draft-ietf-i2nsf-capability-data-model-10.txt   draft-ietf-i2nsf-capability-data-model-11.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: March 10, 2021 J. Kim Expires: March 12, 2021 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
September 6, 2020 September 8, 2020
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-10 draft-ietf-i2nsf-capability-data-model-11
Abstract Abstract
This document defines a YANG data model for the capabilities of This document defines a YANG data model for the capabilities of
various Network Security Functions (NSFs) in the Interface to Network various Network Security Functions (NSFs) in the Interface to Network
Security Functions (I2NSF) framework to centrally manage the Security Functions (I2NSF) framework to centrally manage the
capabilities of the various NSFs. capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 10, 2021. This Internet-Draft will expire on March 12, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Network Security Function (NSF) Capabilities . . . . . . 6 4.1. Network Security Function (NSF) Capabilities . . . . . . 6
5. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 5. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
7. Security Considerations . . . . . . . . . . . . . . . . . . . 40 7. Security Considerations . . . . . . . . . . . . . . . . . . . 41
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
8.1. Normative References . . . . . . . . . . . . . . . . . . 41 8.1. Normative References . . . . . . . . . . . . . . . . . . 42
8.2. Informative References . . . . . . . . . . . . . . . . . 44 8.2. Informative References . . . . . . . . . . . . . . . . . 45
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 47
A.1. Example 1: Registration for the Capabilities of a General A.1. Example 1: Registration for the Capabilities of a General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 47
A.2. Example 2: Registration for the Capabilities of a Time- A.2. Example 2: Registration for the Capabilities of a Time-
based Firewall . . . . . . . . . . . . . . . . . . . . . 47 based Firewall . . . . . . . . . . . . . . . . . . . . . 49
A.3. Example 3: Registration for the Capabilities of a Web A.3. Example 3: Registration for the Capabilities of a Web
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 50
A.4. Example 4: Registration for the Capabilities of a A.4. Example 4: Registration for the Capabilities of a
VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49 VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 51
A.5. Example 5: Registration for the Capabilities of a HTTP A.5. Example 5: Registration for the Capabilities of a HTTP
and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 50 and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 52
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 51 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 53
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 52 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things, Self-driving vehicles, and VoIP/VoLTE Internet of Things, Self-driving vehicles, and smartphone using Voice
smartphones), service providers have a lot of problems described in over IP (VoIP) and Voice over LTE (VoLTE)), service providers have a
[RFC8192]. To resolve these problems, [I-D.ietf-i2nsf-capability] lot of problems described in [RFC8192]. To resolve these problems,
specifies the information model of the capabilities of Network [I-D.ietf-i2nsf-capability] specifies the information model of the
Security Functions (NSFs) in a framework of the Interface to Network capabilities of Network Security Functions (NSFs) in a framework of
Security Functions (I2NSF) [RFC8329]. the Interface to Network Security Functions (I2NSF) [RFC8329].
This document provides a YANG data model [RFC6020][RFC7950] that This document provides a YANG data model [RFC6020][RFC7950] that
defines the capabilities of NSFs to centrally manage the capabilities defines the capabilities of NSFs to centrally manage the capabilities
of those security devices. The security devices can register their of those security devices. The security devices can register their
own capabilities into a Network Operator Management (Mgmt) System own capabilities into a Network Operator Management (Mgmt) System
(i.e., Security Controller) with this YANG data model through the (i.e., Security Controller) with this YANG data model through the
registration interface [RFC8329]. With the capabilities of those registration interface [RFC8329]. With the capabilities of those
security devices maintained centrally, those security devices can be security devices maintained centrally, those security devices can be
more easily managed [RFC8329]. This YANG data model is based on the more easily managed [RFC8329]. This YANG data model is based on the
information model for I2NSF NSF capabilities information model for I2NSF NSF capabilities
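Review bot: In the rewritten first sentence of the Introduction, "smartphone using Voice over IP (VoIP) and Voice over LTE (VoLTE)" is singular while the sibling items in the list ("Internet of Things, Self-driving vehicles") are plural; suggest "smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE)" and lower-case "self-driving" to match the rest of the list. The phrase "service providers have a lot of problems described in [RFC8192]" is informal for a Standards Track document; "service providers face the problems described in [RFC8192]" reads better. Expanding VoIP and VoLTE on first use here is the right change; make sure later occurrences in the same section keep using only the abbreviations.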
skipping to change at page 4, line 27 skipping to change at page 4, line 27
as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy
rules where 'E', 'C', and 'A' mean "Event", "Condition", and rules where 'E', 'C', and 'A' mean "Event", "Condition", and
"Action", respectively. The condition involves IPv4 or IPv6 "Action", respectively. The condition involves IPv4 or IPv6
datagrams, and the action includes "Allow" and "Deny" for those datagrams, and the action includes "Allow" and "Deny" for those
datagrams. datagrams.
Note that the NSF-Facing Interface [RFC8329] is used to configure the Note that the NSF-Facing Interface [RFC8329] is used to configure the
security policy rules of the generic network security functions, and security policy rules of the generic network security functions, and
The configuration of advanced security functions over the NSF-Facing The configuration of advanced security functions over the NSF-Facing
Interface is used to configure the security policy rules of advanced Interface is used to configure the security policy rules of advanced
network security functions (e.g., anti-virus and anti-DDoS attack), network security functions (e.g., anti-virus and Distributed-Denial-
respectively, according to the capabilities of NSFs registered with of-Service (DDoS) attack mitigator), respectively, according to the
the I2NSF Framework. capabilities of NSFs registered with the I2NSF Framework.
+------------------------------------------------------+ +------------------------------------------------------+
| I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | I2NSF User (e.g., Overlay Network Mgmt, Enterprise |
| Network Mgmt, another network domain's mgmt, etc.) | | Network Mgmt, another network domain's mgmt, etc.) |
+--------------------+---------------------------------+ +--------------------+---------------------------------+
I2NSF ^ I2NSF ^
Consumer-Facing Interface | Consumer-Facing Interface |
| |
v I2NSF v I2NSF
+-----------------+------------+ Registration +-------------+ +-----------------+------------+ Registration +-------------+
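Review bot: The sentence beginning "Note that the NSF-Facing Interface [RFC8329] is used to configure..." still has a capitalized "The" after "and" in mid-sentence ("and The configuration of advanced security functions"), which is present in both versions, and the trailing "respectively" has nothing to pair with since each clause already names its own function class; suggest splitting into two sentences: one for generic functions over the NSF-Facing Interface, one for advanced functions. The new expansion "Distributed-Denial-of-Service (DDoS) attack mitigator" is good, but the Introduction and Section 4 elsewhere write "anti-DDoS"; pick one spelling (hyphenated or not) for the whole draft.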
skipping to change at page 8, line 17 skipping to change at page 8, line 17
Condition capabilities are used to specify capabilities of a set of Condition capabilities are used to specify capabilities of a set of
attributes, features, and/or values that are to be compared with a attributes, features, and/or values that are to be compared with a
set of known attributes, features, and/or values in order to set of known attributes, features, and/or values in order to
determine whether or not the set of actions in that (imperative) determine whether or not the set of actions in that (imperative)
I2NSF policy rule can be executed. The condition capabilities are I2NSF policy rule can be executed. The condition capabilities are
classified in terms of generic network security functions and classified in terms of generic network security functions and
advanced network security functions. The condition capabilities of advanced network security functions. The condition capabilities of
generic network security functions are defined as IPv4 capability, generic network security functions are defined as IPv4 capability,
IPv6 capability, TCP capability, UDP capability, and ICMP capability. IPv6 capability, TCP capability, UDP capability, and ICMP capability.
The condition capabilities of advanced network security functions are The condition capabilities of advanced network security functions are
defined as anti-virus capability, anti-DDoS capability, IPS defined as anti-virus capability, anti-DDoS capability, Intrusion
capability, HTTP capability, and VoIP/VoLTE capability. See Prevention System (IPS) capability, HTTP capability, and VoIP/VoLTE
Section 3.1 (Design Principles and ECA Policy Model Overview) in capability. See Section 3.1 (Design Principles and ECA Policy Model
[I-D.ietf-i2nsf-capability] for more information about the condition Overview) in [I-D.ietf-i2nsf-capability] for more information about
in the ECA policy model. Also, see Section 3.4.3 (I2NSF Condition the condition in the ECA policy model. Also, see Section 3.4.3
Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more (I2NSF Condition Clause Operator Types) in
information about the operator types in an I2NSF condition clause. [I-D.ietf-i2nsf-capability] for more information about the operator
types in an I2NSF condition clause.
Action capabilities are used to specify the capabilities that Action capabilities are used to specify the capabilities that
describe the control and monitoring aspects of flow-based NSFs when describe the control and monitoring aspects of flow-based NSFs when
the event and condition clauses are satisfied. The action the event and condition clauses are satisfied. The action
capabilities are defined as ingress-action capability, egress-action capabilities are defined as ingress-action capability, egress-action
capability, and log-action capability. See Section 3.1 (Design capability, and log-action capability. See Section 3.1 (Design
Principles and ECA Policy Model Overview) in Principles and ECA Policy Model Overview) in
[I-D.ietf-i2nsf-capability] for more information about the action in [I-D.ietf-i2nsf-capability] for more information about the action in
the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow
Security Policy Structure) in [RFC8329] for more information about Security Policy Structure) in [RFC8329] for more information about
skipping to change at page 9, line 9 skipping to change at page 9, line 10
strategy. strategy.
Default action capabilities are used to specify the capabilities that Default action capabilities are used to specify the capabilities that
describe how to execute I2NSF policy rules when no rule matches a describe how to execute I2NSF policy rules when no rule matches a
packet. The default action capabilities are defined as pass, drop, packet. The default action capabilities are defined as pass, drop,
alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy
and Default Action) in [I-D.ietf-i2nsf-capability] for more and Default Action) in [I-D.ietf-i2nsf-capability] for more
information about the default action. information about the default action.
IPsec method capabilities are used to specify capabilities of how to IPsec method capabilities are used to specify capabilities of how to
support an Internet Key Exchange (IKE) for the security support an Internet Key Exchange (IKE) [RFC7296] for the security
communication. The default action capabilities are defined as IKE or communication. The default action capabilities are defined as IKE or
IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more
information about the SDN-based IPsec flow protection in I2NSF. information about the SDN-based IPsec flow protection in I2NSF.
5. YANG Data Model of I2NSF NSF Capability 5. YANG Data Model of I2NSF NSF Capability
This section introduces a YANG module for NSFs' capabilities, as This section introduces a YANG module for NSFs' capabilities, as
defined in the [I-D.ietf-i2nsf-capability]. defined in the [I-D.ietf-i2nsf-capability].
This YANG module imports from [RFC6991]. It makes references to [RFC This YANG module imports from [RFC6991]. It makes references to [RFC
0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261][RFC4 0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261][RFC4
443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf- 443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-
monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection].
<CODE BEGINS> file "ietf-i2nsf-capability@2020-09-06.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2020-09-08.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
skipping to change at page 10, line 23 skipping to change at page 10, line 25
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
http://trustee.ietf.org/license-info). http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
revision "2020-09-06"{ revision "2020-09-08"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Identities * Identities
*/ */
identity event { identity event {
description description
"Base identity for I2NSF policy events."; "Base identity for I2NSF policy events.";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - Event"; Monitoring YANG Data Model - Event";
// RFC Ed.: replace the above draft with an actual RFC in the
// YANG module and remove this note.
} }
identity system-event-capability { identity system-event-capability {
base event; base event;
description description
"Identity for system event"; "Identity for system event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event"; Monitoring YANG Data Model - System event";
} }
identity system-alarm-capability { identity system-alarm-capability {
base event; base event;
description description
"Identity for system alarm"; "Identity for system alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm"; Monitoring YANG Data Model - System alarm";
} }
identity access-violation { identity access-violation {
base system-event-capability; base system-event-capability;
description description
"Identity for access violation event"; "Identity for access violation event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for access Monitoring YANG Data Model - System event for access
violation"; violation";
} }
identity configuration-change { identity configuration-change {
base system-event-capability; base system-event-capability;
description description
"Identity for configuration change event"; "Identity for configuration change event";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System event for configuration Monitoring YANG Data Model - System event for configuration
change"; change";
} }
identity memory-alarm { identity memory-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for memory alarm"; "Identity for memory alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for memory"; Monitoring YANG Data Model - System alarm for memory";
} }
identity cpu-alarm { identity cpu-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for CPU alarm"; "Identity for CPU alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for CPU"; Monitoring YANG Data Model - System alarm for CPU";
} }
identity disk-alarm { identity disk-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for disk alarm"; "Identity for disk alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for disk"; Monitoring YANG Data Model - System alarm for disk";
} }
identity hardware-alarm { identity hardware-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for hardware alarm"; "Identity for hardware alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for hardware"; Monitoring YANG Data Model - System alarm for hardware";
} }
identity interface-alarm { identity interface-alarm {
base system-alarm-capability; base system-alarm-capability;
description description
"Identity for interface alarm"; "Identity for interface alarm";
reference reference
"draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
Monitoring YANG Data Model - System alarm for interface"; Monitoring YANG Data Model - System alarm for interface";
} }
identity condition { identity condition {
description description
"Base identity for policy conditions"; "Base identity for policy conditions";
} }
identity context-capability { identity context-capability {
base condition; base condition;
description description
"Identity for context condition capabilities"; "Identity for context condition capabilities for an NSF";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - The operating context of an NSF.";
} }
identity acl-number { identity access-control-list {
base context-capability; base context-capability;
description description
"Identity for ACL number condition capability"; "Identity for Access Control List (ACL) condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - The context of an NSF.
RFC 8519: YANG Data Model for Network Access Control Lists
(ACLs) - A user-ordered set of rules used to configure the
forwarding behavior in an NSF.";
} }
identity application { identity application-layer-filter {
base context-capability; base context-capability;
description description
"Identity for application condition capability"; "Identity for application-layer-filter condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - An application-layer filtering (e.g., web
filter) as an NSF.";
} }
identity target { identity target {
base context-capability; base context-capability;
description description
"Identity for target condition capability"; "Identity for target condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - A target (or destination) of a policy rule
to be applied by an NSF.
RFC 8519: YANG Data Model for Network Access Control Lists
(ACLs) - An access control for a target (e.g., the
corresponding IP address) in an NSF.";
} }
identity user { identity user {
base context-capability; base context-capability;
description description
"Identity for user condition capability"; "Identity for user condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - A user in an application of a policy rule
to be applied by an NSF.
RFC 8519: YANG Data Model for Network Access Control Lists
(ACLs) - An access control for a user (e.g., the
corresponding IP address) in an NSF.";
} }
identity group { identity group {
base context-capability; base context-capability;
description description
"Identity for group condition capability"; "Identity for group condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - A group (i.e., a set of users) in an
application of a policy rule to be applied by an NSF.
RFC 8519: YANG Data Model for Network Access Control Lists
(ACLs) - An access control for a group (e.g., the
corresponding IP address) in an NSF.";
} }
identity geography { identity geography {
base context-capability; base context-capability;
description description
"Identity for geography condition capability"; "Identity for geography condition capability";
reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - A group (i.e., a set of users) in an
application of a policy rule to be applied by an NSF.
RFC 8519: YANG Data Model for Network Access Control Lists
(ACLs) - An access control for a geographical location
i.e., geolocation (e.g., the corresponding IP address) in
an NSF.
RFC 8805: A Format for Self-Published IP Geolocation Feeds
- An IP address with geolocation information.";
} }
identity ipv4-capability { identity ipv4-capability {
base condition; base condition;
description description
"Identity for IPv4 condition capability"; "Identity for IPv4 condition capability";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
} }
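Review bot: The new reference text under "identity geography" is copied from "identity group" and does not describe geography: it reads "A group (i.e., a set of users) in an application of a policy rule to be applied by an NSF." where it should describe a geographical location or geolocation condition, as the RFC 8519 and RFC 8805 lines that follow do. Separately, the renames "acl-number" to "access-control-list" and "application" to "application-layer-filter" change identity names that NSFs would send over the Registration Interface; since the revision statement still says "Initial revision", that is acceptable, but any Appendix A examples and the tree diagram in Section 4 that use the old names need the same update. The "RFC Ed.: replace the above draft with an actual RFC" note is added only under "identity event" although every system-event and system-alarm identity cites the same draft; either state that the note applies to all such references or add it once at module level.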
skipping to change at page 23, line 42 skipping to change at page 24, line 48
} }
identity pass { identity pass {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for pass action capability"; "Identity for pass action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress, egress, and pass actions Functions - Ingress, egress, and pass actions.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Actions and default action"; NSFs Capabilities - Actions and default action.";
} }
identity drop { identity drop {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for drop action capability"; "Identity for drop action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress, egress, and drop actions Functions - Ingress, egress, and drop actions.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Actions and default action"; NSFs Capabilities - Actions and default action.";
} }
identity alert { identity alert {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for alert action capability"; "Identity for alert action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress, egress, and alert actions Functions - Ingress, egress, and alert actions.
draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
NSF Monitoring YANG Data Model - Alarm (i.e., alert) NSF Monitoring YANG Data Model - Alarm (i.e., alert).
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Actions and default action"; NSFs Capabilities - Actions and default action.";
} }
identity mirror { identity mirror {
base ingress-action-capability; base ingress-action-capability;
base egress-action-capability; base egress-action-capability;
base default-action-capability; base default-action-capability;
description description
"Identity for mirror action capability"; "Identity for mirror action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress, egress, and mirror actions Functions - Ingress, egress, and mirror actions.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Actions and default action"; NSFs Capabilities - Actions and default action.";
} }
identity invoke-signaling { identity invoke-signaling {
base egress-action-capability; base egress-action-capability;
description description
"Identity for invoke signaling action capability"; "Identity for invoke signaling action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Invoke-signaling action"; Functions - Invoke-signaling action";
} }
identity tunnel-encapsulation { identity tunnel-encapsulation {
base egress-action-capability; base egress-action-capability;
description description
"Identity for tunnel encapsulation action capability"; "Identity for tunnel encapsulation action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Tunnel-encapsulation action"; Functions - Tunnel-encapsulation action";
} }
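Review bot: This revision adds a terminating period to the reference strings of pass, drop, alert, and mirror ("... and pass actions." and "... Actions and default action."), but the reference strings of invoke-signaling ("Functions - Invoke-signaling action") and tunnel-encapsulation ("Functions - Tunnel-encapsulation action") in the same block are left without one; apply the same punctuation to all reference statements for consistency.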
skipping to change at page 26, line 25 skipping to change at page 27, line 30
NSFs Capabilities - Resolution Strategy"; NSFs Capabilities - Resolution Strategy";
} }
identity pmre { identity pmre {
base resolution-strategy-capability; base resolution-strategy-capability;
description description
"Identity for Prioritized Matching Rule with Errors (PMRE) "Identity for Prioritized Matching Rule with Errors (PMRE)
resolution strategy capability"; resolution strategy capability";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs "draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - Resolution Strategy"; Capabilities - Resolution Strategy";
} }
identity pmrn { identity pmrn {
base resolution-strategy-capability; base resolution-strategy-capability;
description description
"Identity for Prioritized Matching Rule with No Errors (PMRN) "Identity for Prioritized Matching Rule with No Errors (PMRN)
resolution strategy capability"; resolution strategy capability";
reference reference
"draft-ietf-i2nsf-capability-05: Information Model of NSFs "draft-ietf-i2nsf-capability-05: Information Model of NSFs
Capabilities - Resolution Strategy"; Capabilities - Resolution Strategy";
} }
identity advanced-nsf-capability { identity advanced-nsf-capability {
description description
"Base identity for advanced Network Security Function (NSF) "Base identity for advanced Network Security Function (NSF)
capability. This can be used for advanced NSFs such as capability. This can be used for advanced NSFs such as
Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security
Service."; Service.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF capability"; Functions - Advanced NSF capability";
} }
identity anti-virus-capability { identity anti-virus-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Anti-Virus capability. "Identity for advanced NSF Anti-Virus capability.
This can be used for an extension point for Anti-Virus This can be used for an extension point for Anti-Virus
as an advanced NSF."; as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
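Review bot: the reference statements for pmre and pmrn in this hunk embed a specific draft version ("draft-ietf-i2nsf-capability-05") inside the YANG module text, which becomes wrong the moment that draft is published or revised; add an RFC Editor note asking that the draft name and version be replaced with the assigned RFC number, the same way the IANA section handles this document's own number with "[ RFC-to-be ]".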
skipping to change at page 27, line 26 skipping to change at page 28, line 32
This can be used for an extension point for Anti-DDoS This can be used for an extension point for Anti-DDoS
Attack as an advanced NSF."; Attack as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS Attack capability"; Functions - Advanced NSF Anti-DDoS Attack capability";
} }
identity ips-capability { identity ips-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF Intrusion Prevention System "Identity for advanced NSF IPS capabilities. This can be
(IPS) capabilities. This can be used for an extension used for an extension point for IPS as an advanced NSF.";
point for IPS as an advanced NSF.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF IPS capability"; Functions - Advanced NSF IPS capability";
} }
identity voip-volte-capability { identity voip-volte-capability {
base advanced-nsf-capability; base advanced-nsf-capability;
description description
"Identity for advanced NSF VoIP/VoLTE Security Service "Identity for advanced NSF VoIP/VoLTE Security Service
capability. This can be used for an extension point capability. This can be used for an extension point
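Review bot: the -11 column drops the expansion "Intrusion Prevention System (IPS)" from the ips-capability description, and the base identity advanced-nsf-capability earlier in this diff also uses the bare acronym "IPS"; within the visible module text the acronym is now never expanded, so keep the expansion in at least the first description that uses it.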
skipping to change at page 33, line 6 skipping to change at page 34, line 10
} }
identity ike { identity ike {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPsec Internet Key Exchange (IKE) "Identity for an IPsec Internet Key Exchange (IKE)
capability"; capability";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow Software-Defined Networking (SDN)-based IPsec Flow
Protection - IPsec method with IKE"; Protection - IPsec method with IKE.
RFC 7296: Internet Key Exchange Protocol Version 2
(IKEv2) - IKE as a component of IPsec used for
performing mutual authentication and establishing and
maintaining Security Associations (SAs).";
} }
identity ikeless { identity ikeless {
base ipsec-capability; base ipsec-capability;
description description
"Identity for an IPsec without Internet Key Exchange (IKE) "Identity for an IPsec without Internet Key Exchange (IKE)
capability"; capability";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
Software-Defined Networking (SDN)-based IPsec Flow Software-Defined Networking (SDN)-based IPsec Flow
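Review bot: the ikeless description "Identity for an IPsec without Internet Key Exchange (IKE) capability" attaches "capability" to IKE rather than to IPsec; suggest "Identity for an IPsec capability that does not use the Internet Key Exchange (IKE)", parallel to the ike identity directly above it.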
skipping to change at page 33, line 29 skipping to change at page 34, line 37
/* /*
* Grouping * Grouping
*/ */
grouping nsf-capabilities { grouping nsf-capabilities {
description description
"Network Security Function (NSF) Capabilities"; "Network Security Function (NSF) Capabilities";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Capability Information Model Design"; NSFs Capabilities - Capability Information Model Design.";
leaf-list time-capabilities { leaf-list time-capabilities {
type enumeration { type enumeration {
enum absolute-time { enum absolute-time {
description description
"absolute time capabilities. "absolute time capabilities.
If a network security function has the absolute time If a network security function has the absolute time
capability, the network security function supports capability, the network security function supports
rule execution according to absolute time."; rule execution according to absolute time.";
} }
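Review bot: the absolute-time enum description starts in lower case ("absolute time capabilities.") while the other descriptions in the module start with a capital ("Capabilities of events.", "Action capabilities."); capitalise it for consistency, since these strings surface verbatim in generated tree and HTML documentation.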
skipping to change at page 34, line 16 skipping to change at page 35, line 23
container event-capabilities { container event-capabilities {
description description
"Capabilities of events. "Capabilities of events.
If a network security function has the event capabilities, If a network security function has the event capabilities,
the network security function supports rule execution the network security function supports rule execution
according to system event and system alarm."; according to system event and system alarm.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Design Principles and ECA Policy NSFs Capabilities - Design Principles and ECA Policy
Model Overview Model Overview.
draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
NSF Monitoring YANG Data Model - System Alarm and NSF Monitoring YANG Data Model - System Alarm and
System Events"; System Events.";
leaf-list system-event-capability { leaf-list system-event-capability {
type identityref { type identityref {
base system-event-capability; base system-event-capability;
} }
description description
"System event capabilities"; "System event capabilities";
} }
leaf-list system-alarm-capability { leaf-list system-alarm-capability {
skipping to change at page 35, line 4 skipping to change at page 36, line 13
"Conditions capabilities."; "Conditions capabilities.";
container generic-nsf-capabilities { container generic-nsf-capabilities {
description description
"Conditions capabilities. "Conditions capabilities.
If a network security function has the condition If a network security function has the condition
capabilities, the network security function capabilities, the network security function
supports rule execution according to conditions of supports rule execution according to conditions of
IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload.";
reference reference
"RFC 791: Internet Protocol - IPv4 "RFC 791: Internet Protocol - IPv4.
RFC 792: Internet Control Message Protocol - ICMP RFC 792: Internet Control Message Protocol - ICMP.
RFC 793: Transmission Control Protocol - TCP RFC 793: Transmission Control Protocol - TCP.
RFC 768: User Datagram Protocol - UDP RFC 768: User Datagram Protocol - UDP.
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - IPv6 Specification - IPv6.
RFC 4443: Internet Control Message Protocol (ICMPv6) RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6 - ICMPv6.
RFC 8329: Framework for Interface to Network Security RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure Functions - I2NSF Flow Security Policy Structure.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Design Principles and ECA Policy NSFs Capabilities - Design Principles and ECA Policy
Model Overview"; Model Overview.";
leaf-list ipv4-capability { leaf-list ipv4-capability {
type identityref { type identityref {
base ipv4-capability; base ipv4-capability;
} }
description description
"IPv4 packet capabilities"; "IPv4 packet capabilities";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
} }
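Review bot: container generic-nsf-capabilities carries the same description as its parent, "Conditions capabilities." (the parent's description is the line just above it in this hunk), so the two nodes are indistinguishable in generated documentation; describe the child as the packet-header and payload condition capabilities (IPv4, IPv6, TCP, UDP, ICMP, ICMPv6 and payload, as its second sentence already lists) and leave the parent as the umbrella for both the generic and the advanced NSF condition capabilities. Also order the protocol references numerically (RFC 768 before RFC 791).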
skipping to change at page 37, line 24 skipping to change at page 38, line 32
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF Anti-DDoS Attack capabilities"; Functions - Advanced NSF Anti-DDoS Attack capabilities";
} }
leaf-list ips-capability { leaf-list ips-capability {
type identityref { type identityref {
base ips-capability; base ips-capability;
} }
description description
"Intrusion Prevention System (IPS) capabilities"; "IPS capabilities";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Advanced NSF IPS capabilities"; Functions - Advanced NSF IPS capabilities";
} }
leaf-list url-capability { leaf-list url-capability {
type identityref { type identityref {
base url-capability; base url-capability;
} }
description description
skipping to change at page 38, line 16 skipping to change at page 39, line 24
base context-capability; base context-capability;
} }
description description
"Security context capabilities"; "Security context capabilities";
} }
} }
container action-capabilities { container action-capabilities {
description description
"Action capabilities. "Action capabilities.
If a network security function has the action If a network security function has the action capabilities,
capabilities, the network security function supports the network security function supports the attendant
the attendant actions for policy rules."; actions for policy rules.";
leaf-list ingress-action-capability { leaf-list ingress-action-capability {
type identityref { type identityref {
base ingress-action-capability; base ingress-action-capability;
} }
description description
"Ingress-action capabilities"; "Ingress-action capabilities";
} }
leaf-list egress-action-capability { leaf-list egress-action-capability {
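Review bot: container action-capabilities has no reference statement, whereas event-capabilities and generic-nsf-capabilities each cite RFC 8329 and draft-ietf-i2nsf-capability-05; add one (RFC 8329, ingress and egress actions, as the default-action-capability leaf-list does). The description's "attendant actions" is also vague; name them: the ingress, egress and default actions modelled by the leaf-lists under this container.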
skipping to change at page 39, line 23 skipping to change at page 40, line 30
type identityref { type identityref {
base default-action-capability; base default-action-capability;
} }
description description
"Default action capabilities. "Default action capabilities.
A default action is used to execute I2NSF policy rules A default action is used to execute I2NSF policy rules
when no rule matches a packet. The default action is when no rule matches a packet. The default action is
defined as pass, drop, alert, or mirror."; defined as pass, drop, alert, or mirror.";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Ingress and egress actions Functions - Ingress and egress actions.
draft-ietf-i2nsf-capability-05: Information Model of draft-ietf-i2nsf-capability-05: Information Model of
NSFs Capabilities - Default action capabilities"; NSFs Capabilities - Default action capabilities.";
} }
leaf-list ipsec-method { leaf-list ipsec-method {
type identityref { type identityref {
base ipsec-capability; base ipsec-capability;
} }
description description
"IPsec method capabilities"; "IPsec method capabilities";
reference reference
"draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
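Review bot: the default-action-capability description "A default action is used to execute I2NSF policy rules when no rule matches a packet" is self-contradictory (no rule is executed when none matches); say "A default action is the action applied to a packet when no I2NSF policy rule matches it." The second sentence hard-codes "pass, drop, alert, or mirror", but the leaf-list is an identityref with base default-action-capability, so the actual set is whatever identities derive from that base and the prose will drift as soon as one is added; either drop the enumeration or phrase it as examples.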
skipping to change at page 40, line 19 skipping to change at page 41, line 27
<CODE ENDS> <CODE ENDS>
Figure 3: YANG Data Module of I2NSF Capability Figure 3: YANG Data Module of I2NSF Capability
6. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
ID: yang:ietf-i2nsf-capability
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
Registrant Contact: The IESG. Filename: [ TBD-at-Registration ]
XML: N/A; the requested URI is an XML namespace. Reference: [ RFC-to-be ]
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950][RFC8525]: the "YANG Module Names" registry [RFC7950][RFC8525]:
name: ietf-i2nsf-capability Name: ietf-i2nsf-capability
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability File: [ TBD-at-Registration ]
prefix: nsfcap Maintained by IANA? N
reference: RFC XXXX Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
Prefix: nsfcap
// RFC Ed.: replace XXXX with an actual RFC number and remove Module:
// this note. Reference: [ RFC-to-be ]
7. Security Considerations 7. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required transport secure the secure transport layer, and the required transport secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the required transport secure transport is TLS is HTTPS, and the required transport secure transport is TLS
[RFC8446]. [RFC8446].
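Review bot: in the Security Considerations the phrase "the required transport secure transport is" (used twice, once for SSH and once for TLS) doubles the word "transport"; the RFC 8407 template text this paragraph follows reads "the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]" and "the mandatory-to-implement secure transport is TLS [RFC8446]", and using that wording also makes the requirement level explicit.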
skipping to change at page 41, line 29 skipping to change at page 42, line 36
nodes and their sensitivity/vulnerability: nodes and their sensitivity/vulnerability:
o ietf-i2nsf-capability: An attacker could gather the security o ietf-i2nsf-capability: An attacker could gather the security
capability information of any NSF and use this information to capability information of any NSF and use this information to
evade detection or filtering. evade detection or filtering.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-i2nsf-capability]
Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-05 (work in progress), April 2019.
[I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-03 (work in progress), May 2020.
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
"Software-Defined Networking (SDN)-based IPsec Flow
Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
(work in progress), June 2020.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980, DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>. <https://www.rfc-editor.org/info/rfc768>.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
DOI 10.17487/RFC0791, September 1981, DOI 10.17487/RFC0791, September 1981,
<https://www.rfc-editor.org/info/rfc791>. <https://www.rfc-editor.org/info/rfc791>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981, RFC 792, DOI 10.17487/RFC0792, September 1981,
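Review bot: the -11 column deletes the three Internet-Draft entries that -10 listed under Normative References here (and again, duplicated, under Informative References further down), and the visible -11 text does not add them back anywhere, yet the module's reference statements still cite draft-ietf-i2nsf-capability-05, draft-ietf-i2nsf-nsf-monitoring-data-model-04 and draft-ietf-i2nsf-sdn-ipsec-flow-protection-08. Restore the three entries once, under 8.1 since the module text depends on them, with the monitoring entry bumped from -03 to -04 to match the reference statement in event-capabilities.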
skipping to change at page 43, line 5 skipping to change at page 44, line 28
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
and J. Jeong, "Interface to Network Security Functions and J. Jeong, "Interface to Network Security Functions
skipping to change at page 44, line 5 skipping to change at page 45, line 33
[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
S., and N. Bahadur, "A YANG Data Model for the Routing S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>. September 2018, <https://www.rfc-editor.org/info/rfc8431>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8519] Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
"YANG Data Model for Network Access Control Lists (ACLs)",
RFC 8519, DOI 10.17487/RFC8519, March 2019,
<https://www.rfc-editor.org/info/rfc8519>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
8.2. Informative References [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
Kumari, "A Format for Self-Published IP Geolocation
[I-D.ietf-i2nsf-capability] Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
Xia, L., Strassner, J., Basile, C., and D. Lopez, <https://www.rfc-editor.org/info/rfc8805>.
"Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-05 (work in progress), April 2019.
[I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-03 (work in progress), May 2020.
[I-D.ietf-i2nsf-sdn-ipsec-flow-protection] 8.2. Informative References
Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
"Software-Defined Networking (SDN)-based IPsec Flow
Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
(work in progress), June 2020.
[IANA-Protocol-Numbers] [IANA-Protocol-Numbers]
"Assigned Internet Protocol Numbers", Available: "Assigned Internet Protocol Numbers", Available:
https://www.iana.org/assignments/protocol- https://www.iana.org/assignments/protocol-
numbers/protocol-numbers.xhtml, September 2020. numbers/protocol-numbers.xhtml, September 2020.
Appendix A. Configuration Examples Appendix A. Configuration Examples
This section shows configuration examples of "ietf-i2nsf-capability" This section shows configuration examples of "ietf-i2nsf-capability"
module for capabilities registration of general firewall. module for capabilities registration of general firewall.
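Review bot: [RFC8519] and [RFC8805] are added to Normative References in -11, but no line in this diff cites either of them; confirm each is cited in the body or the module and, if the citation is only illustrative, move it to Informative References, since a normative reference is one an implementer must read to implement the module. The Appendix A lead sentence also needs its articles: "configuration examples of the "ietf-i2nsf-capability" module for registering the capabilities of a general firewall".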
 End of changes. 76 change blocks. 
114 lines changed or deleted 185 lines changed or added
