draft-ietf-i2nsf-capability-data-model-08.txt   draft-ietf-i2nsf-capability-data-model-09.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: February 26, 2021 J. Kim Expires: March 1, 2021 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
August 25, 2020 August 28, 2020
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-08 draft-ietf-i2nsf-capability-data-model-09
Abstract Abstract
This document defines a YANG data model for the capabilities of This document defines a YANG data model for the capabilities of
various Network Security Functions (NSFs) in the Interface to Network various Network Security Functions (NSFs) in the Interface to Network
Security Functions (I2NSF) framework to centrally manage the Security Functions (I2NSF) framework to centrally manage the
capabilities of the various NSFs. capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 26, 2021. This Internet-Draft will expire on March 1, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Network Security Function (NSF) Capabilities . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6
6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9
6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41
9.1. Normative References . . . . . . . . . . . . . . . . . . 41 9.1. Normative References . . . . . . . . . . . . . . . . . . 41
9.2. Informative References . . . . . . . . . . . . . . . . . 43 9.2. Informative References . . . . . . . . . . . . . . . . . 44
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for the Capabilities of a General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44
A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45
A.3. Example 3: Registration for Capabilities of Web Filter . 46 A.2. Example 2: Registration for the Capabilities of a Time-
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE based Firewall . . . . . . . . . . . . . . . . . . . . . 47
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 A.3. Example 3: Registration for the Capabilities of a Web
A.5. Example 5: Registration for Capabilities of HTTP and Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47 A.4. Example 4: Registration for the Capabilities of a
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 A.5. Example 5: Registration for the Capabilities of a HTTP
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 50
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 51
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things, Self-driving vehicles, and VoIP/VoLTE Internet of Things, Self-driving vehicles, and VoIP/VoLTE
smartphones), service providers have a lot of problems described in smartphones), service providers have a lot of problems described in
[RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] [RFC8192]. To resolve these problems, [I-D.ietf-i2nsf-capability]
specifies the information model of the capabilities of Network specifies the information model of the capabilities of Network
Security Functions (NSFs). Security Functions (NSFs) in a framework of the Interface to Network
Security Functions (I2NSF) [RFC8329].
This document provides a YANG data model [RFC6020][RFC7950] that This document provides a YANG data model [RFC6020][RFC7950] that
defines the capabilities of NSFs to centrally manage the capabilities defines the capabilities of NSFs to centrally manage the capabilities
of those security devices. The security devices can register their of those security devices. The security devices can register their
own capabilities into a Network Operator Management (Mgmt) System own capabilities into a Network Operator Management (Mgmt) System
(i.e., Security Controller) with this YANG data model through the (i.e., Security Controller) with this YANG data model through the
registration interface [RFC8329]. With the capabilities of those registration interface [RFC8329]. With the capabilities of those
security devices maintained centrally, those security devices can be security devices maintained centrally, those security devices can be
more easily managed [RFC8329]. This YANG data model is based on the more easily managed [RFC8329]. This YANG data model is based on the
information model for I2NSF NSF capabilities information model for I2NSF NSF capabilities
[draft-ietf-i2nsf-capability]. [I-D.ietf-i2nsf-capability].
This YANG data model uses an "Event-Condition-Action" (ECA) policy This YANG data model uses an "Event-Condition-Action" (ECA) policy
model that is used as the basis for the design of I2NSF Policy as model that is used as the basis for the design of I2NSF Policy as
described in [RFC8329] and [draft-ietf-i2nsf-capability]. The "ietf- described in [RFC8329] and [I-D.ietf-i2nsf-capability]. The "ietf-
i2nsf-capability" YANG module defined in this document provides the i2nsf-capability" YANG module defined in this document provides the
following features: following features:
o Definition for general capabilities of network security functions. o Definition for general capabilities of network security functions.
o Definition for event capabilities of generic network security o Definition for event capabilities of generic network security
functions. functions.
o Definition for condition capabilities of generic network security o Definition for condition capabilities of generic network security
functions. functions.
skipping to change at page 3, line 42 skipping to change at page 3, line 42
o Definition for resolution strategy capabilities of generic network o Definition for resolution strategy capabilities of generic network
security functions. security functions.
o Definition for default action capabilities of generic network o Definition for default action capabilities of generic network
security functions. security functions.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119][RFC8174]. document are to be interpreted as described in [RFC2119].
3. Terminology 3. Terminology
This document uses the terminology described in This document uses the terminology described in [RFC8329].
