Side-by-side diff of draft-ietf-i2nsf-capability-data-model-00.txt and draft-ietf-i2nsf-capability-data-model-01.txt. Where the two versions differ, both values are given below as -00 / -01; text shown once is identical in both.

Network Working Group                                           S. Hares
Internet-Draft                                                    Huawei
Intended status: Standards Track                                J. Jeong
Expires: October 25, 2018 (-00) / January 3, 2019 (-01)           J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                April 23, 2018 (-00) / July 02, 2018 (-01)

                    I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-00 / draft-ietf-i2nsf-capability-data-model-01
Abstract

This document defines a YANG data model for capabilities that enable an I2NSF user to control various Network Security Functions (NSFs) in the framework for Interface to Network Security Functions (I2NSF).

Status of This Memo

This Internet-Draft is submitted in full conformance with the

skipping to change at page 1, line 38

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 25, 2018 (-00) / January 3, 2019 (-01).

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
skipping to change at page 2, line 30
Table of Contents (page numbers given as -00 / -01)

   5.4.  Action Capabilities .......................................  7 /  7
   5.5.  Resolution Strategy Capabilities ..........................  7 /  7
   5.6.  Default Action Capabilities ...............................  7 /  7
   5.7.  RPC for Acquiring Appropriate Network Security Function ...  8 /  8
   6.  Data Model Structure ..........................................  8 /  8
   6.1.  Network Security Function Identification ..................  8 /  8
   6.2.  Capabilities of Generic Network Security Function .........  9 /  9
   6.2.1.  Event Capabilities ......................................  9 /  9
   6.2.2.  Condition Capabilities .................................. 11 / 11
   6.2.3.  Action Capabilities ..................................... 14 / 14
   6.2.4.  Resolution Strategy Capabilities ........................ 16 / 15
   6.2.5.  Default Action Capabilities (-00 only) .................. 17 /  -
   6.2.5.  Content Security Capabilities (-01 only) ................  - / 15
   6.2.6.  RPC for Acquiring Appropriate Network Security Function
           (-00 only) .............................................. 17 /  -
   6.2.6.  Attack Mitigation Capabilities (-01 only) ...............  - / 16
   6.2.7.  RPC for Acquiring Appropriate Network Security Function
           (-01 only) ..............................................  - / 17
   7.  YANG Modules .................................................. 18 / 18
   7.1.  I2NSF Capability YANG Data Module ......................... 18 / 18
   8.  IANA Considerations ........................................... 53 / 52
   9.  Security Considerations ....................................... 54 / 52
   10.  Acknowledgments .............................................. 54 / 52
   11.  Contributors ................................................. 54 / 53
   12.  References ................................................... 54 / 53
   12.1.  Normative References ...................................... 54 / 53
   12.2.  Informative References .................................... 55 / 53
   Appendix A.  Example: Extended VoIP-VoLTE Security Function
                Capabilities Module ................................ 56 / 55
   Appendix B.  Example: Configuration XML of Capability Module .... 57 / 56
   B.1.  Example: Configuration XML of Generic Network Security
         Function Capabilities ..................................... 57 / 56
   B.2.  Example: Configuration XML of Extended VoIP/VoLTE
         Security Function Capabilities Module ..................... 59 / 58
   Appendix C.  Changes from draft-ietf-i2nsf-capability-data-
                model-01 (-01 only) ................................  - / 59
   Authors' Addresses ............................................... 60 / 60
1. Introduction

As the industry and network devices (e.g., Internet of Things, self-driving vehicles, and VoIP/VoLTE smartphones) become more sophisticated, service providers face many of the problems described in [RFC8192]. To resolve these problems, [i2nsf-nsf-cap-im] specifies the information model of the capabilities of Network Security Functions (NSFs).

skipping to change at page 9, line 35
      uses i2nsf-net-sec-caps

Figure 3: Data Model Structure for Capabilities of Network Security Function

6.2.1. Event Capabilities

The data model for event capabilities has the following structure:
Structure in -01 (right column):

+--rw i2nsf-net-sec-caps
   +--rw net-sec-capabilities
      +--rw time
      |  +--rw time-zone
      |  |  +--rw time-zone-offset?   boolean
      |  +--rw time-inteval
      |     +--rw absolute-time-inteval
      |     |  +--rw start-time?   boolean
      |     |  +--rw end-time?     boolean
      |     +--rw periodic-time-inteval
      |        +--rw day?     boolean
      |        +--rw month?   boolean
      +--rw event
      |  +--rw usr-event
      |  |  +--rw usr-sec-event-content?   boolean
      |  |  +--rw usr-sec-event-format
      |  |  |  +--rw unknown?   boolean
      |  |  |  +--rw guid?      boolean
      |  |  |  +--rw uuid?      boolean
      |  |  |  +--rw uri?       boolean
      |  |  |  +--rw fqdn?      boolean
      |  |  |  +--rw fqpn?      boolean
      |  |  +--rw usr-sec-event-type
      |  |     +--rw unknown?                 boolean
      |  |     +--rw user-created?            boolean
      |  |     +--rw user-grp-created?        boolean
      |  |     +--rw user-deleted?            boolean
      |  |     +--rw user-grp-deleted?        boolean
      |  |     +--rw user-logon?              boolean
      |  |     +--rw user-logoff?             boolean
      |  |     +--rw user-access-request?     boolean
      |  |     +--rw user-access-granted?     boolean
      |  |     +--rw user-access-violation?   boolean
      |  +--rw dev-event
      |  |  +--rw dev-sec-event-content   boolean
      |  |  +--rw dev-sec-event-format
      |  |  |  +--rw unknown?   boolean
      |  |  |  +--rw guid?      boolean
      |  |  |  +--rw uuid?      boolean
      |  |  |  +--rw uri?       boolean
      |  |  |  +--rw fqdn?      boolean
      |  |  |  +--rw fqpn?      boolean
      |  |  +--rw dev-sec-event-type
      |  |  |  +--rw unknown?                    boolean
      |  |  |  +--rw comm-alarm?                 boolean
      |  |  |  +--rw quality-of-service-alarm?   boolean
      |  |  |  +--rw process-err-alarm?          boolean
      |  |  |  +--rw equipment-err-alarm?        boolean
      |  |  |  +--rw environmental-err-alarm?    boolean
      |  |  +--rw dev-sec-event-type-severity
      |  |     +--rw unknown?         boolean
      |  |     +--rw cleared?         boolean
      |  |     +--rw indeterminate?   boolean
      |  |     +--rw critical?        boolean
      |  |     +--rw major?           boolean
      |  |     +--rw minor?           boolean
      |  |     +--rw warning?         boolean
      |  +--rw sys-event
      |  |  +--rw sys-sec-event-content?   boolean
      |  |  +--rw sys-sec-event-format
      |  |  |  +--rw unknown?   boolean
      |  |  |  +--rw guid?      boolean
      |  |  |  +--rw uuid?      boolean
      |  |  |  +--rw uri?       boolean
      |  |  |  +--rw fqdn?      boolean
      |  |  |  +--rw fqpn?      boolean
      |  |  +--rw sys-sec-event-type
      |  |     +--rw unknown?                boolean
      |  |     +--rw audit-log-written-to?   boolean
      |  |     +--rw audit-log-cleared?      boolean
      |  |     +--rw policy-created?         boolean
      |  |     +--rw policy-edited?          boolean
      |  |     +--rw policy-deleted?         boolean
      |  |     +--rw policy-executed?        boolean
      |  +--rw time-event
      |     +--rw time-sec-event-begin?       boolean
      |     +--rw time-sec-event-end?         boolean
      |     +--rw time-sec-event-time-zone?   boolean
      +--rw condition
      |  ...
      +--rw action
      |  ...
      +--rw resolution-strategy
         ...

In -00 (left column) the same figure differed as follows: net-sec-capabilities was a list, net-sec-capabilities* [nsc-capabilities-name], with the leaves nsc-capabilities-name (string), rule-description?, rule-rev? and rule-priority? (boolean) before time; time-zone-offset carried no "?" (mandatory); the interval containers were spelled time-interval, absolute-time-interval and periodic-time-interval; event held a choice (event-type)? whose cases usr-event, dev-event, sys-event and time-event each began with a string leaf (usr-manual?, dev-manual?, sys-manual?, time-manual?) followed by the same nodes as above; and a default-action container followed resolution-strategy.
Figure 4: Data Model Structure for Event Capabilities of Network Security Function

These objects are defined as capabilities of user security event, device security event, system security event, and time security event. These objects can be extended according to specific vendor event features. We will add additional event objects for more generic network security functions.

6.2.2. Condition Capabilities

The data model for condition capabilities has the following structure:
Structure in -01 (right column):

+--rw i2nsf-net-sec-caps
   +--rw net-sec-capabilities
      +--rw time
      |  +--rw time-zone
      |  |  +--rw time-zone-offset?   boolean
      |  +--rw time-inteval
      |     +--rw absolute-time-inteval
      |     |  +--rw start-time?   boolean
      |     |  +--rw end-time?     boolean
      |     +--rw periodic-time-inteval
      |        +--rw day?     boolean
      |        +--rw month?   boolean
      +--rw event
      |  ...
      +--rw condition
      |  +--rw packet-security-condition
      |  |  +--rw packet-security-mac-condition
      |  |  |  +--rw pkt-sec-cond-mac-dest?         boolean
      |  |  |  +--rw pkt-sec-cond-mac-src?          boolean
      |  |  |  +--rw pkt-sec-cond-mac-8021q?        boolean
      |  |  |  +--rw pkt-sec-cond-mac-ether-type?   boolean
      |  |  |  +--rw pkt-sec-cond-mac-tci?          string
      |  |  +--rw packet-security-ipv4-condition
      |  |  |  +--rw pkt-sec-cond-ipv4-header-length?     boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-tos?               boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-total-length?      boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-id?                boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-fragment?          boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-fragment-offset?   boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-ttl?               boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-protocol?          boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-src?               boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-dest?              boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-ipopts?            boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-sameip?            boolean
      |  |  |  +--rw pkt-sec-cond-ipv4-geoip?             boolean
      |  |  +--rw packet-security-ipv6-condition
      |  |  |  +--rw pkt-sec-cond-ipv6-dscp?             boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-ecn?              boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-traffic-class?    boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-flow-label?       boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-payload-length?   boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-next-header?      boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-hop-limit?        boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-src?              boolean
      |  |  |  +--rw pkt-sec-cond-ipv6-dest?             boolean
      |  |  +--rw packet-security-tcp-condition
      |  |  |  +--rw pkt-sec-cond-tcp-src-port?      boolean
      |  |  |  +--rw pkt-sec-cond-tcp-dest-port?     boolean
      |  |  |  +--rw pkt-sec-cond-tcp-seq-num?       boolean
      |  |  |  +--rw pkt-sec-cond-tcp-ack-num?       boolean
      |  |  |  +--rw pkt-sec-cond-tcp-window-size?   boolean
      |  |  |  +--rw pkt-sec-cond-tcp-flags?         boolean
      |  |  +--rw packet-security-udp-condition
      |  |  |  +--rw pkt-sec-cond-udp-src-port?    boolean
      |  |  |  +--rw pkt-sec-cond-udp-dest-port?   boolean
      |  |  |  +--rw pkt-sec-cond-udp-length?      boolean
      |  |  +--rw packet-security-icmp-condition
      |  |     +--rw pkt-sec-cond-icmp-type?      boolean
      |  |     +--rw pkt-sec-cond-icmp-code?      boolean
      |  |     +--rw pkt-sec-cond-icmp-seg-num?   boolean
      |  +--rw packet-payload-condition
      |  |  +--rw pkt-payload-content?   boolean
      |  +--rw acl-number?   boolean
      |  +--rw application-condition
      |  |  +--rw application-object?   boolean
      |  |  +--rw application-group?    boolean
      |  |  +--rw application-label?    boolean
      |  |  +--rw category
      |  |     +--rw application-category?   boolean
      |  +--rw target-condition
      |  |  +--rw device-sec-context-cond?   boolean
      |  +--rw users-condition
      |  |  +--rw user
      |  |  |  +--rw (user-name)?
      |  |  |     +--:(tenant)
      |  |  |     |  +--rw tenant?   boolean
      |  |  |     +--:(vn-id)
      |  |  |        +--rw vn-id?    boolean
      |  |  +--rw group
      |  |  |  +--rw (group-name)?
      |  |  |     +--:(tenant)
      |  |  |     |  +--rw tenant?   boolean
      |  |  |     +--:(vn-id)
      |  |  |        +--rw vn-id?    boolean
      |  |  +--rw security-grup   boolean
      |  +--rw url-category-condition
      |  |  +--rw pre-defined-category?    boolean
      |  |  +--rw user-defined-category?   boolean
      |  +--rw context-condition
      |  |  +--rw temp?   string
      |  +--rw gen-context-condition
      |     +--rw geographic-location
      |        +--rw src-geographic-location?    boolean
      |        +--rw dest-geographic-location?   boolean
      +--rw action
      |  ...
      +--rw resolution-strategy
         ...

In -00 (left column) the same figure differed as follows: net-sec-capabilities was a list, net-sec-capabilities* [nsc-capabilities-name], with the leaves nsc-capabilities-name (string), rule-description? and rule-rev? (boolean) before time (rule-priority does not appear in this figure in -00); time-zone-offset carried no "?"; the interval containers were spelled time-interval, absolute-time-interval and periodic-time-interval; condition held a choice (condition-type)? whose cases packet-security-condition, packet-payload-condition, target-condition, users-condition, context-condition and gen-context-condition each began with a string leaf (packet-manual?, packet-payload-manual?, target-manual?, users-manual?, context-manual?, gen-context-manual?) followed by the same nodes as above; acl-number, application-condition, security-grup, url-category-condition and the temp leaf were not present (context-condition contained only context-manual?); and a default-action container followed resolution-strategy.
Figure 5: Data Model Structure for Condition Capabilities of Network Security Function

These objects are defined as capabilities of packet security condition, packet payload security condition, target security condition, user security condition, context condition, and generic context condition. These objects can be extended according to specific vendor condition features. We will add additional condition objects for more generic network security functions.

6.2.3. Action Capabilities

The data model for action capabilities has the following structure:
Structure in -01 (right column):

+--rw i2nsf-net-sec-caps
   +--rw net-sec-capabilities
      +--rw time
      |  +--rw time-zone
      |  |  +--rw time-zone-offset?   boolean
      |  +--rw time-inteval
      |     +--rw absolute-time-inteval
      |     |  +--rw start-time?   boolean
      |     |  +--rw end-time?     boolean
      |     +--rw periodic-time-inteval
      |        +--rw day?     boolean
      |        +--rw month?   boolean
      +--rw event
      |  ...
      +--rw condition
      |  ...
      +--rw action
      |  +--rw rule-log?      boolean
      |  +--rw session-log?   boolean
      |  +--rw ingress-action
      |  |  +--rw ingress-action-type
      |  |     +--rw pass?     boolean
      |  |     +--rw drop?     boolean
      |  |     +--rw reject?   boolean
      |  |     +--rw alert?    boolean
      |  |     +--rw mirror?   boolean
      |  +--rw egress-action
      |     +--rw egress-action-type
      |        +--rw invoke-signaling?       boolean
      |        +--rw tunnel-encapsulation?   boolean
      |        +--rw forwarding?             boolean
      |        +--rw redirection?            boolean
      +--rw resolution-strategy
         ...

In -00 (left column) the same figure differed as follows: net-sec-capabilities was a list, net-sec-capabilities* [nsc-capabilities-name], with the leaves nsc-capabilities-name (string), rule-description?, rule-rev? and rule-priority? (boolean) before time; time-zone-offset carried no "?"; the interval containers were spelled time-interval, absolute-time-interval and periodic-time-interval; action held a choice (action-type)? with cases ingress-action and egress-action, each beginning with a string leaf (ingress-manual?, egress-manual?) before ingress-action-type and egress-action-type respectively; rule-log? and session-log? were not present; and a default-action container followed resolution-strategy.
Figure 6: Data Model Structure for Action Capabilities of Network Security Function

These objects are defined as capabilities of ingress action, egress action, and apply-profile action. These objects can be extended according to specific vendor action features. We will add additional action objects for more generic network security functions.

6.2.4. Resolution Strategy Capabilities

The data model for resolution strategy capabilities has the following structure:
Structure in -01 (right column):

+--rw i2nsf-net-sec-caps
   +--rw net-sec-capabilities
      +--rw time
      |  +--rw time-zone
      |  |  +--rw time-zone-offset?   boolean
      |  +--rw time-inteval
      |     +--rw absolute-time-inteval
      |     |  +--rw start-time?   boolean
      |     |  +--rw end-time?     boolean
      |     +--rw periodic-time-inteval
      |        +--rw day?     boolean
      |        +--rw month?   boolean
      +--rw event
      |  ...
      +--rw condition
      |  ...
      +--rw action
      |  ...
      +--rw resolution-strategy
         +--rw first-matching-rule?   boolean
         +--rw last-matching-rule?    boolean

In -00 (left column) the same figure differed as follows: net-sec-capabilities was a list, net-sec-capabilities* [nsc-capabilities-name], with the leaves nsc-capabilities-name (string), rule-description?, rule-rev? and rule-priority? (boolean) before time; time-zone-offset carried no "?"; the interval containers were spelled time-interval, absolute-time-interval and periodic-time-interval; and a default-action container followed resolution-strategy.
Figure 7: Data Model Structure for Resolution Strategy Capabilities of Network Security Function

These objects are defined as capabilities of first-matching-rule and last-matching-rule. These objects can be extended according to specific vendor resolution strategy features. We will add additional resolution strategy objects for more generic network security functions.
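The condition, action and resolution-strategy flags in Figures 5 to 7 are what a Security Controller consults before delegating a rule to an NSF: a rule that uses a condition or action the NSF does not advertise cannot be enforced there, and silently pushing it anyway leaves a gap in the policy. The following Python script is an added example, not code from the draft or the I2NSF project. It encodes a constructed capability instance using the -01 container and leaf names and checks two constructed rules against it; the slash-separated path strings, the rule dictionary layout and the function names are this example's own conventions, not part of the data model.

```python
"""Capability check for an I2NSF NSF, following the -01 tree structure.

Added example (not from the draft).  Every leaf in the capability model is a
boolean "supported / not supported" flag, so deciding whether an NSF can
enforce a rule reduces to path lookups in the tree it advertised.
"""

# Constructed capability instance for one NSF, using the container and leaf
# names of the -01 data model (Figures 5, 6 and 7).  Values are sample data.
NSF_CAPS = {
    "condition": {
        "packet-security-condition": {
            "packet-security-ipv4-condition": {
                "pkt-sec-cond-ipv4-src": True,
                "pkt-sec-cond-ipv4-dest": True,
                "pkt-sec-cond-ipv4-protocol": True,
                "pkt-sec-cond-ipv4-geoip": False,
            },
            "packet-security-tcp-condition": {
                "pkt-sec-cond-tcp-src-port": True,
                "pkt-sec-cond-tcp-dest-port": True,
                "pkt-sec-cond-tcp-flags": False,
            },
        },
        "packet-payload-condition": {"pkt-payload-content": False},
        "url-category-condition": {"pre-defined-category": True,
                                   "user-defined-category": False},
    },
    "action": {
        "rule-log": True,
        "session-log": False,
        "ingress-action": {
            "ingress-action-type": {"pass": True, "drop": True, "reject": False,
                                    "alert": True, "mirror": False}},
        "egress-action": {
            "egress-action-type": {"invoke-signaling": False,
                                   "tunnel-encapsulation": False,
                                   "forwarding": True, "redirection": False}},
    },
    "resolution-strategy": {"first-matching-rule": True,
                            "last-matching-rule": False},
}


def supported_paths(tree, prefix=""):
    """Flatten the tree into the set of slash-separated leaf paths set to True.
    A leaf that is absent or False is simply not in the set (fail closed)."""
    paths = set()
    for name, value in tree.items():
        path = f"{prefix}/{name}" if prefix else name
        if isinstance(value, dict):
            paths |= supported_paths(value, path)
        elif value is True:
            paths.add(path)
    return paths


def missing_capabilities(required, caps):
    """Return the required leaf paths the NSF does not advertise as supported."""
    have = supported_paths(caps)
    return sorted(p for p in required if p not in have)


def can_enforce(rule, caps):
    """True when every condition and action leaf the rule uses is supported
    and the NSF evaluates rules with the rule's resolution strategy."""
    required = rule["conditions"] + rule["actions"] + [rule["resolution"]]
    return not missing_capabilities(required, caps)


# Constructed rule: drop inbound TCP to a port from a source range, log rule
# hits, and resolve overlapping rules with first-matching-rule semantics.
RULE_OK = {
    "conditions": [
        "condition/packet-security-condition/packet-security-ipv4-condition/pkt-sec-cond-ipv4-src",
        "condition/packet-security-condition/packet-security-tcp-condition/pkt-sec-cond-tcp-dest-port",
    ],
    "actions": ["action/ingress-action/ingress-action-type/drop", "action/rule-log"],
    "resolution": "resolution-strategy/first-matching-rule",
}

# Same rule, but it also needs payload inspection and a TCP-flags match,
# neither of which this NSF advertises; it must be routed elsewhere.
RULE_DPI = {
    "conditions": RULE_OK["conditions"] + [
        "condition/packet-payload-condition/pkt-payload-content",
        "condition/packet-security-condition/packet-security-tcp-condition/pkt-sec-cond-tcp-flags",
    ],
    "actions": RULE_OK["actions"],
    "resolution": RULE_OK["resolution"],
}

if __name__ == "__main__":
    print(can_enforce(RULE_OK, NSF_CAPS))
    print(missing_capabilities(RULE_DPI["conditions"], NSF_CAPS))
```

The check is deliberately fail-closed: a leaf missing from the advertised tree counts the same as one set to false, so an NSF that advertises only part of the model is never handed a rule it cannot evaluate, and the returned list of missing paths tells the controller which other NSF (or which capability extension) the rule needs.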
6.2.5. Default Action Capabilities (-00 only)

In -00 (left column) the data model for default action capabilities has the following structure:

+--rw i2nsf-net-sec-caps
   +--rw net-sec-capabilities* [nsc-capabilities-name]
      +--rw nsc-capabilities-name   string
      +--rw rule-description?       boolean
      +--rw rule-rev?               boolean
      +--rw rule-priority?          boolean
      +--rw time
      |  +--rw time-zone
      |  |  +--rw time-zone-offset   boolean
      |  +--rw time-interval
      |     +--rw absolute-time-interval
      |     |  +--rw start-time?   boolean
      |     |  +--rw end-time?     boolean
      |     +--rw periodic-time-interval
      |        +--rw day?     boolean
      |        +--rw month?   boolean
      +--rw event
      |  ...
      +--rw condition
      |  ...
      +--rw action
      |  ...
      +--rw resolution-strategy
      |  ...
      +--rw default-action
         +--rw default-action-type
            +--rw ingress-action-type
               +--rw pass?     boolean
               +--rw drop?     boolean
               +--rw reject?   boolean
               +--rw alert?    boolean
               +--rw mirror?   boolean

Figure 8 (-00): Data Model Structure for Default Action Capabilities of Network Security Function

6.2.5. Content Security Capabilities (-01 only)

In -01 (right column) this section replaces the above. The data model for content security capabilities has the following structure:

+--rw complete-nsf-capabilities
   +--rw con-sec-control-capabilities
   |  +--rw anti-virus?             boolean
   |  +--rw ips?                    boolean
   |  +--rw ids?                    boolean
   |  +--rw url-filter?             boolean
   |  +--rw data-filter?            boolean
   |  +--rw mail-filter?            boolean
   |  +--rw sql-filter?             boolean
   |  +--rw file-blocking?          boolean
   |  +--rw file-isolate?           boolean
   |  +--rw pkt-capture?            boolean
   |  +--rw application-behavior?   boolean
   |  +--rw voip-volte?             boolean
   +--rw attack-mitigation-capabilities
      ...

Figure 8 (-01): Data Model Structure for Content Security Capabilities of Network Security Function

Content security is composed of a number of distinct security Capabilities; each such Capability protects against a specific type of threat in the application layer. Content security is a type of Generic Network Security Function (GNSF), which summarizes a well-defined set of security Capabilities.
6.2.6. Attack Mitigation Capabilities (-01 only)

The data model for attack mitigation capabilities has the following structure:

+--rw complete-nsf-capabilities
   ...
   +--rw attack-mitigation-capabilities
      +--rw (attack-mitigation-control-type)?
         +--:(ddos-attack)
         |  +--rw (ddos-attack-type)?
         |     +--:(network-layer-ddos-attack)
         |     |  +--rw network-layer-ddos-attack-types
         |     |     +--rw syn-flood-attack?           boolean
         |     |     +--rw udp-flood-attack?           boolean
         |     |     +--rw icmp-flood-attack?          boolean
         |     |     +--rw ip-fragment-flood-attack?   boolean
         |     |     +--rw ipv6-related-attack?        boolean
         |     +--:(app-layer-ddos-attack)
         |        +--rw app-layer-ddos-attack-types
         |           +--rw http-flood-attack?      boolean
         |           +--rw https-flood-attack?     boolean
         |           +--rw dns-flood-attack?       boolean
         |           +--rw dns-amp-flood-attack?   boolean
         |           +--rw ssl-flood-attack?       boolean
         +--:(single-packet-attack)
            +--rw (single-packet-attack-type)?
               +--:(scan-and-sniff-attack)
               |  +--rw ip-sweep-attack?        boolean
               |  +--rw port-scanning-attack?   boolean
               +--:(malformed-packet-attack)
               |  +--rw ping-of-death-attack?   boolean
               |  +--rw teardrop-attack?        boolean
               +--:(special-packet-attack)
                  +--rw oversized-icmp-attack?   boolean
                  +--rw tracert-attack?          boolean

Figure 9: Data Model Structure for Attack Mitigation Capabilities of Network Security Function

Attack mitigation is composed of a number of GNSFs; each one protects against a specific type of network attack. Attack Mitigation security is a type of GNSF, which summarizes a well-defined set of security Capabilities.

6.2.7. RPC for Acquiring Appropriate Network Security Function (numbered 6.2.6 in -00)
The data model for RPC for Acquiring Appropriate Network Security Function has the following structure:

rpcs:
   +---x call-appropriate-nsf
      +---w input
      |  +---w nsf-type        nsf-type
      |  +---w target-device
      |     +---w pc?        boolean

skipping to change at page 18, line 24

      |     +---w iot?       boolean
      |     +---w vehicle?   boolean
      +--ro output
         +--ro nsf-address
            +--ro (nsf-address-type)?
               +--:(ipv4-address)
               |  +--ro ipv4-address   inet:ipv4-address
               +--:(ipv6-address)
                  +--ro ipv6-address   inet:ipv6-address

Figure 10 (Figure 9 in -00): RPC for Acquiring Appropriate Network Security Function
This shows an RPC for acquiring an appropriate network security function according to the type of NSF and/or the target devices. If the SFF [i2nsf-sfc] does not have in its own cache table the location information of the network security functions it should send to, this RPC can be used to acquire that information. These objects are defined as input data (i.e., NSF type and target devices) and output data (i.e., location information of the NSF).
7. YANG Modules 7. YANG Modules
7.1. I2NSF Capability YANG Data Module 7.1. I2NSF Capability YANG Data Module
This section introduces a YANG module for the information model of This section introduces a YANG module for the information model of
network security functions, as defined in the [i2nsf-nsf-cap-im]. network security functions, as defined in the [i2nsf-nsf-cap-im].
<CODE BEGINS> file "ietf-i2nsf-capability@2018-03-23.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2018-07-02.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
i2nsf-capability; i2nsf-capability;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
} }
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Jinyong Tim Kim Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu>"; <mailto:timkim@skku.edu>";
description description
"This module describes a capability model "This module describes a capability model
for I2NSF devices."; for I2NSF devices.";
revision "2018-03-23"{ revision "2018-07-02"{
description "The fifth revision"; description "The fifth revision";
reference reference
"draft-ietf-i2nsf-capability-00"; "draft-ietf-i2nsf-capability-00";
} }
grouping i2nsf-nsf-location { grouping i2nsf-nsf-location {
description description
"This provides a location for capabilities."; "This provides a location for capabilities.";
container nsf-address { container nsf-address {
description description
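Review bot: the revision statement still carries the old metadata even though the date was bumped to 2018-07-02: its description reads "The fifth revision" and its reference cites "draft-ietf-i2nsf-capability-00", while the file name is now ietf-i2nsf-capability@2018-07-02.yang and the document is draft-ietf-i2nsf-capability-data-model-01. Either update the reference and description to the -01 draft name, or better, add a second `revision` statement for 2018-07-02 and leave the 2018-03-23 entry in place, since RFC 7950 intends the revision history to accumulate rather than be rewritten.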
description description
"This is type of NSF."; "This is type of NSF.";
} }
uses i2nsf-nsf-location; uses i2nsf-nsf-location;
uses i2nsf-it-resources; uses i2nsf-it-resources;
} }
grouping i2nsf-net-sec-caps { grouping i2nsf-net-sec-caps {
description description
"i2nsf-net-sec-caps"; "i2nsf-net-sec-caps";
list net-sec-capabilities { container net-sec-capabilities {
key "nsc-capabilities-name";
description description
"net-sec-capabilities"; "net-sec-capabilities";
leaf nsc-capabilities-name {
type string;
mandatory true;
description
"nsc-capabilities-name";
}
leaf rule-description {
type boolean;
description
"This is rule-description.";
}
leaf rule-rev {
type boolean;
description
"This is rule-revision";
}
leaf rule-priority {
type boolean;
description
"This is rule-priority";
}
container time { container time {
description description
"This is capabilities for time"; "This is capabilities for time";
container time-zone { container time-zone {
description description
"This can be used to apply rules "This can be used to apply rules
according to time zone"; according to time zone";
leaf time-zone-offset { leaf time-zone-offset {
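Review bot: turning `list net-sec-capabilities` (keyed on nsc-capabilities-name) into an unkeyed container also removes rule-description, rule-rev and rule-priority, and Appendix C item 4 records only the list-to-container change. Either list the dropped leaves in the change log or keep them if they are still meant to be advertised. The container form also means each `nsf` entry now advertises exactly one net-sec-capabilities set; that is consistent with Appendix C item 5, where multiple catalogues are now expressed by populating sibling containers rather than by multiple list entries, but it is worth stating next to the container.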
" This is abstract. An event is defined as any important " This is abstract. An event is defined as any important
occurrence in time of a change in the system being occurrence in time of a change in the system being
managed, and/or in the environment of the system being managed, and/or in the environment of the system being
managed. When used in the context of policy rules for managed. When used in the context of policy rules for
a flow-based NSF, it is used to determine whether the a flow-based NSF, it is used to determine whether the
Condition clause of the Policy Rule can be evaluated Condition clause of the Policy Rule can be evaluated
or not. Examples of an I2NSF event include time and or not. Examples of an I2NSF event include time and
user actions (e.g., logon, logoff, and actions that user actions (e.g., logon, logoff, and actions that
violate any ACL.)."; violate any ACL.).";
choice event-type { container usr-event {
description description "TBD";
"Vendors can use YANG data model to configure rules
by concreting this event type";
case usr-event {
leaf usr-manual {
type string;
description
"This is manual for user event.
Vendors can write instructions for user event
that vendor made";
}
leaf usr-sec-event-content { leaf usr-sec-event-content {
type boolean; type boolean;
description description
"This is a mandatory string that contains the content "This is a mandatory string that contains the content
of the UserSecurityEvent. The format of the content of the UserSecurityEvent. The format of the content
is specified in the usrSecEventFormat class is specified in the usrSecEventFormat class
attribute, and the type of event is defined in the attribute, and the type of event is defined in the
usrSecEventType class attribute. An example of the usrSecEventType class attribute. An example of the
usrSecEventContent attribute is a string hrAdmin, usrSecEventContent attribute is a string hrAdmin,
with the usrSecEventFormat set to 1 (GUID) and the with the usrSecEventFormat set to 1 (GUID) and the
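Review bot: the new `container usr-event` (and dev-event, sys-event and time-event below, which follow the same pattern) ship with `description "TBD";`, a placeholder that should not appear in a Standards Track module; the text of the removed usr-manual leaf ("Vendors can write instructions for user event ...") could serve as the container description. Separately, usr-sec-event-content is `type boolean`, yet its description still says it is "a mandatory string that contains the content of the UserSecurityEvent"; in a capability module the description should say that `true` means the NSF can match on that event, not describe the event's value.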
this user. The content and format are specified in this user. The content and format are specified in
the usrSecEventContent and usrSecEventFormat class the usrSecEventContent and usrSecEventFormat class
attributes, respectively. An example of the attributes, respectively. An example of the
usrSecEventContent attribute is string hrAdmin, usrSecEventContent attribute is string hrAdmin,
with the usrSecEventFormat attribute set to 1 (GUID) with the usrSecEventFormat attribute set to 1 (GUID)
and the usrSecEventType attribute set to 5 and the usrSecEventType attribute set to 5
(new logon)."; (new logon).";
} }
} }
case dev-event { container dev-event {
leaf dev-manual { description "TBD";
type string;
description
"This is manual for device event.
Vendors can write instructions for device event
that vendor made";
}
leaf dev-sec-event-content { leaf dev-sec-event-content {
type boolean; type boolean;
mandatory true; mandatory true;
description description
"This is a mandatory string that contains the content "This is a mandatory string that contains the content
of the DeviceSecurityEvent. The format of the of the DeviceSecurityEvent. The format of the
content is specified in the devSecEventFormat class content is specified in the devSecEventFormat class
attribute, and the type of event is defined in the attribute, and the type of event is defined in the
devSecEventType class attribute. An example of the devSecEventType class attribute. An example of the
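Review bot: dev-sec-event-content keeps `mandatory true;` while its parent changed from `case dev-event` to a non-presence `container dev-event`. Under RFC 7950 a non-presence container with a mandatory child is itself mandatory, so every net-sec-capabilities instance must now include dev-sec-event-content, whereas before it was only required when the dev-event case was selected. Drop `mandatory true` (the sibling usr-sec-event-content has none, and a capability flag should be optional) or make dev-event a presence container.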
description description
"If devSecEventTypeSeverity is minor"; "If devSecEventTypeSeverity is minor";
} }
leaf warning { leaf warning {
type boolean; type boolean;
description description
"If devSecEventTypeSeverity is warning"; "If devSecEventTypeSeverity is warning";
} }
} }
} }
case sys-event { container sys-event {
leaf sys-manual { description "TBD";
type string;
description
"This is manual for system event.
Vendors can write instructions for system event
that vendor made";
}
leaf sys-sec-event-content { leaf sys-sec-event-content {
type boolean; type boolean;
description description
"This is a mandatory string that contains a content "This is a mandatory string that contains a content
of the SystemSecurityEvent. The format of a content of the SystemSecurityEvent. The format of a content
is specified in a sysSecEventFormat class attribute, is specified in a sysSecEventFormat class attribute,
and the type of event is defined in the and the type of event is defined in the
sysSecEventType class attribute. An example of the sysSecEventType class attribute. An example of the
sysSecEventContent attribute is string sysadmin3, sysSecEventContent attribute is string sysadmin3,
with the sysSecEventFormat attribute set to 1(GUID), with the sysSecEventFormat attribute set to 1(GUID),
is that policy is deleted"; is that policy is deleted";
} }
leaf policy-executed{ leaf policy-executed{
type boolean; type boolean;
description description
"If sysSecEventTypeSeverity "If sysSecEventTypeSeverity
is that policy is executed"; is that policy is executed";
} }
} }
} }
case time-event { container time-event {
leaf time-manual { description "TBD";
type string;
description
"This is manual for time event.
Vendors can write instructions for time event
that vendor made";
}
leaf time-sec-event-begin { leaf time-sec-event-begin {
type boolean; type boolean;
description description
"This is a mandatory DateTime attribute, and "This is a mandatory DateTime attribute, and
represents the beginning of a time period. represents the beginning of a time period.
It has a value that has a date and/or a time It has a value that has a date and/or a time
component (as in the Java or Python libraries)."; component (as in the Java or Python libraries).";
} }
leaf time-sec-event-end { leaf time-sec-event-end {
} }
leaf time-sec-event-time-zone { leaf time-sec-event-time-zone {
type boolean; type boolean;
description description
"This is a mandatory string attribute, and defines a "This is a mandatory string attribute, and defines a
time zone that this event occurred in using the time zone that this event occurred in using the
format specified in ISO8601."; format specified in ISO8601.";
} }
} }
}
} }
container condition { container condition {
description description
" This is abstract. A condition is defined as a set " This is abstract. A condition is defined as a set
of attributes, features, and/or values that are to be of attributes, features, and/or values that are to be
compared with a set of known attributes, features, compared with a set of known attributes, features,
and/or values in order to determine whether or not the and/or values in order to determine whether or not the
set of Actions in that (imperative) I2NSF Policy Rule set of Actions in that (imperative) I2NSF Policy Rule
can be executed or not. Examples of I2NSF Conditions can be executed or not. Examples of I2NSF Conditions
include matching attributes of a packet or flow, and include matching attributes of a packet or flow, and
comparing the internal state of an NSF to a desired state."; comparing the internal state of an NSF to a desired state.";
choice condition-type { container packet-security-condition {
description description "TBD";
"Vendors can use YANG data model to configure rules
by concreting this condition type";
case packet-security-condition {
leaf packet-manual {
type string;
description
"This is manual for packet condition.
Vendors can write instructions for packet condition
that vendor made";
}
container packet-security-mac-condition { container packet-security-mac-condition {
description description
"The purpose of this Class is to represent packet MAC "The purpose of this Class is to represent packet MAC
packet header information that can be used as part of packet header information that can be used as part of
a test to determine if the set of Policy Actions in a test to determine if the set of Policy Actions in
this ECA Policy Rule should be execute or not."; this ECA Policy Rule should be execute or not.";
leaf pkt-sec-cond-mac-dest { leaf pkt-sec-cond-mac-dest {
type boolean; type boolean;
} }
} }
container packet-security-udp-condition { container packet-security-udp-condition {
description description
"The purpose of this Class is to represent packet UDP "The purpose of this Class is to represent packet UDP
packet header information that can be used as part packet header information that can be used as part
of a test to determine if the set of Policy Actions of a test to determine if the set of Policy Actions
in this ECA Policy Rule should be executed or not."; in this ECA Policy Rule should be executed or not.";
leaf-list pkt-sec-cond-udp-src-port { leaf pkt-sec-cond-udp-src-port {
type boolean; type boolean;
description description
"This is a mandatory string attribute, and "This is a mandatory string attribute, and
defines the UDP Source Port number (16 bits)."; defines the UDP Source Port number (16 bits).";
} }
leaf-list pkt-sec-cond-udp-dest-port { leaf pkt-sec-cond-udp-dest-port {
type boolean; type boolean;
description description
"This is a mandatory string attribute, and "This is a mandatory string attribute, and
defines the UDP Destination Port number (16 bits)."; defines the UDP Destination Port number (16 bits).";
} }
leaf pkt-sec-cond-udp-length { leaf pkt-sec-cond-udp-length {
type boolean; type boolean;
description description
"This is a mandatory string attribute, and defines "This is a mandatory string attribute, and defines
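Review bot: pkt-sec-cond-udp-src-port and pkt-sec-cond-udp-dest-port change from leaf-list to leaf (Appendix C item 3), which is the right shape for a boolean capability flag, but both descriptions still read "This is a mandatory string attribute, and defines the UDP Source Port number (16 bits)." The leaves are neither mandatory nor strings; reword to state that `true` means the NSF can match on the UDP source or destination port.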
} }
leaf pkt-sec-cond-icmp-seg-num { leaf pkt-sec-cond-icmp-seg-num {
type boolean; type boolean;
description description
"The icmp Sequence Number."; "The icmp Sequence Number.";
} }
} }
} }
case packet-payload-condition { container packet-payload-condition {
leaf packet-payload-manual { description "TBD";
type string;
description
"This is manual for payload condition.
Vendors can write instructions for payload condition
that vendor made";
}
leaf pkt-payload-content { leaf pkt-payload-content {
type boolean; type boolean;
description description
"The content keyword is very important in "The content keyword is very important in
signatures. Between the quotation marks you signatures. Between the quotation marks you
can write on what you would like the can write on what you would like the
signature to match."; signature to match.";
} }
} }
case target-condition { leaf acl-number {
leaf target-manual { type boolean;
type string; description
"This is acl-number.";
}
container application-condition {
description
"TBD";
leaf application-object {
type boolean;
description description
"This is manual for target condition. "This is application object.";
Vendors can write instructions for target condition }
that vendor made"; leaf application-group {
type boolean;
description
"This is application group.";
} }
leaf application-label {
type boolean;
description
"This is application label.";
}
container category {
description
"TBD";
leaf application-category {
type boolean;
description
"TBD";
}
}
}
container target-condition {
description "TBD";
leaf device-sec-context-cond { leaf device-sec-context-cond {
type boolean; type boolean;
description description
"The device attribute that can identify a device, "The device attribute that can identify a device,
including the device type (i.e., router, switch, including the device type (i.e., router, switch,
pc, ios, or android) and the device's owner as pc, ios, or android) and the device's owner as
well."; well.";
} }
} }
case users-condition { container users-condition {
leaf users-manual { description "TBD";
type string;
description
"This is manual for user condition.
Vendors can write instructions for user condition
that vendor made";
}
container user{ container user{
description description
"The user (or user group) information with which "The user (or user group) information with which
network flow is associated: The user has many network flow is associated: The user has many
attributes such as name, id, password, type, attributes such as name, id, password, type,
authentication mode and so on. Name/id is often authentication mode and so on. Name/id is often
used in the security policy to identify the user. used in the security policy to identify the user.
Besides, NSF is aware of the IP address of the Besides, NSF is aware of the IP address of the
user provided by a unified user management system user provided by a unified user management system
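Review bot: the additions under `condition` rely on placeholder text: `leaf acl-number` is described as "This is acl-number.", application-condition and category are "TBD", and application-category is "TBD". As written a reader cannot tell whether acl-number advertises support for matching on an ACL number or is meant to carry one (as `type boolean` it cannot carry one); say which. Also `container category` wraps a single leaf, so application-category could sit directly in application-condition unless further category leaves are planned.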
description description
"VN-ID information."; "VN-ID information.";
leaf vn-id { leaf vn-id {
type boolean; type boolean;
description description
"User's VN-ID information."; "User's VN-ID information.";
} }
} }
} }
leaf security-grup {
type boolean;
mandatory true;
description
"security-grup.";
}
} }
} }
case context-condition {
leaf context-manual { container url-category-condition {
type string; description
"TBD";
leaf pre-defined-category {
type boolean;
description description
"This is manual for context condition. "This is pre-defined-category.";
Vendors can write instructions for context condition }
that vendor made"; leaf user-defined-category {
type boolean;
description
"This user-defined-category.";
} }
} }
case gen-context-condition {
leaf gen-context-manual { container context-condition {
description "TBD";
leaf temp {
type string; type string;
description description
"This is manual for generic context condition. "This is temp for context condition.";
Vendors can write instructions for generic context
condition that vendor made";
} }
}
container gen-context-condition {
description "TBD";
container geographic-location { container geographic-location {
description description
"The location where network traffic is associated "The location where network traffic is associated
with. The region can be the geographic location with. The region can be the geographic location
such as country, province, and city, such as country, province, and city,
as well as the logical network location such as as well as the logical network location such as
IP address, network section, and network domain."; IP address, network section, and network domain.";
leaf src-geographic-location { leaf src-geographic-location {
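Review bot: `leaf temp { type string; description "This is temp for context condition."; }` in the new context-condition container is a stand-in that should not ship: it is the only non-boolean leaf in the capability tree and neither its name nor its description conveys a capability. Define the real context capabilities or leave the container with a description only. Removing `leaf security-grup` from users-condition (misspelled, and `mandatory true` in a capability model) is a good cleanup; in url-category-condition the description "This user-defined-category." is missing "is".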
database."; database.";
} }
leaf dest-geographic-location { leaf dest-geographic-location {
type boolean; type boolean;
description description
"This is mapped to ip address. We can acquire "This is mapped to ip address. We can acquire
destination region through ip address stored destination region through ip address stored
the database."; the database.";
} }
} }
} }
}
} }
container action { container action {
description description
"An action is used to control and monitor aspects of "An action is used to control and monitor aspects of
flow-based NSFs when the event and condition clauses flow-based NSFs when the event and condition clauses
are satisfied. NSFs provide security functions by are satisfied. NSFs provide security functions by
executing various Actions. Examples of I2NSF Actions executing various Actions. Examples of I2NSF Actions
include providing intrusion detection and/or protection, include providing intrusion detection and/or protection,
web and flow filtering, and deep packet inspection web and flow filtering, and deep packet inspection
for packets and flows."; for packets and flows.";
choice action-type { leaf rule-log {
description type boolean;
"Vendors can use YANG data model to configure rules description
by concreting this action type"; "rule-log";
case ingress-action { }
leaf ingress-manual { leaf session-log {
type string; type boolean;
description description
"This is manual for ingress action. "session-log";
Vendors can write instructions for ingress action }
that vendor made";
} container ingress-action {
description "TBD";
container ingress-action-type { container ingress-action-type {
description description
"Ingress action type: permit, deny, and mirror."; "Ingress action type: permit, deny, and mirror.";
leaf pass { leaf pass {
type boolean; type boolean;
description description
"If ingress action is pass"; "If ingress action is pass";
} }
leaf drop { leaf drop {
type boolean; type boolean;
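Review bot: rule-log and session-log are new leaves under `action` whose descriptions are just their own names ("rule-log", "session-log"); state what they advertise, for instance that the NSF can emit a log entry per rule match and per session, and add them to Appendix C, which does not mention them. The choice-to-container change for ingress-action and egress-action matches Appendix C item 5.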
} }
leaf reject { leaf reject {
type boolean; type boolean;
description description
"If ingress action is reject"; "If ingress action is reject";
} }
leaf alert { leaf alert {
type boolean; type boolean;
description description
"If ingress action is alert"; "If ingress action is alert";
} }
leaf mirror { leaf mirror {
type boolean; type boolean;
description description
"If ingress action is mirror"; "If ingress action is mirror";
} }
} }
} }
case egress-action { container egress-action {
leaf egress-manual { description "TBD";
type string;
description
"This is manual for egress action.
Vendors can write instructions for egress action
that vendor made";
}
container egress-action-type { container egress-action-type {
description description
"Egress-action-type: invoke-signaling, "Egress-action-type: invoke-signaling,
tunnel-encapsulation, and forwarding."; tunnel-encapsulation, and forwarding.";
leaf invoke-signaling { leaf invoke-signaling {
type boolean; type boolean;
description description
"If egress action is invoke signaling"; "If egress action is invoke signaling";
} }
leaf tunnel-encapsulation { leaf tunnel-encapsulation {
description description
"If egress action is forwarding"; "If egress action is forwarding";
} }
leaf redirection { leaf redirection {
type boolean; type boolean;
description description
"If egress action is redirection"; "If egress action is redirection";
} }
} }
} }
}
} }
container resolution-strategy { container resolution-strategy {
description description
"The resolution strategies can be used to "The resolution strategies can be used to
specify how to resolve conflicts that occur between specify how to resolve conflicts that occur between
the actions of the same or different policy rules that the actions of the same or different policy rules that
are matched and contained in this particular NSF"; are matched and contained in this particular NSF";
leaf first-matching-rule { leaf first-matching-rule {
type boolean; type boolean;
description description
"If the resolution strategy is first matching rule"; "If the resolution strategy is first matching rule";
} }
leaf last-matching-rule { leaf last-matching-rule {
type boolean; type boolean;
description description
"If the resolution strategy is last matching rule"; "If the resolution strategy is last matching rule";
} }
} }
container default-action {
description
"This default action can be used to specify a predefined
action when no other alternative action was matched
by the currently executing I2NSF Policy Rule. An analogy
is the use of a default statement in a C switch statement.";
container default-action-type {
description
"Ingress action type: permit, deny, and mirror.";
container ingress-action-type {
description
"Ingress action type: permit, deny, and mirror.";
leaf pass {
type boolean;
description
"If ingress action is pass";
}
leaf drop {
type boolean;
description
"If ingress action is drop";
}
leaf reject {
type boolean;
description
"If ingress action is reject";
}
leaf alert {
type boolean;
description
"If ingress action is alert";
}
leaf mirror {
type boolean;
description
"If ingress action is mirror";
}
}
}
}
} }
} }
grouping i2nsf-con-sec-control-caps { grouping i2nsf-con-sec-control-caps {
description description
"i2nsf-con-sec-control-caps"; "i2nsf-con-sec-control-caps";
container con-sec-control-capabilities { container con-sec-control-capabilities {
description description
"content-security-control-capabilities"; "content-security-control-capabilities";
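Review bot: in the new default-action container, default-action-type's description ("Ingress action type: permit, deny, and mirror.") is copied from ingress-action-type and does not describe a default action, and the nested ingress-action-type repeats the five leaves pass, drop, reject, alert and mirror verbatim from `container ingress-action`. Factor those leaves into a grouping and `uses` it in both places, and fix the description's list (permit, deny, mirror), which matches the actual leaves in neither copy.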
list nsf { list nsf {
key "nsf-name"; key "nsf-name";
description description
"nsf-name"; "nsf-name";
leaf nsf-name { leaf nsf-name {
type string; type string;
mandatory true; mandatory true;
description description
"nsf-name"; "nsf-name";
} }
uses capabilities-information; uses capabilities-information;
container generic-nsf-capabilities { container generic-nsf-capabilities {
description description
"generic-nsf-capabilities"; "generic-nsf-capabilities";
uses i2nsf-net-sec-caps; uses i2nsf-net-sec-caps;
} }
container complete-nsf-capabilities {
description
"generic-nsf-capabilities";
uses i2nsf-con-sec-control-caps;
uses i2nsf-attack-mitigation-control-caps;
}
} }
rpc call-appropriate-nsf { rpc call-appropriate-nsf {
description description
"We can acquire appropriate NSF that we want "We can acquire appropriate NSF that we want
If we give type of NSF that we want to use, If we give type of NSF that we want to use,
we acquire the location information of NSF"; we acquire the location information of NSF";
input { input {
leaf nsf-type { leaf nsf-type {
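Review bot: the new complete-nsf-capabilities container has description "generic-nsf-capabilities", copy-pasted from the container above it; it should describe the content-security and attack-mitigation capabilities it pulls in through `uses i2nsf-con-sec-control-caps` and `uses i2nsf-attack-mitigation-control-caps`.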
uses i2nsf-it-resources; uses i2nsf-it-resources;
} }
output { output {
uses i2nsf-nsf-location; uses i2nsf-nsf-location;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 10: YANG Data Module of I2NSF Capability Figure 11: YANG Data Module of I2NSF Capability
8. IANA Considerations 8. IANA Considerations
No IANA considerations exist for this document at this time. URL No IANA considerations exist for this document at this time. URL
will be added. will be added.
9. Security Considerations 9. Security Considerations
This document introduces no additional security threats and SHOULD This document introduces no additional security threats and SHOULD
follow the security requirements as stated in [RFC8329]. follow the security requirements as stated in [RFC8329].
leaf sip-header-user-agent { leaf sip-header-user-agent {
type boolean; type boolean;
description description
"SIP header user agent."; "SIP header user agent.";
} }
} }
} }
} }
Figure 11: Example: Extended VoIP-VoLTE Security Function Figure 12: Example: Extended VoIP-VoLTE Security Function
Capabilities Module Capabilities Module
Appendix B. Example: Configuration XML of Capability Module Appendix B. Example: Configuration XML of Capability Module
This section gives a xml examples for a configuration of Capability This section gives a xml examples for a configuration of Capability
module according to a requirement. module according to a requirement.
B.1. Example: Configuration XML of Generic Network Security Function B.1. Example: Configuration XML of Generic Network Security Function
Capabilities Capabilities
<alert>true</alert> <alert>true</alert>
</ingress-action-type> </ingress-action-type>
</action> </action>
</net-sec-control-capabilities> </net-sec-control-capabilities>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</nsf> </nsf>
</config> </config>
</edit-config> </edit-config>
</rpc> </rpc>
Figure 12: Example: Configuration XML for Generic Network Security Figure 13: Example: Configuration XML for Generic Network Security
Function Capability Function Capability
B.2. Example: Configuration XML of Extended VoIP/VoLTE Security B.2. Example: Configuration XML of Extended VoIP/VoLTE Security
Function Capabilities Module Function Capabilities Module
This section gives a xml example for extended VoIP-VoLTE security This section gives a xml example for extended VoIP-VoLTE security
function capabilities (See Figure 11) configuration according to a function capabilities (See Figure 12) configuration according to a
requirement. requirement.
Requirement: Register VoIP/VoLTe security function according to Requirement: Register VoIP/VoLTe security function according to
requirements. requirements.
1. The location of the NSF is 221.159.112.151. 1. The location of the NSF is 221.159.112.151.
2. The NSF can obtain the best effect if the packet was generated by 2. The NSF can obtain the best effect if the packet was generated by
VoIP-VoLTE phone. VoIP-VoLTE phone.
<alert>true</alert> <alert>true</alert>
</ingress-action-type> </ingress-action-type>
</action> </action>
</net-sec-control-capabilities> </net-sec-control-capabilities>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</nsf> </nsf>
</config> </config>
</edit-config> </edit-config>
</rpc> </rpc>
Figure 13: Example: Configuration XML for Extended VoIP/VoLTE Figure 14: Example: Configuration XML for Extended VoIP/VoLTE
Security Function Capabilities Security Function Capabilities
Appendix C. Changes from draft-ietf-i2nsf-capability-data-model-01
The following changes are made from draft-ietf-i2nsf-capability-data-
model-00:
1. We have clarified and simplified capabilities.
2. We added additional condition capabilities for application and
url.
3. We replaced unnecessary leaf-list component to leaf component.
4. We replaced the list component to the container component for
net-sec-capabilities.
5. We modified the choice-case structure into a container structure
to allow for the selection of multiple catalogues for condition
and action clauses.
6. We added complete-nsf-capabilities such as content capabilities
and attack mitigation capabilities.
Authors' Addresses Authors' Addresses
Susan Hares Susan Hares
Huawei Huawei
7453 Hickory Hill 7453 Hickory Hill
Saline, MI 48176 Saline, MI 48176
USA USA
Phone: +1-734-604-0332 Phone: +1-734-604-0332
EMail: shares@ndzh.com EMail: shares@ndzh.com
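Review bot: the Appendix C heading says "Changes from draft-ietf-i2nsf-capability-data-model-01" while its first sentence says the changes are made from -00; since this is the -01 draft, the heading should name -00. Item 3 ("replaced unnecessary leaf-list component to leaf component") should read "replaced ... with". Item 1 ("clarified and simplified capabilities") is too vague to let a reader find the change; the removed usr-manual, dev-manual, sys-manual, time-manual, packet-manual and rule-* leaves, and the added rule-log and session-log leaves, are worth listing explicitly.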
End of changes. 70 change blocks.
472 lines changed or deleted, 440 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/