Hi Linda,
My group checked your questions below and prepared answers as follows.
On Fri, Aug 18, 2017 at 6:37 AM, Linda Dunbar <[email protected]>
wrote:
> Paul,
>
> Thanks.
>
>
>
> Also the “source” and “destination” of the “policy-rule*” in the general
> data model (page 7) shouldn’t be “string”, should it refer to the
> policy-endpoint-groups specified on Page 5 instead?
>
>
>
>
>
> +--rw policy-rule* [policy-rule-id]
>
> | +--rw policy-rule-id string
>
> | +--rw name? string
>
> | +--rw date? yang:date-and-time
>
> | +--rw source?
> policy-endpoint-groups
>
> | +--rw destination?
> policy-endpoint-groups
>
> | +--rw exception? string
>
> | +--rw action? string
>
> | +--rw precedence? uint8
>
>
>
=> Yes, you are right. The source and destination fields have the type of
policy-endpoint-groups according to
the information model of Consumer-Facing Interface:
https://tools.ietf.org/html/draft-kumar-i2nsf-client-
facing-interface-im-03#page-14
More actually, we need to use a reference (called leafref) to the
policy-endpoint-groups's variable as follows:
+-rw security-policy-instance
+-rw policy-rule* [policy-rule-id]
| +-rw policy-rule-id uint16
| +-rw name? string
| +-rw date? yang:date-and-time
| +-rw source? -> /ietf-i2nsf-consumer-facing-
interface/threat-prevention/threat-feed/threat-feed-id
| +-rw destination? -> /ietf-i2nsf-consumer-facing-
interface/policy-endpoint-groups/user-group/user-group-id
| +-rw exception? boolean
| +-rw exception-detail? string
+-rw action* [action-id]
.
.
.
+-rw policy-instance* [policy-instance-id]
+-rw policy-instance-id string
+-rw name? string
+-rw date? yang:date-and-time
+-rw rules? -> /ietf-i2nsf-consumer-facing-
interface/security-policy-instance/policy-rule/policy-rule-id
+-rw scheduling? -> /ietf-i2nsf-consumer-facing-
interface/security-policy-instance/policy-calendar/policy-calendar-id
+-rw owner? string
In the above partial data tree, source refers to threat-feed-id as
an attack source and destination refers to
user-group-id as a protected destination.
In the same way, we let the fields of rules and scheduling have the
type of leafref as a reference.
> On page 7, your “policy-instance” has both “policy-rule*” and
> “policy-instance*” listed under. Is it intended? Or typeo?
>
=> The current information model uses these duplicate name of
policy-instance to represent a security policy instance.
So we rename the first policy-instance as security-policy-instance
above:
I attach the data tree and yang code for the security-policy-instance
for your reference.
Thanks.
Best Regards,
Paul
>
>
> Thanks, Linda
>
>
>
>
>
> *From:* Mr. Jaehoon Paul Jeong [mailto:[email protected]]
> *Sent:* Wednesday, August 16, 2017 7:41 AM
> *To:* Linda Dunbar <[email protected]>
> *Cc:* [email protected]; draft-jeong-i2nsf-consumer-fac
> [email protected]; [email protected];
> [email protected]
> *Subject:* Re: [I2nsf] questions & comments to
> draft-jeong-i2nsf-consumer-facing-interface-dm-03
>
>
>
> Hi Linda,
>
> You are right.
>
> In the revision, we authors will revise the Consumer-Facing Interface data
> model
>
> such that it lists individual values for rules.
>
> Also, we will explicitly list the 'Policy Endpoint Group' and
> 'Custom-List'.
>
>
>
> Thanks for your good points.
>
>
>
> Best Regards,
>
> Paul
>
>
>
> On Wed, Aug 16, 2017 at 8:03 AM, Linda Dunbar <[email protected]>
> wrote:
>
> Paul, Eunsoo, Tae-Jin, Rakesh, and Sue,
>
>
>
> Thank you very much for the updated i2nsf-consumer-facing-interface-dm03,
> which matches much better with the i2nsf-consumer-facing-im draft.
>
>
>
> Just a few questions.
