draft-ietf-i2nsf-registration-interface-dm-02.txt   draft-ietf-i2nsf-registration-interface-dm-03.txt 
I2NSF Working Group S. Hyun I2NSF Working Group S. Hyun
Internet-Draft Chosun University Internet-Draft Chosun University
Intended status: Standards Track J. Jeong Intended status: Standards Track J. Jeong
Expires: September 12, 2019 T. Roh Expires: September 29, 2019 T. Roh
S. Wi S. Wi
Sungkyunkwan University Sungkyunkwan University
J. Park J. Park
ETRI ETRI
March 11, 2019 March 28, 2019
I2NSF Registration Interface YANG Data Model I2NSF Registration Interface YANG Data Model
draft-ietf-i2nsf-registration-interface-dm-02 draft-ietf-i2nsf-registration-interface-dm-03
Abstract Abstract
This document defines an information model and a YANG data model for This document defines an information model and a YANG data model for
Interface to Network Security Functions (I2NSF) Registration Interface to Network Security Functions (I2NSF) Registration
Interface between Security Controller and Developer's Management Interface between Security Controller and Developer's Management
System (DMS). The objective of these information and data models is System (DMS). The objective of these information and data models is
to support NSF capability registration and query via I2NSF to support NSF capability registration and query via I2NSF
Registration Interface. Registration Interface.
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on September 29, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 9 skipping to change at page 3, line 9
Appendix A. XML Example of Registration Interface Data Model . . 19 Appendix A. XML Example of Registration Interface Data Model . . 19
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for Capabilities of General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 19 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 19
A.2. Example 2: Registration for Capabilities of Time based A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 20 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 20
A.3. Example 3: Registration for Capabilities of Web Filter . 22 A.3. Example 3: Registration for Capabilities of Web Filter . 22
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE A.4. Example 4: Registration for Capabilities of VoIP/VoLTE
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 24 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 24
A.5. Example 5: Registration for Capabilities of HTTP and A.5. Example 5: Registration for Capabilities of HTTP and
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 26 HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 25
A.6. Example 6: Query for Capabilities of Time based Firewall 28 A.6. Example 6: Query for Capabilities of Time based Firewall 27
Appendix B. NSF Lifecycle Managmenet in NFV Environments . . . . 29 Appendix B. NSF Lifecycle Managmenet in NFV Environments . . . . 29
Appendix C. Changes from draft-ietf-i2nsf-registration- Appendix C. Changes from draft-ietf-i2nsf-registration-
interface-dm-01 . . . . . . . . . . . . . . . . . . 29 interface-dm-02 . . . . . . . . . . . . . . . . . . 29
Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 29 Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 29
Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 30 Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
A number of network security functions may exist in Interface to A number of network security functions may exist in Interface to
Network Security Functions (I2NSF) framework [RFC8329]. Since these Network Security Functions (I2NSF) framework [RFC8329]. Since these
NSFs likely have different security capabilities, it is important to NSFs likely have different security capabilities, it is important to
register the security capabilities of each NSF into the security register the security capabilities of each NSF into the security
controller. In addition, it is required to search NSFs of some controller. In addition, it is required to search NSFs of some
required security capabilities on demand. As an example, if required security capabilities on demand. As an example, if
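Review bot: the Appendix B entry in the table of contents reads "NSF Lifecycle Managmenet in NFV Environments" in both columns; "Managmenet" should be "Management", here and in the appendix heading the entry points to.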
skipping to change at page 12, line 23 skipping to change at page 12, line 23
This module contains the network access information of an NSF that is This module contains the network access information of an NSF that is
required to enable network communications with the NSF. required to enable network communications with the NSF.
6.2. YANG Data Modules 6.2. YANG Data Modules
This section introduces a YANG data module for the information model This section introduces a YANG data module for the information model
of the required data for the registration interface between Security of the required data for the registration interface between Security
Controller and Developer's Management System, as defined in Controller and Developer's Management System, as defined in
Section 5. Section 5.
<CODE BEGINS> file "ietf-i2nsf-reg-interface@2019-03-11.yang <CODE BEGINS> file "ietf-i2nsf-reg-interface@2019-03-28.yang"
module ietf-i2nsf-reg-interface{ module ietf-i2nsf-reg-interface{
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
prefix "iiregi"; prefix "iiregi";
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-i2nsf-capability{ import ietf-i2nsf-capability{
prefix capa; prefix capa;
reference "draft-ietf-i2nsf-capability reference "draft-ietf-i2nsf-capability
-data-model-02"; -data-model-04";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar WG List: <mailto:i2nsf@ietf.org>
<mailto:Linda.duhbar@huawei.com>
Editor: Sangwon Hyun WG Chair: Linda Dunbar
<mailto:swhyun77@skku.edu> <mailto:Linda.duhbar@huawei.com>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>
Editor: Taekyun Roh Editor: Sangwon Hyun
<mailto:tkroh0198@skku.edu> <mailto:swhyun77@skku.edu>
Editor: Sarang Wi Editor: Jaehoon Paul Jeong
<mailto:dnl9795@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Jung-Soo Park Editor: Taekyun Roh
<mailto:pjs@etri.re.kr>"; <mailto:tkroh0198@skku.edu>
description Editor: Sarang Wi
<mailto:dnl9795@skku.edu>
"It defines a YANG data model for Registration Interface. Editor: Jung-Soo Park
Copyright (c) 2018 IETF Trust and the persons identified as <mailto:pjs@etri.re.kr>";
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or description
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see "It defines a YANG data model for Registration Interface.
the RFC itself for full legal notices."; Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
revision 2019-03-11 { Redistribution and use in source and binary forms, with or
description "The third revision"; without modification, is permitted pursuant to, and subject
reference to the license terms contained in, the Simplified BSD License
"RFC XXXX: I2NSF Registration Interface YANG Data Model"; set forth in Section 4.c of the IETF Trust's Legal Provisions
} Relating to IETF Documents
rpc i2nsf-nsf-capability-query { (http://trustee.ietf.org/license-info).
description
"Capability information that the This version of this YANG module is part of RFC XXXX; see
Security Controller the RFC itself for full legal notices.";
sends to the DMS";
input{
container query-i2nsf-capability-info {
description
"i2nsf capability information";
uses "capa:nsf-capabilities";
reference
"draft-ietf-i2nsf-capability
-data-model-02";
}
revision 2019-03-28 {
description "The third revision";
reference
"RFC XXXX: I2NSF Registration Interface YANG Data Model";
} }
output{ rpc i2nsf-nsf-capability-query {
container nsf-access-info { description
description "Capability information that the
"nsf access information"; Security Controller
uses i2nsf-nsf-access-info; sends to the DMS";
input{
container query-i2nsf-capability-info {
description
"i2nsf capability information";
uses "capa:nsf-capabilities";
reference
"draft-ietf-i2nsf-capability
-data-model-04";
}
}
output{
container nsf-access-info {
description
"nsf access information";
uses i2nsf-nsf-access-info;
}
} }
}
}
container i2nsf-nsf-registrations{
description
"i2nsf-nsf-registrations";
list i2nsf-nsf-capability-registration {
key "nsf-name";
description
"Requeired information for registration";
leaf nsf-name {
type string;
mandatory true;
description
"nsf-name";
}
container nsf-capability-info {
description
"nsf-capability-information";
uses i2nsf-nsf-capability-info;
}
container nsf-access-info {
description
"nsf-access-info";
uses i2nsf-nsf-access-info;
} }
} container i2nsf-nsf-registrations{
}
grouping i2nsf-nsf-performance-capability {
description
"NSF performance capailities";
container processing{
description
"processing info";
leaf processing-average{
type uint16;
description
"processing-average";
}
leaf processing-peak{
type uint16;
description
"processing peak";
}
}
container bandwidth{
description description
"bandwidth info"; "i2nsf-nsf-registrations";
container outbound{ list i2nsf-nsf-capability-registration {
description key "nsf-name";
"outbound"; description
leaf outbound-average{ "Requeired information for registration";
type uint16; leaf nsf-name {
type string;
mandatory true;
description description
"outbound-average"; "nsf-name";
}
container nsf-capability-info {
description
"nsf-capability-information";
uses i2nsf-nsf-capability-info;
}
container nsf-access-info {
description
"nsf-access-info";
uses i2nsf-nsf-access-info;
}
} }
leaf outbound-peak{ }
type uint16;
description grouping i2nsf-nsf-performance-capability {
"outbound-peak";
}
}
container inbound{
description description
"inbound"; "NSF performance capailities";
leaf inbound-average{ container processing{
description
"processing info";
leaf processing-average{
type uint16; type uint16;
description description
"inbound-average"; "processing-average";
}
leaf processing-peak{
type uint16;
description
"processing peak";
}
}
container bandwidth{
description
"bandwidth info";
container outbound{
description
"outbound";
leaf outbound-average{
type uint16;
description
"outbound-average";
}
leaf outbound-peak{
type uint16;
description
"outbound-peak";
}
} }
leaf inbound-peak{ container inbound{
type uint16; description
description "inbound";
"inbound-peak"; leaf inbound-average{
type uint16;
description
"inbound-average";
}
leaf inbound-peak{
type uint16;
description
"inbound-peak";
}
} }
} }
} }
} grouping i2nsf-nsf-capability-info {
grouping i2nsf-nsf-capability-info {
description
"Detail information of an NSF";
container i2nsf-capability {
description description
"ietf i2nsf capability information"; "Detail information of an NSF";
uses "capa:nsf-capabilities"; container i2nsf-capability {
reference "draft-ietf-i2nsf-capability description
-data-model-02"; "ietf i2nsf capability information";
} uses "capa:nsf-capabilities";
container nsf-performance-capability { reference "draft-ietf-i2nsf-capability
description -data-model-04";
"performance capability"; }
uses i2nsf-nsf-performance-capability; container nsf-performance-capability {
} description
} "performance capability";
uses i2nsf-nsf-performance-capability;
}
}
grouping i2nsf-nsf-access-info { grouping i2nsf-nsf-access-info {
description description
"NSF access information"; "NSF access information";
leaf nsf-instance-name { leaf nsf-instance-name {
type string; type string;
description description
"nsf-instance-name"; "nsf-instance-name";
} }
leaf nsf-address { leaf nsf-address {
type inet:ipv4-address; type inet:ipv4-address;
mandatory true; mandatory true;
description description
"nsf-address"; "nsf-address";
} }
leaf nsf-port-address { leaf nsf-port-address {
type inet:port-number; type inet:port-number;
description description
"nsf-port-address"; "nsf-port-address";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 11: Registration Interface YANG Data Model Figure 11: Registration Interface YANG Data Model
7. IANA Considerations 7. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface
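Review bot: the revision statement in the module was updated to 2019-03-28, but its description still reads "The third revision" and the earlier 2019-03-11 entry was replaced rather than kept, so the module carries no revision history; add a new `revision 2019-03-28` entry above the old one whose description states what changed (at least the import reference bump from draft-ietf-i2nsf-capability-data-model-02 to -04). Smaller points in the same module: "Requeired" and "capailities" are misspelled in description strings; the WG chair address `Linda.duhbar@huawei.com` does not match the name "Linda Dunbar" given directly above it; the module copyright says 2018 while the document is dated 2019; and `nsf-address` is typed `inet:ipv4-address`, which rules out registering an NSF reachable only over IPv6 (`inet:ip-address` from the already-imported ietf-inet-types would cover both).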
skipping to change at page 19, line 31 skipping to change at page 19, line 31
<nsf-capability-info> <nsf-capability-info>
<i2nsf-capability> <i2nsf-capability>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capa>capa:ipv4-protocol</ipv4-capa> <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
<ipv4-capa>capa:exact-ipv4-address</ipv4-capa> <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
<ipv4-capa>capa:range-ipv4-address</ipv4-capa> <ipv4-capa>capa:range-ipv4-address</ipv4-capa>
<tcp-capa>capa:exact-tcp-port-num</tcp-capa> <tcp-capa>capa:exact-tcp-port-num</tcp-capa>
<tcp-capa>capa:range-tcp-port-num</tcp-capa> <tcp-capa>capa:range-tcp-port-num</tcp-capa>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:alert</egress-action-capa>
</action-capabilities> </action-capabilities>
<ipsec-method>ikeless</ipsec-method>
</i2nsf-capability> </i2nsf-capability>
<nsf-performance-capability> <nsf-performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
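Review bot: the new `<ipsec-method>ikeless</ipsec-method>` element in Example 1 carries a bare value, while every other capability value in the same i2nsf-capability container is an identity qualified with the `capa:` prefix (`capa:ipv4-protocol`, `capa:pass`, and so on); since i2nsf-capability is populated by `uses "capa:nsf-capabilities"`, the leaf and its values (`ikeless` here, `ike` in later examples) must come from draft-ietf-i2nsf-capability-data-model-04, so confirm that the leaf is defined there as an enumeration (bare value correct) rather than an identityref (prefix required), and state in Section 6 which it is so readers can validate the example.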
skipping to change at page 20, line 33 skipping to change at page 20, line 34
2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4
address for IPv4 packets. address for IPv4 packets.
3. The NSF can inspect exact port number and range port number for 3. The NSF can inspect exact port number and range port number for
tcp packets. tcp packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
5. The NSF can have processing power and bandwidth. 5. The NSF can support IPsec not through IKEv2, but through a
Security Controller.
6. The location of the NSF is 221.159.112.100. 6. The NSF can have processing power and bandwidth.
7. The port of the NSF is 3000. 7. The location of the NSF is 221.159.112.100.
8. The port of the NSF is 3000.
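Review bot: item 5, "The NSF can support IPsec not through IKEv2, but through a Security Controller", describes what the XML expresses as `<ipsec-method>ikeless</ipsec-method>` but never names that value; add the value in parentheses so a reader can map the list item to the element (the same applies to the corresponding items in Examples 2 to 5, where the value is `ike` or `ikeless`).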
A.2. Example 2: Registration for Capabilities of Time based Firewall A.2. Example 2: Registration for Capabilities of Time based Firewall
This section shows a configuration example for capabilities This section shows a configuration example for capabilities
registration of time based firewall. registration of time based firewall.
<i2nsf-nsf-registrations <i2nsf-nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<i2nsf-nsf-capability-registration> <i2nsf-nsf-capability-registration>
skipping to change at page 21, line 21 skipping to change at page 21, line 25
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:alert</egress-action-capa>
</action-capabilities> </action-capabilities>
<ipsec-method>ike</ipsec-method>
</i2nsf-capability> </i2nsf-capability>
<nsf-performance-capability> <nsf-performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
skipping to change at page 22, line 16 skipping to change at page 22, line 21
2. The NSF can execute the security policy rule according to 2. The NSF can execute the security policy rule according to
absolute time and periodic time. absolute time and periodic time.
3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 3. The NSF can inspect protocol, exact IPv4 address, and range IPv4
address for IPv4 packets. address for IPv4 packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
5. The NSF can have processing power and bandwidth. 5. The NSF can support IPsec through IKEv2.
6. The location of the NSF is 221.159.112.110. 6. The NSF can have processing power and bandwidth.
7. The port of the NSF is 3000. 7. The location of the NSF is 221.159.112.110.
8. The port of the NSF is 3000.
A.3. Example 3: Registration for Capabilities of Web Filter A.3. Example 3: Registration for Capabilities of Web Filter
This section shows a configuration example for capabilities This section shows a configuration example for capabilities
registration of web filter. registration of web filter.
<i2nsf-nsf-registrations <i2nsf-nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<i2nsf-nsf-capability-registration> <i2nsf-nsf-capability-registration>
<nsf-name>web_filter_capability</nsf-name> <nsf-name>web_filter_capability</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<i2nsf-capability> <i2nsf-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<http-capa>capa:url</http-capa> <url-capa>capa:user-defined</url-capa>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:alert</egress-action-capa>
</action-capabilities> </action-capabilities>
<ipsec-method>ikeless</ipsec-method>
</i2nsf-capability> </i2nsf-capability>
<nsf-performance-capability> <nsf-performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
skipping to change at page 24, line 15 skipping to change at page 23, line 45
Figure 14 shows the configuration XML for registration of web filter Figure 14 shows the configuration XML for registration of web filter
and its capabilities are as follows. and its capabilities are as follows.
1. The instance name of the NSF is web_filter. 1. The instance name of the NSF is web_filter.
2. The NSF can inspect url for http and https packets. 2. The NSF can inspect url for http and https packets.
3. The NSF can control whether the packets are allowed to pass, 3. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
4. The NSF can have processing power and bandwidth. 4. The NSF can support IPsec not through IKEv2, but through a
Security Controller.
5. The location of the NSF is 221.159.112.120. 5. The NSF can have processing power and bandwidth.
6. The port of the NSF is 3000. 6. The location of the NSF is 221.159.112.120.
7. The port of the NSF is 3000.
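Review bot: item 2, "The NSF can inspect url for http and https packets", no longer matches the updated XML of Figure 14, where `<http-capa>capa:url</http-capa>` was replaced by `<url-capa>capa:user-defined</url-capa>`; reword the item to say the NSF filters against a user-defined URL capability (or whatever `capa:user-defined` denotes in the capability model) so the explanation and the example agree.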
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter
This section shows a configuration example for capabilities This section shows a configuration example for capabilities
registration of VoIP/VoLTE filter. registration of VoIP/VoLTE filter.
<i2nsf-nsf-registrations <i2nsf-nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<i2nsf-nsf-capability-registration> <i2nsf-nsf-capability-registration>
skipping to change at page 25, line 25 skipping to change at page 24, line 32
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:alert</egress-action-capa>
</action-capabilities> </action-capabilities>
<ipsec-method>ikeless</ipsec-method>
</i2nsf-capability> </i2nsf-capability>
<nsf-performance-capability> <nsf-performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
skipping to change at page 26, line 15 skipping to change at page 25, line 22
Figure 15 shows the configuration XML for registration of VoIP/VoLTE Figure 15 shows the configuration XML for registration of VoIP/VoLTE
filter and its capabilities are as follows. filter and its capabilities are as follows.
1. The instance name of the NSF is voip_volte_filter. 1. The instance name of the NSF is voip_volte_filter.
2. The NSF can inspect voice id for VoIP/VoLTE packets. 2. The NSF can inspect voice id for VoIP/VoLTE packets.
3. The NSF can control whether the packets are allowed to pass, 3. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
4. The NSF can have processing power and bandwidth. 4. The NSF can support IPsec not through IKEv2, but through a
Security Controller.
5. The location of the NSF is 221.159.112.130. 5. The NSF can have processing power and bandwidth.
6. The port of the NSF is 3000. 6. The location of the NSF is 221.159.112.130.
7. The port of the NSF is 3000.
A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood
Mitigation Mitigation
This section shows a configuration example for capabilities This section shows a configuration example for capabilities
registration of http and https flood mitigation. registration of http and https flood mitigation.
<i2nsf-nsf-registrations <i2nsf-nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<i2nsf-nsf-capability-registration> <i2nsf-nsf-capability-registration>
<nsf-name> <nsf-name>
http_and_https_flood_mitigation_capability http_and_h ttps_flood_mitigation_capability
</nsf-name> </nsf-name>
<nsf-capability-info> <nsf-capability-info>
<i2nsf-capability> <i2nsf-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<antiddos-capa>capa:http-flood-action</antiddos-capa> <antiddos-capa>capa:http-flood-action</antiddos-capa>
<antiddos-capa>capa:https-flood-action</antiddos-capa> <antiddos-capa>capa:https-flood-action</antiddos-capa>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities>
<action-capabilities> </condition-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <action-capabilities>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
</action-capabilities> <egress-action-capa>capa:alert</egress-action-capa>
</i2nsf-capability> </action-capabilities>
<ipsec-method>ike</ipsec-method>
</i2nsf-capability>
<nsf-performance-capability> <nsf-performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
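Review bot: the nsf-name in the right-hand column of Example 5 now reads `http_and_h ttps_flood_mitigation_capability` with a stray space, a regression from the left column's `http_and_https_flood_mitigation_capability`; since nsf-name is the list key of i2nsf-nsf-capability-registration, the space would become part of the key and a later lookup by the intended name would miss this entry. Remove the space.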
skipping to change at page 27, line 43 skipping to change at page 27, line 11
filter and its capabilities are as follows. filter and its capabilities are as follows.
1. The instance name of the NSF is http_and_https_flood_mitigation. 1. The instance name of the NSF is http_and_https_flood_mitigation.
2. The NSF can control the amount of packets for http and https 2. The NSF can control the amount of packets for http and https
packets. packets.
3. The NSF can control whether the packets are allowed to pass, 3. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
4. The NSF can have processing power and bandwidth. 4. The NSF can support IPsec through IKEv2.
5. The location of the NSF is 221.159.112.140. 5. The NSF can have processing power and bandwidth.
6. The port of the NSF is 3000. 6. The location of the NSF is 221.159.112.140.
7. The port of the NSF is 3000.
A.6. Example 6: Query for Capabilities of Time based Firewall A.6. Example 6: Query for Capabilities of Time based Firewall
This section shows a configuration example for capabilities query of This section shows a configuration example for capabilities query of
Time based Firewall. Time based Firewall.
<rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <i2nsf-nsf-capability-query
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
      xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
    <query-i2nsf-capability-info>
      <time-capabilities>absolute-time</time-capabilities>
      <time-capabilities>periodic-time</time-capabilities>
      <condition-capabilities>
        <generic-nsf-capabilities>
          <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
          <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
          <ipv4-capa>capa:range-ipv4-address</ipv4-capa>
        </generic-nsf-capabilities>
      </condition-capabilities>
      <action-capabilities>
        <ingress-action-capa>capa:pass</ingress-action-capa>
        <ingress-action-capa>capa:drop</ingress-action-capa>
        <ingress-action-capa>capa:alert</ingress-action-capa>
        <egress-action-capa>capa:pass</egress-action-capa>
        <egress-action-capa>capa:drop</egress-action-capa>
        <egress-action-capa>capa:alert</egress-action-capa>
      </action-capabilities>
      <!-- the following element is present in -03 only -->
      <ipsec-method>ikeless</ipsec-method>
    </query-i2nsf-capability-info>
  </i2nsf-nsf-capability-query>
</rpc>

<rpc-reply message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <nsf-access-info
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
    <nsf-instance-name>time-based-firewall</nsf-instance-name>
    <nsf-address>221.159.223.250</nsf-address>
    <nsf-port-address>8080</nsf-port-address>
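To show how a Security Controller could resolve the query above against NSFs it holds from earlier registrations, here is an added Python example (not part of the draft): it flattens the leaves of query-i2nsf-capability-info into a set of required capabilities and returns nsf-access-info for each registered NSF whose capability set covers them. The registry contents and the "ipsec:<method>" encoding are constructed assumptions; the query and the reply values come from the example above.

```python
import xml.etree.ElementTree as ET

NS = {"reg": "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"}

# Constructed sample: the -03 form of the capability query in Example 6.
QUERY_XML = """<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
 <i2nsf-nsf-capability-query
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
  <query-i2nsf-capability-info>
   <time-capabilities>absolute-time</time-capabilities>
   <time-capabilities>periodic-time</time-capabilities>
   <condition-capabilities><generic-nsf-capabilities>
    <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
    <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
   </generic-nsf-capabilities></condition-capabilities>
   <action-capabilities>
    <ingress-action-capa>capa:pass</ingress-action-capa>
    <ingress-action-capa>capa:drop</ingress-action-capa>
   </action-capabilities>
   <ipsec-method>ikeless</ipsec-method>
  </query-i2nsf-capability-info>
 </i2nsf-nsf-capability-query>
</rpc>"""

# Constructed registry (hypothetical): what the Security Controller learned
# from earlier NSF registrations. Capability strings mirror the query leaves.
REGISTRY = [
    {"name": "time-based-firewall", "address": "221.159.223.250", "port": 8080,
     "capa": {"absolute-time", "periodic-time", "capa:ipv4-protocol",
              "capa:exact-ipv4-address", "capa:range-ipv4-address",
              "capa:pass", "capa:drop", "capa:alert", "ipsec:ikeless"}},
    {"name": "http_and_https_flood_mitigation", "address": "221.159.112.140",
     "port": 3000, "capa": {"capa:pass", "capa:drop", "capa:alert", "ipsec:ikev2"}},
]

def required_capabilities(rpc_xml):
    """Flatten every leaf under query-i2nsf-capability-info into a set of strings."""
    info = ET.fromstring(rpc_xml).find(".//reg:query-i2nsf-capability-info", NS)
    required = set()
    for leaf in info.iter():
        if len(leaf) == 0 and leaf.text and leaf.text.strip():
            local = leaf.tag.split("}")[1]          # drop the namespace URI
            value = leaf.text.strip()
            required.add(f"ipsec:{value}" if local == "ipsec-method" else value)
    return required

def match_nsfs(rpc_xml, registry):
    """Return nsf-access-info for every NSF whose capabilities cover the query."""
    required = required_capabilities(rpc_xml)
    return [{"nsf-instance-name": n["name"], "nsf-address": n["address"],
             "nsf-port-address": n["port"]} for n in registry if required <= n["capa"]]
```

An NSF that lacks even one requested leaf (here the flood-mitigation NSF, which has no time capabilities) is not returned, which is the behaviour a controller needs before it forwards a policy to an NSF.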
[...]
with the VNF Manager (VNFM) via the Ve-Vnfm interface [nfv-framework]. Security Controller can use this interface for the lifecycle management of NSFs. If some NSFs need to be instantiated to enforce security policies in the I2NSF framework, Security Controller can request the VNFM to instantiate them through the Ve-Vnfm interface. Conversely, if an NSF running as a VNF is not used by any traffic flow for a period of time, Security Controller may request its deinstantiation through the same interface for efficient resource utilization.
Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-01 [-02 version]

The following changes have been made from draft-ietf-i2nsf-registration-interface-dm-01:

o Section 4 has been revised to clarify the major objectives of the I2NSF registration interface: NSF capability registration and NSF capability query.
o Section 5 has been revised to describe the above-mentioned major operations of the I2NSF registration interface. Section 5.1 describes the information model for registering NSFs and their capabilities. Section 5.2 describes the information model for querying NSFs based on a description of required capabilities.
o In Section 6, the data model has been revised according to the revised information model.
o Appendix A has been revised to describe the XML examples of the registration interface data model in five NSF Registration examples and one NSF Capability Query example.

Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-02 [-03 version]

The following changes have been made from draft-ietf-i2nsf-registration-interface-dm-02:

o Appendix A added an IPsec field to the XML examples of the registration interface data model for the five NSF Registration examples and the one NSF Capability Query example.
Appendix D. Acknowledgments

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).
Appendix E. Contributors