[draft-ietf-i2nsf-capability][RFC8431]. Especially, the following
terms are from [RFC3444]:
o Data Model: A data model is a representation of concepts of
interest to an environment in a form that is dependent on data
repository, data definition language, query language,
implementation language, and protocol.
o Information Model: An information model is a representation of
concepts of interest to an environment in a form that is
independent of data repository, data definition language, query
language, implementation language, and protocol.
3.1. Tree Diagrams
A simplified graphical representation of the data model is used in This document follows the guidelines of [RFC8407], uses the common
this document. The meaning of the symbols in these diagrams is YANG types defined in [RFC6991], and adopts the Network Management
referred from [RFC8340]. Datastore Architecture (NMDA). The meaning of the symbols in tree
diagrams is defined in [RFC8340].
4. Overview 4. Overview
This section provides as overview of how the YANG data model can be This section provides as overview of how the YANG data model can be
used in the I2NSF framework described in [RFC8329]. Figure 1 shows used in the I2NSF framework described in [RFC8329]. Figure 1 shows
the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF
Framework. As shown in this figure, an NSF Developer's Management Framework. As shown in this figure, an NSF Developer's Management
System can register NSFs and the capabilities that the network System can register NSFs and the capabilities that the network
security device can support. To register NSFs in this way, the security device can support. To register NSFs in this way, the
Developer's Management System utilizes this standardized capability Developer's Management System utilizes this standardized capability
YANG data model through the I2NSF Registration Interface YANG data model through the I2NSF Registration Interface [RFC8329].
[draft-ietf-i2nsf-registration-interface-dm]. That is, this That is, this Registration Interface uses the YANG module described
Registration Interface uses the YANG module described in this in this document to describe the capability of a network security
document to describe the capability of a network security function function that is registered with the Security Controller. With the
that is registered with the Security Controller. With the
capabilities of those network security devices maintained centrally, capabilities of those network security devices maintained centrally,
those security devices can be more easily managed, which can resolve those security devices can be more easily managed, which can resolve
many of the problems described in [RFC8192]. many of the problems described in [RFC8192].
In Figure 1, a new NSF at a Developer's Management Systems has In Figure 1, a new NSF at a Developer's Management Systems has
capabilities of Firewall (FW) and Web Filter (WF), which are denoted capabilities of Firewall (FW) and Web Filter (WF), which are denoted
as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy
rules where 'E', 'C', and 'A' mean "Event", "Condition", and rules where 'E', 'C', and 'A' mean "Event", "Condition", and
"Action", respectively. The condition involves IPv4 or IPv6 "Action", respectively. The condition involves IPv4 or IPv6
datagrams, and the action includes "Allow" and "Deny" for those datagrams, and the action includes "Allow" and "Deny" for those
datagrams. datagrams.
Note that the NSF-Facing Interface is used to configure the security Note that the NSF-Facing Interface [RFC8329] is used to configure the
policy rules of the generic network security functions security policy rules of the generic network security functions, and
[draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of The configuration of advanced security functions over the NSF-Facing
advanced security functions over the NSF-Facing Interface is used to Interface is used to configure the security policy rules of advanced
configure the security policy rules of advanced network security network security functions (e.g., anti-virus and anti-DDoS attack),
functions (e.g., anti-virus and anti-DDoS attack), respectively, respectively, according to the capabilities of NSFs registered with
according to the capabilities of NSFs registered with the I2NSF the I2NSF Framework.
Framework.
+------------------------------------------------------+ +------------------------------------------------------+
| I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | I2NSF User (e.g., Overlay Network Mgmt, Enterprise |
| Network Mgmt, another network domain's mgmt, etc.) | | Network Mgmt, another network domain's mgmt, etc.) |
+--------------------+---------------------------------+ +--------------------+---------------------------------+
I2NSF ^ I2NSF ^
Consumer-Facing Interface | Consumer-Facing Interface |
| |
v I2NSF v I2NSF
+-----------------+------------+ Registration +-------------+ +-----------------+------------+ Registration +-------------+
skipping to change at page 6, line 21 skipping to change at page 6, line 21
o If NSFs encounter the suspicious IPv6 packets of malicious users, o If NSFs encounter the suspicious IPv6 packets of malicious users,
they can filter the packets out according to the configured they can filter the packets out according to the configured
security policy rule. Therefore, the security policy rule against security policy rule. Therefore, the security policy rule against
the malicious users' packets can be automatically applied to the malicious users' packets can be automatically applied to
appropriate NSFs without human intervention. appropriate NSFs without human intervention.
5. YANG Tree Diagram 5. YANG Tree Diagram
This section shows a YANG tree diagram of capabilities of network This section shows a YANG tree diagram of capabilities of network
security functions, as defined in the [draft-ietf-i2nsf-capability]. security functions, as defined in the [I-D.ietf-i2nsf-capability].
