netconfcentral logo

ietf-i2nsf-nsf-facing-interface

HTML

ietf-i2nsf-nsf-facing-interface@2017-10-30



  module ietf-i2nsf-nsf-facing-interface {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-facing-interface";

    prefix nsf-facing-interface;

    import ietf-inet-types {
      prefix inet;
    }
    import ietf-yang-types {
      prefix yang;
    }

    organization
      "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

    contact
      "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>

     WG Chair: Adrian Farrel
     <mailto:Adrain@olddog.co.uk>

     WG Chair: Linda Dunbar
     <mailto:Linda.duhbar@huawei.com>

     Editor: Jingyong Tim Kim
     <mailto:timkim@skku.edu>

     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>

     Editor: Susan Hares
     <mailto:shares@ndzh.com>";

    description
      "This module defines a YANG data module for network security
     functions.";

    revision "2017-10-30" {
      description "The third revision";
      reference
        "draft-ietf-i2nsf-capability-00";

    }


    typedef sec-event-format {
      type enumeration {
        enum "unknown" {
          value 0;
          description
            "If SecEventFormat is unknown";
        }
        enum "guid" {
          value 1;
          description
            "If SecEventFormat is GUID
              (Generic Unique IDentifier)";
        }
        enum "uuid" {
          value 2;
          description
            "If SecEventFormat is UUID
              (Universal Unique IDentifier)";
        }
        enum "uri" {
          value 3;
          description
            "If SecEventFormat is URI
              (Uniform Resource Identifier)";
        }
        enum "fqdn" {
          value 4;
          description
            "If SecEventFormat is FQDN
              (Fully Qualified Domain Name)";
        }
        enum "fqpn" {
          value 5;
          description
            "If SecEventFormat is FQPN
              (Fully Qualified Path Name)";
        }
      }
      description
        "This is used for SecEventFormat.";
    }

    typedef ingress-action {
      type enumeration {
        enum "pass" {
          value 0;
          description
            "If ingress action is pass";
        }
        enum "drop" {
          value 1;
          description
            "If ingress action is drop";
        }
        enum "reject" {
          value 2;
          description
            "If ingress action is reject";
        }
        enum "alert" {
          value 3;
          description
            "If ingress action is alert";
        }
        enum "mirror" {
          value 4;
          description
            "If ingress action is mirror";
        }
      }
      description
        "This is used for ingress action.";
    }

    typedef egress-action {
      type enumeration {
        enum "invoke-signaling" {
          value 0;
          description
            "If egress action is invoke signaling";
        }
        enum "tunnel-encapsulation" {
          value 1;
          description
            "If egress action is tunnel encapsulation";
        }
        enum "forwarding" {
          value 2;
          description
            "If egress action is forwarding";
        }
        enum "redirection" {
          value 3;
          description
            "If egress action is redirection";
        }
      }
      description
        "This is used for egress action.";
    }

    identity ECA-OBJECT-TYPE {
      base 
      description "TBD";
    }

    identity ECA-EVENT-TYPE {
      base ECA-OBJECT-TYPE;
      description "TBD";
    }

    identity ECA-CONDITION-TYPE {
      base ECA-OBJECT-TYPE;
      description "TBD";
    }

    identity ECA-ACTION-TYPE {
      base ECA-OBJECT-TYPE;
      description "TBD";
    }

    identity EVENT-USER-TYPE {
      base ECA-EVENT-TYPE;
      description "TBD";
    }

    identity EVENT-DEV-TYPE {
      base ECA-EVENT-TYPE;
      description "TBD";
    }

    identity EVENT-SYS-TYPE {
      base ECA-EVENT-TYPE;
      description "TBD";
    }

    identity EVENT-TIME-TYPE {
      base ECA-EVENT-TYPE;
      description "TBD";
    }

    grouping i2nsf-eca-object-type {
      description "TBD";
      leaf entity-class {
        type identityref {
          base ECA-OBJECT-TYPE;
        }
        description "TBD";
      }

      leaf eca-object-id {
        type string;
        description "TBD";
      }
    }  // grouping i2nsf-eca-object-type

    grouping i2nsf-event-type {
      description "TBD";
      leaf manual {
        type string;
        description
          "This is manual for event.
          Vendors can write instructions for event
          that vendor made";
      }

      leaf sec-event-content {
        type string;
        mandatory true;
        description
          "This is a mandatory string that contains the content
          of the SecurityEvent. The format of the content
          is specified in the SecEventFormat class
          attribute, and the type of event is defined in the
          SecEventType class attribute. An example of the
          SecEventContent attribute is a string hrAdmin,
          with the SecEventFormat set to 1 (GUID) and the
          SecEventType attribute set to 5 (new logon).";
      }

      leaf sec-event-format {
        type sec-event-format;
        mandatory true;
        description
          "This is a mandatory uint 8 enumerated integer, which
          is used to specify the data type of the
          SecEventContent attribute. The content is
          specified in the SecEventContent class attribute,
          and the type of event is defined in the
          SecEventType class attribute. An example of the
          SecEventContent attribute is string hrAdmin,
          with the SecEventFormat attribute set to 1 (GUID)
          and the SecEventType attribute set to 5
          (new logon).";
      }

      leaf sec-event-type {
        type string;
        mandatory true;
        description
          "This is a mandatory uint 8 enumerated integer, which
          is used to specify the type of event that involves
          this user. The content and format are specified in
          the SecEventContent and SecEventFormat class
          attributes, respectively. An example of the
          SecEventContent attribute is string hrAdmin,
          with the SecEventFormat attribute set to 1 (GUID)
          and the SecEventType attribute set to 5
         (new logon).";
      }
    }  // grouping i2nsf-event-type

    container generic-nsf {
      description
        "Configuration for Generic Network Security Functions.";
      list i2nsf-security-policy {
        key "policy-name";
        description
          "policy is a list
       including a set of security rules according to certain logic,
       i.e., their similarity or mutual relations, etc. The network
       security policy is able to apply over both the unidirectional
       and bidirectional traffic across the NSF.";
        leaf policy-name {
          type string;
          mandatory true;
          description
            "The name of the policy.
           This must be unique.";
        }

