draft-ietf-i2nsf-registration-interface-dm-05.txt   draft-ietf-i2nsf-registration-interface-dm-06.txt 
I2NSF Working Group S. Hyun I2NSF Working Group S. Hyun
Internet-Draft Chosun University Internet-Draft Myongji University
Intended status: Standards Track J. Jeong Intended status: Standards Track J. Jeong
Expires: January 25, 2020 T. Roh Expires: July 24, 2020 T. Roh
S. Wi S. Wi
Sungkyunkwan University Sungkyunkwan University
J. Park J. Park
ETRI ETRI
July 24, 2019 January 21, 2020
I2NSF Registration Interface YANG Data Model I2NSF Registration Interface YANG Data Model
draft-ietf-i2nsf-registration-interface-dm-05 draft-ietf-i2nsf-registration-interface-dm-06
Abstract Abstract
This document defines an information model and a YANG data model for This document defines an information model and a YANG data model for
Registration Interface between Security Controller and Developer's Registration Interface between Security Controller and Developer's
Management System (DMS) in the Interface to Network Security Management System (DMS) in the Interface to Network Security
Functions (I2NSF) framework to register Network Security Functions Functions (I2NSF) framework to register Network Security Functions
(NSF) of the DMS into the Security Controller. The objective of (NSF) of the DMS into the Security Controller. The objective of
these information and data models is to support NSF capability these information and data models is to support NSF capability
registration and query via I2NSF Registration Interface. registration and query via I2NSF Registration Interface.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 25, 2020. This Internet-Draft will expire on July 24, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 30 skipping to change at page 2, line 30
5.1.1. NSF Capability Information . . . . . . . . . . . . . 6 5.1.1. NSF Capability Information . . . . . . . . . . . . . 6
5.1.2. NSF Access Information . . . . . . . . . . . . . . . 8 5.1.2. NSF Access Information . . . . . . . . . . . . . . . 8
5.2. NSF Capability Query . . . . . . . . . . . . . . . . . . 8 5.2. NSF Capability Query . . . . . . . . . . . . . . . . . . 8
6. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 8 6.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 8
6.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9 6.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9
6.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9 6.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9
6.1.3. NSF Capability Information . . . . . . . . . . . . . 11 6.1.3. NSF Capability Information . . . . . . . . . . . . . 11
6.1.4. NSF Access Information . . . . . . . . . . . . . . . 12 6.1.4. NSF Access Information . . . . . . . . . . . . . . . 12
6.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12 6.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
9.1. Normative References . . . . . . . . . . . . . . . . . . 19 9.1. Normative References . . . . . . . . . . . . . . . . . . 18
9.2. Informative References . . . . . . . . . . . . . . . . . 20 9.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. XML Example of Registration Interface Data Model . . 22 Appendix A. XML Example of Registration Interface Data Model . . 22
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for Capabilities of General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22
A.2. Example 2: Registration for Capabilities of Time based A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 23 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 23
A.3. Example 3: Registration for Capabilities of Web Filter . 25 A.3. Example 3: Registration for Capabilities of Web Filter . 25
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE A.4. Example 4: Registration for Capabilities of VoIP/VoLTE
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 27 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 27
A.5. Example 5: Registration for Capabilities of HTTP and A.5. Example 5: Registration for Capabilities of HTTP and
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 28 HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 28
A.6. Example 6: Query for Capabilities of Time based Firewall 30 A.6. Example 6: Query for Capabilities of Time based Firewall 30
Appendix B. NSF Lifecycle Managmenet in NFV Environments . . . . 32 Appendix B. NSF Lifecycle Management in NFV Environments . . . . 32
Appendix C. Changes from draft-ietf-i2nsf-registration- Appendix C. Changes from draft-ietf-i2nsf-registration-
interface-dm-04 . . . . . . . . . . . . . . . . . . 32 interface-dm-05 . . . . . . . . . . . . . . . . . . 32
Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 32 Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 32
Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 32 Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction 1. Introduction
A number of Network Security Functions (NSF) may exist in the A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework [RFC8329]. Interface to Network Security Functions (I2NSF) framework [RFC8329].
Since each of these NSFs likely has different security capabilities Since each of these NSFs likely has different security capabilities
from each other, it is important to register the security from each other, it is important to register the security
skipping to change at page 3, line 42 skipping to change at page 3, line 42
[RFC2119] [RFC8174] when, and only when, they appear in all capitals, [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
as shown here. as shown here.
3. Terminology 3. Terminology
This document uses the following terms defined in This document uses the following terms defined in
[i2nsf-terminology], [capability-dm], [RFC8329], [i2nsf-terminology], [capability-dm], [RFC8329],
[supa-policy-data-model], and [supa-policy-info-model] [supa-policy-data-model], and [supa-policy-info-model]
o Network Security Function (NSF): A function that is responsible o Network Security Function (NSF): A function that is responsible
for specific treatment of received packets. A Network Security for a specific treatment of received packets. A Network Security
Function can act at various layers of a protocol stack (e.g., at Function can act at various layers of a protocol stack (e.g., at
the network layer or other OSI layers). Sample Network Security the network layer or other OSI layers). Sample Network Security
Service Functions are as follows: Firewall, Intrusion Prevention/ Service Functions are as follows: Firewall, Intrusion Prevention/
Detection System (IPS/IDS), Deep Packet Inspection (DPI), Detection System (IPS/IDS), Deep Packet Inspection (DPI),
Application Visibility and Control (AVC), network virus and Application Visibility and Control (AVC), network virus and
malware scanning, sandbox, Data Loss Prevention (DLP), Distributed malware scanning, sandbox, Data Loss Prevention (DLP), Distributed
Denial of Service (DDoS) mitigation and TLS proxy. Denial of Service (DDoS) mitigation and TLS proxy.
o Data Model: A data model is a representation of concepts of o Data Model: A data model is a representation of concepts of
interest to an environment in a form that is dependent on data interest to an environment in a form that is dependent on data
skipping to change at page 4, line 32 skipping to change at page 4, line 32
uses Registration Interface to provide NSFs developed by the NSF uses Registration Interface to provide NSFs developed by the NSF
vendor to Security Controller. DMS registers NSFs and their vendor to Security Controller. DMS registers NSFs and their
capabilities to I2NSF framework through Registration Interface. capabilities to I2NSF framework through Registration Interface.
For the registered NSFs, Security Controller maintains a catalog For the registered NSFs, Security Controller maintains a catalog
of the capabilities of those NSFs. of the capabilities of those NSFs.
o Updating the capabilities of registered NSFs: After an NSF is o Updating the capabilities of registered NSFs: After an NSF is
registered into Security Controller, some modifications on the registered into Security Controller, some modifications on the
capability of the NSF may be required later. In this case, DMS capability of the NSF may be required later. In this case, DMS
uses Registration Interface to update the capability of the NSF, uses Registration Interface to update the capability of the NSF,
and this update should be reflected on the catalog of NSFs. and this update should be reflected in the catalog of NSFs.
o Querying DMS about some required capabilities: In cases that some o Asking DMS about some required capabilities: In cases that some
security capabilities are required to serve the security service security capabilities are required to serve the security service
request from an I2NSF user, Security Controller searches through request from an I2NSF user, Security Controller searches through
the registered NSFs to find ones that can provide the required the registered NSFs to find ones that can provide the required
capabilities. But Security Controller might fail to find any NSFs capabilities. But Security Controller might fail to find any NSFs
having the required capabilities among the registered NSFs. In having the required capabilities among the registered NSFs. In
this case, Security Controller need to request DMS for additional this case, Security Controller needs to request DMS for additional
NSF(s) that can provide the required security capabilities via NSF(s) that can provide the required security capabilities via
Registration Interface. Registration Interface.
5. Information Model 5. Information Model
The I2NSF registration interface is used by Security Controller and The I2NSF registration interface is used by Security Controller and
Developer's Management System (DMS) in I2NSF framework. The Developer's Management System (DMS) in I2NSF framework. The
following summarizes the operations done through the registration following summarizes the operations done through the registration
interface: interface:
1) DMS registers NSFs and their capabilities to Security Controller 1) DMS registers NSFs and their capabilities to Security Controller
via the registration interface. DMS also uses the registration via the registration interface. DMS also uses the registration
interface to update the capabilities of the NSFs registered interface to update the capabilities of the NSFs registered
previously. previously.
2) In case that Security Controller fails to find any registered NSF 2) In case that Security Controller fails to find some required
that can provide some required capabilities, Security Controller capabilities from any registered NSF that can provide , Security
queries DMS about NSF(s) having the required capabilities via the Controller queries DMS about NSF(s) having the required
registration interface. capabilities via the registration interface.
Figure 1 shows the information model of the I2NSF registration Figure 1 shows the information model of the I2NSF registration
interface, which consists of two submodels: NSF capability interface, which consists of two submodels: NSF capability
registration and NSF capability query. Each submodel is used for the registration and NSF capability query. Each submodel is used for the
operations listed above. The remainder of this section will provide operations listed above. The remainder of this section will provide
in-depth explanations of each submodel. in-depth explanations of each submodel.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| I2NSF Registration Interface Information Model | | I2NSF Registration Interface Information Model |
| | | |
skipping to change at page 6, line 24 skipping to change at page 6, line 24
| NSF | | NSF Capability| | NSF Access | | NSF | | NSF Capability| | NSF Access |
| Name | | Information | | Information | | Name | | Information | | Information |
+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+
Figure 2: NSF Capability Registration Sub-Model Figure 2: NSF Capability Registration Sub-Model
5.1.1. NSF Capability Information 5.1.1. NSF Capability Information
NSF Capability Information basically describes the security NSF Capability Information basically describes the security
capabilities of an NSF. In Figure 3, we show capability objects of capabilities of an NSF. In Figure 3, we show capability objects of
an NSF. Following the information model of NSF capabilities defiend an NSF. Following the information model of NSF capabilities defined
in [capability-dm], we share the same I2NSF security capabilities: in [capability-dm], we share the same I2NSF security capabilities:
Time Capabilities, Event Capabilities, Condition Capabilities, Action Time Capabilities, Event Capabilities, Condition Capabilities, Action
Capabilities, Resolution Strategy Capabilities, Default Action Capabilities, Resolution Strategy Capabilities, Default Action
Capabilities, and IPsec Method [i2nsf-ipsec]. Also, NSF Capability Capabilities, and IPsec Method [i2nsf-ipsec]. Also, NSF Capability
Information additionally contains the performance capabilities of an Information additionally contains the performance capabilities of an
NSF as shown in Figure 3. NSF as shown in Figure 3.
+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
| NSF Capability | | NSF Capability |
| Information | | Information |
skipping to change at page 7, line 39 skipping to change at page 7, line 39
| Resolution | | Default | | IPsec | | Resolution | | Default | | IPsec |
| Strategy | | Action | | Method | | Strategy | | Action | | Method |
| Capabilities| | Capabilities| +-+-+-+-+-+-+ | Capabilities| | Capabilities| +-+-+-+-+-+-+
+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+
Figure 3: NSF Capability Information Figure 3: NSF Capability Information
5.1.1.1. Performance Capabilities 5.1.1.1. Performance Capabilities
This information represents the processing capability of an NSF. This information represents the processing capability of an NSF.
This information can be used to determine whether the NSF is in Assuming that the current workload status of each NSF is being
congestion by comparing this with the workload that the NSF currently collected through NSF monitoring [i2nsf-monitoring], this capability
undergoes. Moreover, this information can specify an available information of the NSF can be used to determine whether the NSF is in
amount of each type of resources such as processing power which are congestion by comparing it with the current workload of the NSF.
available on the NSF. (The registration interface can control the Moreover, this information can specify an available amount of each
usages and limitations of the created instance and make the type of resource, such as processing power which are available on the
appropriate request according to the status.) As illustrated in NSF. (The registration interface can control the usages and
Figure 4, this information consists of two items: Processing and limitations of the created instance and make the appropriate request
Bandwidth. Processing information describes the NSF's available according to the status.) As illustrated in Figure 4, this
processing power. Bandwidth describes the information about information consists of two items: Processing and Bandwidth.
available network amount in two cases, outbound, inbound. This two Processing information describes the NSF's available processing
information can be used for the NSF's instance request. power. Bandwidth describes the information about available network
amount in two cases, outbound, inbound. These two information can be
used for the NSF's instance request.
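As an added illustration (example code, not part of the draft), the following Python shows what a Security Controller would do with the Performance Capabilities once it holds them: reject a registration whose leaves do not fit the uint16 types of Figure 9 or whose peak values lie below the averages, and compare the registered peaks with a current workload sample. The workload dict shape and the 90 % headroom threshold are assumptions of the example; the draft only says the capability is compared against monitoring data.

```python
"""Added example (not from the draft): validate the performance
capability an NSF registers (Figure 9: processing-average/peak in GHz,
outbound/inbound average/peak in Gbps, all YANG uint16) and compare it
with a current workload sample to decide whether the NSF is congested.
The workload dict shape and the 90 % headroom threshold are assumptions
of this example; the draft only says the capability is compared with
monitoring data."""
from dataclasses import dataclass

UINT16_MAX = 0xFFFF


def _uint16(name, value):
    """Reject anything that would not fit the YANG uint16 leaves."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= UINT16_MAX:
        raise ValueError(f"{name} must be an integer in 0..{UINT16_MAX}, got {value!r}")
    return value


@dataclass(frozen=True)
class PerformanceCapability:
    processing_average: int  # GHz
    processing_peak: int     # GHz
    outbound_average: int    # Gbps
    outbound_peak: int       # Gbps
    inbound_average: int     # Gbps
    inbound_peak: int        # Gbps

    @classmethod
    def from_registration(cls, node):
        """Build from the nested processing/bandwidth structure of Figure 9."""
        proc, bw = node["processing"], node["bandwidth"]
        cap = cls(
            processing_average=_uint16("processing-average", proc["processing-average"]),
            processing_peak=_uint16("processing-peak", proc["processing-peak"]),
            outbound_average=_uint16("outbound-average", bw["outbound"]["outbound-average"]),
            outbound_peak=_uint16("outbound-peak", bw["outbound"]["outbound-peak"]),
            inbound_average=_uint16("inbound-average", bw["inbound"]["inbound-average"]),
            inbound_peak=_uint16("inbound-peak", bw["inbound"]["inbound-peak"]),
        )
        # A peak below its average is a malformed registration; a controller
        # that schedules on it would over-commit the NSF.
        for what, avg, peak in (("processing", cap.processing_average, cap.processing_peak),
                                ("outbound", cap.outbound_average, cap.outbound_peak),
                                ("inbound", cap.inbound_average, cap.inbound_peak)):
            if peak < avg:
                raise ValueError(f"{what}: peak {peak} below average {avg}")
        return cap


def congested_dimensions(cap, workload, headroom=0.9):
    """Names of the dimensions whose current load exceeds headroom x the
    registered peak.  `workload` is an assumed monitoring sample in the
    same units: {'processing': GHz, 'outbound': Gbps, 'inbound': Gbps}."""
    peaks = {"processing": cap.processing_peak,
             "outbound": cap.outbound_peak,
             "inbound": cap.inbound_peak}
    return [dim for dim, peak in peaks.items() if workload.get(dim, 0) > headroom * peak]


# Constructed registration and monitoring sample for the example.
SAMPLE_REGISTRATION = {
    "processing": {"processing-average": 2, "processing-peak": 3},
    "bandwidth": {"outbound": {"outbound-average": 8, "outbound-peak": 10},
                  "inbound": {"inbound-average": 8, "inbound-peak": 10}},
}
SAMPLE_WORKLOAD = {"processing": 1, "outbound": 9.5, "inbound": 2}
```

With the constructed sample, only the outbound dimension is reported as congested (9.5 Gbps against a 10 Gbps peak); a registration whose processing-peak is 70000 is refused before it ever reaches the catalog.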
+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
| Performance | | Performance |
| Capabilities | | Capabilities |
+-+-+-+-^-+-+-+-+-+ +-+-+-+-^-+-+-+-+-+
| |
+----------------------------+ +----------------------------+
| | | |
| | | |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+
skipping to change at page 9, line 29 skipping to change at page 9, line 29
Parentheses enclose choice and case nodes, and case nodes are also Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":"). marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that are not Ellipsis ("...") stands for contents of subtrees that are not
shown. shown.
6.1.2. I2NSF Registration Interface 6.1.2. I2NSF Registration Interface
draft-ietf-i2nsf-registration-interface-dm-05 (left column):

  module : ietf-i2nsf-reg-interface
    +--rw nsf-capability-registration
    |  uses i2nsf-nsf-registrations
  rpcs :
    +---x nsf-capability-query
    |  uses i2nsf-nsf-capability-query

draft-ietf-i2nsf-registration-interface-dm-06 (right column):

  module : ietf-i2nsf-reg-interface
    +--rw nsf-capability-registration
    |  uses nsf-registrations
  rpcs :
    +---x i2nsf-capability-query
    |  uses nsf-capability-query

Figure 5: YANG Tree of I2NSF Registration Interface
The I2NSF registration interface is used for the following purposes. The I2NSF registration interface is used for the following purposes.
Developer's Management System (DMS) registers NSFs and their Developer's Management System (DMS) registers NSFs and their
capabilities into Security Controller via the registration interface. capabilities into Security Controller via the registration interface.
In case that Security Controller fails to find any NSF among the In case that Security Controller fails to find any NSF among the
registered NSFs which can provide some required capabilities, registered NSFs which can provide some required capabilities,
Security Controller uses the registration interface to query DMS Security Controller uses the registration interface to query DMS
about NSF(s) having the required capabilities. The following about NSF(s) having the required capabilities. The following
sections describe the YANG data models to support these operations. sections describe the YANG data models to support these operations.
6.1.2.1. NSF Capability Registration 6.1.2.1. NSF Capability Registration
This section expands the i2nsf-nsf-registrations in Figure 5. This section expands the i2nsf-nsf-registrations in Figure 5.
draft-ietf-i2nsf-registration-interface-dm-05 (left column):

  NSF Capability Registration
    +--rw i2nsf-nsf-registrations
      +--rw i2nsf-nsf-capability-registration* [nsf-name]
        +--rw nsf-name   string
        +--rw nsf-capability-info
        |  uses i2nsf-nsf-capability-info
          +--rw i2nsf-capability
          |  uses ietf-i2nsf-capability
          +--rw nsf-performance-capability
          |  uses i2nsf-nsf-performance-capability
        +--rw nsf-access-info
        |  uses i2nsf-nsf-access-info
          +--rw nsf-instance-name
          +--rw i2nsf-nsf-address   nsf-address
          +--rw nsf-port-number

  Figure 6: YANG Tree of NSF Capability Registration

draft-ietf-i2nsf-registration-interface-dm-06 (right column):

  NSF Capability Registration
    +--rw nsf-registrations
      +--rw nsf-information* [capability-name]
        +--rw capability-name   string
        +--rw nsf-capability-info
        |  uses nsf-capability-info
          +--rw security-capability
          |  uses ietf-i2nsf-capability
          +--rw performance-capability
          |  uses performance-capability
        +--rw nsf-access-info
        |  uses nsf-access-info
          +--rw capability-name
          +--rw ip
          +--rw port

  Figure 6: YANG Tree of NSF Capability Registration Module
When registering an NSF to Security Controller, DMS uses this module When registering an NSF to Security Controller, DMS uses this module
to describe what capabilities the NSF can offer. DMS includes the to describe what capabilities the NSF can offer. DMS includes the
network access information of the NSF which is required to make a network access information of the NSF which is required to make a
network connection with the NSF as well as the capability description network connection with the NSF as well as the capability description
of the NSF. of the NSF.
6.1.2.2. NSF Capability Query 6.1.2.2. NSF Capability Query
This section expands the i2nsf-nsf-capability-query in Figure 5. This section expands the nsf-capability-query in Figure 5.
draft-ietf-i2nsf-registration-interface-dm-05 (left column):

  NSF Capability Query
    +---x i2nsf-nsf-capability-query
      +---w input
      |  +---w query-i2nsf-capability-info
      |  |  uses ietf-i2nsf-capability
      +--ro output
        +--ro nsf-access-info
        |  uses i2nsf-nsf-access-info
          +--rw nsf-instance-name
          +--rw i2nsf-nsf-address   nsf-address
          +--rw nsf-port-number

  Figure 7: YANG Tree of NSF Capability Query

draft-ietf-i2nsf-registration-interface-dm-06 (right column):

  I2NSF Capability Query
    +---x nsf-capability-query
      +---w input
      |  +---w query-nsf-capability
      |  |  uses ietf-i2nsf-capability
      +--ro output
        +--ro nsf-access-info
        |  uses nsf-access-info
          +--rw capability-name
          +--rw ip
          +--rw port

  Figure 7: YANG Tree of NSF Capability Query Module
Security Controller may require some additional capabilities to Security Controller may require some additional capabilities to
provide the security service requested by an I2NSF user, but none of provide the security service requested by an I2NSF user, but none of
the registered NSFs has the required capabilities. In this case, the registered NSFs has the required capabilities. In this case,
Security Controller makes a description of the required capabilities Security Controller makes a description of the required capabilities
using this module and then queries DMS about which NSF(s) can provide using this module and then queries DMS about which NSF(s) can provide
these capabilities. Use NETCONF RPCs to send a NSF capability query. these capabilities. Use NETCONF RPCs to send a NSF capability query.
Input data is query-i2nsf-capability-info and output data is nsf- Input data is query-i2nsf-capability-info and output data is nsf-
access-info. In Figure 7, the ietf-i2nsf-capability refers to the access-info. In Figure 7, the ietf-i2nsf-capability refers to the
module defined in [capability-dm]. module defined in [capability-dm].
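The exchange that Sections 6.1.2.1, 6.1.2.2 and 6.1.4 describe, written out as an added example (this is not the draft's code and not the code of any I2NSF implementation): the DMS side builds the <edit-config> that registers one nsf-information entry, the Security Controller side builds the nsf-capability-query RPC and parses the rpc-reply, and the nsf-access-info it gets back is checked against inet:ip-address and inet:port-number before the controller would ever connect to it. Element names follow Figure 6 and Figure 7 of the -06 column and the namespace is the one declared in Section 6.2. Assumptions of the example: the message-ids, the constructed DMS reply, the rule that unspecified and multicast addresses are refused, and the <condition-capabilities>/<capability> children that stand in for the ietf-i2nsf-capability grouping, whose real content belongs to [capability-dm].

```python
"""Added example (not the draft's own code): the messages behind
Sections 6.1.2.1 and 6.1.2.2, built and checked with the standard library.
Element names follow Figure 6 and Figure 7 of draft -06; the module
namespace is the one declared in Section 6.2.  Assumptions of this
example: the message-ids, the sample DMS reply, the refusal of
unspecified/multicast endpoint addresses, and the single
<condition-capabilities>/<capability> children standing in for the
ietf-i2nsf-capability grouping that query-nsf-capability uses."""
import ipaddress
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
REG = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
PORT_MAX = 0xFFFF  # inet:port-number is a uint16
ET.register_namespace("nc", NC)
ET.register_namespace("nsfreg", REG)  # the module's own prefix


def _sub(parent, tag, text=None, ns=REG):
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    if text is not None:
        el.text = str(text)
    return el


def _check_endpoint(ip_txt, port_txt):
    """inet:ip-address / inet:port-number checks plus a sanity rule (an
    assumption of this example): the controller will open a management
    session to this address, so unspecified or multicast addresses are
    refused instead of being handed to the connection code."""
    ip = ipaddress.ip_address(str(ip_txt).strip())
    if ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{ip} is not a usable NSF endpoint address")
    port = int(port_txt)
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} outside inet:port-number")
    return str(ip), port


def build_registration(nsf_name, ip, port, processing_avg, processing_peak):
    """DMS -> Security Controller: an <edit-config> creating one
    nsf-information entry (Figure 6).  The bandwidth leaves and the
    security-capability subtree are left out to keep the message short."""
    ip, port = _check_endpoint(ip, port)
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": "101"})
    edit = _sub(rpc, "edit-config", ns=NC)
    _sub(_sub(edit, "target", ns=NC), "running", ns=NC)
    info = _sub(_sub(_sub(edit, "config", ns=NC), "nsf-registrations"), "nsf-information")
    _sub(info, "capability-name", nsf_name)
    proc = _sub(_sub(_sub(info, "nsf-capability-info"), "performance-capability"), "processing")
    _sub(proc, "processing-average", processing_avg)
    _sub(proc, "processing-peak", processing_peak)
    access = _sub(info, "nsf-access-info")
    _sub(access, "capability-name", nsf_name)
    _sub(access, "ip", ip)
    _sub(access, "port", port)
    return ET.tostring(rpc, encoding="unicode")


def build_capability_query(required):
    """Security Controller -> DMS: the nsf-capability-query RPC (Figure 7)."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": "102"})
    conds = _sub(_sub(_sub(rpc, "nsf-capability-query"), "query-nsf-capability"),
                 "condition-capabilities")
    for cap in required:
        _sub(conds, "capability", cap)
    return ET.tostring(rpc, encoding="unicode")


def parse_query_reply(reply_xml):
    """DMS -> Security Controller: return (capability-name, ip, port) from the
    rpc-reply, or raise.  An rpc-error or a missing leaf is an error, not an
    empty result, so the controller never connects to a half-parsed endpoint."""
    root = ET.fromstring(reply_xml)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    err = root.find(f"{{{NC}}}rpc-error")
    if err is not None:
        raise RuntimeError("DMS returned rpc-error: "
                           + (err.findtext(f"{{{NC}}}error-message") or "no message"))
    access = root.find(f"{{{REG}}}nsf-access-info")
    if access is None:
        raise ValueError("rpc-reply carries no nsf-access-info")
    name = access.findtext(f"{{{REG}}}capability-name")
    ip_txt = access.findtext(f"{{{REG}}}ip")
    port_txt = access.findtext(f"{{{REG}}}port")
    if not (name and ip_txt and port_txt):
        raise ValueError("nsf-access-info lacks capability-name, ip or port")
    ip, port = _check_endpoint(ip_txt, port_txt)
    return name, ip, port


# Constructed DMS reply to message-id 102 (sample data, not a capture).
SAMPLE_REPLY = f"""<rpc-reply message-id="102" xmlns="{NC}">
  <nsf-access-info xmlns="{REG}">
    <capability-name>time_based_firewall</capability-name>
    <ip>2001:db8::10</ip>
    <port>830</port>
  </nsf-access-info>
</rpc-reply>"""
```

parse_query_reply(SAMPLE_REPLY) yields ("time_based_firewall", "2001:db8::10", 830); the same reply with ff02::1 as the address, or one carrying an <rpc-error>, is rejected rather than returned as a partial result. The registration and query builders only produce the XML; sending it over a NETCONF session (and the transport security that implies) is outside this example.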
6.1.3. NSF Capability Information 6.1.3. NSF Capability Information
This section expands the i2nsf-nsf-capability-info in Figure 6 and This section expands the nsf-capability-info in Figure 6 and
Figure 7. Figure 7.
draft-ietf-i2nsf-registration-interface-dm-05 (left column):

  NSF Capability Information
    +--rw i2nsf-nsf-capability-info
      +--rw i2nsf-capability
      |  uses ietf-i2nsf-capability
      +--rw nsf-performance-capability
      |  uses i2nsf-nsf-performance-capability

draft-ietf-i2nsf-registration-interface-dm-06 (right column):

  NSF Capability Information
    +--rw nsf-capability-info
      +--rw security-capability
      |  uses ietf-i2nsf-capability
      +--rw performance-capability
      |  uses nsf-performance-capability

Figure 8: YANG Tree of I2NSF NSF Capability Information
In Figure 8, the ietf-i2nsf-capability refers to the module defined In Figure 8, the ietf-i2nsf-capability refers to the module defined
in [capability-dm]. The i2nsf-nsf-performance-capability is used to in [capability-dm]. The performance-capability is used to specify
specify the performance capability of an NSF. the performance capability of an NSF.
6.1.3.1. NSF Performance Capability 6.1.3.1. NSF Performance Capability
This section expands the i2nsf-nsf-performance-capability in This section expands the nsf-performance-capability in Figure 8.
Figure 8.
(Both columns show the same tree; the -05 column names the top node
i2nsf-nsf-performance-capability and the -06 column names it
nsf-performance-capability. The -06 form is shown.)

  NSF Performance Capability
    +--rw nsf-performance-capability
      +--rw processing
      |  +--rw processing-average   uint16
      |  +--rw processing-peak      uint16
      +--rw bandwidth
      |  +--rw outbound
      |  |  +--rw outbound-average   uint16
      |  |  +--rw outbound-peak      uint16
      |  +--rw inbound
      |  |  +--rw inbound-average    uint16
      |  |  +--rw inbound-peak       uint16

Figure 9: YANG Tree of I2NSF NSF Performance Capability
This module is used to specify the performance capabilities of an NSF This module is used to specify the performance capabilities of an NSF
when registering or initiating the NSF. when registering or initiating the NSF.
6.1.4. NSF Access Information 6.1.4. NSF Access Information
This section expands the i2nsf-nsf-access-info in Figure 6. This section expands the nsf-access-info in Figure 6.
draft-ietf-i2nsf-registration-interface-dm-05 (left column):

  NSF Access Information
    +--rw i2nsf-nsf-access-info
      +--rw nsf-instance-name    string
      +--rw i2nsf-nsf-address    nsf-address
      +--rw nsf-port-number      inet:port-number

draft-ietf-i2nsf-registration-interface-dm-06 (right column):

  NSF Access Information
    +--rw nsf-access-info
      +--rw capability-name      string
      +--rw ip                   inet:ip-address
      +--rw port                 inet:port-number

Figure 10: YANG Tree of I2NSF NSF Access Information
This module contains the network access information of an NSF that is This module contains the network access information of an NSF that is
required to enable network communications with the NSF. required to enable network communications with the NSF.
6.2. YANG Data Modules 6.2. YANG Data Modules
This section provides YANG modules of the data model for the This section provides YANG modules of the data model for the
registration interface between Security Controller and Developer's registration interface between Security Controller and Developer's
Management System, as defined in Section 5. Management System, as defined in Section 5.
<CODE BEGINS> file "ietf-i2nsf-reg-interface@2019-07-24.yang" <CODE BEGINS> file "ietf-i2nsf-reg-interface@2020-01-21.yang"
module ietf-i2nsf-reg-interface { module ietf-i2nsf-reg-interface {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
prefix nsfreg; prefix nsfreg;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-i2nsf-capability { import ietf-i2nsf-capability {
prefix capa; prefix capa;
reference "draft-ietf-i2nsf-capability-data-model-05"; reference "draft-ietf-i2nsf-capability-data-model-05";
} }
organization organization
"IETF I2NSF (Interface to Network Security "IETF I2NSF (Interface to Network Security Functions)
Functions) Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar
<mailto:Linda.duhbar@huawei.com>
Editor: Sangwon Hyun Editor: Sangwon Hyun
<mailto:shyun@chosun.ac.kr> <mailto:shyun@mju.ac.kr>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Taekyun Roh Editor: Taekyun Roh
<mailto:tkroh0198@skku.edu> <mailto:tkroh0198@skku.edu>
Editor: Sarang Wi Editor: Sarang Wi
<mailto:dnl9795@skku.edu> <mailto:dnl9795@skku.edu>
Editor: Jung-Soo Park Editor: Jung-Soo Park
<mailto:pjs@etri.re.kr>"; <mailto:pjs@etri.re.kr>";
description description
"This module defines a YANG data model for "This module defines a YANG data model for I2NSF
I2NSF registration interface. registration interface.
Copyright (c) <2019> IETF Trust and the persons Copyright (c) 2020 IETF Trust and the persons
identified as authors of the code. All rights reserved. identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of This version of this YANG module is part of RFC XXXX; see
draft-ietf-i2nsf-registration-interface-dm-05; see the RFC itself for full legal notices.";
the draft itself for full legal notices.";
revision 2019-07-24 { revision "2020-01-21" {
description "The fifth revision"; description "Initial revision";
reference reference
"draft-ietf-i2nsf-registration-interface-dm-05"; "RFC XXXX: I2NSF Registration Interface YANG Data Model";
} }
-  typedef nsf-address {
-    type union {
-      type inet:ipv4-address;
-      type inet:ipv6-address;
-    }
-    description
-      "IPv4/IPv6 address of this NSF";
-  }
-  rpc i2nsf-nsf-capability-query {
-    description
-      "Description of the capabilities that the
-      Security Controller requests to the DMS";
-    input {
-      container query-i2nsf-capability-info {
-        description
-          "Description of the capabilities to request";
-        uses "capa:nsf-capabilities";
-        reference
-          "draft-ietf-i2nsf-capability-data-model-05";
-      }
-    }
-    output {
-      container nsf-access-info {
-        description
-          "Network access information of an NSF
-          with the requested capabilities";
-        uses i2nsf-nsf-access-info;
-      }
-    }
-  }
-  container i2nsf-nsf-registrations {
+  container nsf-registrations {
     description
       "Information of an NSF that DMS registers
       to Security Controller";
-    list i2nsf-nsf-capability-registration {
-      key "nsf-name";
+    list nsf-information {
+      key "capability-name";
       description
         "Required information for registration";
-      leaf nsf-name {
+      leaf capability-name {
         type string;
         mandatory true;
         description
           "Unique name of this registered NSF";
       }
       container nsf-capability-info {
         description
           "Capability description of this NSF";
-        uses i2nsf-nsf-capability-info;
+        uses nsf-capability-info;
       }
       container nsf-access-info {
         description
           "Network access information of this NSF";
-        uses i2nsf-nsf-access-info;
+        uses nsf-access-info;
       }
     }
   }
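Review bot: `mandatory true` on `leaf capability-name` is redundant, because the leaf is the key of `list nsf-information` and list keys are implicitly mandatory (pyang reports this as a warning); drop the statement. Also, the key has been renamed to `capability-name` while its description still reads "Unique name of this registered NSF": either the key identifies the NSF (then `nsf-name` was the right name) or it identifies a capability (then the description needs updating). The choice matters for the Security Controller, which keys its registry on this value.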
-  grouping i2nsf-nsf-performance-capability {
+  grouping nsf-performance-capability {
     description
-      "Description of the performance capailities
+      "Description of the performance capabilities
       of an NSF";
     container processing {
       description
         "Processing power of an NSF in the unit of GHz (gigahertz)";
       leaf processing-average {
         type uint16;
         description
           "Average processing power";
       }
       leaf processing-peak {
         type uint16;
         description
           "Peak processing power";
       }
     }
     container bandwidth {
       description
         "Network bandwidth available on an NSF
-        in the unit of Gbps (gigabits per second)";
+        in the unit of Mbps (megabits per second)";
       container outbound {
         description
           "Outbound network bandwidth";
         leaf outbound-average {
-          type uint16;
+          type uint32;
+          units "Mbps";
           description
             "Average outbound bandwidth";
         }
         leaf outbound-peak {
-          type uint16;
+          type uint32;
+          units "Mbps";
           description
             "Peak outbound bandwidth";
         }
       }
       container inbound {
         description
           "Inbound network bandwidth";
         leaf inbound-average {
-          type uint16;
+          type uint32;
+          units "Mbps";
           description
             "Average inbound bandwidth";
         }
         leaf inbound-peak {
-          type uint16;
+          type uint32;
+          units "Mbps";
           description
             "Peak inbound bandwidth";
         }
       }
     }
   }
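Review bot: the bandwidth leaves gained `units "Mbps"` and `uint32` in this revision, but `processing-average` and `processing-peak` still carry their unit only in prose ("in the unit of GHz (gigahertz)") with no `units` statement, and the values the appendix uses for them (1000 and 5000 in Figure 12) are implausible as gigahertz; add a `units` statement to the processing leaves and check that the unit it names matches the example values. Stating the unit in one style for the whole grouping (a `units` statement on every leaf) is also easier for implementers than a mix of prose and `units`.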
-  grouping i2nsf-nsf-capability-info {
+  grouping nsf-capability-info {
     description
       "Capability description of an NSF";
-    container i2nsf-capability {
+    container security-capability {
       description
         "Description of the security capabilities of an NSF";
       uses "capa:nsf-capabilities";
       reference "draft-ietf-i2nsf-capability-data-model-05";
     }
-    container nsf-performance-capability {
+    container performance-capability {
       description
         "Description of the performance capabilities of an NSF";
-      uses i2nsf-nsf-performance-capability;
+      uses nsf-performance-capability;
     }
   }
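Review bot: `reference "draft-ietf-i2nsf-capability-data-model-05"` pins one draft revision inside a module whose own references were rewritten to "RFC XXXX" form in this revision; cite the capability model the same way (an "RFC YYYY: I2NSF Capability YANG Data Model" placeholder for the RFC Editor to fill in) so the published module does not point at an expired draft. The same `reference` under `query-nsf-capability` in the RPC needs the same treatment.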
-  grouping i2nsf-nsf-access-info {
+  grouping nsf-access-info {
     description
       "Information required to access an NSF";
-    leaf nsf-instance-name {
+    leaf capability-name {
       type string;
       description
-        "Unique name of this NSF instance";
+        "Unique name of this NSF's capability";
     }
-    leaf i2nsf-nsf-address {
-      type nsf-address;
+    leaf ip {
+      type inet:ip-address;
       description
         "IPv4/IPv6 address of this NSF";
     }
-    leaf nsf-port {
+    leaf port {
       type inet:port-number;
       description
         "Port available on this NSF";
     }
   }
+  rpc nsf-capability-query {
+    description
+      "Description of the capabilities that the
+      Security Controller requests to the DMS";
+    input {
+      container query-nsf-capability {
+        description
+          "Description of the capabilities to request";
+        uses "capa:nsf-capabilities";
+        reference
+          "draft-ietf-i2nsf-capability-data-model-05";
+      }
+    }
+    output {
+      container nsf-access-info {
+        description
+          "Network access information of an NSF
+          with the requested capabilities";
+        uses nsf-access-info;
+      }
+    }
+  }
 }
 <CODE ENDS>
 Figure 11: Registration Interface YANG Data Model
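Review bot: grouping `nsf-access-info` now defines its own `leaf capability-name` ("Unique name of this NSF's capability"), and it is used inside `list nsf-information`, which is already keyed by a `capability-name` leaf described as the name of the registered NSF. Two leaves with the same name and different meanings in one list entry will confuse implementers, and Figure 12 fills them with different values (`general_firewall_capability` versus `general_firewall`); either drop the leaf from the grouping or make it a `leafref` to the list key so the two cannot diverge. The RPC output is also a single `nsf-access-info` container, so when more than one registered NSF matches the requested capabilities the DMS cannot return them all; a `list` keyed by `capability-name` would fit the query better.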
 7. IANA Considerations
 This document requests IANA to register the following URI in the
 operations and content.
 There are a number of data nodes defined in this YANG module that are
 writable/creatable/deletable (i.e., config true, which is the
 default). These data nodes may be considered sensitive or vulnerable
 in some network environments. Write operations (e.g., edit-config)
 to these data nodes without proper protection can have a negative
 effect on network operations. These are the subtrees and data nodes
 and their sensitivity/vulnerability:
-o i2nsf-nsf-registrations: The attacker may exploit this to register
-a compromised or malicious NSF instead of a legitimate NSF to the
+o nsf-registrations: The attacker may exploit this to register a
+compromised or malicious NSF instead of a legitimate NSF to the
 Security Controller.
-o i2nsf-nsf-performance-capability: The attacker may provide
-incorrect information of the performance capability of any target
-NSF by illegally modifying this.
+o nsf-performance-capability: The attacker may provide incorrect
+information of the performance capability of any target NSF by
+illegally modifying this.
-o i2nsf-nsf-capability-info: The attacker may provide incorrect
+o nsf-capability-info: The attacker may provide incorrect
 information of the security capability of any target NSF by
 illegally modifying this.
-o i2nsf-nsf-access-info: The attacker may provide incorrect network
-access information of any target NSF by illegally modifying this.
+o nsf-access-info: The attacker may provide incorrect network access
+information of any target NSF by illegally modifying this.
 Some of the readable data nodes in this YANG module may be considered
 sensitive or vulnerable in some network environments. It is thus
 important to control read access (e.g., via get, get-config, or
 notification) to these data nodes. These are the subtrees and data
 nodes and their sensitivity/vulnerability:
-o i2nsf-nsf-registrations: The attacker may try to gather some
-sensitive information of a registered NSF by sniffing this.
+o nsf-registrations: The attacker may try to gather some sensitive
+information of a registered NSF by sniffing this.
-o i2nsf-nsf-performance-capability: The attacker may gather the
+o nsf-performance-capability: The attacker may gather the
 performance capability information of any target NSF and misuse
 the information for subsequent attacks.
-o i2nsf-nsf-capability-info: The attacker may gather the security
+o nsf-capability-info: The attacker may gather the security
 capability information of any target NSF and misuse the
 information for subsequent attacks.
-o i2nsf-nsf-access-info: The attacker may gather the network access
+o nsf-access-info: The attacker may gather the network access
 information of any target NSF and misuse the information for
 subsequent attacks.
 The RPC operation in this YANG module may be considered sensitive or
 vulnerable in some network environments. It is thus important to
 control access to this operation. The following is the operation and
 its sensitivity/vulnerability:
-o i2nsf-nsf-capability-query: The attacker may exploit this RPC
-operation to deteriorate the availability of the DMS and/or gather
-the information of some interested NSFs from the DMS.
+o nsf-capability-query: The attacker may exploit this RPC operation
+to deteriorate the availability of the DMS and/or gather the
+information of some interested NSFs from the DMS.
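Review bot: every bullet names an exposure but none names the control. For a model whose top-level container is `config true` and whose abuse case is a rogue registration of a malicious NSF, state explicitly that the Security Controller authenticates the DMS over the mandatory secure transport and restricts write access to `nsf-registrations` (and invocation of `nsf-capability-query`) to the authorized DMS, using NACM (RFC 8341) as the standard YANG security-considerations template does. Also, "by sniffing this" in the read-access bullet for `nsf-registrations` describes interception on the wire rather than an unauthorized read of the datastore; "by reading this" matches the get/get-config framing of the paragraph.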
 9. References
 9.1. Normative References
 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 Requirement Levels", BCP 14, RFC 2119,
 DOI 10.17487/RFC2119, March 1997,
 <https://www.rfc-editor.org/info/rfc2119>.
 [capability-dm]
 Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
 "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
 capability-data-model-05 (work in progress), July 2019.
 [i2nsf-ipsec]
 Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
 Garcia, "Software-Defined Networking (SDN)-based IPsec
 Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
-protection-05 (work in progress), July 2019.
+protection-07 (work in progress), August 2019.
+[i2nsf-monitoring]
+Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
+"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
+nsf-monitoring-data-model-02 (work in progress), November
+2019.
 [i2nsf-terminology]
 Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
 Birkholz, "Interface to Network Security Functions (I2NSF)
 Terminology", draft-ietf-i2nsf-terminology-08 (work in
 progress), July 2019.
 [nfv-framework]
 "Network Functions Virtualisation (NFV); Architectureal
 Framework", ETSI GS NFV 002 ETSI GS NFV 002 V1.1.1,
 October 2013.
 [nvo3-vxlan-gpe]
 Maino, Ed., F., Kreeger, Ed., L., and U. Elzur, Ed.,
 "Generic Protocol Extension for VXLAN", draft-ietf-nvo3-
-vxlan-gpe-06 (work in progress), April 2018.
+vxlan-gpe-09 (work in progress), December 2019.
 [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
 S., and N. Bahadur, "A YANG Data Model for Routing
 Information Base (RIB)", RFC 8431, September 2018.
 [supa-policy-data-model]
 Halpern, J., Strassner, J., and S. van der Meer, "Generic
 Policy Data Model for Simplified Use of Policy
 Abstractions (SUPA)", draft-ietf-supa-generic-policy-data-
 model-04 (work in progress), June 2017.
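Review bot: the [nfv-framework] entry repeats "ETSI GS NFV 002" twice and misspells "Architectural" as "Architectureal" in both revisions; fix the entry. For the new [i2nsf-monitoring] entry, check that some section of the body actually cites it, since idnits flags informative references that nothing cites.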
 This section describes XML examples of the I2NSF Registration
 Interface data model under the assumption of registering several
 types of NSFs and querying NSF capability.
 A.1. Example 1: Registration for Capabilities of General Firewall
 This section shows an XML example for registering the capabilities of
 general firewall.
-<i2nsf-nsf-registrations
+<nsf-registrations
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
-  <i2nsf-nsf-capability-registration>
-    <nsf-name>general_firewall_capability</nsf-name>
+  <nsf-information>
+    <capability-name>general_firewall_capability</capability-name>
     <nsf-capability-info>
-      <i2nsf-capability>
+      <security-capability>
         <condition-capabilities>
           <generic-nsf-capabilities>
             <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
             <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
             <ipv4-capa>capa:range-ipv4-address</ipv4-capa>
             <tcp-capa>capa:exact-tcp-port-num</tcp-capa>
             <tcp-capa>capa:range-tcp-port-num</tcp-capa>
           </generic-nsf-capabilities>
         </condition-capabilities>
         <action-capabilities>
           <ingress-action-capa>capa:pass</ingress-action-capa>
           <ingress-action-capa>capa:drop</ingress-action-capa>
           <ingress-action-capa>capa:alert</ingress-action-capa>
           <egress-action-capa>capa:pass</egress-action-capa>
           <egress-action-capa>capa:drop</egress-action-capa>
           <egress-action-capa>capa:alert</egress-action-capa>
         </action-capabilities>
         <ipsec-method>capa:ikeless</ipsec-method>
-      </i2nsf-capability>
-      <nsf-performance-capability>
+      </security-capability>
+      <performance-capability>
         <processing>
           <processing-average>1000</processing-average>
           <processing-peak>5000</processing-peak>
         </processing>
         <bandwidth>
           <outbound>
             <outbound-average>1000</outbound-average>
             <outbound-peak>5000</outbound-peak>
           </outbound>
           <inbound>
             <inbound-average>1000</inbound-average>
             <inbound-peak>5000</inbound-peak>
           </inbound>
         </bandwidth>
-      </nsf-performance-capability>
+      </performance-capability>
     </nsf-capability-info>
     <nsf-access-info>
-      <nsf-instance-name>general_firewall</nsf-instance-name>
-      <i2nsf-nsf-address>2001:DB8:8:4::2</i2nsf-nsf-address>
-      <nsf-port-address>3000</nsf-port-address>
+      <capability-name>general_firewall</capability-name>
+      <ip>2001:DB8:8:4::2</ip>
+      <port>3000</port>
     </nsf-access-info>
-  </i2nsf-nsf-capability-registration>
-</i2nsf-nsf-registrations>
+  </nsf-information>
+</nsf-registrations>
 Figure 12: Configuration XML for Registration of General Firewall
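Review bot: the list key is `general_firewall_capability` while `nsf-access-info/capability-name` is `general_firewall`, and the explanatory text that follows says "The instance name of the NSF is general_firewall", so the example treats the access-info leaf as the NSF name and the key as the capability name, the opposite of what the two `description` statements in the module say; settle on one meaning and use the same value in both places. In the old version, `nsf-port-address` did not match the `nsf-port` leaf of the -05 module either, so it is worth validating every appendix example against the module with pyang before the next revision.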
 Figure 12 shows the configuration XML for registering the general
 firewall and its capabilities as follows.
 1. The instance name of the NSF is general_firewall.
 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4
 address for IPv4 packets.
 7. The location of the NSF is 2001:DB8:8:4::2.
 8. The port of the NSF is 3000.
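The Security Considerations above single out `nsf-registrations` as the node an attacker would abuse to register a compromised NSF, so a Security Controller should check what it receives before it stores it. The following Python is an added example, not code from the draft or from any I2NSF implementation: it parses a registration document in the -06 layout and applies the checks a controller would want (mandatory `capability-name`, `ip` as an IPv4/IPv6 address, `port` within `inet:port-number`, at least one advertised capability, and one consistent name per entry). The namespace URIs are those of Figure 12; the sample document is an abridged copy of Figure 12; the function names, the malformed second sample and the error strings are this example's own.

```python
"""Added example (not from the draft): parse and check an I2NSF
registration document in the draft-06 layout before accepting it.

Namespace URIs are those of Figure 12; element names follow the
draft-06 YANG module.  The validation rules are this example's own
reading of the model, not code from the draft.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
CAPA = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"

# Abridged copy of Figure 12 (general firewall registration).
SAMPLE = """<nsf-registrations xmlns="%s" xmlns:capa="%s">
  <nsf-information>
    <capability-name>general_firewall_capability</capability-name>
    <nsf-capability-info>
      <security-capability>
        <condition-capabilities>
          <generic-nsf-capabilities>
            <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
            <tcp-capa>capa:exact-tcp-port-num</tcp-capa>
          </generic-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
          <ingress-action-capa>capa:drop</ingress-action-capa>
        </action-capabilities>
        <ipsec-method>capa:ikeless</ipsec-method>
      </security-capability>
      <performance-capability>
        <processing>
          <processing-average>1000</processing-average>
          <processing-peak>5000</processing-peak>
        </processing>
      </performance-capability>
    </nsf-capability-info>
    <nsf-access-info>
      <capability-name>general_firewall</capability-name>
      <ip>2001:DB8:8:4::2</ip>
      <port>3000</port>
    </nsf-access-info>
  </nsf-information>
</nsf-registrations>
""" % (NS, CAPA)

# Constructed malformed variant: unparsable address, out-of-range port.
BAD_SAMPLE = SAMPLE.replace("2001:DB8:8:4::2", "not-an-ip").replace("3000", "70000")


def q(name):
    """Clark-notation tag for an element in the registration namespace."""
    return "{%s}%s" % (NS, name)


def parse_registrations(xml_text):
    """Return one dict per nsf-information entry, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != q("nsf-registrations"):
        raise ValueError("unexpected root element %r" % root.tag)

    def text(parent, name):
        # Child text, stripped; "" when the parent or the child is absent.
        if parent is None:
            return ""
        return (parent.findtext(q(name)) or "").strip()

    entries = []
    for info in root.findall(q("nsf-information")):
        access = info.find(q("nsf-access-info"))
        entries.append({
            "capability-name": text(info, "capability-name"),
            "access-name": text(access, "capability-name"),
            "ip": text(access, "ip"),
            "port": text(access, "port"),
            # Every identityref value below the entry, e.g. "capa:drop".
            "capabilities": [e.text.strip() for e in info.iter()
                             if e.text and e.text.strip().startswith("capa:")],
        })
    return entries


def validate_entry(entry):
    """Return the problems found in one entry; an empty list means accept."""
    problems = []
    if not entry["capability-name"]:
        problems.append("capability-name is mandatory")
    try:
        ipaddress.ip_address(entry["ip"])          # inet:ip-address
    except ValueError:
        problems.append("ip %r is not an IPv4/IPv6 address" % entry["ip"])
    if not entry["port"].isdigit() or int(entry["port"]) > 65535:
        problems.append("port %r is outside inet:port-number" % entry["port"])
    if not entry["capabilities"]:
        problems.append("no capability advertised")
    if entry["access-name"] != entry["capability-name"]:
        problems.append("access-info capability-name %r differs from list key %r"
                        % (entry["access-name"], entry["capability-name"]))
    return problems


def check_document(xml_text):
    """Map each list key to the problems found in its entry."""
    return {e["capability-name"]: validate_entry(e)
            for e in parse_registrations(xml_text)}


if __name__ == "__main__":
    for doc in (SAMPLE, BAD_SAMPLE):
        for name, problems in check_document(doc).items():
            print(name, problems or "OK")
```

Run against the abridged Figure 12, the only finding is the name mismatch between the list key and the access-info leaf, which is exactly the inconsistency a controller that keys its registry on `capability-name` would otherwise carry into its state; the constructed malformed copy adds the address and port rejections.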
 A.2. Example 2: Registration for Capabilities of Time based Firewall
 This section shows an XML example for registering the capabilities of
 time-based firewall.
-<i2nsf-nsf-registrations
+<nsf-registrations
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
-  <i2nsf-nsf-capability-registration>
-    <nsf-name>time_based_firewall_capability</nsf-name>
+  <nsf-information>
+    <capability-name>time_based_firewall_capability</capability-name>
     <nsf-capability-info>
-      <i2nsf-capability>
+      <security-capability>
         <time-capabilities>absolute-time</time-capabilities>
         <time-capabilities>periodic-time</time-capabilities>
         <condition-capabilities>
           <generic-nsf-capabilities>
             <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
             <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
             <ipv4-capa>capa:range-ipv4-address</ipv4-capa>
           </generic-nsf-capabilities>
         </condition-capabilities>
         <action-capabilities>
           <ingress-action-capa>capa:pass</ingress-action-capa>
           <ingress-action-capa>capa:drop</ingress-action-capa>
           <ingress-action-capa>capa:alert</ingress-action-capa>
           <egress-action-capa>capa:pass</egress-action-capa>
           <egress-action-capa>capa:drop</egress-action-capa>
           <egress-action-capa>capa:alert</egress-action-capa>
         </action-capabilities>
         <ipsec-method>capa:ike</ipsec-method>
-      </i2nsf-capability>
-      <nsf-performance-capability>
+      </security-capability>
+      <performance-capability>
         <processing>
           <processing-average>1000</processing-average>
           <processing-peak>5000</processing-peak>
         </processing>
         <bandwidth>
           <outbound>
             <outbound-average>1000</outbound-average>
             <outbound-peak>5000</outbound-peak>
           </outbound>
           <inbound>
             <inbound-average>1000</inbound-average>
             <inbound-peak>5000</inbound-peak>
           </inbound>
         </bandwidth>
-      </nsf-performance-capability>
+      </performance-capability>
     </nsf-capability-info>
     <nsf-access-info>
-      <nsf-instance-name>time_based_firewall</nsf-instance-name>
-      <i2nsf-nsf-address>2001:DB8:8:4::3</i2nsf-nsf-address>
-      <nsf-port-address>3000</nsf-port-address>
+      <capability-name>time_based_firewall</capability-name>
+      <ip>2001:DB8:8:4::3</ip>
+      <port>3000</port>
     </nsf-access-info>
-  </i2nsf-nsf-capability-registration>
-</i2nsf-nsf-registrations>
+  </nsf-information>
+</nsf-registrations>
 Figure 13: Configuration XML for Registration of Time based Firewall
 Figure 13 shows the configuration XML for registering the time-based
 firewall and its capabilities as follows.
 1. The instance name of the NSF is time_based_firewall.
 2. The NSF can enforce the security policy rule according to
 absolute time and periodic time.
 7. The location of the NSF is 2001:DB8:8:4::3.
 8. The port of the NSF is 3000.
 A.3. Example 3: Registration for Capabilities of Web Filter
 This section shows an XML example for registering the capabilities of
 web filter.
-<i2nsf-nsf-registrations
+<nsf-registrations
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
-  <i2nsf-nsf-capability-registration>
-    <nsf-name>web_filter_capability</nsf-name>
+  <nsf-information>
+    <capability-name>web_filter</capability-name>
     <nsf-capability-info>
-      <i2nsf-capability>
+      <security-capability>
         <condition-capabilities>
           <advanced-nsf-capabilities>
             <url-capa>capa:user-defined</url-capa>
           </advanced-nsf-capabilities>
         </condition-capabilities>
         <action-capabilities>
           <ingress-action-capa>capa:pass</ingress-action-capa>
           <ingress-action-capa>capa:drop</ingress-action-capa>
           <ingress-action-capa>capa:alert</ingress-action-capa>
           <egress-action-capa>capa:pass</egress-action-capa>
           <egress-action-capa>capa:drop</egress-action-capa>
           <egress-action-capa>capa:alert</egress-action-capa>
         </action-capabilities>
         <ipsec-method>capa:ikeless</ipsec-method>
-      </i2nsf-capability>
-      <nsf-performance-capability>
+      </security-capability>
+      <performance-capability>
         <processing>
           <processing-average>1000</processing-average>
           <processing-peak>5000</processing-peak>
         </processing>
         <bandwidth>
           <outbound>
             <outbound-average>1000</outbound-average>
             <outbound-peak>5000</outbound-peak>
           </outbound>
           <inbound>
             <inbound-average>1000</inbound-average>
             <inbound-peak>5000</inbound-peak>
           </inbound>
         </bandwidth>
-      </nsf-performance-capability>
+      </performance-capability>
     </nsf-capability-info>
     <nsf-access-info>
-      <nsf-instance-name>web_filter</nsf-instance-name>
-      <i2nsf-nsf-address>2001:DB8:8:4::4</i2nsf-nsf-address>
-      <nsf-port-address>3000</nsf-port-address>
+      <capability-name>web_filter</capability-name>
+      <ip>2001:DB8:8:4::4</ip>
+      <port>3000</port>
     </nsf-access-info>
-  </i2nsf-nsf-capability-registration>
-</i2nsf-nsf-registrations>
+  </nsf-information>
+</nsf-registrations>
 Figure 14: Configuration XML for Registration of Web Filter
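Review bot: this example drops the `_capability` suffix from the list key (`web_filter` appears in both `capability-name` leaves), whereas Examples 1 and 2 keep it (`general_firewall_capability`, `time_based_firewall_capability`) and use a different value for the access-info leaf; use one naming convention across all five examples so a reader can tell which leaf is the list key and whether the two leaves are meant to hold the same value.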
 Figure 14 shows the configuration XML for registering the web filter,
 and its capabilities are as follows.
 1. The instance name of the NSF is web_filter.
 2. The NSF can inspect url for http and https packets.
 6. The location of the NSF is 2001:DB8:8:4::4.
 7. The port of the NSF is 3000.
 A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter
 This section shows an XML example for registering the capabilities of
 VoIP/VoLTE filter.
-<i2nsf-nsf-registrations
+<nsf-registrations
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
-  <i2nsf-nsf-capability-registration>
-    <nsf-name>voip_volte_filter_capability</nsf-name>
+  <nsf-information>
+    <capability-name>voip_volte_filter</capability-name>
     <nsf-capability-info>
-      <i2nsf-capability>
+      <security-capability>
         <condition-capabilities>
           <advanced-nsf-capabilities>
             <voip-volte-capa>capa:voice-id</voip-volte-capa>
           </advanced-nsf-capabilities>
         </condition-capabilities>
         <action-capabilities>
           <ingress-action-capa>capa:pass</ingress-action-capa>
           <ingress-action-capa>capa:drop</ingress-action-capa>
           <ingress-action-capa>capa:alert</ingress-action-capa>
           <egress-action-capa>capa:pass</egress-action-capa>
           <egress-action-capa>capa:drop</egress-action-capa>
           <egress-action-capa>capa:alert</egress-action-capa>
         </action-capabilities>
         <ipsec-method>capa:ikeless</ipsec-method>
-      </i2nsf-capability>
-      <nsf-performance-capability>
+      </security-capability>
+      <performance-capability>
         <processing>
           <processing-average>1000</processing-average>
           <processing-peak>5000</processing-peak>
         </processing>
         <bandwidth>
           <outbound>
             <outbound-average>1000</outbound-average>
             <outbound-peak>5000</outbound-peak>
           </outbound>
           <inbound>
             <inbound-average>1000</inbound-average>
             <inbound-peak>5000</inbound-peak>
           </inbound>
         </bandwidth>
-      </nsf-performance-capability>
+      </performance-capability>
     </nsf-capability-info>
     <nsf-access-info>
-      <nsf-instance-name>voip_volte_filter</nsf-instance-name>
-      <i2nsf-nsf-address>2001:DB8:8:4::5</i2nsf-nsf-address>
-      <nsf-port-address>3000</nsf-port-address>
+      <capability-name>voip_volte_filter</capability-name>
+      <ip>2001:DB8:8:4::5</ip>
+      <port>3000</port>
     </nsf-access-info>
-  </i2nsf-nsf-capability-registration>
-</i2nsf-nsf-registrations>
+  </nsf-information>
+</nsf-registrations>
 Figure 15: Configuration XML for Registration of VoIP/VoLTE Filter
 Figure 15 shows the configuration XML for registering VoIP/VoLTE
 filter, and its capabilities are as follows.
 1. The instance name of the NSF is voip_volte_filter.
 2. The NSF can inspect voice id for VoIP/VoLTE packets.
 6. The location of the NSF is 2001:DB8:8:4::5.
 7. The port of the NSF is 3000.
 A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood
 Mitigation
 This section shows an XML example for registering the capabilities of
 http and https flood mitigation.
-<i2nsf-nsf-registrations
+<nsf-registrations
   xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
   xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
-  <i2nsf-nsf-capability-registration>
-    <nsf-name>
-    http_and_h ttps_flood_mitigation_capability
-    </nsf-name>
+  <nsf-information>
+    <capability-name>
+    http_and_https_flood_mitigation
+    </capability-name>
     <nsf-capability-info>
-      <i2nsf-capability>
+      <security-capability>
         <condition-capabilities>
           <advanced-nsf-capabilities>
             <antiddos-capa>capa:http-flood-action</antiddos-capa>
             <antiddos-capa>capa:https-flood-action</antiddos-capa>
           </advanced-nsf-capabilities>
         </condition-capabilities>
         <action-capabilities>
           <ingress-action-capa>capa:pass</ingress-action-capa>
           <ingress-action-capa>capa:drop</ingress-action-capa>
           <ingress-action-capa>capa:alert</ingress-action-capa>
           <egress-action-capa>capa:pass</egress-action-capa>
           <egress-action-capa>capa:drop</egress-action-capa>
           <egress-action-capa>capa:alert</egress-action-capa>
         </action-capabilities>
         <ipsec-method>capa:ike</ipsec-method>
-      </i2nsf-capability>
-      <nsf-performance-capability>
+      </security-capability>
+      <performance-capability>
         <processing>
           <processing-average>1000</processing-average>
           <processing-peak>5000</processing-peak>
         </processing>
         <bandwidth>
           <outbound>
             <outbound-average>1000</outbound-average>
             <outbound-peak>5000</outbound-peak>
           </outbound>
           <inbound>
             <inbound-average>1000</inbound-average>
             <inbound-peak>5000</inbound-peak>
           </inbound>
         </bandwidth>
-      </nsf-performance-capability>
+      </performance-capability>
     </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<nsf-instance-name> <capability-name>
http_and_https_flood_mitigation http_and_https_flood_mitigation
</nsf-instance-name> </capability-name>
<i2nsf-nsf-address>2001:DB8:8:4::6</i2nsf-nsf-address> <ip>2001:DB8:8:4::6</ip>
<nsf-port-address>3000</nsf-port-address> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</i2nsf-nsf-capability-registration> </nsf-information>
</i2nsf-nsf-registrations> </nsf-registrations>
Figure 16: Configuration XML for Registration of of HTTP and HTTPS Figure 16: Configuration XML for Registration of of HTTP and HTTPS
Flood Mitigation Flood Mitigation
Figure 16 shows the configuration XML for registering the http and Figure 16 shows the configuration XML for registering the http and
https flood mitigator, and its capabilities are as follows. https flood mitigator, and its capabilities are as follows.
1. The instance name of the NSF is http_and_https_flood_mitigation. 1. The instance name of the NSF is http_and_https_flood_mitigation.
2. The NSF can control the amount of packets for http and https 2. The NSF can control the amount of packets for http and https
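Review bot: in the -06 column of Figure 16 the leaf name <capability-name> now appears twice with the same value, once under <nsf-information> (replacing <nsf-name>) and again inside <nsf-access-info> (replacing <nsf-instance-name>), while item 1 of the list below the figure still says "The instance name of the NSF is http_and_https_flood_mitigation". Either keep a distinct instance-name key in <nsf-access-info>, so that several running instances of the same capability can be told apart, or reword item 1 to name the leaf that actually carries the value. Two further nits in this hunk: the caption reads "Registration of of HTTP and HTTPS" in both columns, and the -05 value "http_and_h ttps_flood_mitigation_capability" contains a stray space that the -06 column correctly removes.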
skipping to change at page 31, line 7 skipping to change at page 31, line 7
7. The port of the NSF is 3000. 7. The port of the NSF is 3000.
A.6. Example 6: Query for Capabilities of Time based Firewall A.6. Example 6: Query for Capabilities of Time based Firewall
This section shows an XML example for querying the capabilities of This section shows an XML example for querying the capabilities of
time-based firewall. time-based firewall.
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<i2nsf-nsf-capability-query <nsf-capability-query
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:capa="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<query-i2nsf-capability-info> <query-i2nsf-capability-info>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capa>capa:ipv4-protocol</ipv4-capa> <ipv4-capa>capa:ipv4-protocol</ipv4-capa>
<ipv4-capa>capa:exact-ipv4-address</ipv4-capa> <ipv4-capa>capa:exact-ipv4-address</ipv4-capa>
<ipv4-capa>capa:range-ipv4-address</ipv4-capa> <ipv4-capa>capa:range-ipv4-address</ipv4-capa>
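Review bot: the rename of the RPC from <i2nsf-nsf-capability-query> to <nsf-capability-query> in the -06 column is not carried into its child, which is still <query-i2nsf-capability-info>; for consistency with the other renames in this revision (nsf-registrations, nsf-information, ip, port) drop the "i2nsf-" prefix there as well, or say why it is kept. The heading "Query for Capabilities of Time based Firewall" should also be hyphenated as "Time-based", matching the body text and the Figure 17 caption.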
skipping to change at page 31, line 30 skipping to change at page 31, line 30
<action-capabilities> <action-capabilities>
<ingress-action-capa>capa:pass</ingress-action-capa> <ingress-action-capa>capa:pass</ingress-action-capa>
<ingress-action-capa>capa:drop</ingress-action-capa> <ingress-action-capa>capa:drop</ingress-action-capa>
<ingress-action-capa>capa:alert</ingress-action-capa> <ingress-action-capa>capa:alert</ingress-action-capa>
<egress-action-capa>capa:pass</egress-action-capa> <egress-action-capa>capa:pass</egress-action-capa>
<egress-action-capa>capa:drop</egress-action-capa> <egress-action-capa>capa:drop</egress-action-capa>
<egress-action-capa>capa:alert</egress-action-capa> <egress-action-capa>capa:alert</egress-action-capa>
</action-capabilities> </action-capabilities>
<ipsec-method>capa:ikeless</ipsec-method> <ipsec-method>capa:ikeless</ipsec-method>
</query-i2nsf-capability-info> </query-i2nsf-capability-info>
</i2nsf-nsf-capability-query> </nsf-capability-query>
</rpc> </rpc>
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-access-info <nsf-access-info
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
<nsf-instance-name>time-based-firewall</nsf-instance-name> <capability-name>time-based-firewall</capability-name>
<i2nsf-nsf-address>2001:DB8:8:4::7</i2nsf-nsf-address> <ip>2001:DB8:8:4::7</ip>
<nsf-port-address>8080</nsf-port-address> <port>8080</port>
</nsf-access-info> </nsf-access-info>
</rpc-reply> </rpc-reply>
Figure 17: Configuration XML for Query of Time-based Firewall Figure 17: Configuration XML for Query of Time-based Firewall
Figure 17 shows the XML configuration for querying the capabilities Figure 17 shows the XML configuration for querying the capabilities
of the time-based firewall. of the time-based firewall.
Appendix B. NSF Lifecycle Managmenet in NFV Environments Appendix B. NSF Lifecycle Management in NFV Environments
Network Functions Virtualization (NFV) can be used to implement I2NSF Network Functions Virtualization (NFV) can be used to implement I2NSF
framework. In NFV environments, NSFs are deployed as virtual network framework. In NFV environments, NSFs are deployed as virtual network
functions (VNFs). Security Controller can be implemented as an functions (VNFs). Security Controller can be implemented as an
Element Management (EM) of the NFV architecture, and is connected Element Management (EM) of the NFV architecture, and is connected
with the VNF Manager (VNFM) via the Ve-Vnfm interface with the VNF Manager (VNFM) via the Ve-Vnfm interface
[nfv-framework]. Security Controller can use this interface for the [nfv-framework]. Security Controller can use this interface for the
purpose of the lifecycle management of NSFs. If some NSFs need to be purpose of the lifecycle management of NSFs. If some NSFs need to be
instantiated to enforce security policies in the I2NSF framework, instantiated to enforce security policies in the I2NSF framework,
Security Controller could request the VNFM to instantiate them Security Controller could request the VNFM to instantiate them
through the Ve-Vnfm interface. Or if an NSF, running as a VNF, is through the Ve-Vnfm interface. Or if an NSF, running as a VNF, is
not used by any traffic flows for a time period, Security Controller not used by any traffic flows for a time period, Security Controller
may request deinstantiating it through the interface for efficient may request deinstantiating it through the interface for efficient
resource utilization. resource utilization.
Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-04 Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-05
The following changes have been made from draft-ietf-i2nsf- The following changes have been made from draft-ietf-i2nsf-
registration-interface-dm-04: registration-interface-dm-05:
o This version is revised according to the comments from Reshad o This version is revised according to the comments from Reshad
Rahman who reviewed this document as a YANG doctor. Rahman who reviewed this document as a YANG doctor.
Appendix D. Acknowledgments Appendix D. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
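Review bot: Appendix C says only that the draft was "revised according to the comments from Reshad Rahman", but the visible hunks rename top-level and key nodes (<i2nsf-nsf-registrations> to <nsf-registrations>, <i2nsf-nsf-capability-registration> to <nsf-information>, <nsf-instance-name> to <capability-name>, <i2nsf-nsf-address> and <nsf-port-address> to <ip> and <port>); since these break instance documents written against -05, the change list should enumerate the renamed nodes. In Figure 17 the caption and the sentence after it call the rpc/rpc-reply pair "configuration XML", yet the exchange is a NETCONF RPC, not configuration data; a caption such as "NETCONF RPC for Querying the Time-based Firewall" would be accurate.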
skipping to change at page 33, line 9 skipping to change at page 33, line 9
o Chaehong Chung (Sungkyunkwan University) o Chaehong Chung (Sungkyunkwan University)
o Susan Hares (Huawei) o Susan Hares (Huawei)
o Diego R. Lopez (Telefonica) o Diego R. Lopez (Telefonica)
Authors' Addresses Authors' Addresses
Sangwon Hyun Sangwon Hyun
Department of Computer Engineering Department of Computer Engineering
Chosun University Myongji University
309, Pilmun-daero, Dong-gu 116 Myongji-ro, Cheoin-gu
Gwangju, Jeollanam-do 61452 Yongin, Gyeonggi-do 17058
Republic of Korea Republic of Korea
EMail: shyun@chosun.ac.kr EMail: shyun@mju.ac.kr
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 31 299 4957 Phone: +82 31 299 4957
Fax: +82 31 290 7996 Fax: +82 31 290 7996
End of changes. 121 change blocks. 329 lines changed or deleted, 328 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/