5.1. Network Security Function (NSF) Capabilities 5.1. Network Security Function (NSF) Capabilities
This section explains a YANG tree diagram of NSF capabilities and its This section explains a YANG tree diagram of NSF capabilities and its
features. Figure 2 shows a YANG tree diagram of NSF capabilities. features. Figure 2 shows a YANG tree diagram of NSF capabilities.
The NSF capabilities in the tree include time capabilities, event The NSF capabilities in the tree include time capabilities, event
capabilities, condition capabilities, action capabilities, resolution capabilities, condition capabilities, action capabilities, resolution
strategy capabilities, and default action capabilities. Those strategy capabilities, and default action capabilities. Those
capabilities can be tailored or extended according to a vendor's capabilities can be tailored or extended according to a vendor's
specific requirements. Refer to the NSF capabilities information specific requirements. Refer to the NSF capabilities information
model for detailed discussion [draft-ietf-i2nsf-capability]. model for detailed discussion [I-D.ietf-i2nsf-capability].
module: ietf-i2nsf-capability module: ietf-i2nsf-capability
+--rw nsf* [nsf-name] +--rw nsf* [nsf-name]
+--rw nsf-name string +--rw nsf-name string
+--rw time-capabilities* enumeration +--rw time-capabilities* enumeration
+--rw event-capabilities +--rw event-capabilities
| +--rw system-event-capability* identityref | +--rw system-event-capability* identityref
| +--rw system-alarm-capability* identityref | +--rw system-alarm-capability* identityref
+--rw condition-capabilities +--rw condition-capabilities
| +--rw generic-nsf-capabilities | +--rw generic-nsf-capabilities
skipping to change at page 7, line 43 skipping to change at page 7, line 43
+--rw ipsec-method* identityref +--rw ipsec-method* identityref
Figure 2: YANG Tree Diagram of Capabilities of Network Security Figure 2: YANG Tree Diagram of Capabilities of Network Security
Functions Functions
Time capabilities are used to specify the capabilities which describe Time capabilities are used to specify the capabilities which describe
when to execute the I2NSF policy rule. The time capabilities are when to execute the I2NSF policy rule. The time capabilities are
defined in terms of absolute time and periodic time. The absolute defined in terms of absolute time and periodic time. The absolute
time means the exact time to start or end. The periodic time means time means the exact time to start or end. The periodic time means
repeated time like day, week, or month. See Section 3.4.6 repeated time like day, week, or month. See Section 3.4.6
(Capability Algebra) in [draft-ietf-i2nsf-capability] for more (Capability Algebra) in [I-D.ietf-i2nsf-capability] for more
information about the time-based condition (e.g., time period) in the information about the time-based condition (e.g., time period) in the
capability algebra. capability algebra.
Event capabilities are used to specify the capabilities that describe Event capabilities are used to specify the capabilities that describe
the event that would trigger the evaluation of the condition clause the event that would trigger the evaluation of the condition clause
of the I2NSF Policy Rule. The defined event capabilities are system of the I2NSF Policy Rule. The defined event capabilities are system
event and system alarm. See Section 3.1 (Design Principles and ECA event and system alarm. See Section 3.1 (Design Principles and ECA
Policy Model Overview) in [draft-ietf-i2nsf-capability] for more Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more
information about the event in the ECA policy model. information about the event in the ECA policy model.
Condition capabilities are used to specify capabilities of a set of Condition capabilities are used to specify capabilities of a set of
attributes, features, and/or values that are to be compared with a attributes, features, and/or values that are to be compared with a
set of known attributes, features, and/or values in order to set of known attributes, features, and/or values in order to
determine whether or not the set of actions in that (imperative) determine whether or not the set of actions in that (imperative)
I2NSF policy rule can be executed. The condition capabilities are I2NSF policy rule can be executed. The condition capabilities are
classified in terms of generic network security functions and classified in terms of generic network security functions and
advanced network security functions. The condition capabilities of advanced network security functions. The condition capabilities of
generic network security functions are defined as IPv4 capability, generic network security functions are defined as IPv4 capability,
IPv6 capability, TCP capability, UDP capability, and ICMP capability. IPv6 capability, TCP capability, UDP capability, and ICMP capability.