        container time-zone {
          description
            "This can be used to apply rules according to time";
          leaf start-time {
            type yang:date-and-time;
            description
              "This is start time for time zone";
          }

          leaf end-time {
            type yang:date-and-time;
            description
              "This is end time for time zone";
          }
        }  // container time-zone

        list eca-policy-rules {
          key "rule-id";
          description
            "This is a rule for network security functions.";
          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The id of the rule.
             This must be unique.";
          }

          leaf rule-description {
            type string;
            description
              "This description gives more information about
             rules.";
          }

          leaf rule-rev {
            type uint8;
            description
              "This shows rule version.";
          }

          leaf rule-priority {
            type uint8;
            description
              "The priority keyword comes with a mandatory
             numeric value which can range from 1 till 255.";
          }

          leaf-list policy-event-clause-agg-ptr {
            type instance-identifier;
            must
              'derived-from-or-self (/event-clause-container/
            event-clause-list/entity-class, "ECA-EVENT-TYPE")';
            description "TBD";
          }

          leaf-list policy-condition-clause-agg-ptr {
            type instance-identifier;
            must
              'derived-from-or-self (/condition-clause-container/
            condition-clause-list/entity-class, "ECA-CONDITION-TYPE")';
            description "TBD";
          }

          leaf-list policy-action-clause-agg-ptr {
            type instance-identifier;
            must
              'derived-from-or-self (/action-clause-container/
            action-clause-list/entity-class, "ECA-ACTION-TYPE")';
            description "TBD";
          }
        }  // list eca-policy-rules

        container resolution-strategy {
          description
            "The resolution strategies can be used to
            specify how to resolve conflicts that occur between
            the actions of the same or different policy rules that
            are matched and contained in this particular NSF";
          choice resolution-strategy-type {
            description
              "Vendors can use YANG data model to configure rules";
            leaf first-matching-rule {
              type boolean;
              description
                "If the resolution strategy is first matching rule";
            }
            leaf last-matching-rule {
              type boolean;
              description
                "If the resolution strategy is last matching rule";
            }
          }  // choice resolution-strategy-type
        }  // container resolution-strategy

        container default-action {
          description
            "This default action can be used to specify a predefined
            action when no other alternative action was matched
            by the currently executing I2NSF Policy Rule. An analogy
            is the use of a default statement in a C switch statement.";
          leaf default-action-type {
            type ingress-action;
            description
              "Ingress action type: permit, deny, and mirror.";
          }
        }  // container default-action
      }  // list i2nsf-security-policy
    }  // container generic-nsf

    container event-clause-container {
      description "TBD";
      list event-clause-list {
        key "eca-object-id";
        description
          " This is abstract. An event is defined as any important
          occurrence in time of a change in the system being
          managed, and/or in the environment of the system being
          managed. When used in the context of policy rules for
          a flow-based NSF, it is used to determine whether the
          Condition clause of the Policy Rule can be evaluated
          or not. Examples of an I2NSF event include time and
          user actions (e.g., logon, logoff, and actions that
          violate any ACL.).";
        uses i2nsf-eca-object-type {
          refine entity-class {
            default 'ECA-EVENT-TYPE';
          }
        }

        uses i2nsf-event-type;
      }  // list event-clause-list
    }  // container event-clause-container

    container condition-clause-container {
      description "TBD";
      list condition-clause-list {
        key "eca-object-id";
        description
          " This is abstract.  A condition is defined as a set
          of attributes, features, and/or values that are to be
          compared with a set of known attributes, features,
          and/or values in order to determine whether or not the
          set of Actions in that (imperative) I2NSF Policy Rule
          can be executed or not. Examples of I2NSF Conditions
          include matching attributes of a packet or flow, and
          comparing the internal state of an NSF to a desired
          state.";
        uses i2nsf-eca-object-type {
          refine entity-class {
            default 'ECA-CONDITION-TYPE';
          }
        }

        choice condition-type {
          description
            "Vendors can use YANG data model to configure rules
            by concreting this condition type";
          case packet-security-condition {
            leaf packet-manual {
              type string;
              description
                "This is manual for packet condition.
                Vendors can write instructions for packet condition
                that vendor made";
            }

            container packet-security-mac-condition {
              description
                "The purpose of this Class is to represent packet MAC
               packet header information that can be used as part of
               a test to determine if the set of Policy Actions in
               this ECA Policy Rule should be execute or not.";
              leaf-list pkt-sec-cond-mac-dest {
                type yang:phys-address;
                description
                  "The MAC destination address (6 octets long).";
              }

              leaf-list pkt-sec-cond-mac-src {
                type yang:phys-address;
                description
                  "The MAC source address (6 octets long).";
              }

              leaf-list pkt-sec-cond-mac-8021q {
                type string;
                description
                  "This is an optional string attribute, and defines
                   The 802.1Q tab value (2 octets long).";
              }

              leaf-list pkt-sec-cond-mac-ether-type {
                type string;
                description
                  "The EtherType field (2 octets long). Values up to
                   and including 1500 indicate the size of the
                   payload in octets; values of 1536 and above
                   define which protocol is encapsulated in the
                   payload of the frame.";
              }

              leaf-list pkt-sec-cond-mac-tci {
                type string;
                description
                  "This is an optional string attribute, and defines
                  the Tag Control Information. This consists of a 3
                  bit user priority field, a drop eligible indicator
                  (1 bit), and a VLAN identifier (12 bits).";
              }
            }  // container packet-security-mac-condition

            container packet-security-ipv4-condition {
              description
                "The purpose of this Class is to represent IPv4
                 packet header information that can be used as
                 part of a test to determine if the set of Policy
                 Actions in this ECA Policy Rule should be executed
                 or not.";
              leaf-list pkt-sec-cond-ipv4-header-length {
                type uint8;
                description
                  "The IPv4 packet header consists of 14 fields,
                   of which 13 are required.";
              }

              leaf-list pkt-sec-cond-ipv4-tos {
                type uint8;
                description
                  "The ToS field could specify a datagram's priority
                   and request a route for low-delay,
                   high-throughput, or highly-reliable service..";
              }

