YANG-based configuration modeling - The SecSIP IPS case study -
12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops
We present our experience with the development of an XML-based configuration model for an Intrusion Prevention System (IPS) dedicated to the Session Initiation Protocol (SIP) used in voice over IP signaling. In previous works [AL-IM09, AL-NOMS10] we have presented the SecSIP framework, a prevention system for SIP-based networks, which adopts a rule-based approach for specifying preventions on SIP protocol activities to stop attacks exploiting known vulnerability before reaching their targets.
... ng their targets. The SecSIP framework relies on a proprietary language called VeTo to express the prevention rules. SecSIP uses a plain text configuration file in which specifications are authored and managed manually. While extending the deployment of the framework beyond our own lab, support for remote configuration was required. Given the promise of Netconf, we naturally turned our investigations towards this protocol and embraced the YANG data-modeling framework. In this paper we present the modeling result on the SecSIP configuration interface and share our experience with both YANG and Netconf. The first part of the paper is dedicated to the description of the data to be modeled, namely VeTo policies. The second part presents the Yang model built for VeTo policies and the Netconf framework put in place. Lessons learned during both modeling and coding phases are presented in a third part of the presentation. Finally some conclusions are given and future work is outlined.