The condition capabilities of advanced network security functions are The condition capabilities of advanced network security functions are
defined as anti-virus capability, anti-DDoS capability, IPS defined as anti-virus capability, anti-DDoS capability, IPS
capability, HTTP capability, and VoIP/VoLTE capability. See capability, HTTP capability, and VoIP/VoLTE capability. See
Section 3.1 (Design Principles and ECA Policy Model Overview) in Section 3.1 (Design Principles and ECA Policy Model Overview) in
[draft-ietf-i2nsf-capability] for more information about the [I-D.ietf-i2nsf-capability] for more information about the condition
condition in the ECA policy model. Also, see Section 3.4.3 (I2NSF in the ECA policy model. Also, see Section 3.4.3 (I2NSF Condition
Condition Clause Operator Types) in [draft-ietf-i2nsf-capability] for Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more
more information about the operator types in an I2NSF condition information about the operator types in an I2NSF condition clause.
clause.
Action capabilities are used to specify the capabilities that Action capabilities are used to specify the capabilities that
describe the control and monitoring aspects of flow-based NSFs when describe the control and monitoring aspects of flow-based NSFs when
the event and condition clauses are satisfied. The action the event and condition clauses are satisfied. The action
capabilities are defined as ingress-action capability, egress-action capabilities are defined as ingress-action capability, egress-action
capability, and log-action capability. See Section 3.1 (Design capability, and log-action capability. See Section 3.1 (Design
Principles and ECA Policy Model Overview) in Principles and ECA Policy Model Overview) in
[draft-ietf-i2nsf-capability] for more information about the action [I-D.ietf-i2nsf-capability] for more information about the action in
in the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow
Security Policy Structure) in [RFC8329] for more information about Security Policy Structure) in [RFC8329] for more information about
the ingress and egress actions. In addition, see Section 9.1 (Flow- the ingress and egress actions. In addition, see Section 9.1 (Flow-
Based NSF Capability Characterization) for more information about Based NSF Capability Characterization) for more information about
logging at NSFs. logging at NSFs.
Resolution strategy capabilities are used to specify the capabilities Resolution strategy capabilities are used to specify the capabilities
that describe conflicts that occur between the actions of the same or that describe conflicts that occur between the actions of the same or
different policy rules that are matched and contained in this different policy rules that are matched and contained in this
particular NSF. The resolution strategy capabilities are defined as particular NSF. The resolution strategy capabilities are defined as
First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized
Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE),
and Prioritized Matching Rule with No Errors (PMRN). See and Prioritized Matching Rule with No Errors (PMRN). See
Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in
[draft-ietf-i2nsf-capability] for more information about the [I-D.ietf-i2nsf-capability] for more information about the resolution
resolution strategy. strategy.
Default action capabilities are used to specify the capabilities that Default action capabilities are used to specify the capabilities that
describe how to execute I2NSF policy rules when no rule matches a describe how to execute I2NSF policy rules when no rule matches a
packet. The default action capabilities are defined as pass, drop, packet. The default action capabilities are defined as pass, drop,
alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy
and Default Action) in [draft-ietf-i2nsf-capability] for more and Default Action) in [I-D.ietf-i2nsf-capability] for more
information about the default action. information about the default action.
IPsec method capabilities are used to specify capabilities of how to IPsec method capabilities are used to specify capabilities of how to
support an Internet Key Exchange (IKE) for the security support an Internet Key Exchange (IKE) for the security
communication. The default action capabilities are defined as IKE or communication. The default action capabilities are defined as IKE or
IKE-less. See [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for more IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more
information about the SDN-based IPsec flow protection in I2NSF. information about the SDN-based IPsec flow protection in I2NSF.
6. YANG Data Modules 6. YANG Data Model of I2NSF NSF Capability
6.1. I2NSF Capability YANG Data Module This section introduces a YANG module for NSFs' capabilities, as
defined in the [I-D.ietf-i2nsf-capability].
This section introduces a YANG data module for network security This YANG module imports from [RFC6991]. It makes references to [RFC
functions capabilities, as defined in the 0768][RFC0790][RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][
[draft-ietf-i2nsf-capability]. RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-monitoring-dat
a-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection].
<CODE BEGINS> file "ietf-i2nsf-capability@2020-08-25.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2020-08-28.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar
<mailto:ldunbar@futurewei.com>
WG Chair: Yoav Nir
<mailto:ynir.ietf@gmail.com>
Editor: Susan Hares
<mailto:shares@ndzh.com>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Jinyong Tim Kim Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu>"; <mailto:timkim@skku.edu>
Editor: Susan Hares
<mailto:shares@ndzh.com>";
description description
"This module describes a capability model for I2NSF devices. "This module is a YANG module for I2NSF Network Security
Functions (NSFs)'s Capabilities.
