draft-ietf-i2nsf-registration-interface-dm-07.txt   draft-ietf-i2nsf-registration-interface-dm-08.txt 
I2NSF Working Group S. Hyun I2NSF Working Group S. Hyun
Internet-Draft Myongji University Internet-Draft Myongji University
Intended status: Standards Track J. Jeong Intended status: Standards Track J. Jeong
Expires: September 10, 2020 T. Roh Expires: October 1, 2020 T. Roh
S. Wi S. Wi
Sungkyunkwan University Sungkyunkwan University
J. Park J. Park
ETRI ETRI
March 9, 2020 March 30, 2020
I2NSF Registration Interface YANG Data Model I2NSF Registration Interface YANG Data Model
draft-ietf-i2nsf-registration-interface-dm-07 draft-ietf-i2nsf-registration-interface-dm-08
Abstract Abstract
This document defines an information model and a YANG data model for This document defines an information model and a YANG data model for
Registration Interface between Security Controller and Developer's Registration Interface between Security Controller and Developer's
Management System (DMS) in the Interface to Network Security Management System (DMS) in the Interface to Network Security
Functions (I2NSF) framework to register Network Security Functions Functions (I2NSF) framework to register Network Security Functions
(NSF) of the DMS into the Security Controller. The objective of (NSF) of the DMS into the Security Controller. The objective of
these information and data models is to support NSF capability these information and data models is to support NSF capability
registration and query via I2NSF Registration Interface. registration and query via I2NSF Registration Interface.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2020. This Internet-Draft will expire on October 1, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
5.1.1. NSF Capability Information . . . . . . . . . . . . . 6 5.1.1. NSF Capability Information . . . . . . . . . . . . . 6
5.1.2. NSF Access Information . . . . . . . . . . . . . . . 8 5.1.2. NSF Access Information . . . . . . . . . . . . . . . 8
5.2. NSF Capability Query . . . . . . . . . . . . . . . . . . 8 5.2. NSF Capability Query . . . . . . . . . . . . . . . . . . 8
6. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 8 6.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 8
6.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9 6.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9
6.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9 6.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9
6.1.3. NSF Capability Information . . . . . . . . . . . . . 11 6.1.3. NSF Capability Information . . . . . . . . . . . . . 11
6.1.4. NSF Access Information . . . . . . . . . . . . . . . 12 6.1.4. NSF Access Information . . . . . . . . . . . . . . . 12
6.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12 6.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 18 9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 20 9.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. XML Example of Registration Interface Data Model . . 22 Appendix A. XML Example of Registration Interface Data Model . . 22
A.1. Example 1: Registration for Capabilities of General A.1. Example 1: Registration for Capabilities of General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22
A.2. Example 2: Registration for Capabilities of Time based A.2. Example 2: Registration for Capabilities of Time based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 23 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 23
A.3. Example 3: Registration for Capabilities of Web Filter . 25 A.3. Example 3: Registration for Capabilities of Web Filter . 25
A.4. Example 4: Registration for Capabilities of VoIP/VoLTE A.4. Example 4: Registration for Capabilities of VoIP/VoLTE
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 27 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 27
A.5. Example 5: Registration for Capabilities of HTTP and A.5. Example 5: Registration for Capabilities of HTTP and
HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 28 HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 28
A.6. Example 6: Query for Capabilities of Time based Firewall 30 A.6. Example 6: Query for Capabilities of Time based Firewall 30
Appendix B. NSF Lifecycle Management in NFV Environments . . . . 32 Appendix B. NSF Lifecycle Management in NFV Environments . . . . 32
Appendix C. Changes from draft-ietf-i2nsf-registration- Appendix C. Changes from draft-ietf-i2nsf-registration-
interface-dm-05 . . . . . . . . . . . . . . . . . . 32 interface-dm-07 . . . . . . . . . . . . . . . . . . 32
Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 32 Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 32
Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 32 Appendix E. Contributors . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction 1. Introduction
A number of Network Security Functions (NSF) may exist in the A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework [RFC8329]. Interface to Network Security Functions (I2NSF) framework [RFC8329].
Since each of these NSFs likely has different security capabilities Since each of these NSFs likely has different security capabilities
from each other, it is important to register the security from each other, it is important to register the security
capabilities of the NSF into the security controller. In addition, capabilities of the NSF into the security controller. In addition,
it is required to search NSFs of some required security capabilities it is required to search NSFs of some required security capabilities
skipping to change at page 12, line 26 skipping to change at page 12, line 26
This module contains the network access information of an NSF that is This module contains the network access information of an NSF that is
required to enable network communications with the NSF. required to enable network communications with the NSF.
6.2. YANG Data Modules 6.2. YANG Data Modules
This section provides YANG modules of the data model for the This section provides YANG modules of the data model for the
registration interface between Security Controller and Developer's registration interface between Security Controller and Developer's
Management System, as defined in Section 5. Management System, as defined in Section 5.
<CODE BEGINS> file "ietf-i2nsf-reg-interface@2020-03-09.yang" <CODE BEGINS> file "ietf-i2nsf-reg-interface@2020-03-30.yang"
module ietf-i2nsf-reg-interface { module ietf-i2nsf-reg-interface {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
prefix nsfreg; prefix nsfreg;
// RFC Ed.: replace occurrences of XXXX with actual RFC number and
// remove this note
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
import ietf-i2nsf-capability { import ietf-i2nsf-capability {
prefix capa; prefix capa;
reference "draft-ietf-i2nsf-capability-data-model-05"; // RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
skipping to change at page 13, line 31 skipping to change at page 13, line 37
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2020-03-09" { // RFC Ed.: replace XXXX with actual RFC number and remove
// this note
revision "2020-03-30" {
description "Initial revision"; description "Initial revision";
reference reference
"RFC XXXX: I2NSF Registration Interface YANG Data Model"; "RFC XXXX: I2NSF Registration Interface YANG Data Model";
// RFC Ed.: replace XXXX with actual RFC number and remove
// this note
} }
grouping nsf-performance-capability { grouping nsf-performance-capability {
description description
"Description of the performance capabilities of an NSF"; "Description of the performance capabilities of an NSF";
container processing { container processing {
description description
"Processing power of an NSF in the unit of GHz (gigahertz)"; "Processing power of an NSF in the unit of GHz (gigahertz)";
leaf processing-average { leaf processing-average {
type uint16; type uint16;
units "GHz";
description description
"Average processing power"; "Average processing power";
} }
leaf processing-peak { leaf processing-peak {
type uint16; type uint16;
units "GHz";
description description
"Peak processing power"; "Peak processing power";
} }
} }
container bandwidth { container bandwidth {
description description
"Network bandwidth available on an NSF "Network bandwidth available on an NSF
in the unit of Mbps (megabits per second)"; in the unit of Mbps (megabits per second)";
container outbound { container outbound {
skipping to change at page 15, line 7 skipping to change at page 15, line 19
} }
} }
grouping nsf-capability-info { grouping nsf-capability-info {
description description
"Capability description of an NSF"; "Capability description of an NSF";
container security-capability { container security-capability {
description description
"Description of the security capabilities of an NSF"; "Description of the security capabilities of an NSF";
uses capa:nsf-capabilities; uses capa:nsf-capabilities;
reference "draft-ietf-i2nsf-capability-data-model-05"; // RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model";
} }
container performance-capability { container performance-capability {
description description
"Description of the performance capabilities of an NSF"; "Description of the performance capabilities of an NSF";
uses nsf-performance-capability; uses nsf-performance-capability;
} }
} }
grouping nsf-access-info { grouping nsf-access-info {
description description
skipping to change at page 16, line 24 skipping to change at page 16, line 38
rpc nsf-capability-query { rpc nsf-capability-query {
description description
"Description of the capabilities that the "Description of the capabilities that the
Security Controller requests to the DMS"; Security Controller requests to the DMS";
input { input {
container query-nsf-capability { container query-nsf-capability {
description description
"Description of the capabilities to request"; "Description of the capabilities to request";
uses capa:nsf-capabilities; uses capa:nsf-capabilities;
reference // RFC Ed.: replace YYYY with actual RFC number of
"draft-ietf-i2nsf-capability-data-model-05"; // draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model";
} }
} }
output { output {
container nsf-access-info { container nsf-access-info {
description description
"Network access information of an NSF "Network access information of an NSF
with the requested capabilities"; with the requested capabilities";
uses nsf-access-info; uses nsf-access-info;
} }
} }
skipping to change at page 17, line 17 skipping to change at page 17, line 28
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950].
Name: ietf-i2nsf-reg-interface Name: ietf-i2nsf-reg-interface
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface
Prefix: nsfreg Prefix: nsfreg
Reference: RFC XXXX Reference: RFC XXXX
// RFC Ed.: replace XXXX with actual RFC number and remove
// this note
8. Security Considerations 8. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required secure transport is the secure transport layer, and the required secure transport is
Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
and the required secure transport is TLS [RFC8446]. and the required secure transport is TLS [RFC8446].
The NETCONF access control model [RFC8341] provides a means of The NETCONF access control model [RFC8341] provides a means of
skipping to change at page 18, line 42 skipping to change at page 19, line 13
its sensitivity/vulnerability: its sensitivity/vulnerability:
o nsf-capability-query: An attacker may abuse this RPC operation o nsf-capability-query: An attacker may abuse this RPC operation
to degrade the availability of the DMS (by flooding it with to degrade the availability of the DMS (by flooding it with
queries) and/or to enumerate the NSFs registered with the DMS queries) and/or to enumerate the NSFs registered with the DMS
and their access information. and their access information.
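The two risks named for nsf-capability-query map onto two controls a DMS implementer would put in front of the RPC: a NACM exec check so that only authorized Security Controllers can invoke it, and per-client rate limiting so that repeated queries cannot exhaust the DMS. The following is an added example written for this page; it is not code from the draft or from any I2NSF implementation. The module namespace and the RPC/container names come from the YANG module above, while the capability strings, the leaf name inside query-nsf-capability, the leaf names inside nsf-access-info, the NSF records and the NACM rule format are all constructed assumptions for the example.

```python
# Added example (not the draft's own code): a DMS-side handler for the
# nsf-capability-query RPC that applies a NACM-style exec rule before the
# RPC body runs and rate-limits each client.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"  # from the module
MODULE = "ietf-i2nsf-reg-interface"
RPC_NAME = "nsf-capability-query"

# Constructed NSF registry: (capability set, nsf-access-info record). The
# capability strings and the leaf names inside nsf-access-info are
# assumptions for this example, not names taken from the draft.
REGISTRY = [
    ({"ipv4", "tcp", "time"},
     {"nsf-name": "time_based_firewall", "nsf-address": "10.0.0.21",
      "nsf-port-address": 830}),
    ({"ipv4", "tcp", "url"},
     {"nsf-name": "web_filter", "nsf-address": "10.0.0.22",
      "nsf-port-address": 830}),
]

# Simplified NACM (RFC 8341) rule list: a rule names a group, a module and an
# RPC. Anything matching no rule is denied, i.e. exec-default is "deny".
GROUPS = {"sc-prod": {"security-controllers"}, "guest": set()}
NACM_RULES = [
    {"group": "security-controllers", "module": MODULE,
     "rpc": RPC_NAME, "action": "permit"},
]


def nacm_permits(user, module, rpc):
    """True only if an explicit permit rule covers one of the user's groups."""
    for rule in NACM_RULES:
        if (rule["group"] in GROUPS.get(user, set())
                and rule["module"] == module and rule["rpc"] == rpc):
            return rule["action"] == "permit"
    return False


@dataclass
class TokenBucket:
    """Per-client token bucket; the clock is passed in so tests are deterministic."""
    capacity: int
    refill_per_sec: float
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_query(capabilities):
    """Controller side: RPC input with one <capability> leaf per requested
    capability (the leaf name is an assumption for this example)."""
    rpc = ET.Element(f"{{{NS}}}{RPC_NAME}")
    query = ET.SubElement(rpc, f"{{{NS}}}query-nsf-capability")
    for cap in capabilities:
        ET.SubElement(query, f"{{{NS}}}capability").text = cap
    return ET.tostring(rpc)


def handle_query(user, client_id, rpc_xml, now, buckets):
    """DMS side. Returns (NETCONF error-tag or "ok", list of nsf-access-info)."""
    if not nacm_permits(user, MODULE, RPC_NAME):
        return "access-denied", []       # authorization is checked before parsing
    bucket = buckets.setdefault(client_id, TokenBucket(capacity=5, refill_per_sec=1.0))
    if not bucket.allow(now):
        return "resource-denied", []     # protects DMS availability
    root = ET.fromstring(rpc_xml)
    wanted = {e.text for e in root.iter(f"{{{NS}}}capability")}
    # An NSF matches when it offers every requested capability.
    matches = [info for caps, info in REGISTRY if wanted <= caps]
    return "ok", matches


if __name__ == "__main__":
    buckets = {}
    print(handle_query("sc-prod", "c1", build_query(["ipv4", "time"]), 0.0, buckets))
    print(handle_query("guest", "c2", build_query(["ipv4"]), 0.0, buckets))
```

The authorization check runs before the XML is parsed, so an unauthorized peer never reaches the parser or the registry; the bucket is keyed per client so one noisy controller cannot starve others, and the error tags returned are the standard NETCONF access-denied and resource-denied values a real server would place in its rpc-error.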
9. References 9. References
9.1. Normative References 9.1. Normative References
[capability-dm]
Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
"I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
capability-data-model-05 (work in progress), July 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
skipping to change at page 20, line 11 skipping to change at page 20, line 34
Documents Containing YANG Data Models", BCP 216, RFC 8407, Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018, DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>. <https://www.rfc-editor.org/info/rfc8407>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
9.2. Informative References 9.2. Informative References
[capability-dm]
Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
"I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
capability-data-model-05 (work in progress), July 2019.
[i2nsf-ipsec] [i2nsf-ipsec]
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "Software-Defined Networking (SDN)-based IPsec Garcia, "Software-Defined Networking (SDN)-based IPsec
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-07 (work in progress), August 2019. protection-07 (work in progress), August 2019.
[i2nsf-monitoring] [i2nsf-monitoring]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-02 (work in progress), November nsf-monitoring-data-model-02 (work in progress), November
skipping to change at page 32, line 21 skipping to change at page 32, line 21
with the VNF Manager (VNFM) via the Ve-Vnfm interface with the VNF Manager (VNFM) via the Ve-Vnfm interface
[nfv-framework]. Security Controller can use this interface for the [nfv-framework]. Security Controller can use this interface for the
purpose of the lifecycle management of NSFs. If some NSFs need to be purpose of the lifecycle management of NSFs. If some NSFs need to be
instantiated to enforce security policies in the I2NSF framework, instantiated to enforce security policies in the I2NSF framework,
Security Controller could request the VNFM to instantiate them Security Controller could request the VNFM to instantiate them
through the Ve-Vnfm interface. Or if an NSF, running as a VNF, is through the Ve-Vnfm interface. Or if an NSF, running as a VNF, is
not used by any traffic flows for a time period, Security Controller not used by any traffic flows for a time period, Security Controller
may request deinstantiating it through the interface for efficient may request deinstantiating it through the interface for efficient
resource utilization. resource utilization.
Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-05 Appendix C. Changes from draft-ietf-i2nsf-registration-interface-dm-07
The following changes have been made from draft-ietf-i2nsf- The following changes have been made from draft-ietf-i2nsf-
registration-interface-dm-06: registration-interface-dm-07:
o This version is revised according to the comments from Reshad o This version is revised according to the comments from Reshad
Rahman who reviewed this document as a YANG doctor. Rahman who reviewed this document as a YANG doctor.
o The data definition statements (i.e., container nsf-registrations) o draft-ietf-i2nsf-capability-data-model is cited as a normative
are moved after the groupings and before the rpc statements. reference according to the guideline at
https://tools.ietf.org/html/rfc8407#section-3.9
o This version checked the indentations over the entire YANG module o For the references to draft-ietf-i2nsf-capability-data-model in
and corrected three indentation errors such as uses capa:nsf- the YANG model, they are qualified with a note to the editor that
capabilities, uses nsf-capability-info, and uses nsf-access-info. the draft will become an RFC, so the actual RFC number of the
draft needs to be used.
o The editor's notes are put to request to replace XXXX with the
actual RFC number of this document (i.e., draft-ietf-i2nsf-
registration-interface-dm) when the document is published.
o The leaf nodes processing-average and processing-peak under
container processing now carry an explicit units "GHz" statement.
Appendix D. Acknowledgments Appendix D. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (No. 2016-0-00078, Cloud Based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). Security Service Provisioning).
Appendix E. Contributors Appendix E. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document. The following are
considered co-authors: considered co-authors:
o Jinyong Tim Kim (Sungkyunkwan University) o Jinyong Tim Kim (Sungkyunkwan University)
 End of changes. 25 change blocks. 
28 lines changed or deleted 55 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/