draft-ietf-i2nsf-capability-data-model-06.txt   draft-ietf-i2nsf-capability-data-model-07.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: January 14, 2021 J. Kim Expires: February 26, 2021 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
July 13, 2020 August 25, 2020
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-06 draft-ietf-i2nsf-capability-data-model-07
Abstract Abstract
This document defines a YANG data model for the capabilities of This document defines a YANG data model for the capabilities of
various Network Security Functions (NSFs) in the Interface to Network various Network Security Functions (NSFs) in the Interface to Network
Security Functions (I2NSF) framework to centrally manage the Security Functions (I2NSF) framework to centrally manage the
capabilities of the various NSFs. capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 14, 2021. This Internet-Draft will expire on February 26, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Network Security Function (NSF) Capabilities . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6
6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9
6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 39 8. Security Considerations . . . . . . . . . . . . . . . . . . . 39
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.1. Normative References . . . . . . . . . . . . . . . . . . 40 9.1. Normative References . . . . . . . . . . . . . . . . . . 40
9.2. Informative References . . . . . . . . . . . . . . . . . 43 9.2. Informative References . . . . . . . . . . . . . . . . . 42
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 43
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for Capabilities of General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 43
A.2. Example 2: Registration for Capabilities of Time based A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44
A.3. Example 3: Registration for Capabilities of Web Filter . 46 A.3. Example 3: Registration for Capabilities of Web Filter . 45
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE A.4. Example 4: Registration for Capabilities of VoIP/VoLTE
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 45
A.5. Example 5: Registration for Capabilities of HTTP and A.5. Example 5: Registration for Capabilities of HTTP and
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47 HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 46
Appendix B. Changes from draft-ietf-i2nsf-capability-data- Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 47
model-05 . . . . . . . . . . . . . . . . . . . . . . 48 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 47
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 48 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 49
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things, Self-driving vehicles, and VoIP/VoLTE Internet of Things, Self-driving vehicles, and VoIP/VoLTE
smartphones), service providers have a lot of problems described in smartphones), service providers have a lot of problems described in
[RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability]
specifies the information model of the capabilities of Network specifies the information model of the capabilities of Network
Security Functions (NSFs). Security Functions (NSFs).
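Review bot: The -07 table of contents drops the "Changes from draft-ietf-i2nsf-capability-data-model-05" appendix without adding a "Changes from -06" appendix, so readers of this revision lose the summary of what changed; keep a change-log appendix until publication. Separately, the first sentence of the Introduction has no verb for "network devices" ("As the industry becomes more sophisticated and network devices (e.g., ...), service providers have a lot of problems"); a form such as "and network devices (e.g., ...) become more diverse" reads correctly.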
skipping to change at page 4, line 52 skipping to change at page 4, line 49
rules where 'E', 'C', and 'A' mean "Event", "Condition", and rules where 'E', 'C', and 'A' mean "Event", "Condition", and
"Action", respectively. The condition involves IPv4 or IPv6 "Action", respectively. The condition involves IPv4 or IPv6
datagrams, and the action includes "Allow" and "Deny" for those datagrams, and the action includes "Allow" and "Deny" for those
datagrams. datagrams.
Note that the NSF-Facing Interface is used to configure the security Note that the NSF-Facing Interface is used to configure the security
policy rules of the generic network security functions policy rules of the generic network security functions
[draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of [draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of
advanced security functions over the NSF-Facing Interface is used to advanced security functions over the NSF-Facing Interface is used to
configure the security policy rules of advanced network security configure the security policy rules of advanced network security
functions (e.g., anti-virus and anti-DDoS attack) functions (e.g., anti-virus and anti-DDoS attack), respectively,
according to the capabilities of NSFs registered with the I2NSF
[draft-dong-i2nsf-asf-config], respectively, according to the Framework.
capabilities of NSFs registered with the I2NSF Framework.
+------------------------------------------------------+ +------------------------------------------------------+
| I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | I2NSF User (e.g., Overlay Network Mgmt, Enterprise |
| Network Mgmt, another network domain's mgmt, etc.) | | Network Mgmt, another network domain's mgmt, etc.) |
+--------------------+---------------------------------+ +--------------------+---------------------------------+
I2NSF ^ I2NSF ^
Consumer-Facing Interface | Consumer-Facing Interface |
| |
v I2NSF v I2NSF
+-----------------+------------+ Registration +-------------+ +-----------------+------------+ Registration +-------------+
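Review bot: With the [draft-dong-i2nsf-asf-config] citation removed, the sentence "...and The configuration of advanced security functions over the NSF-Facing Interface is used to configure ... (e.g., anti-virus and anti-DDoS attack), respectively, according to the capabilities of NSFs..." is left with a mid-sentence capital "The" and a "respectively" that no longer pairs two cited items; lowercase "the" and drop "respectively", or split it into two sentences. Also confirm that draft-dong-i2nsf-asf-config is removed from the Informative References, since neither this paragraph nor the module's reference statements cite it any more.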
skipping to change at page 9, line 23 skipping to change at page 9, line 23
information about the SDN-based IPsec flow protection in I2NSF. information about the SDN-based IPsec flow protection in I2NSF.
6. YANG Data Modules 6. YANG Data Modules
6.1. I2NSF Capability YANG Data Module 6.1. I2NSF Capability YANG Data Module
This section introduces a YANG data module for network security This section introduces a YANG data module for network security
functions capabilities, as defined in the functions capabilities, as defined in the
[draft-ietf-i2nsf-capability]. [draft-ietf-i2nsf-capability].
<CODE BEGINS> file "ietf-i2nsf-capability@2020-07-13.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2020-08-25.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
skipping to change at page 10, line 23 skipping to change at page 10, line 23
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC 8341; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2020-07-13"{ revision "2020-08-25"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
identity event { identity event {
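Review bot: The module description still reads "This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices." in both columns; RFC 8341 is the NACM RFC, not this document. Use "RFC XXXX" (to be filled in by the RFC Editor), as the revision statement's reference "RFC XXXX: I2NSF Capability YANG Data Model" already does. The license URL in the same description uses "http://trustee.ietf.org/license-info" while the boilerplate at the top of the draft uses https; align them.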
skipping to change at page 13, line 28 skipping to change at page 13, line 28
identity geography { identity geography {
base context-capability; base context-capability;
description description
"Identity for geography condition capability"; "Identity for geography condition capability";
} }
identity ipv4-capability { identity ipv4-capability {
base condition; base condition;
description description
"Identity for IPv4 condition capabilities"; "Identity for IPv4 condition capability";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
} }
identity exact-ipv4-header-length { identity exact-ipv4-header-length {
base ipv4-capability; base ipv4-capability;
description description
"Identity for exact-match IPv4 header-length "Identity for exact-match IPv4 header-length
condition capability"; condition capability";
reference reference
skipping to change at page 21, line 28 skipping to change at page 21, line 28
base udp-capability; base udp-capability;
description description
"Identity for range-match UDP total-length condition capability"; "Identity for range-match UDP total-length condition capability";
reference reference
"RFC 768: User Datagram Protocol - Total Length"; "RFC 768: User Datagram Protocol - Total Length";
} }
identity icmp-capability { identity icmp-capability {
base condition; base condition;
description description
"Identity for ICMP condition capabilities"; "Identity for ICMP condition capability";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity icmp-type { identity icmp-type {
base icmp-capability; base icmp-capability;
description description
"Identity for ICMP type condition capability"; "Identity for ICMP type condition capability";
reference reference
"RFC 792: Internet Control Message Protocol"; "RFC 792: Internet Control Message Protocol";
} }
identity icmpv6-capability { identity icmpv6-capability {
base condition; base condition;
description description
"Identity for ICMPv6 condition capabilities"; "Identity for ICMPv6 condition capability";
reference reference
"RFC 4443: Internet Control Message Protocol (ICMPv6) "RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6"; - ICMPv6";
} }
identity icmpv6-type { identity icmpv6-type {
base icmpv6-capability; base icmpv6-capability;
description description
"Identity for ICMPv6 type condition capability"; "Identity for ICMPv6 type condition capability";
reference reference
"RFC 4443: Internet Control Message Protocol (ICMPv6) "RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6"; - ICMPv6";
} }
identity url-capability { identity url-capability {
base condition; base condition;
description description
"Identity for URL condition capabilities"; "Identity for URL condition capability";
} }
identity pre-defined { identity pre-defined {
base url-capability; base url-capability;
description description
"Identity for URL pre-defined condition capabilities"; "Identity for URL pre-defined condition capability";
} }
identity user-defined { identity user-defined {
base url-capability; base url-capability;
description description
"Identity for URL user-defined condition capabilities"; "Identity for URL user-defined condition capability";
} }
identity log-action-capability { identity log-action-capability {
description description
"Identity for log-action capabilities"; "Identity for log-action capability";
} }
identity rule-log { identity rule-log {
base log-action-capability; base log-action-capability;
description description
"Identity for rule log log-action capability"; "Identity for rule log log-action capability";
} }
identity session-log { identity session-log {
base log-action-capability; base log-action-capability;
description description
"Identity for session log log-action capability"; "Identity for session log log-action capability";
} }
identity ingress-action-capability { identity ingress-action-capability {
description description
"Identity for ingress-action capabilities"; "Identity for ingress-action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress action"; Functions - Ingress action";
} }
identity egress-action-capability { identity egress-action-capability {
description description
"Base identity for egress-action capabilities"; "Base identity for egress-action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Egress action"; Functions - Egress action";
} }
identity default-action-capability { identity default-action-capability {
description description
"Identity for default-action capabilities"; "Identity for default-action capability";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of "draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Default action"; NSFs Capabilities - Default action";
} }
identity pass { identity pass {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
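Review bot: The three action-category base identities are worded inconsistently after this edit: ingress-action-capability and default-action-capability say "Identity for ... capability" while egress-action-capability says "Base identity for ... capability"; since all three serve as bases for identities such as pass, use "Base identity for" on all of them. The reference on default-action-capability also pins "draft-ietf-i2nsf-capability-05" by revision number, which will go stale as that draft is revised; cite it without the revision suffix, as the prose does with [draft-ietf-i2nsf-capability].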
skipping to change at page 26, line 29 skipping to change at page 26, line 29
description description
"Identity for Prioritized Matching Rule with No Errors (PMRN) "Identity for Prioritized Matching Rule with No Errors (PMRN)
resolution strategy capability"; resolution strategy capability";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs "draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - Resolution Strategy"; Capabilities - Resolution Strategy";
} }
identity advanced-nsf-capability { identity advanced-nsf-capability {
description description
"Base identity for advanced network security function (NSF) "Base identity for advanced Network Security Function (NSF)
capabilities"; capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF capability";
draft-dong-i2nsf-asf-config-01: Configuration of Advanced
Security Functions with I2NSF Security Controller -
Advanced NSF Capability";
} }
identity anti-virus-capability { identity anti-virus-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF anti-virus capabilities"; "Identity for advanced NSF Anti-Virus capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF Anti-Virus capability";
draft-dong-i2nsf-asf-config-01: Configuration of Advanced
Security Functions with I2NSF Security Controller -
Anti-Virus";
} }
identity anti-ddos-capability { identity anti-ddos-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF anti-ddos capabilities"; "Identity for advanced NSF Anti-DDoS attack capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF Anti-DDoS Attack capability";
draft-dong-i2nsf-asf-config-01: Configuration of Advanced
Security Functions with I2NSF Security Controller -
Anti-DDoS";
} }
identity ips-capability { identity ips-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Intrusion Prevention System "Identity for advanced NSF Intrusion Prevention System
(IPS) capabilities"; (IPS) capabilities";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF IPS capability";
draft-dong-i2nsf-asf-config-01: Configuration of Advanced
Security Functions with I2NSF Security Controller -
Intrusion Prevention System";
} }
identity voip-volte-capability { identity voip-volte-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF VoIP/VoLTE capabilities"; "Identity for advanced NSF VoIP/VoLTE capability";
reference reference
"RFC 3261: SIP: Session Initiation Protocol "RFC 3261: SIP: Session Initiation Protocol
RFC 8329: Framework for Interface to Network Security RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF VoIP/VoLTE capability";
draft-dong-i2nsf-asf-config-01: Configuration of Advanced
Security Functions with I2NSF Security Controller";
} }
identity detect { identity detect {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus detection capability"; "Identity for advanced NSF Anti-Virus Detection capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-Virus Detection capability";
Anti-Virus";
} }
identity exception-application { identity exception-application {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus exception application "Identity for advanced NSF Anti-Virus Exception Application
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-Virus Exception Application
Anti-Virus"; capability";
} }
identity exception-signature { identity exception-signature {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus exception signature "Identity for advanced NSF Anti-Virus Exception Signature
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-Virus Exception Signature
Anti-Virus"; capability";
} }
identity whitelists { identity whitelists {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus whitelists capability"; "Identity for advanced NSF Anti-Virus Whitelists capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-Virus Whitelists capability";
Anti-virus";
} }
identity syn-flood-action { identity syn-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS syn flood action "Identity for advanced NSF Anti-DDoS SYN Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS SYN Flood Action
Anti-DDoS"; capability";
} }
identity udp-flood-action { identity udp-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF anti-DDoS UDP flood action "Identity for advanced NSF Anti-DDoS UDP Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS UDP Flood Action
Anti-DDoS"; capability";
} }
identity http-flood-action { identity http-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF anti-DDoS http flood action "Identity for advanced NSF anti-DDoS HTTP Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS HTTP Flood Action
Anti-DDoS"; capability";
} }
identity https-flood-action { identity https-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS https flood action "Identity for advanced NSF Anti-DDoS HTTPS Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS HTTPS Flood Action
Anti-DDoS"; capability";
} }
identity dns-request-flood-action { identity dns-request-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF anti-DDoS dns request "Identity for advanced NSF Anti-DDoS DNS Request Flood
flood action capability"; Action Aapability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS DNS Request Flood
Anti-DDoS"; Action capability";
} }
identity dns-reply-flood-action { identity dns-reply-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS DNS reply flood action "Identity for advanced NSF Anti-DDoS DNS Reply Flood
capability"; Action capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS DNS Reply Flood
Anti-DDoS"; Action capability";
} }
identity icmp-flood-action { identity icmp-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS ICMP flood action "Identity for advanced NSF Anti-DDoS ICMP Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS ICMP Flood Action
Anti-DDoS"; capability";
} }
identity icmpv6-flood-action { identity icmpv6-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS ICMPv6 flood action "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action
Anti-DDoS"; capability";
} }
identity sip-flood-action { identity sip-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS SIP flood action "Identity for advanced NSF Anti-DDoS SIP Flood Action
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS SIP Flood Action
Anti-DDoS"; capability";
} }
identity detect-mode { identity detect-mode {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS detection mode "Identity for advanced NSF Anti-DDoS Detection Mode
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS Detection Mode
Anti-DDoS"; capability";
} }
identity baseline-learning { identity baseline-learning {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS baseline learning "Identity for advanced NSF Anti-DDoS Baseline Learning
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF Anti-DDoS Baseline Learning
Anti-DDoS"; capability";
} }
identity signature-set { identity signature-set {
base ips-capability; base ips-capability;
description description
"Identity for advanced NSF IPS signature set capability"; "Identity for advanced NSF IPS Signature Set capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF IPS Signature Set capability";
Intrusion Prevention System";
} }
identity ips-exception-signature { identity ips-exception-signature {
base ips-capability; base ips-capability;
description description
"Identity for advanced NSF IPS exception signature "Identity for advanced NSF IPS Exception Signature
capability"; capability";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of Advanced "RFC 8329: Framework for Interface to Network Security
Security Functions with I2NSF Security Controller - Functions - Advanced NSF IPS Exception Signature Set
Intrusion Prevention System"; capability";
} }
identity voice-id { identity voice-id {
base voip-volte-capability; base voip-volte-capability;
description description
"Identity for advanced NSF VoIP/VoLTE voice-id capability"; "Identity for advanced NSF VoIP/VoLTE Voice-ID capability";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol";
} }
identity user-agent { identity user-agent {
base voip-volte-capability; base voip-volte-capability;
description description
"Identity for advanced NSF VoIP/VoLTE user agent capability"; "Identity for advanced NSF VoIP/VoLTE User Agent capability";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol";
} }
identity ipsec-capability { identity ipsec-capability {
description description
"Base identity for an IPsec capabilities"; "Base identity for an IPsec capability";
} }
identity ike { identity ike {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPSec Internet Key Exchange (IKE) "Identity for an IPSec Internet Key Exchange (IKE)
capability"; capability";
} }
identity ikeless { identity ikeless {
base ipsec-capability; base ipsec-capability;
description description
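Review bot: The reference statements rewritten in this hunk cite RFC 8329 by titles that do not look like RFC 8329 section headings (for example "RFC 8329: ... - Advanced NSF Anti-DDoS SYN Flood Action capability" and "... - Advanced NSF Anti-Virus Whitelists capability"); the -06 text cited RFC 8329's "Differences from ACL Data Models" discussion and left the per-capability semantics to draft-dong-i2nsf-asf-config-01. Verify that each cited title exists in RFC 8329 and, where it does not, cite the actual section or the document that defines that capability, so the reference statements stay accurate. Smaller points in the same hunk: the description of dns-request-flood-action ends in "Action Aapability" (typo for "capability"); the reference of ips-exception-signature says "Exception Signature Set capability" while its description says "Exception Signature capability"; ips-capability still says "(IPS) capabilities" while its sibling identities were changed to the singular "capability"; and the ike identity writes "IPSec" where ipsec-capability uses "IPsec".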
skipping to change at page 33, line 34 skipping to change at page 33, line 18
} }
description description
"System event capabilities"; "System event capabilities";
} }
leaf-list system-alarm-capability { leaf-list system-alarm-capability {
type identityref { type identityref {
base system-alarm-capability; base system-alarm-capability;
} }
description description
"System alarm Capabilities"; "System alarm capabilities";
} }
} }
container condition-capabilities { container condition-capabilities {
description description
"Conditions capabilities."; "Conditions capabilities.";
container generic-nsf-capabilities { container generic-nsf-capabilities {
description description
"Conditions capabilities. "Conditions capabilities.
skipping to change at page 35, line 39 skipping to change at page 35, line 21
"RFC 768: User Datagram Protocol - UDP"; "RFC 768: User Datagram Protocol - UDP";
} }
} }
container advanced-nsf-capabilities { container advanced-nsf-capabilities {
description description
"Advanced Network Security Function (NSF) capabilities, "Advanced Network Security Function (NSF) capabilities,
such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE."; such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Differences from ACL Data Models Functions - Advanced NSF capabilities";
draft-dong-i2nsf-asf-config-01: Configuration of
Advanced Security Functions with I2NSF Security
Controller";
leaf-list anti-virus-capability { leaf-list anti-virus-capability {
type identityref { type identityref {
base anti-virus-capability; base anti-virus-capability;
} }
description description
"Anti-virus capabilities"; "Anti-Virus capabilities";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "RFC 8329: Framework for Interface to Network Security
Advanced Security Functions with I2NSF Security Functions - Advanced NSF Anti-Virus capabilities";
Controller"; }
}
leaf-list anti-ddos-capability { leaf-list anti-ddos-capability {
type identityref { type identityref {
base anti-ddos-capability; base anti-ddos-capability;
} }
description description
"Anti-ddos capabilities"; "Anti-DDoS Attack capabilities";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "RFC 8329: Framework for Interface to Network Security
Advanced Security Functions with I2NSF Security Functions - Advanced NSF Anti-DDoS Attack capabilities";
Controller";
} }
leaf-list ips-capability { leaf-list ips-capability {
type identityref { type identityref {
base ips-capability; base ips-capability;
} }
description description
"Intrusion Prevention System (IPS) capabilities"; "Intrusion Prevention System (IPS) capabilities";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "RFC 8329: Framework for Interface to Network Security
Advanced Security Functions with I2NSF Security Functions - Advanced NSF IPS capabilities";
Controller";
} }
leaf-list url-capability { leaf-list url-capability {
type identityref { type identityref {
base url-capability; base url-capability;
} }
description description
"URL capabilities"; "URL capabilities";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "RFC 8329: Framework for Interface to Network Security
Advanced Security Functions with I2NSF Security Functions - Advanced NSF URL capabilities";
Controller";
} }
leaf-list voip-volte-capability { leaf-list voip-volte-capability {
type identityref { type identityref {
base voip-volte-capability; base voip-volte-capability;
} }
description description
"VoIP and VoLTE capabilities"; "VoIP/VoLTE capabilities";
reference reference
"draft-dong-i2nsf-asf-config-01: Configuration of "RFC 8329: Framework for Interface to Network Security
Advanced Security Functions with I2NSF Security Functions - Advanced NSF VoIP/VoLTE capabilities";
Controller";
} }
} }
leaf-list context-capabilities { leaf-list context-capabilities {
type identityref { type identityref {
base context-capability; base context-capability;
} }
description description
"Security context capabilities"; "Security context capabilities";
} }
skipping to change at page 38, line 14 skipping to change at page 37, line 36
base resolution-strategy-capability; base resolution-strategy-capability;
} }
description description
"Resolution strategy capabilities. "Resolution strategy capabilities.
The resolution strategies can be used to specify how The resolution strategies can be used to specify how
to resolve conflicts that occur between the actions to resolve conflicts that occur between the actions
of the same or different policy rules that are matched of the same or different policy rules that are matched
for the same packet and by particular NSF"; for the same packet and by particular NSF";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of "draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Resolution strategy"; NSFs Capabilities - Resolution strategy capabilities";
} }
leaf-list default-action-capabilities { leaf-list default-action-capabilities {
type identityref { type identityref {
base default-action-capability; base default-action-capability;
} }
description description
"Default action capabilities. "Default action capabilities.
A default action is used to execute I2NSF policy rules A default action is used to execute I2NSF policy rules
when no rule matches a packet. The default action is when no rule matches a packet. The default action is
defined as pass, drop, alert, or mirror."; defined as pass, drop, alert, or mirror.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress and egress actions Functions - Ingress and egress actions
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Default action"; NSFs Capabilities - Default action capabilities";
} }
leaf-list ipsec-method { leaf-list ipsec-method {
type identityref { type identityref {
base ipsec-capability; base ipsec-capability;
} }
description description
"IPsec method capabilities"; "IPsec method capabilities";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
skipping to change at page 39, line 5 skipping to change at page 38, line 27
} }
} }
/* /*
* Data nodes * Data nodes
*/ */
list nsf { list nsf {
key "nsf-name"; key "nsf-name";
description description
"The list of Network Security Function (NSF) capabilities"; "The list of Network Security Functions (NSFs)";
leaf nsf-name { leaf nsf-name {
type string; type string;
mandatory true; mandatory true;
description description
"The name of network security function"; "The name of Network Security Function (NSF)";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 3: YANG Data Module of I2NSF Capability Figure 3: YANG Data Module of I2NSF Capability
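An added example, not code from the draft or the I2NSF project: a Python check that an "nsf" entry's identityref leaf-lists carry only identities derived from the base each leaf declares in the module above. Identity names are transcribed from the module text on this page; the default-action identity names pass/drop/alert/mirror are assumed from the leaf description, and the sample NSF entries are constructed.

```python
"""Added example: validate identityref leaf-lists of an ietf-i2nsf-capability
'nsf' entry against the identity hierarchy the module declares."""
from typing import Dict, List, Optional, Tuple

# identity -> base identity (None for a base identity). Transcribed from the
# identity statements visible in the module; pass/drop/alert/mirror are
# assumed names taken from the default-action leaf description.
IDENTITY_BASE: Dict[str, Optional[str]] = {
    "voip-volte-capability": None,
    "voice-id": "voip-volte-capability",
    "user-agent": "voip-volte-capability",
    "ipsec-capability": None,
    "ike": "ipsec-capability",
    "ikeless": "ipsec-capability",
    "default-action-capability": None,
    "pass": "default-action-capability",
    "drop": "default-action-capability",
    "alert": "default-action-capability",
    "mirror": "default-action-capability",
}

# leaf-list name -> base named in its "type identityref { base ...; }".
LEAF_BASE: Dict[str, str] = {
    "voip-volte-capability": "voip-volte-capability",
    "ipsec-method": "ipsec-capability",
    "default-action-capabilities": "default-action-capability",
}


def derives_from(identity: str, base: str) -> bool:
    """True if identity is transitively derived from base. Per RFC 7950 an
    identityref value must be derived from the base; the base itself is
    not a valid value, so the walk starts one level above the identity."""
    seen = set()
    cur = IDENTITY_BASE.get(identity)
    while cur is not None and cur not in seen:
        if cur == base:
            return True
        seen.add(cur)
        cur = IDENTITY_BASE.get(cur)
    return False


def validate_nsf(nsf: dict) -> List[Tuple[str, Optional[str], str]]:
    """Check one 'nsf' list entry; return (leaf, value, problem) tuples."""
    problems: List[Tuple[str, Optional[str], str]] = []
    if not nsf.get("nsf-name"):  # mandatory key of list nsf
        problems.append(("nsf-name", None, "mandatory key missing"))
    for leaf, base in LEAF_BASE.items():
        for value in nsf.get(leaf, []):
            if value not in IDENTITY_BASE:
                problems.append((leaf, value, "unknown identity"))
            elif not derives_from(value, base):
                problems.append((leaf, value, f"not derived from {base}"))
    return problems


# Constructed sample entries: one well-formed, one with two mis-typed values.
GOOD_NSF = {"nsf-name": "http_and_https_flood_mitigation",
            "default-action-capabilities": ["pass", "drop", "alert"],
            "ipsec-method": ["ike"]}
BAD_NSF = {"nsf-name": "misreported",
           "voip-volte-capability": ["ike"],          # wrong base
           "ipsec-method": ["ipsec-capability"]}      # base itself, not derived
```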
7. IANA Considerations 7. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950][RFC8525].
name: ietf-i2nsf-capability name: ietf-i2nsf-capability
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
prefix: nsfcap prefix: nsfcap
reference: RFC XXXX reference: RFC XXXX
8. Security Considerations 8. Security Considerations
skipping to change at page 40, line 34 skipping to change at page 40, line 9
nodes and their sensitivity/vulnerability: nodes and their sensitivity/vulnerability:
o ietf-i2nsf-capability: An attacker could gather the security o ietf-i2nsf-capability: An attacker could gather the security
capability information of any NSF and use this information to capability information of any NSF and use this information to
evade detection or filtering. evade detection or filtering.
9. References 9. References
9.1. Normative References 9.1. Normative References
[draft-dong-i2nsf-asf-config]
Pan, W. and L. Xia, "Configuration of Advanced Security
Functions with I2NSF Security Controller", draft-dong-
i2nsf-asf-config-01 (work in progress), October 2018.
[draft-ietf-i2nsf-capability] [draft-ietf-i2nsf-capability]
Xia, L., Strassner, J., Basile, C., and D. Lopez, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf- "Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-05 (work in progress), April 2019. i2nsf-capability-05 (work in progress), April 2019.
[draft-ietf-i2nsf-nsf-monitoring-data-model] [draft-ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-03 (work in progress), May 2020. nsf-monitoring-data-model-03 (work in progress), May 2020.
skipping to change at page 41, line 27 skipping to change at page 40, line 41
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<https://www.rfc-editor.org/info/rfc3444>. <https://www.rfc-editor.org/info/rfc3444>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
skipping to change at page 43, line 5 skipping to change at page 42, line 28
[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
S., and N. Bahadur, "A YANG Data Model for the Routing S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>. September 2018, <https://www.rfc-editor.org/info/rfc8431>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>.
9.2. Informative References 9.2. Informative References
[draft-ietf-i2nsf-nsf-facing-interface-dm] [draft-ietf-i2nsf-nsf-facing-interface-dm]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09 Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09
(work in progress), May 2020. (work in progress), May 2020.
[draft-ietf-i2nsf-registration-interface-dm] [draft-ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
skipping to change at page 48, line 39 skipping to change at page 47, line 39
1. The name of the NSF is http_and_https_flood_mitigation. 1. The name of the NSF is http_and_https_flood_mitigation.
2. The location of the NSF is 221.159.112.140. 2. The location of the NSF is 221.159.112.140.
3. The NSF can control the amount of packets for http and https 3. The NSF can control the amount of packets for http and https
packets. packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
Appendix B. Changes from draft-ietf-i2nsf-capability-data-model-05 Appendix B. Acknowledgments
The following changes are made from draft-ietf-i2nsf-capability-data-
model-05:
o The version is revised according to the comments from Romans
Danyliw for his AD review.
Appendix C. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). Security Service Provisioning).
Appendix D. Contributors Appendix C. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document. The following are
considered co-authors: considered co-authors:
o Hyoungshick Kim (Sungkyunkwan University) o Hyoungshick Kim (Sungkyunkwan University)
o Daeyoung Hyun (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University)
o Dongjin Hong (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University)