Copyright (c) 2020 IETF Trust and the persons identified as Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8341; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2020-08-25"{ revision "2020-08-28"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
} }
/* /*
* Identities * Identities
*/ */
identity event { identity event {
description description
"Base identity for I2NSF policy events."; "Base identity for I2NSF policy events.";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- Event"; Monitoring YANG Data Model - Event";
} }
identity system-event-capability { identity system-event-capability {
base event; base event;
description description
"Identity for system events"; "Identity for system event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System event";
} }
identity system-alarm-capability { identity system-alarm-capability {
base event; base event;
description description
"Identity for system alarms"; "Identity for system alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm";
} }
identity access-violation { identity access-violation {
base system-event-capability; base system-event-capability;
description description
"Identity for access violation events"; "Identity for access violation event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System event"; Monitoring YANG Data Model - System event for access
violation";
} }
identity configuration-change { identity configuration-change {
base system-event-capability; base system-event-capability;
description description
"Identity for configuration change events"; "Identity for configuration change event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System event"; Monitoring YANG Data Model - System event for configuration
change";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for memory alarm events"; "Identity for memory alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm for memory";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for CPU alarm events"; "Identity for CPU alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm for CPU";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for disk alarm events"; "Identity for disk alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm for disk";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for hardware alarm events"; "Identity for hardware alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm for hardware";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for interface alarm events"; "Identity for interface alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03 "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
- System alarm"; Monitoring YANG Data Model - System alarm for interface";
} }
identity condition { identity condition {
description description
"Base identity for policy conditions"; "Base identity for policy conditions";
} }
identity context-capability { identity context-capability {
base condition; base condition;
description description
skipping to change at page 23, line 32 skipping to change at page 23, line 32
identity pass { identity pass {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for pass action capability"; "Identity for pass action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress, egress, and pass actions Functions - Ingress, egress, and pass actions
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Actions and default action"; NSFs Capabilities - Actions and default action";
} }
identity drop { identity drop {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for drop action capability"; "Identity for drop action capability";
reference reference
skipping to change at page 32, line 38 skipping to change at page 32, line 38
"Base identity for an IPsec capability"; "Base identity for an IPsec capability";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec methods such as IKE and IKE-less"; Protection - IPsec methods such as IKE and IKE-less";
} }
identity ike { identity ike {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPSec Internet Key Exchange (IKE) "Identity for an IPsec Internet Key Exchange (IKE)
capability"; capability";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec method with IKE"; Protection - IPsec method with IKE";
} }
identity ikeless { identity ikeless {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPSec without Internet Key Exchange (IKE) "Identity for an IPsec without Internet Key Exchange (IKE)
capability"; capability";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec method without IKE"; Protection - IPsec method without IKE";
} }
/* /*
* Grouping * Grouping
*/ */
skipping to change at page 40, line 10 skipping to change at page 40, line 10
<CODE ENDS> <CODE ENDS>
Figure 3: YANG Data Module of I2NSF Capability Figure 3: YANG Data Module of I2NSF Capability
7. IANA Considerations 7. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
Registrant Contact: The IESG.
Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace.
XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950][RFC8525]. the "YANG Module Names" registry [RFC7950][RFC8525]:
name: ietf-i2nsf-capability
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
prefix: nsfcap
reference: RFC XXXX name: ietf-i2nsf-capability
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
prefix: nsfcap
reference: RFC XXXX
8. Security Considerations 8. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required transport secure the secure transport layer, and the required transport secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the required transport secure transport is TLS is HTTPS, and the required transport secure transport is TLS
[RFC8446]. [RFC8446].
skipping to change at page 41, line 19 skipping to change at page 41, line 15
nodes and their sensitivity/vulnerability: nodes and their sensitivity/vulnerability:
o ietf-i2nsf-capability: An attacker could gather the security o ietf-i2nsf-capability: An attacker could gather the security
capability information of any NSF and use this information to capability information of any NSF and use this information to
evade detection or filtering. evade detection or filtering.
9. References 9. References
9.1. Normative References 9.1. Normative References
[draft-ietf-i2nsf-capability] [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
Xia, L., Strassner, J., Basile, C., and D. Lopez, DOI 10.17487/RFC0768, August 1980,
"Information Model of NSFs Capabilities", draft-ietf- <https://www.rfc-editor.org/info/rfc768>.
i2nsf-capability-05 (work in progress), April 2019.
[draft-ietf-i2nsf-nsf-monitoring-data-model] [RFC0790] Postel, J., "Assigned numbers", RFC 790,
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, DOI 10.17487/RFC0790, September 1981,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- <https://www.rfc-editor.org/info/rfc790>.
nsf-monitoring-data-model-03 (work in progress), May 2020.
[draft-ietf-i2nsf-sdn-ipsec-flow-protection] [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- DOI 10.17487/RFC0791, September 1981,
Garcia, "Software-Defined Networking (SDN)-based IPsec <https://www.rfc-editor.org/info/rfc791>.