              leaf-list pkt-sec-cond-ipv4-total-length {
                type uint16;
                description
                  "This 16-bit field defines the entire packet size,
                   including header and data, in bytes.";
              }

              leaf-list pkt-sec-cond-ipv4-id {
                type uint8;
                description
                  "This field is an identification field and is
                   primarily used for uniquely identifying
                   the group of fragments of a single IP datagram.";
              }

              leaf-list pkt-sec-cond-ipv4-fragment {
                type uint8;
                description
                  "IP fragmentation is an Internet Protocol (IP)
                   process that breaks datagrams into smaller pieces
                   (fragments), so that packets may be formed that
                   can pass through a link with a smaller maximum
                   transmission unit (MTU) than the original
                   datagram size.";
              }

              leaf-list pkt-sec-cond-ipv4-fragment-offset {
                type uint16;
                description
                  "Fragment offset field along with Don't Fragment
                   and More Fragment flags in the IP protocol
                   header are used for fragmentation and reassembly
                   of IP datagrams.";
              }

              leaf-list pkt-sec-cond-ipv4-ttl {
                type uint8;
                description
                  "The ttl keyword is used to check for a specific
                   IP time-to-live value in the header of
                   a packet.";
              }

              leaf-list pkt-sec-cond-ipv4-protocol {
                type uint8;
                description
                  "Internet Protocol version 4(IPv4) is the fourth
                   version of the Internet Protocol (IP).";
              }

              leaf-list pkt-sec-cond-ipv4-src {
                type inet:ipv4-address;
                description
                  "Defines the IPv4 Source Address.";
              }

              leaf-list pkt-sec-cond-ipv4-dest {
                type inet:ipv4-address;
                description
                  "Defines the IPv4 Destination Address.";
              }

              leaf pkt-sec-cond-ipv4-ipopts {
                type string;
                description
                  "With the ipopts keyword you can check if
                   a specific ip option is set. Ipopts has
                   to be used at the beginning of a rule.";
              }

              leaf pkt-sec-cond-ipv4-sameip {
                type boolean;
                description
                  "Every packet has a source IP-address and
                   a destination IP-address. It can be that
                   the source IP is the same as
                   the destination IP.";
              }

              leaf-list pkt-sec-cond-ipv4-geoip {
                type string;
                description
                  "The geoip keyword enables you to match on
                   the source, destination or source and destination
                   IP addresses of network traffic and to see to
                   which country it belongs. To do this, Suricata
                   uses GeoIP API with MaxMind database format.";
              }
            }  // container packet-security-ipv4-condition

            container packet-security-ipv6-condition {
              description
                "The purpose of this Class is to represent packet
                 IPv6 packet header information that can be used as
                 part of a test to determine if the set of Policy
                 Actions in this ECA Policy Rule should be executed
                 or not.";
              leaf-list pkt-sec-cond-ipv6-dscp {
                type string;
                description
                  "Differentiated Services Code Point (DSCP)
                   of ipv6.";
              }

              leaf-list pkt-sec-cond-ipv6-ecn {
                type string;
                description
                  "ECN allows end-to-end notification of network
                   congestion without dropping packets.";
              }

              leaf-list pkt-sec-cond-ipv6-traffic-class {
                type uint8;
                description
                  "The bits of this field hold two values. The 6
                   most-significant bits are used for
                   differentiated services, which is used to
                   classify packets.";
              }

              leaf-list pkt-sec-cond-ipv6-flow-label {
                type uint32;
                description
                  "The flow label when set to a non-zero value
                   serves as a hint to routers and switches
                   with multiple outbound paths that these
                   packets should stay on the same path so that
                   they will not be reordered.";
              }

              leaf-list pkt-sec-cond-ipv6-payload-length {
                type uint16;
                description
                  "The size of the payload in octets,
                   including any extension headers.";
              }

              leaf-list pkt-sec-cond-ipv6-next-header {
                type uint8;
                description
                  "Specifies the type of the next header.
                   This field usually specifies the transport
                   layer protocol used by a packet's payload.";
              }

              leaf-list pkt-sec-cond-ipv6-hop-limit {
                type uint8;
                description
                  "Replaces the time to live field of IPv4.";
              }

              leaf-list pkt-sec-cond-ipv6-src {
                type inet:ipv6-address;
                description
                  "The IPv6 address of the sending node.";
              }

              leaf-list pkt-sec-cond-ipv6-dest {
                type inet:ipv6-address;
                description
                  "The IPv6 address of the destination node(s).";
              }
            }  // container packet-security-ipv6-condition

            container packet-security-tcp-condition {
              description
                "The purpose of this Class is to represent packet
                 TCP packet header information that can be used as
                 part of a test to determine if the set of Policy
                 Actions in this ECA Policy Rule should be executed
                 or not.";
              leaf-list pkt-sec-cond-tcp-seq-num {
                type uint32;
                description
                  "If the SYN flag is set (1), then this is the
                   initial sequence number.";
              }

              leaf-list pkt-sec-cond-tcp-ack-num {
                type uint32;
                description
                  "If the ACK flag is set then the value of this
                   field is the next sequence number that the sender
                   is expecting.";
              }

              leaf-list pkt-sec-cond-tcp-window-size {
                type uint16;
                description
                  "The size of the receive window, which specifies
                   the number of windows size units
                   (by default,bytes) (beyond the segment
                   identified by the sequence number in the
                   acknowledgment field) that the sender of this
                   segment is currently willing to recive.";
              }

              leaf-list pkt-sec-cond-tcp-flags {
                type uint8;
                description
                  "This is a mandatory string attribute, and defines
                   the nine Control bit flags (9 bits).";
              }
            }  // container packet-security-tcp-condition

            container packet-security-udp-condition {
              description
                "The purpose of this Class is to represent packet UDP
                packet header information that can be used as part
                of a test to determine if the set of Policy Actions
                in this ECA Policy Rule should be executed or not.";
              leaf-list pkt-sec-cond-udp-length {
                type string;
                description
                  "This is a mandatory string attribute, and defines
                  the length in bytes of the UDP header and data
                  (16 bits).";
              }
            }  // container packet-security-udp-condition

