--- 1/draft-ietf-i2nsf-capability-data-model-06.txt 2020-08-25 06:13:11.199822118 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-07.txt 2020-08-25 06:13:11.279824144 -0700 @@ -1,24 +1,24 @@ I2NSF Working Group S. Hares, Ed. Internet-Draft Huawei Intended status: Standards Track J. Jeong, Ed. -Expires: January 14, 2021 J. Kim +Expires: February 26, 2021 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei - July 13, 2020 + August 25, 2020 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-06 + draft-ietf-i2nsf-capability-data-model-07 Abstract This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 14, 2021. + This Internet-Draft will expire on February 26, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -56,40 +56,38 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 8. Security Considerations . . . . . . . . . . . . . . . . . . . 39 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 9.1. Normative References . . . . . . . . . . . . . . . . . . 40 - 9.2. Informative References . . . . . . . . . . . . . . . . . 43 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 + 9.2. Informative References . . . . . . . . . . . . . . . . . 42 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 43 A.1. Example 1: Registration for Capabilities of General - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 + Firewall . . . . . . . . . . . . . . . . . . . . . . . . 43 A.2. Example 2: Registration for Capabilities of Time based - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 - A.3. Example 3: Registration for Capabilities of Web Filter . 46 + Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 + A.3. Example 3: Registration for Capabilities of Web Filter . 45 A.4. Example 4: Registration for Capabilities of VoIP/VoLTE - Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 + Filter . . . . . . . . . . . . . . . . . . . . . . . . . 45 A.5. Example 5: Registration for Capabilities of HTTP and - HTTPS Flood Mitigation . . . 
. . . . . . . . . . . . . . 47 - Appendix B. Changes from draft-ietf-i2nsf-capability-data- - model-05 . . . . . . . . . . . . . . . . . . . . . . 48 - Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 48 - Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 49 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 + HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 46 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 47 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 47 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 1. Introduction As the industry becomes more sophisticated and network devices (e.g., Internet of Things, Self-driving vehicles, and VoIP/VoLTE smartphones), service providers have a lot of problems described in [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] specifies the information model of the capabilities of Network Security Functions (NSFs). 
@@ -182,24 +180,23 @@ rules where 'E', 'C', and 'A' mean "Event", "Condition", and "Action", respectively. The condition involves IPv4 or IPv6 datagrams, and the action includes "Allow" and "Deny" for those datagrams. Note that the NSF-Facing Interface is used to configure the security policy rules of the generic network security functions [draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of advanced security functions over the NSF-Facing Interface is used to configure the security policy rules of advanced network security - functions (e.g., anti-virus and anti-DDoS attack) - - [draft-dong-i2nsf-asf-config], respectively, according to the - capabilities of NSFs registered with the I2NSF Framework. + functions (e.g., anti-virus and anti-DDoS attack), respectively, + according to the capabilities of NSFs registered with the I2NSF + Framework. +------------------------------------------------------+ | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | Network Mgmt, another network domain's mgmt, etc.) | +--------------------+---------------------------------+ I2NSF ^ Consumer-Facing Interface | | v I2NSF +-----------------+------------+ Registration +-------------+ @@ -376,21 +373,21 @@ information about the SDN-based IPsec flow protection in I2NSF. 6. YANG Data Modules 6.1. I2NSF Capability YANG Data Module This section introduces a YANG data module for network security functions capabilities, as defined in the [draft-ietf-i2nsf-capability]. - file "ietf-i2nsf-capability@2020-07-13.yang" + file "ietf-i2nsf-capability@2020-08-25.yang" module ietf-i2nsf-capability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; prefix nsfcap; organization "IETF I2NSF (Interface to Network Security Functions) 
@@ -423,21 +420,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices."; - revision "2020-07-13"{ + revision "2020-08-25"{ description "Initial revision."; reference "RFC XXXX: I2NSF Capability YANG Data Model"; } /* * Identities */ identity event { @@ -572,21 +569,21 @@ identity geography { base context-capability; description "Identity for geography condition capability"; } identity ipv4-capability { base condition; description - "Identity for IPv4 condition capabilities"; + "Identity for IPv4 condition capability"; reference "RFC 791: Internet Protocol"; } identity exact-ipv4-header-length { base ipv4-capability; description "Identity for exact-match IPv4 header-length condition capability"; reference 
@@ -957,107 +954,107 @@ base udp-capability; description "Identity for range-match UDP total-length condition capability"; reference "RFC 768: User Datagram Protocol - Total Length"; } identity icmp-capability { base condition; description - "Identity for ICMP condition capabilities"; + "Identity for ICMP condition capability"; reference "RFC 792: Internet Control Message Protocol"; } identity icmp-type { base icmp-capability; description "Identity for ICMP type condition capability"; reference "RFC 792: Internet Control Message Protocol"; } identity icmpv6-capability { base condition; description - "Identity for ICMPv6 condition capabilities"; + "Identity for ICMPv6 condition capability"; reference "RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification - ICMPv6"; } identity icmpv6-type { base icmpv6-capability; description "Identity for ICMPv6 type condition capability"; reference "RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification - ICMPv6"; } identity url-capability { base condition; description - "Identity for URL condition capabilities"; + "Identity for URL condition capability"; } identity pre-defined { base url-capability; description - "Identity for URL pre-defined condition capabilities"; + "Identity for URL pre-defined condition capability"; } identity user-defined { base url-capability; description - "Identity for URL user-defined condition capabilities"; + "Identity for URL user-defined condition capability"; } identity log-action-capability { description - "Identity for log-action capabilities"; + "Identity for log-action capability"; } identity rule-log { base log-action-capability; description "Identity for rule log log-action capability"; } identity session-log { base log-action-capability; description "Identity for session log log-action capability"; } identity ingress-action-capability { description - "Identity for ingress-action 
capabilities"; + "Identity for ingress-action capability"; reference "RFC 8329: Framework for Interface to Network Security Functions - Ingress action"; } identity egress-action-capability { description - "Base identity for egress-action capabilities"; + "Base identity for egress-action capability"; reference "RFC 8329: Framework for Interface to Network Security Functions - Egress action"; } identity default-action-capability { description - "Identity for default-action capabilities"; + "Identity for default-action capability"; reference "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Default action"; } identity pass { base ingress-action-capability; base egress-action-capability; base default-action-capability; description 
@@ -1199,282 +1196,268 @@ description "Identity for Prioritized Matching Rule with No Errors (PMRN) resolution strategy capability"; reference "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity advanced-nsf-capability { description - "Base identity for advanced network security function (NSF) - capabilities"; + "Base identity for advanced Network Security Function (NSF) + capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Advanced NSF Capability"; + Functions - Advanced NSF capability"; } identity anti-virus-capability { base advanced-nsf-capability; description - "Identity for advanced NSF anti-virus capabilities"; + "Identity for advanced NSF Anti-Virus capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-Virus"; + Functions - Advanced NSF Anti-Virus capability"; } identity anti-ddos-capability { base advanced-nsf-capability; description - "Identity for advanced NSF anti-ddos capabilities"; + "Identity for advanced NSF Anti-DDoS attack capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + Functions - Advanced NSF Anti-DDoS Attack capability"; + } identity ips-capability { base advanced-nsf-capability; description "Identity for advanced NSF Intrusion Prevention System (IPS) capabilities"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: 
Configuration of Advanced - Security Functions with I2NSF Security Controller - - Intrusion Prevention System"; + Functions - Advanced NSF IPS capability"; } identity voip-volte-capability { base advanced-nsf-capability; description - "Identity for advanced NSF VoIP/VoLTE capabilities"; + "Identity for advanced NSF VoIP/VoLTE capability"; reference "RFC 3261: SIP: Session Initiation Protocol RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller"; + Functions - Advanced NSF VoIP/VoLTE capability"; } identity detect { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus detection capability"; + "Identity for advanced NSF Anti-Virus Detection capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-Virus"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-Virus Detection capability"; } identity exception-application { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus exception application + "Identity for advanced NSF Anti-Virus Exception Application capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-Virus"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-Virus Exception Application + capability"; } identity exception-signature { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus exception signature + "Identity for advanced NSF Anti-Virus Exception Signature capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-Virus"; + "RFC 8329: Framework for Interface to Network Security + 
Functions - Advanced NSF Anti-Virus Exception Signature + capability"; } identity whitelists { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus whitelists capability"; + "Identity for advanced NSF Anti-Virus Whitelists capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-virus"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-Virus Whitelists capability"; } identity syn-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS syn flood action + "Identity for advanced NSF Anti-DDoS SYN Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS SYN Flood Action + capability"; } identity udp-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF anti-DDoS UDP flood action + "Identity for advanced NSF Anti-DDoS UDP Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS UDP Flood Action + capability"; } identity http-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF anti-DDoS http flood action + "Identity for advanced NSF anti-DDoS HTTP Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS HTTP Flood Action + capability"; } identity https-flood-action { base anti-ddos-capability; description - "Identity for advanced 
NSF Anti-DDoS https flood action + "Identity for advanced NSF Anti-DDoS HTTPS Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS HTTPS Flood Action + capability"; } identity dns-request-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF anti-DDoS dns request - flood action capability"; + "Identity for advanced NSF Anti-DDoS DNS Request Flood + Action Aapability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS DNS Request Flood + Action capability"; } identity dns-reply-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS DNS reply flood action - capability"; + "Identity for advanced NSF Anti-DDoS DNS Reply Flood + Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS DNS Reply Flood + Action capability"; } + identity icmp-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS ICMP flood action + "Identity for advanced NSF Anti-DDoS ICMP Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS ICMP Flood Action + capability"; } identity icmpv6-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS ICMPv6 flood action + "Identity for advanced 
NSF Anti-DDoS ICMPv6 Flood Action capability"; + reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action + capability"; } identity sip-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS SIP flood action + "Identity for advanced NSF Anti-DDoS SIP Flood Action capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS SIP Flood Action + capability"; } identity detect-mode { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS detection mode + "Identity for advanced NSF Anti-DDoS Detection Mode capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS Detection Mode + capability"; } identity baseline-learning { base anti-ddos-capability; description - "Identity for advanced NSF Anti-DDoS baseline learning + "Identity for advanced NSF Anti-DDoS Baseline Learning capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Anti-DDoS"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS Baseline Learning + capability"; } identity signature-set { base ips-capability; description - "Identity for advanced NSF IPS signature set capability"; + "Identity for advanced NSF IPS Signature Set capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - 
Intrusion Prevention System"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF IPS Signature Set capability"; } - identity ips-exception-signature { base ips-capability; description - "Identity for advanced NSF IPS exception signature + "Identity for advanced NSF IPS Exception Signature capability"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of Advanced - Security Functions with I2NSF Security Controller - - Intrusion Prevention System"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF IPS Exception Signature Set + capability"; } identity voice-id { base voip-volte-capability; description - "Identity for advanced NSF VoIP/VoLTE voice-id capability"; + "Identity for advanced NSF VoIP/VoLTE Voice-ID capability"; reference "RFC 3261: SIP: Session Initiation Protocol"; } identity user-agent { base voip-volte-capability; description - "Identity for advanced NSF VoIP/VoLTE user agent capability"; + "Identity for advanced NSF VoIP/VoLTE User Agent capability"; reference "RFC 3261: SIP: Session Initiation Protocol"; } identity ipsec-capability { description - "Base identity for an IPsec capabilities"; + "Base identity for an IPsec capability"; } + identity ike { base ipsec-capability; description "Identity for an IPSec Internet Key Exchange (IKE) capability"; } identity ikeless { base ipsec-capability; description @@ -1538,21 +1522,21 @@ } description "System event capabilities"; } leaf-list system-alarm-capability { type identityref { base system-alarm-capability; } description - "System alarm Capabilities"; + "System alarm capabilities"; } } container condition-capabilities { description "Conditions capabilities."; container generic-nsf-capabilities { description "Conditions capabilities. 
@@ -1639,83 +1622,75 @@ "RFC 768: User Datagram Protocol - UDP"; } } container advanced-nsf-capabilities { description "Advanced Network Security Function (NSF) capabilities, such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE."; reference "RFC 8329: Framework for Interface to Network Security - Functions - Differences from ACL Data Models - draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + Functions - Advanced NSF capabilities"; leaf-list anti-virus-capability { type identityref { base anti-virus-capability; } description - "Anti-virus capabilities"; + "Anti-Virus capabilities"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-Virus capabilities"; } leaf-list anti-ddos-capability { type identityref { base anti-ddos-capability; } description - "Anti-ddos capabilities"; + "Anti-DDoS Attack capabilities"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF Anti-DDoS Attack capabilities"; } leaf-list ips-capability { type identityref { base ips-capability; } description "Intrusion Prevention System (IPS) capabilities"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF IPS capabilities"; } leaf-list url-capability { type identityref { base url-capability; } description "URL capabilities"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF URL capabilities"; } leaf-list 
voip-volte-capability { type identityref { base voip-volte-capability; } description - "VoIP and VoLTE capabilities"; + "VoIP/VoLTE capabilities"; reference - "draft-dong-i2nsf-asf-config-01: Configuration of - Advanced Security Functions with I2NSF Security - Controller"; + "RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF VoIP/VoLTE capabilities"; } } leaf-list context-capabilities { type identityref { base context-capability; } description "Security context capabilities"; } @@ -1758,37 +1733,37 @@ base resolution-strategy-capability; } description "Resolution strategy capabilities. The resolution strategies can be used to specify how to resolve conflicts that occur between the actions of the same or different policy rules that are matched for the same packet and by particular NSF"; reference "draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Resolution strategy"; + NSFs Capabilities - Resolution strategy capabilities"; } leaf-list default-action-capabilities { type identityref { base default-action-capability; } description "Default action capabilities. A default action is used to execute I2NSF policy rules when no rule matches a packet. The default action is defined as pass, drop, alert, or mirror."; reference "RFC 8329: Framework for Interface to Network Security Functions - Ingress and egress actions draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Default action"; + NSFs Capabilities - Default action capabilities"; } leaf-list ipsec-method { type identityref { base ipsec-capability; } description "IPsec method capabilities"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 
@@ -1797,47 +1772,47 @@ } } /* * Data nodes */ list nsf { key "nsf-name"; description - "The list of Network Security Function (NSF) capabilities"; + "The list of Network Security Functions (NSFs)"; leaf nsf-name { type string; mandatory true; description - "The name of network security function"; + "The name of Network Security Function (NSF)"; } } } Figure 3: YANG Data Module of I2NSF Capability 7. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in - the "YANG Module Names" registry [RFC7950]. + the "YANG Module Names" registry [RFC7950][RFC8525]. name: ietf-i2nsf-capability namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability prefix: nsfcap reference: RFC XXXX 8. Security Considerations @@ -1872,25 +1847,20 @@ nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering. 9. References 9.1. Normative References - [draft-dong-i2nsf-asf-config] - Pan, W. and L. Xia, "Configuration of Advanced Security - Functions with I2NSF Security Controller", draft-dong- - i2nsf-asf-config-01 (work in progress), October 2018. - [draft-ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. [draft-ietf-i2nsf-nsf-monitoring-data-model] Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- nsf-monitoring-data-model-03 (work in progress), May 2020. 
@@ -1909,20 +1879,24 @@ A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, DOI 10.17487/RFC3444, January 2003, . + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, + DOI 10.17487/RFC3688, January 2004, + . + [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . @@ -1982,20 +1956,25 @@ [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . + [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., + and R. Wilton, "YANG Library", RFC 8525, + DOI 10.17487/RFC8525, March 2019, + . + 9.2. Informative References [draft-ietf-i2nsf-nsf-facing-interface-dm] Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09 (work in progress), May 2020. [draft-ietf-i2nsf-registration-interface-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF 
@@ -2196,37 +2175,29 @@ 1. The name of the NSF is http_and_https_flood_mitigation. 2. The location of the NSF is 221.159.112.140. 3. The NSF can control the amount of packets for http and https packets. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. -Appendix B. Changes from draft-ietf-i2nsf-capability-data-model-05 - - The following changes are made from draft-ietf-i2nsf-capability-data- - model-05: - - o The version is revised according to the comments from Romans - Danyliw for his AD review. - -Appendix C. Acknowledgments +Appendix B. Acknowledgments This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). -Appendix D. Contributors +Appendix C. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University)
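Review bot: In the hunk at @@ -182,24 +180,23 @@, dropping the [draft-dong-i2nsf-asf-config] citation leaves the statement that the NSF-Facing Interface configures advanced security functions (anti-virus, anti-DDoS) without any reference, while the generic case in the same sentence still cites [draft-ietf-i2nsf-nsf-facing-interface-dm]; either cite the document that now covers advanced-function configuration or reword so that "respectively" does not pair a cited item with an uncited one. The unchanged context in this sentence also reads "and The configuration of advanced security functions", which should be "and the configuration ...".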
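Review bot: In the hunk at @@ -423,21 +420,21 @@, the revision date moves to "2020-08-25" but the unchanged context still says "This version of this YANG module is part of RFC 8341; see the RFC itself for full legal notices." RFC 8341 is not this document; the module's own reference statement uses "RFC XXXX: I2NSF Capability YANG Data Model", so the legal-notice sentence should use the same "RFC XXXX" placeholder. The revision description "Initial revision." is kept while the date changes, which is fine for an unpublished module, but confirm that a single revision statement is intended rather than one per draft version.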
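Review bot: In the hunk at @@ -1199,282 +1196,268 @@, the new description for `dns-request-flood-action` contains a typo: `"Identity for advanced NSF Anti-DDoS DNS Request Flood Action Aapability"` should end with `Action capability"`. Consistency problems in the same hunk: `http-flood-action` now reads "advanced NSF anti-DDoS HTTP Flood Action" (lowercase "anti-DDoS") while every sibling uses "Anti-DDoS"; `ips-exception-signature` has description "IPS Exception Signature capability" but reference "Advanced NSF IPS Exception Signature Set capability"; and the unchanged `ips-capability` description still says "Intrusion Prevention System (IPS) capabilities" (plural) after all other base identities were changed to the singular "capability". Separately, every `draft-dong-i2nsf-asf-config-01` reference is replaced by "RFC 8329: Framework for Interface to Network Security Functions - <identity name> capability" and the earlier pointer "Differences from ACL Data Models" is removed; the new suffixes restate the identity name rather than naming a section of RFC 8329, so a reader cannot tell where (if anywhere) that RFC specifies SYN/UDP/HTTP/DNS/SIP flood actions, baseline learning, or IPS signature sets. Point each reference statement at the actual section, or at the document that defines the capability.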
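Review bot: In the hunk at @@ -1639,83 +1622,75 @@, `leaf-list url-capability` sits inside `container advanced-nsf-capabilities` and its new reference reads "RFC 8329: ... Advanced NSF URL capabilities", but the hunk at @@ -957 shows `identity url-capability { base condition; ... }`, not `base advanced-nsf-capability`, and the container description lists only "Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE". Either derive `url-capability` from `advanced-nsf-capability` or move the leaf-list next to the other generic condition capabilities so the data tree matches the identity hierarchy. As in the identity hunk, the replacement leaf-list references ("Advanced NSF Anti-Virus capabilities", "Advanced NSF IPS capabilities", and so on) restate the leaf name instead of pointing at a section of RFC 8329.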
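Review bot: In the hunk at @@ -1797,47 +1772,47 @@, the "YANG Module Names" registry citation becomes [RFC7950][RFC8525], and the hunk at @@ -1982 adds the RFC 8525 entry whose title is "YANG Library". That registry is established by RFC 6020 and carried forward by RFC 7950; RFC 8525 defines the YANG library data model, not the registry, so either explain why it is cited here or drop it. The [RFC3688] entry added in the hunk at @@ -1909 is the right fix, since the IANA section already cited it without a reference entry. Minor: the IANA template line reads "Uri:" and the usual form is "URI:".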
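Review bot: In the hunk at @@ -2196,37 +2175,29 @@, Appendix B "Changes from draft-ietf-i2nsf-capability-data-model-05" is deleted and the remaining appendices renumbered, but nothing now records what changed between -06 and -07 (the dropped asf-config reference, the singular/plural description edits, the new RFC 3688 and RFC 8525 citations). Keep a changes appendix until publication so reviewers can track the revision; note that the TOC hunk at @@ -56 already reflects the removal, so the two hunks must be reverted together if the appendix is restored.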