false'";
                   type string;
                   description
                     "The applications the signature set applies to
                      when all-application is false.";
                 }
               }
               leaf target {
                 type target-type;
                 description
                   "The target type of a signature set.";
               }
               leaf-list severity {
                 type severity-type;
                 description
                   "The severity types of a signature set.";
               }
               leaf-list operating-system {
                 type operating-system-type;
                 description
                   "The operating systems of a signature set.";
               }
               container protocol {
                 description
                   "Protocol filtering conditions.";
                 leaf all-protocol {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      protocols.";
                 }
                 leaf-list specified-protocol {
                   when "../all-protocol = 'false'";
                   type string;
                   description
                     "The protocols the signature set applies to when
                      all-protocol is false.";
                 }
               }
               container category {
                 description
                   "Category filtering conditions.";
                 leaf all-category {
                   type boolean;
                   mandatory true;
                   description
                     "Whether the signature set applies to all
                      categories.";
                 }
                 list specified-category {
                   when "../all-category = 'false'";
                   key "name";
                   description
                     "A category the signature set applies to when
                      all-category is false.";
                   leaf name {
                     type string;
                     description
                       "The name of the category.";
                   }
                   leaf all-sub-category {
                     type boolean;
                     mandatory true;
                     description
                       "Whether the signature set applies to all
                        sub-categories of this category.";
                   }
                   list sub-category {
                     when "../all-sub-category = 'false'";
                     key "name";
                     description
                       "A sub-category the signature set applies to
                        when all-sub-category is false.";
                     leaf name {
                       type string;
                       description
                         "The name of the sub-category.";
                     }
                   }
                 }
               }
             }
           }
           container exception-signatures {
             description
               "Exceptional signatures.";
             list exception-signature {
               key "id";
               description
                 "Exceptional signature.";
               leaf id {
                 type uint32;
                 description
                   "The ID of an exception signature.";
               }
               leaf action {
                 type action-type;
                 description
                   "The action type of an exception signature.";
               }
             }
           }
         }
       }
     }
   }

6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.
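   The following is a worked example added by the editor; it is not
   code from this draft or from its authors.  It shows how a security
   controller could encode an anti-ddos profile of the
   ietf-i2nsf-asf-config-antiddos module (Section 5.2) as RFC 7951 JSON
   for a RESTCONF request while enforcing the module's list-key,
   enumeration and uint32 constraints, and how an NSF could act on the
   alert-rate, detect-mode and baseline-learn leaves for the SYN flood
   case of Section 4.2.  The length of the counting period, the reading
   of alert-rate as SYN packets per destination per period, the use of
   tolerance-value as a percentage added to the learned peak rate, and
   the packet tuples are assumptions of this example, not statements of
   the draft.

```python
"""Editor's example for draft-dong-i2nsf-asf-config-01 (not the
draft's own code).  Encodes an anti-ddos profile as RFC 7951 JSON and
shows SYN flood detection driven by alert-rate, detect-mode and
baseline-learn.  Period length, rate units, tolerance-value semantics
and the packet format are assumptions made here."""
import json
from collections import Counter

MODULE = "ietf-i2nsf-asf-config-antiddos"
# Enumerations copied from the module's typedefs.
SYN_FLOOD_ACTIONS = {"tcp-proxy", "tcp-source-authentication"}
DETECT_MODES = {"detect-clean", "detect-only"}
UINT32_MAX = 0xFFFFFFFF


def build_profile(name, syn_flood, detect_mode="detect-clean", baseline=None):
    """Return one 'profile' list entry.  syn_flood is a list of
    (action, alert_rate) pairs; the YANG list is keyed on 'action', so a
    duplicate action is rejected the way a NETCONF server would."""
    if detect_mode not in DETECT_MODES:
        raise ValueError("unknown detect-mode %r" % detect_mode)
    entries, seen = [], set()
    for action, rate in syn_flood:
        if action not in SYN_FLOOD_ACTIONS:
            raise ValueError("unknown syn-flood-action %r" % action)
        if action in seen:
            raise ValueError("duplicate syn-flood key %r" % action)
        seen.add(action)
        entry = {"action": action}
        if rate is not None:
            if not 0 <= rate <= UINT32_MAX:
                raise ValueError("alert-rate must be a uint32")
            entry["alert-rate"] = rate
        entries.append(entry)
    profile = {"name": name, "syn-flood": entries, "detect-mode": detect_mode}
    if baseline is not None:
        profile["baseline-learn"] = dict(baseline)
    return profile


def restconf_body(profiles):
    """RFC 7951 encoding: the top-level container is module-qualified."""
    body = {MODULE + ":antiddos": {"profiles": {"profile": profiles}}}
    return json.dumps(body, sort_keys=True)


def apply_baseline(profile, learned_rates):
    """If baseline learning is started with auto-apply, derive alert-rate
    from the peak rate seen during learning plus tolerance-value percent
    (assumed semantics) and write it into every syn-flood entry.
    Returns the new alert-rate, or None when nothing was applied."""
    bl = profile.get("baseline-learn", {})
    if not (bl.get("start") and bl.get("auto-apply")):
        return None
    peak = max(learned_rates)
    rate = peak + peak * bl.get("tolerance-value", 0) // 100
    for entry in profile["syn-flood"]:
        entry["alert-rate"] = rate
    return rate


def detect_syn_flood(profile, packets, window=1):
    """Count pure SYNs per destination in each window (assumed period)
    and compare with the alert-rate of the profile's first syn-flood
    entry.  Returns (window_start, dst, count, action) tuples; action is
    None in detect-only mode because the NSF must not enforce then."""
    if not profile["syn-flood"] or "alert-rate" not in profile["syn-flood"][0]:
        return []
    entry = profile["syn-flood"][0]
    buckets = {}
    for ts, _src, dst, flags in packets:
        if "S" in flags and "A" not in flags:  # SYN without ACK
            buckets.setdefault(ts // window * window, Counter())[dst] += 1
    enforce = profile["detect-mode"] == "detect-clean"
    alerts = []
    for start in sorted(buckets):
        for dst, count in buckets[start].items():
            if count > entry["alert-rate"]:
                alerts.append((start, dst, count, entry["action"] if enforce else None))
    return alerts


# Constructed sample traffic: one normal handshake in second 0, then 250
# SYNs from spoofed sources against 10.0.0.5 in second 1.
SAMPLE_PACKETS = (
    [(0, "192.0.2.10", "10.0.0.5", "S"), (0, "10.0.0.5", "192.0.2.10", "SA")]
    + [(1, "198.51.100.%d" % (i % 254 + 1), "10.0.0.5", "S") for i in range(250)]
    + [(1, "192.0.2.11", "10.0.0.6", "S")]
)

if __name__ == "__main__":
    prof = build_profile("edge-1", [("tcp-source-authentication", 100)])
    print(restconf_body([prof]))
    print(detect_syn_flood(prof, SAMPLE_PACKETS))
```

   Run stand-alone, the script prints the RESTCONF body and the single
   alert raised by the constructed flood.  A controller would send that
   body with a PUT or PATCH to the NSF's RESTCONF datastore resource for
   ietf-i2nsf-asf-config-antiddos:antiddos (the RESTCONF root is
   typically /restconf, as in RFC 8040).  The detect-only branch matters
   operationally: it lets an operator validate a learned alert-rate
   against live traffic before switching the profile to detect-clean.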
7.  Security Considerations

   TBD.

8.  Acknowledgements

   TBD.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

9.2.  Informative References

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Jung-Soo, P., Hares, S., and
              l. linqiushi@huawei.com, "I2NSF Network Security
              Function-Facing Interface YANG Data Model",
              draft-ietf-i2nsf-nsf-facing-interface-dm-00 (work in
              progress), March 2018.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R. and G. Lopez-Millan, "Software-Defined
              Networking (SDN)-based IPsec Flow Protection",
              draft-ietf-i2nsf-sdn-ipsec-flow-protection-01 (work in
              progress), March 2018.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and
              H. Birkholz, "Interface to Network Security Functions
              (I2NSF) Terminology", draft-ietf-i2nsf-terminology-05
              (work in progress), January 2018.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and
              R. Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February
              2018.

Authors' Addresses

   Wei Pan
   Huawei

   Email: william.panwei@huawei.com


   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com