            container packet-security-icmp-condition {
              description
                "The internet control message protocol condition.";
              leaf-list pkt-sec-cond-icmp-type {
                type uint8;
                description
                  "ICMP type, see Control messages.";
              }

              leaf-list pkt-sec-cond-icmp-code {
                type uint8;
                description
                  "ICMP subtype, see Control messages.";
              }

              leaf-list pkt-sec-cond-icmp-seg-num {
                type uint32;
                description
                  "The icmp Sequence Number.";
              }
            }  // container packet-security-icmp-condition
          }  // case packet-security-condition

          case packet-payload-condition {
            leaf packet-payload-manual {
              type string;
              description
                "This is manual for payload condition.
               Vendors can write instructions for payload condition
               that vendor made";
            }

            leaf-list pkt-payload-content {
              type string;
              description
                "The content keyword is very important in
                 signatures. Between the quotation marks you
                 can write on what you would like the
                 signature to match.";
            }
          }  // case packet-payload-condition

          case target-condition {
            leaf target-manual {
              type string;
              description
                "This is manual for target condition.
                Vendors can write instructions for target condition
                that vendor made";
            }

            container device-sec-context-cond {
              description
                "The device attribute that can identify a device,
                 including the device type (i.e., router, switch,
                 pc, ios, or android) and the device's owner as
                 well.";
              leaf pc {
                type boolean;
                description
                  "If type of a device is PC.";
              }

              leaf mobile-phone {
                type boolean;
                description
                  "If type of a device is mobile-phone.";
              }

              leaf voip-volte-phone {
                type boolean;
                description
                  "If type of a device is voip-volte-phone.";
              }

              leaf tablet {
                type boolean;
                description
                  "If type of a device is tablet.";
              }

              leaf iot {
                type boolean;
                description
                  "If type of a device is Internet of Things.";
              }

              leaf vehicle {
                type boolean;
                description
                  "If type of a device is vehicle.";
              }
            }  // container device-sec-context-cond
          }  // case target-condition

          case users-condition {
            leaf users-manual {
              type string;
              description
                "This is manual for user condition.
                Vendors can write instructions for user condition
                that vendor made";
            }

            container user {
              description
                "The user (or user group) information with which
                 network flow is associated: The user has many
                 attributes such as name, id, password, type,
                 authentication mode and so on. Name/id is often
                 used in the security policy to identify the user.
                 Besides, NSF is aware of the IP address of the
                 user provided by a unified user management system
                 via network. Based on name-address association,
                 NSF is able to enforce the security functions
                 over the given user (or user group)";
              choice user-name {
                description
                  "The name of the user.
                   This must be unique.";
                case tenant {
                  description
                    "Tenant information.";
                  leaf tenant {
                    type uint8;
                    mandatory true;
                    description
                      "User's tenant information.";
                  }
                }  // case tenant

                case vn-id {
                  description
                    "VN-ID information.";
                  leaf vn-id {
                    type uint8;
                    mandatory true;
                    description
                      "User's VN-ID information.";
                  }
                }  // case vn-id
              }  // choice user-name
            }  // container user

            container group {
              description
                "The user (or user group) information with which
                 network flow is associated: The user has many
                 attributes such as name, id, password, type,
                 authentication mode and so on. Name/id is often
                 used in the security policy to identify the user.
                 Besides, NSF is aware of the IP address of the
                 user provided by a unified user management system
                 via network. Based on name-address association,
                 NSF is able to enforce the security functions
                 over the given user (or user group)";
              choice group-name {
                description
                  "The name of the user.
                   This must be unique.";
                case tenant {
                  description
                    "Tenant information.";
                  leaf tenant {
                    type uint8;
                    mandatory true;
                    description
                      "User's tenant information.";
                  }
                }  // case tenant

                case vn-id {
                  description
                    "VN-ID information.";
                  leaf vn-id {
                    type uint8;
                    mandatory true;
                    description
                      "User's VN-ID information.";
                  }
                }  // case vn-id
              }  // choice group-name
            }  // container group
          }  // case users-condition
          leaf context-manual {
            type string;
            description
              "This is manual for context condition.
                Vendors can write instructions for context condition
                that vendor made";
          }

          case gen-context-condition {
            leaf gen-context-manual {
              type string;
              description
                "This is manual for generic context condition.
                Vendors can write instructions for generic context
                condition that vendor made";
            }

            container geographic-location {
              description
                "The location where network traffic is associated
                 with. The region can be the geographic location
                 such as country, province, and city,
                 as well as the logical network location such as
                 IP address, network section, and network domain.";
              leaf-list src-geographic-location {
                type uint32;
                description
                  "This is mapped to ip address. We can acquire
                   source region through ip address stored the
                   database.";
              }

              leaf-list dest-geographic-location {
                type uint32;
                description
                  "This is mapped to ip address. We can acquire
                   destination region through ip address stored
                   the database.";
              }
            }  // container geographic-location
          }  // case gen-context-condition
        }  // choice condition-type
      }  // list condition-clause-list
    }  // container condition-clause-container

    container action-clause-container {
      description "TBD";
      list action-clause-list {
        key "eca-object-id";
        description
          "An action is used to control and monitor aspects of
           flow-based NSFs when the event and condition clauses
           are satisfied. NSFs provide security functions by
           executing various Actions. Examples of I2NSF Actions
           include providing intrusion detection and/or protection,
           web and flow filtering, and deep packet inspection
           for packets and flows.";
        uses i2nsf-eca-object-type {
          refine entity-class {
            default 'ECA-ACTION-TYPE';
          }
        }

        choice action-type {
          description
            "Vendors can use YANG data model to configure rules
            by concreting this action type";
          case ingress-action {
            leaf ingress-manual {
              type string;
              description
                "This is manual for ingress action.
                Vendors can write instructions for ingress action
                that vendor made";
            }

            leaf ingress-action-type {
              type ingress-action;
              description
                "Ingress action type: permit, deny, and mirror.";
            }
          }  // case ingress-action

          case egress-action {
            leaf egress-manual {
              type string;
              description
                "This is manual for egress action.
                Vendors can write instructions for egress action
                that vendor made";
            }