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-08 (work in progress), June 2020. [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
skipping to change at page 42, line 9 skipping to change at page 42, line 9
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<https://www.rfc-editor.org/info/rfc3444>. <https://www.rfc-editor.org/info/rfc3444>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849,
DOI 10.17487/RFC3849, July 2004,
<https://www.rfc-editor.org/info/rfc3849>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>.
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737,
DOI 10.17487/RFC5737, January 2010,
<https://www.rfc-editor.org/info/rfc5737>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1980. RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>.
[RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981.
[RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981.
[RFC792] Postel, J., "Internet Control Message Protocol", RFC 792,
September 1981.
[RFC793] Postel, J., "Transmission Control Protocol", RFC 793,
September 1981.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
and J. Jeong, "Interface to Network Security Functions and J. Jeong, "Interface to Network Security Functions
(I2NSF): Problem Statement and Use Cases", RFC 8192, (I2NSF): Problem Statement and Use Cases", RFC 8192,
DOI 10.17487/RFC8192, July 2017, DOI 10.17487/RFC8192, July 2017,
<https://www.rfc-editor.org/info/rfc8192>. <https://www.rfc-editor.org/info/rfc8192>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
skipping to change at page 43, line 24 skipping to change at page 43, line 30
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>.
[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
S., and N. Bahadur, "A YANG Data Model for the Routing S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>. September 2018, <https://www.rfc-editor.org/info/rfc8431>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
9.2. Informative References 9.2. Informative References
[draft-ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-capability]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"I2NSF Network Security Function-Facing Interface YANG "Information Model of NSFs Capabilities", draft-ietf-
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09 i2nsf-capability-05 (work in progress), April 2019.
(work in progress), May 2020.
[draft-ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
Registration Interface YANG Data Model", draft-ietf-i2nsf- "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
registration-interface-dm (work in progress), March 2020. nsf-monitoring-data-model-03 (work in progress), May 2020.
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
"Software-Defined Networking (SDN)-based IPsec Flow
Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
(work in progress), June 2020.
Appendix A. Configuration Examples Appendix A. Configuration Examples
This section shows configuration examples of "ietf-i2nsf-capability" This section shows configuration examples of "ietf-i2nsf-capability"
module for capabilities registration of general firewall. module for capabilities registration of general firewall.
A.1. Example 1: Registration for Capabilities of General Firewall A.1. Example 1: Registration for the Capabilities of a General Firewall
This section shows a configuration example for capabilities This section shows a configuration example for the capabilities
registration of general firewall. registration of a general firewall in either an IPv4 network or an
IPv6 network.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name> <nsf-name>general_firewall</nsf-name>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>ipv4-protocol</ipv4-capability>
<ipv4-capability>exact-ipv4-address</ipv4-capability> <ipv4-capability>exact-ipv4-address</ipv4-capability>
<ipv4-capability>range-ipv4-address</ipv4-capability> <ipv4-capability>range-ipv4-address</ipv4-capability>
<tcp-capability>exact-fourth-layer-port-num</tcp-capability> <tcp-capability>exact-fourth-layer-port-num</tcp-capability>
<tcp-capability>range-fourth-layer-port-num</tcp-capability> <tcp-capability>range-fourth-layer-port-num</tcp-capability>
skipping to change at page 44, line 36 skipping to change at page 45, line 37
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>alert</egress-action-capability>
</action-capabilities> </action-capabilities>
</nsf> </nsf>
Figure 4: Configuration XML for Capabilities Registration of General Figure 4: Configuration XML for the Capabilities Registration of a
Firewall General Firewall in an IPv4 Network
Figure 4 shows the configuration XML for capabilities registration of Figure 4 shows the configuration XML for the capabilities
general firewall and its capabilities are as follows. registration of a general firewall as an NSF in an IPv4 network
[RFC5737]. Its capabilities are as follows.
1. The name of the NSF is general_firewall. 1. The name of the NSF is general_firewall.
2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 2. The NSF can inspect a protocol, an exact IPv4 address, and a
address for IPv4 packets. range of IPv4 addresses for IPv4 packets.
3. The NSF can inspect exact port number and range port number for 3. The NSF can inspect an exact port number and a range of port
fourth layer packets. numbers for the fourth layer packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
A.2. Example 2: Registration for Capabilities of Time based Firewall <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name>
<condition-capabilities>
<generic-nsf-capabilities>
<ipv6-capability>ipv6-protocol</ipv6-capability>
<ipv6-capability>exact-ipv6-address</ipv6-capability>
<ipv6-capability>range-ipv6-address</ipv6-capability>
<tcp-capability>exact-fourth-layer-port-num</tcp-capability>
<tcp-capability>range-fourth-layer-port-num</tcp-capability>
</generic-nsf-capabilities>
</condition-capabilities>
<action-capabilities>
<ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
This section shows a configuration example for capabilities Figure 5: Configuration XML for the Capabilities Registration of a
registration of time based firewall. General Firewall in an IPv6 Network
In addition, Figure 5 shows the configuration XML for the
capabilities registration of a general firewall as an NSF in an IPv6
network [RFC3849]. Its capabilities are as follows.
