draft-ietf-i2nsf-capability-data-model-03.txt   draft-ietf-i2nsf-capability-data-model-04.txt 
I2NSF Working Group S. Hares I2NSF Working Group S. Hares
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong Intended status: Standards Track J. Jeong
Expires: September 12, 2019 J. Kim Expires: September 29, 2019 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
March 11, 2019 March 28, 2019
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-03 draft-ietf-i2nsf-capability-data-model-04
Abstract Abstract
This document defines a YANG data model for capabilities of various This document defines a YANG data model for capabilities of various
Network Security Functions (NSFs) in Interface to Network Security Network Security Functions (NSFs) in Interface to Network Security
Functions (I2NSF) framework to cetrally manage capabilities of varios Functions (I2NSF) framework to cetrally manage capabilities of varios
NSFs. NSFs.
Status of This Memo Status of This Memo
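Review bot: the Abstract, unchanged in this revision, still carries two typos and a missing article: "cetrally manage capabilities of varios NSFs" should read "centrally manage capabilities of various NSFs", and "in Interface to Network Security Functions (I2NSF) framework" should read "in the Interface to Network Security Functions (I2NSF) framework". Since the date bump already touches this block, it is worth folding the fix in.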
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on September 29, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Capabilities of Network Security Function . . . . . . . . 6 5.1. Capabilities of Network Security Function . . . . . . . . 6
6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 8 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9
6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 37 8. Security Considerations . . . . . . . . . . . . . . . . . . . 39
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 39
9.1. Normative References . . . . . . . . . . . . . . . . . . 37 9.1. Normative References . . . . . . . . . . . . . . . . . . 39
9.2. Informative References . . . . . . . . . . . . . . . . . 39 9.2. Informative References . . . . . . . . . . . . . . . . . 40
Appendix A. Changes from draft-ietf-i2nsf-capability-data- Appendix A. Changes from draft-ietf-i2nsf-capability-data-
model-02 . . . . . . . . . . . . . . . . . . . . . . 40 model-03 . . . . . . . . . . . . . . . . . . . . . . 42
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 40 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 42
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 40 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things, Self-driving vehicles, and VoIP/VoLTE Internet of Things, Self-driving vehicles, and VoIP/VoLTE
smartphones), service providers have a lot of problems mentioned in smartphones), service providers have a lot of problems mentioned in
[RFC8192]. To resolve these problems, [i2nsf-nsf-cap-im] specifies [RFC8192]. To resolve these problems, [i2nsf-nsf-cap-im] specifies
the information model of the capabilities of Network Security the information model of the capabilities of Network Security
Functions (NSFs). Functions (NSFs).
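Review bot: the first sentence of Section 1 has no verb for its second subject: "As the industry becomes more sophisticated and network devices (e.g., ...), service providers have a lot of problems" leaves "network devices" dangling. Suggest "and network devices (e.g., Internet of Things, self-driving vehicles, and VoIP/VoLTE smartphones) proliferate, service providers face the problems described in [RFC8192]".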
skipping to change at page 7, line 19 skipping to change at page 7, line 19
| +--rw system-event-capa* identityref | +--rw system-event-capa* identityref
| +--rw system-alarm-capa* identityref | +--rw system-alarm-capa* identityref
+--rw condition-capabilities +--rw condition-capabilities
| +--rw generic-nsf-capabilities | +--rw generic-nsf-capabilities
| | +--rw ipv4-capa* identityref | | +--rw ipv4-capa* identityref
| | +--rw ipv6-capa* identityref | | +--rw ipv6-capa* identityref
| | +--rw tcp-capa* identityref | | +--rw tcp-capa* identityref
| | +--rw udp-capa* identityref | | +--rw udp-capa* identityref
| | +--rw icmp-capa* identityref | | +--rw icmp-capa* identityref
| +--rw advanced-nsf-capabilities | +--rw advanced-nsf-capabilities
| +--rw antivirus-capa* identityref | | +--rw antivirus-capa* identityref
| +--rw antiddos-capa* identityref | | +--rw antiddos-capa* identityref
| +--rw ips-capa* identityref | | +--rw ips-capa* identityref
| +--rw http-capa* identityref | | +--rw url-capa* identityref
| +--rw voip-volte-capa* identityref | | +--rw voip-volte-capa* identityref
| +--rw context-capabilities* identityref
+--rw action-capabilities +--rw action-capabilities
| +--rw ingress-action-capa* identityref | +--rw ingress-action-capa* identityref
| +--rw egress-action-capa* identityref | +--rw egress-action-capa* identityref
| +--rw log-action-capa* identityref | +--rw log-action-capa* identityref
+--rw resolution-strategy-capabilities* identityref +--rw resolution-strategy-capabilities* identityref
+--rw default-action-capabilities* identityref +--rw default-action-capabilities* identityref
+--rw ipsec-method* identityref
Figure 2: YANG Tree Diagram for Capabilities of Network Security Figure 2: YANG Tree Diagram for Capabilities of Network Security
Functions Functions
This YANG tree diagram shows capabilities of network security This YANG tree diagram shows capabilities of network security
functions. functions.
The NSF includes NSF capabilities. The NSF capabilities include time The NSF includes NSF capabilities. The NSF capabilities include time
capabilities, event capabilities, condition capabilities, action capabilities, event capabilities, condition capabilities, action
capabilities, resolution strategy capabilities, and default action capabilities, resolution strategy capabilities, and default action
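Review bot: the two new leaf-lists in Figure 2 break the naming pattern of their siblings. Under condition-capabilities every other leaf-list ends in -capa (ipv4-capa, url-capa, voip-volte-capa) but the new one is context-capabilities*, and at the top level the new ipsec-method* sits beside resolution-strategy-capabilities* and default-action-capabilities* with no capability suffix at all. Suggest context-capa* and ipsec-method-capa* (or ipsec-method-capabilities*) so the tree reads uniformly. The indentation fix for the advanced-nsf-capabilities children ("| | +--rw") is correct.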
skipping to change at page 8, line 47 skipping to change at page 8, line 49
resolution strategy capability is described in detail in resolution strategy capability is described in detail in
[i2nsf-nsf-cap-im]. [i2nsf-nsf-cap-im].
Default action capabilities are used to specify capabilities how to Default action capabilities are used to specify capabilities how to
execute I2NSF policy rule when no rule matches a packet. The default execute I2NSF policy rule when no rule matches a packet. The default
action capabilities are defined as pass, drop, reject, alert, and action capabilities are defined as pass, drop, reject, alert, and
mirror. The default action capability can be extended according to mirror. The default action capability can be extended according to
specific vendor action features. The default action capability is specific vendor action features. The default action capability is
described in detail in [i2nsf-nsf-cap-im]. described in detail in [i2nsf-nsf-cap-im].
IPsec method capabilities are used to specify capabilities how to
support an Internet key exchange for the security communication. The
default action capabilities are defined as ike and ikeless. The
default action capability can be extended according to specific
vendor action features. The default action capability is described
in detail in [draft-ietf-i2nsf-sdn-ipsec-flow-protection].
6. YANG Data Modules 6. YANG Data Modules
6.1. I2NSF Capability YANG Data Module 6.1. I2NSF Capability YANG Data Module
This section introduces an YANG data module for capabilities of This section introduces an YANG data module for capabilities of
network security functions, as defined in the [i2nsf-nsf-cap-im]. network security functions, as defined in the [i2nsf-nsf-cap-im].
<CODE BEGINS> file "ietf-i2nsf-capability@2019-03-11.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2019-03-28.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
iicapa; iicapa;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
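Review bot: the new IPsec paragraph in Section 5.1 is a copy of the default-action paragraph and still names the wrong capability in three of its four sentences: "The default action capabilities are defined as ike and ikeless", "The default action capability can be extended ..." and "The default action capability is described in detail in ..." must all say "IPsec method capabilities". Its first sentence also needs tidying: "specify capabilities how to support an Internet key exchange for the security communication" reads better as "specify whether the NSF supports Internet Key Exchange (IKE) for establishing IPsec security associations, or expects them to be installed without IKE (ikeless)", and "vendor action features" should be "vendor features", since these are not actions. Minor, in the same hunk: "introduces an YANG data module" should be "introduces a YANG data module".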
skipping to change at page 10, line 11 skipping to change at page 10, line 18
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-03-11"{ revision "2019-03-28"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
identity event { identity event {
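Review bot: the legal notice in the module header at "This version of this YANG module is part of RFC 8341" points at the wrong document: RFC 8341 is the NETCONF Access Control Model, from which this boilerplate was evidently copied. It should say "RFC XXXX" to match the revision's own reference statement ("RFC XXXX: I2NSF Capability YANG Data Model"), so that the RFC Editor substitutes the real number in both places. The bumped revision date 2019-03-28 does match the <CODE BEGINS> file name, which is good.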
skipping to change at page 12, line 26 skipping to change at page 12, line 32
reference reference
"draft-hong-i2nsf-nsf-monitoring-data-model-06 "draft-hong-i2nsf-nsf-monitoring-data-model-06
- System alarm"; - System alarm";
} }
identity condition { identity condition {
description description
"Base identity for conditions of policy"; "Base identity for conditions of policy";
} }
identity context-capa {
base condition;
description
"Identity for capabilities of context condition";
}
identity acl-number {
base context-capa;
description
"Identity for acl number capability
of context condition";
}
identity application {
base context-capa;
description
"Identity for application capability
of context condition";
}
identity target {
base context-capa;
description
"Identity for target capability
of context condition";
}
identity user {
base context-capa;
description
"Identity for user capability
of context condition";
}
identity group {
base context-capa;
description
"Identity for group capability
of context condition";
}
identity geography {
base context-capa;
description
"Identity for geography capability
of context condition";
}
identity ipv4-capa { identity ipv4-capa {
base condition; base condition;
description description
"Identity for capabilities of IPv4 condition"; "Identity for capabilities of IPv4 condition";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
} }
identity exact-ipv4-header-length { identity exact-ipv4-header-length {
base ipv4-capa; base ipv4-capa;
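Review bot: the six new context identities use bare names (acl-number, application, target, user, group, geography) in a module whose other identities carry a qualifying suffix or prefix. YANG identities share one namespace per module, so iicapa:user or iicapa:target will read ambiguously as more identities are added (the module already has, for example, user-agent under voip-volte-capa). Suggest user-context / group-context / target-context or similar, and add a reference statement to each, as ipv4-capa does with "RFC 791: Internet Protocol", so a reader can tell what an "acl number" or "target" condition actually is; the current descriptions only restate the identity name.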
skipping to change at page 21, line 12 skipping to change at page 22, line 16
identity icmp-type { identity icmp-type {
base icmp-capa; base icmp-capa;
description description
"Identity for icmp type capability "Identity for icmp type capability
of icmp condition"; of icmp condition";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity http-capa { identity url-capa {
base condition; base condition;
description description
"Identity for capabilities of http condition"; "Identity for capabilities of url condition";
} }
identity uri { identity pre-defined {
base http-capa; base url-capa;
description description
"Identity for uri capabilities of "Identity for pre-defined capabilities of
http condition"; url condition";
} }
identity url { identity user-defined {
base http-capa; base url-capa;
description description
"Identity for url capabilities of "Identity for user-defined capabilities of
http condition"; url condition";
} }
identity log-action-capa { identity log-action-capa {
description description
"Identity for capabilities of log action"; "Identity for capabilities of log action";
} }
identity rule-log { identity rule-log {
base log-action-capa; base log-action-capa;
description description
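Review bot: the renamed identities pre-defined and user-defined are too generic to stand on their own at module scope, and their descriptions ("pre-defined capabilities of url condition") do not say what is pre-defined. Judging from the leaf-list description later in the module ("Capabilities for a url category"), these distinguish a vendor-supplied URL category list from a user-configured one; suggest naming them pre-defined-url-category / user-defined-url-category (or at least prefixing with url-) and saying so in the descriptions, with the draft-dong-i2nsf-asf-config-01 reference that the leaf-list already cites. Also "url condition" should be "URL condition", matching "IPv4 condition" above.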
skipping to change at page 30, line 33 skipping to change at page 31, line 38
identity user-agent { identity user-agent {
base voip-volte-capa; base voip-volte-capa;
description description
"Identity for user agent capabilities "Identity for user agent capabilities
of VoIP/VoLTE"; of VoIP/VoLTE";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol";
} }
identity ipsec-capa {
description
"Base identity for an IPsec";
}
identity ike {
base ipsec-capa;
description
"Identity for an IKE";
}
identity ikeless {
base ipsec-capa;
description
"Identity for an IKEless";
}
/* /*
* Grouping * Grouping
*/ */
grouping nsf-capabilities { grouping nsf-capabilities {
description description
"Capabilities of network security funtion"; "Capabilities of network security funtion";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure
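Review bot: the new ipsec-capa identity block has no reference statement, and its descriptions ("Base identity for an IPsec", "Identity for an IKE", "Identity for an IKEless") are ungrammatical and say nothing about meaning. Suggest "Base identity for IPsec method capabilities", "Identity for the IKE method, in which the NSF runs IKE to negotiate its IPsec SAs", and "Identity for the IKE-less method, in which the Security Controller installs IPsec SAs directly", each with reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04: Software-Defined Networking (SDN)-based IPsec Flow Protection". The base name should also line up with the leaf-list that uses it, which is called ipsec-method rather than ipsec-capa.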
skipping to change at page 34, line 32 skipping to change at page 36, line 7
base ips-capa; base ips-capa;
} }
description description
"Capabilities for an ips"; "Capabilities for an ips";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "draft-dong-i2nsf-asf-config-01: Configuration of
Advanced Security Functions with I2NSF Security Advanced Security Functions with I2NSF Security
Controller"; Controller";
} }
leaf-list http-capa { leaf-list url-capa {
type identityref { type identityref {
base http-capa; base url-capa;
} }
description description
"Capabilities for a http"; "Capabilities for a url category";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "draft-dong-i2nsf-asf-config-01: Configuration of
Advanced Security Functions with I2NSF Security Advanced Security Functions with I2NSF Security
Controller"; Controller";
} }
leaf-list voip-volte-capa { leaf-list voip-volte-capa {
type identityref { type identityref {
base voip-volte-capa; base voip-volte-capa;
} }
description description
"Capabilities for a voip and volte"; "Capabilities for a voip and volte";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "draft-dong-i2nsf-asf-config-01: Configuration of
Advanced Security Functions with I2NSF Security Advanced Security Functions with I2NSF Security
Controller"; Controller";
} }
} }
leaf-list context-capabilities {
type identityref {
base context-capa;
}
description
"Capabilities for a context security";
}
} }
container action-capabilities { container action-capabilities {
description description
"Capabilities of actions. "Capabilities of actions.
If network security function has If network security function has
the action capabilities, the network security function the action capabilities, the network security function
supports rule execution according to actions."; supports rule execution according to actions.";
leaf-list ingress-action-capa { leaf-list ingress-action-capa {
type identityref { type identityref {
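Review bot: the new context-capabilities leaf-list lacks the reference statement that every sibling leaf-list in this container carries, and its description "Capabilities for a context security" does not match the wording of its identities ("context condition"); suggest "Capabilities for context conditions" plus a reference to [i2nsf-nsf-cap-im] or wherever these conditions are defined. Its name should also follow the -capa pattern of its siblings (ipv4-capa, url-capa, voip-volte-capa), i.e. context-capa. Minor: the url-capa description "Capabilities for a url category" should write "URL".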
skipping to change at page 36, line 20 skipping to change at page 38, line 4
base default-action-capa; base default-action-capa;
} }
description description
"Capabilities for a default action. "Capabilities for a default action.
A default action is used to execute I2NSF policy rule A default action is used to execute I2NSF policy rule
when no rule matches a packet. The default action is when no rule matches a packet. The default action is
defined as pass, drop, reject, alert, and mirror."; defined as pass, drop, reject, alert, and mirror.";
reference reference
"draft-ietf-i2nsf-capability-04: Information Model "draft-ietf-i2nsf-capability-04: Information Model
of NSFs Capabilities - Default action"; of NSFs Capabilities - Default action";
}
leaf-list ipsec-method {
type identityref {
base ipsec-capa;
}
description
"Capabilities for an IPsec method";
reference
" draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
} }
} }
/* /*
* Data nodes * Data nodes
*/ */
container nsf { container nsf {
description description
"The list of capabilities of "The list of capabilities of
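Review bot: the reference statement of the new ipsec-method leaf-list is malformed: the string " draft-ietf-i2nsf-sdn-ipsec-flow-protection-04" begins with a space and carries no title, whereas every other reference in the module uses the form "<draft or RFC>: <title> - <section>". Suggest "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04: Software-Defined Networking (SDN)-based IPsec Flow Protection". The description "Capabilities for an IPsec method" should also say what the values mean, e.g. "Which IPsec methods (IKE or IKE-less) the NSF supports", and the leaf-list name (ipsec-method) and its base identity (ipsec-capa) should agree with the term used in Section 5 ("IPsec method capabilities").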
skipping to change at page 39, line 7 skipping to change at page 40, line 44
[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
S., and N. Bahadur, "A YANG Data Model for Routing S., and N. Bahadur, "A YANG Data Model for Routing
Information Base (RIB)", RFC RFC8431, September 2018. Information Base (RIB)", RFC RFC8431, September 2018.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
9.2. Informative References 9.2. Informative References
[draft-ietf-i2nsf-sdn-ipsec-flow-protection]
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "Software-Defined Networking (SDN)-based IPsec
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-04 (work in progress), March 2019.
[i2nsf-advanced-nsf-dm] [i2nsf-advanced-nsf-dm]
Pan, W. and L. Xia, "Configuration of Advanced Security Pan, W. and L. Xia, "Configuration of Advanced Security
Functions with I2NSF Security Controller", draft-dong- Functions with I2NSF Security Controller", draft-dong-
i2nsf-asf-config-01 (work in progress), October 2018. i2nsf-asf-config-01 (work in progress), October 2018.
[i2nsf-nsf-cap-im] [i2nsf-nsf-cap-im]
Xia, L., Strassner, J., Basile, C., and D. Lopez, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf- "Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-04 (work in progress), October 2018. i2nsf-capability-04 (work in progress), October 2018.
[i2nsf-nsf-yang] [i2nsf-nsf-yang]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-01 Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-04
(work in progress), July 2018. (work in progress), March 2019.
[i2nsf-terminology] [i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF) Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-07 (work in Terminology", draft-ietf-i2nsf-terminology-07 (work in
progress), January 2019. progress), January 2019.
[supa-policy-info-model] [supa-policy-info-model]
Strassner, J., Halpern, J., and S. Meer, "Generic Policy Strassner, J., Halpern, J., and S. Meer, "Generic Policy
Information Model for Simplified Use of Policy Information Model for Simplified Use of Policy
Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
model-03 (work in progress), May 2017. model-03 (work in progress), May 2017.
Appendix A. Changes from draft-ietf-i2nsf-capability-data-model-02 Appendix A. Changes from draft-ietf-i2nsf-capability-data-model-03
The following changes are made from draft-ietf-i2nsf-capability-data- The following changes are made from draft-ietf-i2nsf-capability-data-
model-03: model-03:
o We revised this YANG data module according to guidelines for o We added a leaf-list for IPsec method capabilities (e.g., ike and
authors and reviewers of YANG data model documents [RFC6087]. ikeless).
o We changed the structure of the overall YANG data module.
o We changed enumeration type to identity type for scalable
components.
o We added a description for the YANG tree diagram of the YANG data
module.
o We revised overall sentences of this YANG data model document. o We changed http capa fields to url category capa fields.
o We added configuration examples to make it easier for reviewers to o We added context capa fields (e.g., acl number, application,
understand. target, users, group, and geography).
Appendix B. Acknowledgments Appendix B. Acknowledgments
This work was supported by Institute for Information & communications This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service Technology Development for the Customized Security Service
Provisioning). Provisioning).
Appendix C. Contributors Appendix C. Contributors
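Review bot: the new informative entry uses the full draft name as its anchor ([draft-ietf-i2nsf-sdn-ipsec-flow-protection]) while every other Internet-Draft in this section has a short anchor ([i2nsf-nsf-cap-im], [i2nsf-nsf-yang]); suggest something like [i2nsf-sdn-ipsec] and updating the citation in Section 5 to match. Since the module's ike and ikeless identities take their meaning from that draft, consider whether it belongs under Normative References instead. Two pre-existing nits in the same hunk: the [RFC8431] entry reads "RFC RFC8431" and lacks the DOI and URL that the [RFC8446] entry has; and in Appendix A, "users" should be "user" to match the identity name, and the list omits other changes visible in this diff (the advanced-nsf-capabilities indentation fix in Figure 2 and the new informative reference).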
 End of changes. 32 change blocks. 
50 lines changed or deleted 143 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/