            leaf egress-action-type {
              type egress-action;
              description
                "Egress-action-type: invoke-signaling,
                 tunnel-encapsulation, and forwarding.";
            }
          }  // case egress-action

          case apply-profile {
            leaf profile-manual {
              type string;
              description
                "This is manual for apply profile action.
                Vendors can write instructions for apply
                profile action that vendor made";
            }

            choice apply-profile-action-type {
              description
                "Advanced action types: Content Security Control
                 and Attack Mitigation Control.";
              case content-security-control {
                description
                  "Content security control is another category of
                 security capabilities applied to application layer.
                 Through detecting the contents carried over the
                 traffic in application layer, these capabilities
                 can realize various security purposes, such as
                 defending against intrusion, inspecting virus,
                 filtering malicious URL or junk email, and blocking
                 illegal web access or data retrieval.";
                container content-security-control-types {
                  description
                    "Content Security types: Antivirus, IPS, IDS,
                    url-filtering, data-filtering, mail-filtering,
                    file-blocking, file-isolate, pkt-capture,
                    application-control, and voip-volte.";
                  leaf antivirus {
                    type boolean;
                    description
                      "Additional inspection of antivirus.";
                  }

                  leaf ips {
                    type boolean;
                    description
                      "Additional inspection of IPS.";
                  }

                  leaf ids {
                    type boolean;
                    description
                      "Additional inspection of IDS.";
                  }

                  leaf url-filtering {
                    type boolean;
                    description
                      "Additional inspection of URL filtering.";
                  }

                  leaf data-filtering {
                    type boolean;
                    description
                      "Additional inspection of data filtering.";
                  }

                  leaf mail-filtering {
                    type boolean;
                    description
                      "Additional inspection of mail filtering.";
                  }

                  leaf file-blocking {
                    type boolean;
                    description
                      "Additional inspection of file blocking.";
                  }

                  leaf file-isolate {
                    type boolean;
                    description
                      "Additional inspection of file isolate.";
                  }

                  leaf pkt-capture {
                    type boolean;
                    description
                      "Additional inspection of packet capture.";
                  }

                  leaf application-control {
                    type boolean;
                    description
                      "Additional inspection of app control.";
                  }

                  leaf voip-volte {
                    type boolean;
                    description
                      "Additional inspection of VoIP/VoLTE.";
                  }
                }  // container content-security-control-types
              }  // case content-security-control

              case attack-mitigation-control {
                description
                  "This category of security capabilities is
                   specially used to detect and mitigate various
                   types of network attacks.";
                choice attack-mitigation-control-type {
                  description
                    "Attack-mitigation types: DDoS-attack and
                     Single-packet attack.";
                  case ddos-attack {
                    description
                      "A distributed-denial-of-service (DDoS) is
                       where the attack source is more than one,
                       often thousands of unique IP addresses.";
                    container ddos-attack-type {
                      description
                        "DDoS-attack types: Network Layer
                        DDoS Attacks and Application Layer
                        DDoS Attacks.";
                      container network-layer-ddos-attack {
                        description
                          "Network layer DDoS-attack.";
                        container network-layer-ddos-attack-type {
                          description
                            "Network layer DDoS attack types:
                             Syn Flood Attack, UDP Flood Attack,
                             ICMP Flood Attack, IP Fragment Flood,
                             IPv6 Related Attacks, and etc";
                          leaf syn-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               Syn Flood Attack.";
                          }

                          leaf udp-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               UDP Flood Attack.";
                          }

                          leaf icmp-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               ICMP Flood Attack.";
                          }

                          leaf ip-frag-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               IP Fragment Flood.";
                          }

                          leaf ipv6-related {
                            type boolean;
                            description
                              "Additional Inspection of
                               IPv6 Related Attacks.";
                          }
                        }  // container network-layer-ddos-attack-type
                      }  // container network-layer-ddos-attack

                      container app-layer-ddos-attack {
                        description
                          "Application layer DDoS-attack.";
                        container app-ddos-attack-types {
                          description
                            "Application layer DDoS-attack types:
                             Http Flood Attack, Https Flood Attack,
                             DNS Flood Attack, and
                             DNS Amplification Flood Attack,
                             SSL DDoS Attack, and etc.";
                          leaf http-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               Http Flood Attack.";
                          }

                          leaf https-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               Https Flood Attack.";
                          }

                          leaf dns-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               DNS Flood Attack.";
                          }

                          leaf dns-amp-flood {
                            type boolean;
                            description
                              "Additional Inspection of
                               DNS Amplification Flood Attack.";
                          }

                          leaf ssl-ddos {
                            type boolean;
                            description
                              "Additional Inspection of
                               SSL Flood Attack.";
                          }
                        }  // container app-ddos-attack-types
                      }  // container app-layer-ddos-attack
                    }  // container ddos-attack-type
                  }  // case ddos-attack

                  case single-packet-attack {
                    description
                      "Single Packet Attacks.";
                    container single-packet-attack-type {
                      description
                        "DDoS-attack types: Scanning Attack,
                         Sniffing Attack, Malformed Packet Attack,
                         Special Packet Attack, and etc.";
                      container scan-and-sniff-attack {
                        description
                          "Scanning and Sniffing Attack.";
                        container scan-and-sniff-attack-types {
                          description
                            "Scanning and sniffing attack types:
                             IP Sweep attack, Port Scanning,
                             and etc.";
                          leaf ip-sweep {
                            type boolean;
                            description
                              "Additional Inspection of
                               IP Sweep Attack.";
                          }

                          leaf port-scanning {
                            type boolean;
                            description
                              "Additional Inspection of
                               Port Scanning Attack.";
                          }
                        }  // container scan-and-sniff-attack-types
                      }  // container scan-and-sniff-attack

                      container malformed-packet-attack {
                        description
                          "Malformed Packet Attack.";
                        container malformed-packet-attack-types {
                          description
                            "Malformed packet attack types:
                             Ping of Death Attack, Teardrop Attack,
                             and etc.";
                          leaf ping-of-death {
                            type boolean;
                            description
                              "Additional Inspection of
                               Ping of Death Attack.";
                          }

