]> Huawei

101 Software Avenue, Yuhuatai District Nanjing Jiangsu 210012 China Frank.xialiang@huawei.com

Huawei

Huawei Industrial Base Shenzhen Guangdong 518129 China linqiushi@huawei.com

Security Interface to Network Security Functions (I2NSF) Policy Object This document describes policy objects used in the Interface to Network Security Functions (I2NSF) policy rules and defines the attributes of each policy object.

I2NSF policy consists of policy rules that are used to provision NSF instances. The I2NSF policy rule is defined by using "Event-Condition-Action" (ECA) model described in Framework for Interface to Network Security Functions. In the ECA model, a condition is used to determine whether or not the predefined actions should be executed. A condition usually consists of several attributes. Information Model of NSFs Capabilities describes or illustrates attributes of different Condition subclasses. When configuring policy rules by using attributes, it is no surprise to see that the same value of an attribute or the same value set of several attributes are configured for several times or more. And modifications of the policy rules are also very complex and time-consuming. To facilitate the provisioning of NSF instances, this document describes a set of policy objects which are reusable and can be referenced by variable I2NSF policy rules. A policy object can be identified by a set of data items, such as IP addresses, TCP/UDP ports, and domain names. Each policy object is predefined and named in order to be used in I2NSF policy rules. By defining policy objects, the creation and maintenance of policy rules are greatly simplified. A policy object can be referenced in different policy rules as required to provide re-usability. And a policy rule can reference several policy objects. The modification of a policy object will be propagated to the I2NSF policy rules that reference this object. No modification should be made to the related policy rules. In this document, a set of policy objects are described, and for each policy object, several related attributes are defined.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

This document uses the terminology described in Interface to Network Security Functions (I2NSF) Terminology.

Policy objects are collections of commonly used condition attributes. Different policy objects consist of different attributes. For each policy object, a description of this policy object may be an optional attribute. The following figure shows the policy objects defined in this document.

An address object is a collection of IPv4/IPv6 addresses or MAC addresses. It consists of the following attributes:

This attribute defines the unique name of the address object.

This attribute defines a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.

An address group object is composed of several address items that require the same policy enforcement. An address item can be an IPv4/IPv6 address, or a MAC address, or a range of contiguous IPv4/IPv6 addresses, or existing address object, or existing address group object. An address group object consists of the following attributes:

This attribute defines the unique name of the address group object.

This attribute refers to the existing address objects or existing address group objects identified by their unique names.

This attribute is the same as the addressRange attribute of address object. It can define a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.

A domain group object is a collection of domain names that require the same policy enforcement. It consists of the following attributes:

This attribute defines the unique name of the domain group object.

This attribute defines a set of domain names. The domain name can be matched in two modes: exact match and suffix match. Thus a domain name can be added by using the full string of the domain name (e.g., www.example.com) or a domain name begins with a wildcard (e.g., *.example.com).

A region object is an IPv4/IPv6 address of a geographical region or a collection of IPv4/IPv6 addresses located in the same geographical region. A set of region objects which can be referenced directly should be predefined by NSFs. A region object consists of the following attributes:

This attribute defines the unique name of the region object.

This attribute defines the longitude and latitude of the region. It consists of two sub-attributes:

This attribute defines the longitude of the region.

This attribute defines the latitude of the region.

This attribute defines a set of IPv4/IPv6 addresses or a range of contiguous IPv4/IPv6 addresses. And an IP address can only belong to one region object. The IPv4 address range can be defined by IPv4 address with wildcard mask, IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range.

A region group object is a collection of region objects that require the same policy enforcement. It consists of the following attributes:

This attribute defines the unique name of the region group object.

This attribute refers to the existing region objects or region group objects identified by their unique names.

A service object is one or more services that can be identified by certain information, such as protocol type, source port number and destination port number. A set of well-known services should be predefined by NSFs as service objects to support direct reference. A service object consists of the following attributes:

This attribute defines the unique name of the service object.

This attribute defined a set of services. A service can be defined by the following sub-attributes.

This attribute defines the protocol type of the service. The value of this attribute is selected from six types of protocols: TCP, UDP, SCTP, ICMP, ICMPv6 or IP.

This attribute defines the protocol number for IP protocol. The protocol number is the protocol field value in IP packet which identifies which kind of upper layer protocol is used.

This attribute defines the source port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set.

This attribute defines the destination port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set.

This attribute defines the ICMP/ICMPv6 type for ICMP or ICMPv6 protocol. The ICMP/ICMPv6 type can be identified by ICMP/ICMPv6 type number and ICMP/ICMPv6 message code. Thus, this attribute has two sub-attributes: serviceICMPTypeNumber and serviceICMPMessageCode. The serviceICMPTypeNumber Attribute: It defines the ICMP/ICMPv6 type number and shall be defined together with the serviceICMPMessageCode attribute. For example, if the ICMP packet type is Echo, this attribute shall be set to 8 and the serviceICMPMessageCode attribute shall be set to 0. The serviceICMPMessageCode Attribute: It defines the ICMP/ICMPv6 message code and shall be defined together with the serviceICMPTypeNumber attribute. For example, if the ICMP packet type is Echo, this attribute shall be set to 0 and the serviceICMPTypeNumber attribute shall be set to 8.