>
>
>
> I noticed that you don’t list individual value for the rules. For example,
> “primary-action” list the “permit”, “deny”, “rate limit”, etc in the
> description:
>
>
>
> leaf primary-action {
>
> type string;
>
> description
>
> "This field identifies the action when a rule
>
> is matched by NSF. The action could be one of
>
> 'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
>
> 'AUTHENTICATE-SESSION', 'IPS, 'APP-FIREWALL', etc.";
>
> }
>
>
>
>
>
> In draft-ietf-netmod-acl-model-11, the actions are listed as explicit
> value.
>
>
>
>
>
> Similar paten goes with the definition of “Source” and “destination”. You
> have:
>
>
>
> leaf source {
>
> type string;
>
> description
>
> "This field identifies the source of
>
> the traffic. This could be reference to
>
> either 'Policy Endpoint Group' or
>
> 'Threat-Feed' or 'Custom-List' if Security
>
> Admin wants to specify the source; otherwise,
>
> the default is to match all traffic.";
>
> }
>
>
>
>
>
> Not an expert in the data model, I am wondering if you need to explicitly
> list the 'Policy Endpoint Group', 'Custom-List', etc
>
>
>
>
>
> Thank you very much,
>
>
>
> Linda
>
>
>
>
> _______________________________________________
> I2nsf mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i2nsf
>
>
>
>
>
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: [email protected], [email protected]
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
> _______________________________________________
> I2nsf mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i2nsf
>
>
--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: [email protected], [email protected]
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
+--rw security-policy-instance
+--rw policy-rule* [policy-rule-id]
| +--rw policy-rule-id uint16
| +--rw name? string
| +--rw date? yang:date-and-time
| +--rw source? ->
/ietf-i2nsf-consumer-facing-interface/threat-prevention/threat-feed/threat-feed-id
| +--rw destination? ->
/ietf-i2nsf-consumer-facing-interface/policy-endpoint-groups/user-group/user-group-id
| +--rw exception? boolean
| +--rw exception-detail? string
+--rw action* [action-id]
| +--rw action-id uint16
| +--rw name? string
| +--rw date? yang:date-and-time
| +--rw primary-action? string
| +--rw secondary-action? string
+--rw precedence* [precedence-id]
| +--rw precedence-id uint16
| +--rw rule-exist? boolean
+--rw event* [event-id]
| +--rw event-id uint16
| +--rw security-event? string
| +--rw threat-map? string
| +--rw enable? boolean
+--rw condition* [condition-id]
| +--rw condition-id uint16
| +--rw service* [service-id] uint16
| +--rw service-name string
| +--rw service-type string
|
+--rw policy-calendar* [policy-calendar-id]
| +--rw policy-calendar-id uint16
| +--rw name? string
| +--rw date? yang:date-and-time
| +--rw enforcement-type? string
| +--rw begin-time? yang:date-and-time
| +--rw end-time? yang:date-and-time
+--rw policy-instance* [policy-instance-id]
+--rw policy-instance-id string
+--rw name? string
+--rw date? yang:date-and-time
+--rw rules? ->
/ietf-i2nsf-consumer-facing-interface/security-policy-instance/policy-rule/policy-rule-id
+--rw scheduling? ->
/ietf-i2nsf-consumer-facing-interface/security-policy-instance/policy-calendar/policy-calendar-id
+--rw owner? string
container security-policy-instance {
description
"this describes the policy instances.";
list policy-rule {
key "policy-rule-id";
description
"This represents the policy-rule of a
policy instance.";
leaf policy-rule-id {
type uint16;
description
"policy rule id.";
}
leaf name {
type string;
description
"Name of the policy-rule.";
}
leaf date {
type yang:date-and-time;
description
"The date when the rule was created.";
}
leaf source {
type leafref {
path
"/ietf-i2nsf-consumer-facing-interface/threat-prevention/threat-feed/threat-feed-id";
}
description
"This references either end-point-group,
threat-feed, or custom-list.";
}
leaf destination {
type leafref {
path
"/ietf-i2nsf-consumer-facing-interface/policy-endpoint-groups/user-group/user-group-id";
}
description
"This references either end-point-group,
threat-feed, or custom-list.";
}
...
...
...
..._______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