1. The name of the NSF is general_firewall.
2. The NSF can inspect a protocol, an exact IPv6 address, and a
range of IPv6 addresses for IPv6 packets.
3. The NSF can inspect an exact port number and a range of port
numbers for the fourth layer packets.
4. The NSF can control whether the packets are allowed to pass,
drop, or alert.
A.2. Example 2: Registration for the Capabilities of a Time-based
Firewall
This section shows a configuration example for the capabilities
registration of a time-based firewall in either an IPv4 network or an
IPv6 network.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>time_based_firewall</nsf-name> <nsf-name>time_based_firewall</nsf-name>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>ipv4-protocol</ipv4-capability>
<ipv4-capability>exact-ipv4-address</ipv4-capability> <ipv4-capability>exact-ipv4-address</ipv4-capability>
<ipv4-capability>range-ipv4-address</ipv4-capability> <ipv4-capability>range-ipv4-address</ipv4-capability>
skipping to change at page 45, line 34 skipping to change at page 47, line 33
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>alert</egress-action-capability>
</action-capabilities> </action-capabilities>
</nsf> </nsf>
Figure 5: Configuration XML for Capabilities Registration of Time Figure 6: Configuration XML for the Capabilities Registration of a
based Firewall Time-based Firewall in an IPv4 Network
Figure 5 shows the configuration XML for capabilities registration of Figure 6 shows the configuration XML for the capabilities
time based firewall and its capabilities are as follows. registration of a time-based firewall as an NSF in an IPv4 network
[RFC5737]. Its capabilities are as follows.
1. The name of the NSF is time_based_firewall. 1. The name of the NSF is time_based_firewall.
2. The NSF can execute the security policy rule according to 2. The NSF can execute the security policy rule according to
absolute time and periodic time. absolute time and periodic time.
3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 3. The NSF can inspect a protocol, an exact IPv4 address, and a
address for IPv4 packets. range of IPv4 addresses for IPv4 packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
A.3. Example 3: Registration for Capabilities of Web Filter <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>time_based_firewall</nsf-name>
<time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities>
<condition-capabilities>
<generic-nsf-capabilities>
<ipv6-capability>ipv6-protocol</ipv6-capability>
<ipv6-capability>exact-ipv6-address</ipv6-capability>
<ipv6-capability>range-ipv6-address</ipv6-capability>
</generic-nsf-capabilities>
</condition-capabilities>
<action-capabilities>
<ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
This section shows a configuration example for capabilities Figure 7: Configuration XML for the Capabilities Registration of a
registration of web filter. Time-based Firewall in an IPv6 Network
In addition, Figure 7 shows the configuration XML for the
capabilities registration of a time-based firewall as an NSF in an
IPv6 network [RFC3849]. Its capabilities are as follows.
1. The name of the NSF is time_based_firewall.
2. The NSF can execute the security policy rule according to
absolute time and periodic time.
3. The NSF can inspect a protocol, an exact IPv6 address, and a
range of IPv6 addresses for IPv6 packets.
4. The NSF can control whether the packets are allowed to pass,
drop, or alert.
A.3. Example 3: Registration for the Capabilities of a Web Filter
This section shows a configuration example for the capabilities
registration of a web filter.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>web_filter</nsf-name> <nsf-name>web_filter</nsf-name>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<url-capability>user-defined</url-capability> <url-capability>user-defined</url-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>alert</egress-action-capability>
</action-capabilities> </action-capabilities>
</nsf> </nsf>
Figure 6: Configuration XML for Capabilities Registration of Web Figure 8: Configuration XML for the Capabilities Registration of a
Filter Web Filter
Figure 6 shows the configuration XML for capabilities registration of Figure 8 shows the configuration XML for the capabilities
web filter and its capabilities are as follows. registration of a web filter as an NSF. Its capabilities are as
follows.