A service group object is a collection of service objects that require the same policy enforcement. It consists of the following attributes:

This attribute defines the unique name of the service group object.

This attribute refers to the existing service objects or service group objects identified by their unique names.

An application object is a kind of application that can be identified by several features, such as category, subcategory or risk level. A set of well-known application objects should be predefined by NSFs to support direct reference. An application object consists of the following attributes:

This attribute defines the unique name of the application object.

This attribute defines the category of the application. The value of this attribute is selected from a predefined set of categories, e.g., general category, network application category.

This attribute defines the subcategory of the application. The value of this attribute is selected from a predefined set of subcategories, e.g., search engine subcategory, electronic commerce subcategory.

This attribute defines the data transmission model of the application. The value of this attribute is selected from a predefined set of transmission models, e.g., client/server model, peer-to-peer model.

This attribute defines a set of labels for the application. The values of this attribute are selected from a predefined set of labels, e.g., database, encrypted-communication.

This attribute defines a risk level for the application. The value of this attribute is selected from a predefined number of risk levels.

An application group object is a collection of application objects that require the same policy enforcement. It consists of the following attributes:

This attribute defines the unique name of the application group object.

This attribute refers to the existing application objects or application group objects identified by their unique names.

A schedule object is a set of time ranges. There are two kinds of time ranges: periodic time range and absolute time range. A periodic time range occurs every week. An absolute time range occurs only once. A schedule object consists of the following attributes:

This attribute defines the unique name of the schedule object.

This attribute defines a set of time ranges. A time range can be defined by the following sub-attributes.

This attribute defines the type of a time range. The value of this attribute is selected from the two types: periodic, absolute.

For a periodic time range, this attribute defines the start time in a day. For an absolute time range, this attribute defines the start time and start date.

For a periodic time range, this attribute defines the end time in a day. For an absolute time range, this attribute defines the end time and end date.

This attribute defines the days in a week that the periodic time range takes effect.

A user object identifies a person who may access network resources. It is the basis of implementing user-based I2NSF policy. The user objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. User objects that require the same policy enforcement are grouped as user group objects or security group objects. The user group objects are organized as a hierarchical structure. A security group object consists of user objects from different user group objects that require the same policy enforcement. A user object consists of the following attributes:

This attribute refers to the user name that used for user authentication.

This attribute refers to the existing parent user group object to which this user object belongs. The parent user group object is identified by its unique name. A user object can only belong to one user group object.

This attribute refers to the existing security group object to which this user object belongs. The security user group object is identified by its unique name. A user object can belong to several security group objects.

This attribute refers to the authentication domain to which this user object belongs.

If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name.

This attribute defines when will this user object expire.

This attribute defines whether this user account identified by the userName and userPassword attribute is allowed to be shared by different persons. If allowed, this user object can be logged on to several devices simultaneously.

This attribute defines whether the user object is bound to IP addresses, or MAC addresses, or IP/MAC address pairs. It is selected from three binding modes: no binding, unidirectional binding, and bidirectional binding. For no binding mode, the user object is not bound to any IP or MAC address or IP/MAC address pair. For unidirectional binding mode, the addresses or address pairs bound to this user object also can be bound to other users. For bidirectional binding mode, the addresses or address pairs bound to this user should not be bound to other bidirectional binding user object.

This attribute defines the bound IP addresses, or MAC addresses, or IP/MAC address pairs. If the userBindingStatus is unidirectional binding or bidirectional binding, this attribute is mandatory.

A user object group is a collection of user objects that require the same policy enforcement and it usually corresponds to a physical entity such as a department. The user group objects are organized as a hierarchical structure. A user group object may belong to another user group object. The user group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. It consists of the following attributes:

This attribute defines the unique name of the user group object.

This attribute refers to the existing parent user group object to which this user group object belongs. The parent user group object is identified by its unique name. A user group object can only belong to one parent user group object.

This attribute refers to the authentication domain to which this user group object belongs.

This attribute refers to the existing user objects or user group objects which belong to this user group object.

This attribute defines whether the user objects of this user group object are allowed to be shared by different persons. If allowed, all user objects of this user group object can be logged on to several devices simultaneously.

A security group object consists of user objects from different user group objects that require the same policy enforcement. The security group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. This attribute consists of the following attributes:

This attribute defines the unique name of the security group object.

This attribute refers to the existing parent security group objects to which this security group object belongs. The parent security group objects are identified by their unique names.

This attribute refers to the authentication domain to which this security group object belongs.

This attribute defines the type of the security group object. There are two types: static and dynamic. For static security group, the member objects are fixed and added as required. For dynamic security group, the member objects are dynamically generated by setting filtering rules.

This attribute defines the member objects for static security group object. It refers to the existing user objects or security group objects which belong to this security group object.

This attribute defines the filtering rules for dynamic security group object.

This attribute defines whether the user objects of this security group object are allowed to be shared by different persons. If allowed, all user objects of this security group object can be logged on to several devices simultaneously.

This document requires no IANA actions.

When the policy objects are transmitted, the integrity of these policy objects should be guaranteed. NSFs should verify that the modifications of policy objects come from the authenticated security controller. And NSF should protect the stored policy objects from being tampered.

&RFC2119;