                          leaf teardrop {
                            type boolean;
                            description
                              "Additional Inspection of
                               Teardrop Attack.";
                          }
                        }  // container malformed-packet-attack-types
                      }  // container malformed-packet-attack

                      container special-packet-attack {
                        description
                          "special Packet Attack.";
                        container special-packet-attack-types {
                          description
                            "Special packet attack types:
                             Oversized ICMP Attack, Tracert Attack,
                             and etc.";
                          leaf oversized-icmp {
                            type boolean;
                            description
                              "Additional Inspection of
                               Oversize ICMP Attack.";
                          }

                          leaf tracert {
                            type boolean;
                            description
                              "Additional Inspection of
                               Tracrt Attack.";
                          }
                        }  // container special-packet-attack-types
                      }  // container special-packet-attack
                    }  // container single-packet-attack-type
                  }  // case single-packet-attack
                }  // choice attack-mitigation-control-type
              }  // case attack-mitigation-control
            }  // choice apply-profile-action-type
          }  // case apply-profile
        }  // choice action-type
      }  // list action-clause-list
    }  // container action-clause-container
  }  // module ietf-i2nsf-nsf-facing-interface

Summary

  
  
Organization IETF I2NSF (Interface to Network Security Functions) Working Group
  
Module ietf-i2nsf-nsf-facing-interface
Version 2017-10-30
File ietf-i2nsf-nsf-facing-interface@2017-10-30.yang
  
Prefix nsf-facing-interface
Namespace urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-facing-interface
  
Cooked /cookedmodules/ietf-i2nsf-nsf-facing-interface/2017-10-30
YANG /src/ietf-i2nsf-nsf-facing-interface@2017-10-30.yang
XSD /xsd/ietf-i2nsf-nsf-facing-interface@2017-10-30.xsd
  
Abstract This module defines a YANG data module for network security functions.
  
Contact
WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>

WG Chair: Adrian Farrel
<mailto:Adrain@olddog.co.uk>

WG Chair: Linda Dunbar
<mailto:Linda.duhbar@huawei.com>

Editor: Jingyong Tim Kim
<mailto:timkim@skku.edu>

Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>

Editor: Susan Hares
<mailto:shares@ndzh.com>

Description

 
This module defines a YANG data module for network security
functions.

Typedefs

Typedef Base type Abstract
egress-action enumeration This is used for egress action.
ingress-action enumeration This is used for ingress action.
sec-event-format enumeration This is used for SecEventFormat.

Groupings

Grouping Objects Abstract
i2nsf-eca-object-type entity-class eca-object-id TBD
i2nsf-event-type manual sec-event-content sec-event-format sec-event-type TBD