1. The name of the NSF is web_filter. 1. The name of the NSF is web_filter.
2. The NSF can inspect url for http and https packets. 2. The NSF can inspect url for http and https packets.
3. The NSF can control whether the packets are allowed to pass, 3. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
Filter
This section shows a configuration example for capabilities This section shows a configuration example for the capabilities
registration of VoIP/VoLTE filter. registration of a VoIP/VoLTE filter.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>voip_volte_filter</nsf-name> <nsf-name>voip_volte_filter</nsf-name>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>voice-id</voip-volte-capability> <voip-volte-capability>voice-id</voip-volte-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>alert</egress-action-capability>
</action-capabilities> </action-capabilities>
</nsf> </nsf>
Figure 7: Configuration XML for Capabilities Registration of VoIP/ Figure 9: Configuration XML for the Capabilities Registration of a
VoLTE Filter VoIP/VoLTE Filter
Figure 7 shows the configuration XML for capabilities registration of Figure 9 shows the configuration XML for the capabilities
VoIP/VoLTE filter and its capabilities are as follows. registration of a VoIP/VoLTE filter as an NSF. Its capabilities are
as follows.
1. The name of the NSF is voip_volte_filter. 1. The name of the NSF is voip_volte_filter.
2. The NSF can inspect voice id for VoIP/VoLTE packets. 2. The NSF can inspect a voice id for VoIP/VoLTE packets.
3. The NSF can control whether the packets are allowed to pass, 3. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood A.5. Example 5: Registration for the Capabilities of a HTTP and HTTPS
Mitigation Flood Mitigator
This section shows a configuration example for capabilities This section shows a configuration example for the capabilities
registration of http and https flood mitigation. registration of a HTTP and HTTPS flood mitigator.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>http_and_https_flood_mitigation</nsf-name> <nsf-name>http_and_https_flood_mitigation</nsf-name>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<anti-ddos-capability>http-flood-action</anti-ddos-capability> <anti-ddos-capability>http-flood-action</anti-ddos-capability>
<anti-ddos-capability>https-flood-action</anti-ddos-capability> <anti-ddos-capability>https-flood-action</anti-ddos-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>alert</egress-action-capability>
</action-capabilities> </action-capabilities>
</nsf> </nsf>
Figure 8: Configuration XML for Capabilities Registration of HTTP and Figure 10: Configuration XML for the Capabilities Registration of a
HTTPS Flood Mitigation HTTP and HTTPS Flood Mitigator
Figure 8 shows the configuration XML for capabilities registration of Figure 10 shows the configuration XML for the capabilities
http and https flood mitigation and its capabilities are as follows. registration of a HTTP and HTTPS flood mitigator as an NSF. Its
capabilities are as follows.
1. The name of the NSF is http_and_https_flood_mitigation. 1. The name of the NSF is http_and_https_flood_mitigation.
2. The location of the NSF is 221.159.112.140. 2. The IPv4 address of the NSF is assumed to be 192.0.2.11
[RFC5737]. Also, the IPv6 address of the NSF is assumed to be
2001:DB8:0:1::11 [RFC3849].
3. The NSF can control the amount of packets for http and https 3. The NSF can control the amount of packets for HTTP and HTTPS
packets. packets, which are routed to the NSF's IPv4 address or the NSF's
IPv6 address.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
Appendix B. Acknowledgments Appendix B. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based
Network Management Automation Technology).
Appendix C. Contributors Appendix C. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document, such as Acee
considered co-authors: Lindem, Roman Danyliw, and Tom Petch. The authors sincerely
appreciate their contributions.
o Hyoungshick Kim (Sungkyunkwan University) The following are co-authors of this document:
o Daeyoung Hyun (Sungkyunkwan University) Hyoungshick Kim
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
o Dongjin Hong (Sungkyunkwan University) EMail: hyoung@skku.edu
o Liang Xia (Huawei) Daeyoung Hyun
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
o Jung-Soo Park (ETRI) EMail: dyhyun@skku.edu
o Tae-Jin Ahn (Korea Telecom) Dongjin Hong
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
o Se-Hui Lee (Korea Telecom) EMail: dong.jin@skku.edu
Liang Xia
Huawei
101 Software Avenue
Nanjing, Jiangsu 210012
China
EMail: Frank.Xialiang@huawei.com
Jung-Soo Park
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu
Daejeon, 34129
Republic of Korea
EMail: pjs@etri.re.kr
Tae-Jin Ahn
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon, 305-811
Republic of Korea
EMail: taejin.ahn@kt.com
Se-Hui Lee
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon, 305-811
Republic of Korea
EMail: sehuilee@kt.com
Authors' Addresses Authors' Addresses
Susan Hares (editor) Susan Hares (editor)
Huawei Huawei
7453 Hickory Hill 7453 Hickory Hill
Saline, MI 48176 Saline, MI 48176
USA USA
Phone: +1-734-604-0332 Phone: +1-734-604-0332
 End of changes. 107 change blocks. 
238 lines changed or deleted 373 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/