draft-ietf-i2nsf-capability-data-model-07.txt   draft-ietf-i2nsf-capability-data-model-08.txt 
skipping to change at page 1, line 15 skipping to change at page 1, line 15
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: February 26, 2021 J. Kim Expires: February 26, 2021 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
August 25, 2020 August 25, 2020
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-07 draft-ietf-i2nsf-capability-data-model-08
Abstract Abstract
This document defines a YANG data model for the capabilities of This document defines a YANG data model for the capabilities of
various Network Security Functions (NSFs) in the Interface to Network various Network Security Functions (NSFs) in the Interface to Network
Security Functions (I2NSF) framework to centrally manage the Security Functions (I2NSF) framework to centrally manage the
capabilities of the various NSFs. capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Network Security Function (NSF) Capabilities . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6
6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9
6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
8. Security Considerations . . . . . . . . . . . . . . . . . . . 39 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41
9.1. Normative References . . . . . . . . . . . . . . . . . . 40 9.1. Normative References . . . . . . . . . . . . . . . . . . 41
9.2. Informative References . . . . . . . . . . . . . . . . . 42 9.2. Informative References . . . . . . . . . . . . . . . . . 43
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 43 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for Capabilities of General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 43
A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44
A.3. Example 3: Registration for Capabilities of Web Filter . 45 A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45
A.3. Example 3: Registration for Capabilities of Web Filter . 46
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE A.4. Example 4: Registration for Capabilities of VoIP/VoLTE
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 45 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46
A.5. Example 5: Registration for Capabilities of HTTP and A.5. Example 5: Registration for Capabilities of HTTP and
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 46 HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 47 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 47 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things, Self-driving vehicles, and VoIP/VoLTE Internet of Things, Self-driving vehicles, and VoIP/VoLTE
smartphones), service providers have a lot of problems described in smartphones), service providers have a lot of problems described in
[RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability]
specifies the information model of the capabilities of Network specifies the information model of the capabilities of Network
Security Functions (NSFs). Security Functions (NSFs).
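Review bot: the opening sentence of Section 1 (unchanged between -07 and -08) is missing a predicate for its second subject: "As the industry becomes more sophisticated and network devices (e.g., Internet of Things, Self-driving vehicles, and VoIP/VoLTE smartphones), service providers have a lot of problems" leaves "network devices" dangling. Suggest something like "As the industry becomes more sophisticated and network devices (e.g., Internet of Things, self-driving vehicles, and VoIP/VoLTE smartphones) become more diverse, service providers face the problems described in [RFC8192]." While there, "Self-driving" should be lowercase mid-sentence and "a lot of problems" is informal for a Standards Track document.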
skipping to change at page 26, line 30 skipping to change at page 26, line 30
"Identity for Prioritized Matching Rule with No Errors (PMRN) "Identity for Prioritized Matching Rule with No Errors (PMRN)
resolution strategy capability"; resolution strategy capability";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs "draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - Resolution Strategy"; Capabilities - Resolution Strategy";
} }
identity advanced-nsf-capability { identity advanced-nsf-capability {
description description
"Base identity for advanced Network Security Function (NSF) "Base identity for advanced Network Security Function (NSF)
capability"; capability. This can be used for advanced NSFs such as
Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security
Service.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF capability"; Functions - Advanced NSF capability";
} }
identity anti-virus-capability { identity anti-virus-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Anti-Virus capability"; "Identity for advanced NSF Anti-Virus capability.
This can be used for an extension point for Anti-Virus
as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-Virus capability"; Functions - Advanced NSF Anti-Virus capability";
} }
identity anti-ddos-capability { identity anti-ddos-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Anti-DDoS attack capability"; "Identity for advanced NSF Anti-DDoS Attack capability.
This can be used for an extension point for Anti-DDoS
Attack as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS Attack capability"; Functions - Advanced NSF Anti-DDoS Attack capability";
} }
identity ips-capability { identity ips-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Intrusion Prevention System "Identity for advanced NSF Intrusion Prevention System
(IPS) capabilities"; (IPS) capabilities. This can be used for an extension
point for IPS as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF IPS capability"; Functions - Advanced NSF IPS capability";
} }
identity voip-volte-capability { identity voip-volte-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF VoIP/VoLTE capability"; "Identity for advanced NSF VoIP/VoLTE Security Service
capability. This can be used for an extension point
for VoIP/VoLTE Security Service as an advanced NSF.";
reference reference
"RFC 3261: SIP: Session Initiation Protocol "RFC 3261: SIP: Session Initiation Protocol
RFC 8329: Framework for Interface to Network Security RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF VoIP/VoLTE capability"; Functions - Advanced NSF VoIP/VoLTE security service
capability";
} }
identity detect { identity detect {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus Detection capability"; "Identity for advanced NSF Anti-Virus Detection capability.
This can be used for an extension point for Anti-Virus
Detection as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-Virus Detection capability"; Functions - Advanced NSF Anti-Virus Detection capability";
} }
identity exception-application { identity exception-application {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus Exception Application "Identity for advanced NSF Anti-Virus Exception Application
capability"; capability. This can be used for an extension point for
Anti-Virus Exception Application as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-Virus Exception Application Functions - Advanced NSF Anti-Virus Exception Application
capability"; capability";
} }
identity exception-signature { identity exception-signature {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus Exception Signature "Identity for advanced NSF Anti-Virus Exception Signature
capability"; capability. This can be used for an extension point for
Anti-Virus Exception Signature as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-Virus Exception Signature Functions - Advanced NSF Anti-Virus Exception Signature
capability"; capability";
} }
identity whitelists { identity allow-list {
base anti-virus-capability; base anti-virus-capability;
description description
"Identity for advanced NSF Anti-Virus Whitelists capability"; "Identity for advanced NSF Anti-Virus Allow List capability.
This can be used for an extension point for Anti-Virus
Allow List as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-Virus Whitelists capability"; Functions - Advanced NSF Anti-Virus Allow List capability";
} }
identity syn-flood-action { identity syn-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS SYN Flood Action "Identity for advanced NSF Anti-DDoS SYN Flood Action
capability"; capability. This can be used for an extension point for
Anti-DDoS SYN Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS SYN Flood Action Functions - Advanced NSF Anti-DDoS SYN Flood Action
capability"; capability";
} }
identity udp-flood-action { identity udp-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS UDP Flood Action "Identity for advanced NSF Anti-DDoS UDP Flood Action
capability"; capability. This can be used for an extension point for
Anti-DDoS UDP Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS UDP Flood Action Functions - Advanced NSF Anti-DDoS UDP Flood Action
capability"; capability";
} }
identity http-flood-action { identity http-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF anti-DDoS HTTP Flood Action "Identity for advanced NSF Anti-DDoS HTTP Flood Action
capability"; capability. This can be used for an extension point for
Anti-DDoS HTTP Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS HTTP Flood Action Functions - Advanced NSF Anti-DDoS HTTP Flood Action
capability"; capability";
} }
identity https-flood-action { identity https-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS HTTPS Flood Action "Identity for advanced NSF Anti-DDoS HTTPS Flood Action
capability"; capability. This can be used for an extension point for
Anti-DDoS HTTPS Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS HTTPS Flood Action Functions - Advanced NSF Anti-DDoS HTTPS Flood Action
capability"; capability";
} }
identity dns-request-flood-action { identity dns-request-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS DNS Request Flood "Identity for advanced NSF Anti-DDoS DNS Request Flood
Action Aapability"; Action capability. This can be used for an extension
point for Anti-DDoS DNS Request Flood Action as an
advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS DNS Request Flood Functions - Advanced NSF Anti-DDoS DNS Request Flood
Action capability"; Action capability";
} }
identity dns-reply-flood-action { identity dns-reply-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS DNS Reply Flood "Identity for advanced NSF Anti-DDoS DNS Reply Flood
Action capability"; Action capability. This can be used for an extension
point for Anti-DDoS DNS Reply Flood Action as an
advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS DNS Reply Flood Functions - Advanced NSF Anti-DDoS DNS Reply Flood
Action capability"; Action capability";
} }
identity icmp-flood-action { identity icmp-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS ICMP Flood Action "Identity for advanced NSF Anti-DDoS ICMP Flood Action
capability"; capability. This can be used for an extension point
for Anti-DDoS ICMP Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS ICMP Flood Action Functions - Advanced NSF Anti-DDoS ICMP Flood Action
capability"; capability";
} }
identity icmpv6-flood-action { identity icmpv6-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action
capability"; capability. This can be used for an extension point
for Anti-DDoS ICMPv6 Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action
capability"; capability";
} }
identity sip-flood-action { identity sip-flood-action {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS SIP Flood Action "Identity for advanced NSF Anti-DDoS SIP Flood Action
capability"; capability. This can be used for an extension point
for Anti-DDoS SIP Flood Action as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS SIP Flood Action Functions - Advanced NSF Anti-DDoS SIP Flood Action
capability"; capability";
} }
identity detect-mode { identity detect-mode {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS Detection Mode "Identity for advanced NSF Anti-DDoS Detection Mode
capability"; capability. This can be used for an extension point
for Anti-DDoS Detection Mode as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS Detection Mode Functions - Advanced NSF Anti-DDoS Detection Mode
capability"; capability";
} }
identity baseline-learning { identity baseline-learning {
base anti-ddos-capability; base anti-ddos-capability;
description description
"Identity for advanced NSF Anti-DDoS Baseline Learning "Identity for advanced NSF Anti-DDoS Baseline Learning
capability"; capability. This can be used for an extension point
for Anti-DDoS Baseline Learning as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS Baseline Learning Functions - Advanced NSF Anti-DDoS Baseline Learning
capability"; capability";
} }
identity signature-set { identity signature-set {
base ips-capability; base ips-capability;
description description
"Identity for advanced NSF IPS Signature Set capability"; "Identity for advanced NSF IPS Signature Set capability.
This can be used for an extension point for IPS Signature
Set as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF IPS Signature Set capability"; Functions - Advanced NSF IPS Signature Set capability";
} }
identity ips-exception-signature { identity ips-exception-signature {
base ips-capability; base ips-capability;
description description
"Identity for advanced NSF IPS Exception Signature "Identity for advanced NSF IPS Exception Signature
capability"; capability. This can be used for an extension point for
IPS Exception Signature as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF IPS Exception Signature Set Functions - Advanced NSF IPS Exception Signature Set
capability"; capability";
} }
identity voice-id { identity voice-id {
base voip-volte-capability; base voip-volte-capability;
description description
"Identity for advanced NSF VoIP/VoLTE Voice-ID capability"; "Identity for advanced NSF VoIP/VoLTE Voice-ID capability.
This can be used for an extension point for VoIP/VoLTE
Voice-ID as an advanced NSF.";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol
RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF VoIP/VoLTE Security Service
capability";
} }
identity user-agent { identity user-agent {
base voip-volte-capability; base voip-volte-capability;
description description
"Identity for advanced NSF VoIP/VoLTE User Agent capability"; "Identity for advanced NSF VoIP/VoLTE User Agent capability.
This can be used for an extension point for VoIP/VoLTE
User Agent as an advanced NSF.";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol
RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF VoIP/VoLTE Security Service
capability";
} }
identity ipsec-capability { identity ipsec-capability {
description description
"Base identity for an IPsec capability"; "Base identity for an IPsec capability";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec methods such as IKE and IKE-less";
} }
identity ike { identity ike {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPSec Internet Key Exchange (IKE) "Identity for an IPSec Internet Key Exchange (IKE)
capability"; capability";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec method with IKE";
} }
identity ikeless { identity ikeless {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPSec without Internet Key Exchange (IKE) "Identity for an IPSec without Internet Key Exchange (IKE)
capability"; capability";
reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec method without IKE";
} }
/* /*
* Grouping * Grouping
*/ */
grouping nsf-capabilities { grouping nsf-capabilities {
description description
"Network Security Function (NSF) Capabilities"; "Network Security Function (NSF) Capabilities";
reference reference
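Review bot: the rename at the `identity whitelists { identity allow-list {` line is a welcome terminology fix, but it silently drops an identity name that any -07-based consumer may already carry in its configuration; if compatibility with earlier drafts matters, consider keeping `whitelists` with `status deprecated;` and a description pointing to `allow-list` rather than a plain rename. Three smaller points in the same region: the `ike` and `ikeless` descriptions spell "IPSec" while the base `ipsec-capability` description and the newly added reference strings use "IPsec", so align on "IPsec"; the `ips-exception-signature` reference still reads "Advanced NSF IPS Exception Signature Set capability" although the identity and its description are "IPS Exception Signature" (the "Set" belongs to `signature-set` just above); and the naming is uneven, with the Anti-Virus exception identity left unprefixed as `exception-signature` while the IPS one is `ips-exception-signature`.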
skipping to change at page 35, line 18 skipping to change at page 36, line 27
description description
"UDP packet capabilities"; "UDP packet capabilities";
reference reference
"RFC 768: User Datagram Protocol - UDP"; "RFC 768: User Datagram Protocol - UDP";
} }
} }
container advanced-nsf-capabilities { container advanced-nsf-capabilities {
description description
"Advanced Network Security Function (NSF) capabilities, "Advanced Network Security Function (NSF) capabilities,
such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE."; such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE.
This container contains the leaf-lists of advanced
NSF capabilities";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF capabilities"; Functions - Advanced NSF capabilities";
leaf-list anti-virus-capability { leaf-list anti-virus-capability {
type identityref { type identityref {
base anti-virus-capability; base anti-virus-capability;
} }
description description
"Anti-Virus capabilities"; "Anti-Virus capabilities";
 End of changes. 41 change blocks. 
48 lines changed or deleted 105 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/