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
action-clause-container container TBD
   action-clause-list list An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses are satisfied. NSFs provide security functions by executing various Actions. Examples of I2NSF Actions include providing intrusion detection and/or pr...
      action-type choice Vendors can use YANG data model to configure rules by concreting this action type
         apply-profile case profile-manual apply-profile-action-type
            apply-profile-action-type choice Advanced action types: Content Security Control and Attack Mitigation Control.
               attack-mitigation-control case This category of security capabilities is specially used to detect and mitigate various types of network attacks.
                  attack-mitigation-control-type choice Attack-mitigation types: DDoS-attack and Single-packet attack.
                     ddos-attack case A distributed-denial-of-service (DDoS) is where the attack source is more than one, often thousands of unique IP addresses.
                        ddos-attack-type container DDoS-attack types: Network Layer DDoS Attacks and Application Layer DDoS Attacks.
                           app-layer-ddos-attack container Application layer DDoS-attack.
                              app-ddos-attack-types container Application layer DDoS-attack types: Http Flood Attack, Https Flood Attack, DNS Flood Attack, and DNS Amplification Flood Attack, SSL DDoS Attack, and etc.
                                 dns-amp-flood leaf Additional Inspection of DNS Amplification Flood Attack.
                                 dns-flood leaf Additional Inspection of DNS Flood Attack.
                                 http-flood leaf Additional Inspection of Http Flood Attack.
                                 https-flood leaf Additional Inspection of Https Flood Attack.
                                 ssl-ddos leaf Additional Inspection of SSL Flood Attack.
                           network-layer-ddos-attack container Network layer DDoS-attack.
                              network-layer-ddos-attack-type container Network layer DDoS attack types: Syn Flood Attack, UDP Flood Attack, ICMP Flood Attack, IP Fragment Flood, IPv6 Related Attacks, and etc
                                 icmp-flood leaf Additional Inspection of ICMP Flood Attack.
                                 ip-frag-flood leaf Additional Inspection of IP Fragment Flood.
                                 ipv6-related leaf Additional Inspection of IPv6 Related Attacks.
                                 syn-flood leaf Additional Inspection of Syn Flood Attack.
                                 udp-flood leaf Additional Inspection of UDP Flood Attack.
                     single-packet-attack case Single Packet Attacks.
                        single-packet-attack-type container DDoS-attack types: Scanning Attack, Sniffing Attack, Malformed Packet Attack, Special Packet Attack, and etc.
                           malformed-packet-attack container Malformed Packet Attack.
                              malformed-packet-attack-types container Malformed packet attack types: Ping of Death Attack, Teardrop Attack, and etc.
                                 ping-of-death leaf Additional Inspection of Ping of Death Attack.
                                 teardrop leaf Additional Inspection of Teardrop Attack.
                           scan-and-sniff-attack container Scanning and Sniffing Attack.
                              scan-and-sniff-attack-types container Scanning and sniffing attack types: IP Sweep attack, Port Scanning, and etc.
                                 ip-sweep leaf Additional Inspection of IP Sweep Attack.
                                 port-scanning leaf Additional Inspection of Port Scanning Attack.
                           special-packet-attack container special Packet Attack.
                              special-packet-attack-types container Special packet attack types: Oversized ICMP Attack, Tracert Attack, and etc.
                                 oversized-icmp leaf Additional Inspection of Oversize ICMP Attack.
                                 tracert leaf Additional Inspection of Tracrt Attack.
               content-security-control case Content security control is another category of security capabilities applied to application layer. Through detecting the contents carried over the traffic in application layer, these capabilities can realize various security purposes, such as defending a...
                  content-security-control-types container Content Security types: Antivirus, IPS, IDS, url-filtering, data-filtering, mail-filtering, file-blocking, file-isolate, pkt-capture, application-control, and voip-volte.
                     antivirus leaf Additional inspection of antivirus.
                     application-control leaf Additional inspection of app control.
                     data-filtering leaf Additional inspection of data filtering.
                     file-blocking leaf Additional inspection of file blocking.
                     file-isolate leaf Additional inspection of file isolate.
                     ids leaf Additional inspection of IDS.
                     ips leaf Additional inspection of IPS.
                     mail-filtering leaf Additional inspection of mail filtering.
                     pkt-capture leaf Additional inspection of packet capture.
                     url-filtering leaf Additional inspection of URL filtering.
                     voip-volte leaf Additional inspection of VoIP/VoLTE.
            profile-manual leaf This is manual for apply profile action. Vendors can write instructions for apply profile action that vendor made
         egress-action case egress-manual egress-action-type
            egress-action-type leaf Egress-action-type: invoke-signaling, tunnel-encapsulation, and forwarding.
            egress-manual leaf This is manual for egress action. Vendors can write instructions for egress action that vendor made
         ingress-action case ingress-manual ingress-action-type
            ingress-action-type leaf Ingress action type: permit, deny, and mirror.
            ingress-manual leaf This is manual for ingress action. Vendors can write instructions for ingress action that vendor made
      eca-object-id leaf TBD
      entity-class leaf TBD
condition-clause-container container TBD
   condition-clause-list list This is abstract. A condition is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of Actions in that (imperative) I2NSF P...
      condition-type choice Vendors can use YANG data model to configure rules by concreting this condition type
         context-condition case context-manual
            context-manual leaf This is manual for context condition. Vendors can write instructions for context condition that vendor made
         gen-context-condition case gen-context-manual geographic-location
            gen-context-manual leaf This is manual for generic context condition. Vendors can write instructions for generic context condition that vendor made
            geographic-location container The location where network traffic is associated with. The region can be the geographic location such as country, province, and city, as well as the logical network location such as IP address, network section, and network domain.
               dest-geographic-location leaf-list This is mapped to ip address. We can acquire destination region through ip address stored the database.
               src-geographic-location leaf-list This is mapped to ip address. We can acquire source region through ip address stored the database.
         packet-payload-condition case packet-payload-manual pkt-payload-content
            packet-payload-manual leaf This is manual for payload condition. Vendors can write instructions for payload condition that vendor made
            pkt-payload-content leaf-list The content keyword is very important in signatures. Between the quotation marks you can write on what you would like the signature to match.
         packet-security-condition case packet-manual packet-security-mac-condition packet-security-ipv4-condition packet-security-ipv6-condition packet-security-tcp-condition packet-security-udp-condition packet-security-icmp-condition
            packet-manual leaf This is manual for packet condition. Vendors can write instructions for packet condition that vendor made
            packet-security-icmp-condition container The internet control message protocol condition.
               pkt-sec-cond-icmp-code leaf-list ICMP subtype, see Control messages.
               pkt-sec-cond-icmp-seg-num leaf-list The icmp Sequence Number.
               pkt-sec-cond-icmp-type leaf-list ICMP type, see Control messages.
            packet-security-ipv4-condition container The purpose of this Class is to represent IPv4 packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.
               pkt-sec-cond-ipv4-dest leaf-list Defines the IPv4 Destination Address.
               pkt-sec-cond-ipv4-fragment leaf-list IP fragmentation is an Internet Protocol (IP) process that breaks datagrams into smaller pieces (fragments), so that packets may be formed that can pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size.
               pkt-sec-cond-ipv4-fragment-offset leaf-list Fragment offset field along with Don't Fragment and More Fragment flags in the IP protocol header are used for fragmentation and reassembly of IP datagrams.
               pkt-sec-cond-ipv4-geoip leaf-list The geoip keyword enables you to match on the source, destination or source and destination IP addresses of network traffic and to see to which country it belongs. To do this, Suricata uses GeoIP API with MaxMind database format.
               pkt-sec-cond-ipv4-header-length leaf-list The IPv4 packet header consists of 14 fields, of which 13 are required.
               pkt-sec-cond-ipv4-id leaf-list This field is an identification field and is primarily used for uniquely identifying the group of fragments of a single IP datagram.
               pkt-sec-cond-ipv4-ipopts leaf With the ipopts keyword you can check if a specific ip option is set. Ipopts has to be used at the beginning of a rule.
               pkt-sec-cond-ipv4-protocol leaf-list Internet Protocol version 4(IPv4) is the fourth version of the Internet Protocol (IP).
               pkt-sec-cond-ipv4-sameip leaf Every packet has a source IP-address and a destination IP-address. It can be that the source IP is the same as the destination IP.
               pkt-sec-cond-ipv4-src leaf-list Defines the IPv4 Source Address.
               pkt-sec-cond-ipv4-tos leaf-list The ToS field could specify a datagram's priority and request a route for low-delay, high-throughput, or highly-reliable service..
               pkt-sec-cond-ipv4-total-length leaf-list This 16-bit field defines the entire packet size, including header and data, in bytes.
               pkt-sec-cond-ipv4-ttl leaf-list The ttl keyword is used to check for a specific IP time-to-live value in the header of a packet.
            packet-security-ipv6-condition container The purpose of this Class is to represent packet IPv6 packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.
               pkt-sec-cond-ipv6-dest leaf-list The IPv6 address of the destination node(s).
               pkt-sec-cond-ipv6-dscp leaf-list Differentiated Services Code Point (DSCP) of ipv6.
               pkt-sec-cond-ipv6-ecn leaf-list ECN allows end-to-end notification of network congestion without dropping packets.
               pkt-sec-cond-ipv6-flow-label leaf-list The flow label when set to a non-zero value serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered.
               pkt-sec-cond-ipv6-hop-limit leaf-list Replaces the time to live field of IPv4.
               pkt-sec-cond-ipv6-next-header leaf-list Specifies the type of the next header. This field usually specifies the transport layer protocol used by a packet's payload.
               pkt-sec-cond-ipv6-payload-length leaf-list The size of the payload in octets, including any extension headers.
               pkt-sec-cond-ipv6-src leaf-list The IPv6 address of the sending node.
               pkt-sec-cond-ipv6-traffic-class leaf-list The bits of this field hold two values. The 6 most-significant bits are used for differentiated services, which is used to classify packets.
            packet-security-mac-condition container The purpose of this Class is to represent packet MAC packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be execute or not.
               pkt-sec-cond-mac-8021q leaf-list This is an optional string attribute, and defines The 802.1Q tab value (2 octets long).
               pkt-sec-cond-mac-dest leaf-list The MAC destination address (6 octets long).
               pkt-sec-cond-mac-ether-type leaf-list The EtherType field (2 octets long). Values up to and including 1500 indicate the size of the payload in octets; values of 1536 and above define which protocol is encapsulated in the payload of the frame.
               pkt-sec-cond-mac-src leaf-list The MAC source address (6 octets long).
               pkt-sec-cond-mac-tci leaf-list This is an optional string attribute, and defines the Tag Control Information. This consists of a 3 bit user priority field, a drop eligible indicator (1 bit), and a VLAN identifier (12 bits).
            packet-security-tcp-condition container The purpose of this Class is to represent packet TCP packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.
               pkt-sec-cond-tcp-ack-num leaf-list If the ACK flag is set then the value of this field is the next sequence number that the sender is expecting.
               pkt-sec-cond-tcp-flags leaf-list This is a mandatory string attribute, and defines the nine Control bit flags (9 bits).
               pkt-sec-cond-tcp-seq-num leaf-list If the SYN flag is set (1), then this is the initial sequence number.
               pkt-sec-cond-tcp-window-size leaf-list The size of the receive window, which specifies the number of windows size units (by default,bytes) (beyond the segment identified by the sequence number in the acknowledgment field) that the sender of this segment is currently willing to recive.
            packet-security-udp-condition container The purpose of this Class is to represent packet UDP packet header information that can be used as part of a test to determine if the set of Policy Actions in this ECA Policy Rule should be executed or not.
               pkt-sec-cond-udp-length leaf-list This is a mandatory string attribute, and defines the length in bytes of the UDP header and data (16 bits).
         target-condition case target-manual device-sec-context-cond
            device-sec-context-cond container The device attribute that can identify a device, including the device type (i.e., router, switch, pc, ios, or android) and the device's owner as well.
               iot leaf If type of a device is Internet of Things.
               mobile-phone leaf If type of a device is mobile-phone.
               pc leaf If type of a device is PC.
               tablet leaf If type of a device is tablet.
               vehicle leaf If type of a device is vehicle.
               voip-volte-phone leaf If type of a device is voip-volte-phone.
            target-manual leaf This is manual for target condition. Vendors can write instructions for target condition that vendor made
         users-condition case users-manual user group
            group container The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aw...
               group-name choice The name of the user. This must be unique.
                  tenant case Tenant information.
                     tenant leaf User's tenant information.
                  vn-id case VN-ID information.
                     vn-id leaf User's VN-ID information.
            user container The user (or user group) information with which network flow is associated: The user has many attributes such as name, id, password, type, authentication mode and so on. Name/id is often used in the security policy to identify the user. Besides, NSF is aw...
               user-name choice The name of the user. This must be unique.
                  tenant case Tenant information.
                     tenant leaf User's tenant information.
                  vn-id case VN-ID information.
                     vn-id leaf User's VN-ID information.
            users-manual leaf This is manual for user condition. Vendors can write instructions for user condition that vendor made
      eca-object-id leaf TBD
      entity-class leaf TBD
event-clause-container container TBD
   event-clause-list list This is abstract. An event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed. When used in the context of policy rules for a flow-based NSF, it is used to det...
      eca-object-id leaf TBD
      entity-class leaf TBD
      manual leaf This is manual for event. Vendors can write instructions for event that vendor made
      sec-event-content leaf This is a mandatory string that contains the content of the SecurityEvent. The format of the content is specified in the SecEventFormat class attribute, and the type of event is defined in the SecEventType class attribute. An example of the SecEventConten...
      sec-event-format leaf This is a mandatory uint 8 enumerated integer, which is used to specify the data type of the SecEventContent attribute. The content is specified in the SecEventContent class attribute, and the type of event is defined in the SecEventType class attribute. ...
      sec-event-type leaf This is a mandatory uint 8 enumerated integer, which is used to specify the type of event that involves this user. The content and format are specified in the SecEventContent and SecEventFormat class attributes, respectively. An example of the SecEventCon...
generic-nsf container Configuration for Generic Network Security Functions.
   i2nsf-security-policy list policy is a list including a set of security rules according to certain logic, i.e., their similarity or mutual relations, etc. The network security policy is able to apply over both the unidirectional and bidirectional traffic across the NSF.
      default-action container This default action can be used to specify a predefined action when no other alternative action was matched by the currently executing I2NSF Policy Rule. An analogy is the use of a default statement in a C switch statement.
         default-action-type leaf Ingress action type: permit, deny, and mirror.
      eca-policy-rules list This is a rule for network security functions.
         policy-action-clause-agg-ptr leaf-list TBD
         policy-condition-clause-agg-ptr leaf-list TBD
         policy-event-clause-agg-ptr leaf-list TBD
         rule-description leaf This description gives more information about rules.
         rule-id leaf The id of the rule. This must be unique.
         rule-priority leaf The priority keyword comes with a mandatory numeric value which can range from 1 till 255.
         rule-rev leaf This shows rule version.
      policy-name leaf The name of the policy. This must be unique.
      resolution-strategy container The resolution strategies can be used to specify how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF
         resolution-strategy-type choice Vendors can use YANG data model to configure rules
            fmr case first-matching-rule
               first-matching-rule leaf If the resolution strategy is first matching rule
            lmr case last-matching-rule
               last-matching-rule leaf If the resolution strategy is last matching rule
      time-zone container This can be used to apply rules according to time
         end-time leaf This is end time for time zone
         start-time leaf This is start time for time zone