--- 1/draft-ietf-i2nsf-capability-data-model-07.txt 2020-08-25 10:13:18.113941501 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-08.txt 2020-08-25 10:13:18.197943630 -0700 @@ -4,21 +4,21 @@ Intended status: Standards Track J. Jeong, Ed. Expires: February 26, 2021 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei August 25, 2020 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-07 + draft-ietf-i2nsf-capability-data-model-08 Abstract This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo 
@@ -56,38 +56,38 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 39 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 40 - 9.2. Informative References . . . . . . . . . . . . . . . . . 42 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 43 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 + 9.2. Informative References . . . . . . . . . . . . . . . . . 43 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 A.1. Example 1: Registration for Capabilities of General - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 43 - A.2. Example 2: Registration for Capabilities of Time based Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 - A.3. Example 3: Registration for Capabilities of Web Filter . 45 + A.2. Example 2: Registration for Capabilities of Time based + Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 + A.3. Example 3: Registration for Capabilities of Web Filter . 46 A.4. 
Example 4: Registration for Capabilities of VoIP/VoLTE - Filter . . . . . . . . . . . . . . . . . . . . . . . . . 45 + Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 A.5. Example 5: Registration for Capabilities of HTTP and - HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 46 - Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 47 - Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 47 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 + HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 1. Introduction As the industry becomes more sophisticated and network devices (e.g., Internet of Things, Self-driving vehicles, and VoIP/VoLTE smartphones), service providers have a lot of problems described in [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] specifies the information model of the capabilities of Network Security Functions (NSFs). 
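Review bot: In the A.1 entry the continuation line `- Firewall . . . 43` is removed but no `+ Firewall . . . 44` line appears for A.1; the only `+` lines that follow are the re-wrapped A.2 entry (`+ A.2. Example 2: Registration for Capabilities of Time based` / `+ Firewall . . . 45`). Confirm that the regenerated table of contents still carries the A.1 page number rather than leaving "Example 1: Registration for Capabilities of General" without its second line. The one-page shift of Sections 7 through 9 and the appendices is consistent with the longer Section 6.1, so nothing else in this hunk needs a manual change beyond that check.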
@@ -1197,279 +1197,334 @@ "Identity for Prioritized Matching Rule with No Errors (PMRN) resolution strategy capability"; reference "draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Resolution Strategy"; } identity advanced-nsf-capability { description "Base identity for advanced Network Security Function (NSF) - capability"; + capability. This can be used for advanced NSFs such as + Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security + Service."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF capability"; } identity anti-virus-capability { base advanced-nsf-capability; description - "Identity for advanced NSF Anti-Virus capability"; + "Identity for advanced NSF Anti-Virus capability. + This can be used for an extension point for Anti-Virus + as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus capability"; } identity anti-ddos-capability { base advanced-nsf-capability; description - "Identity for advanced NSF Anti-DDoS attack capability"; + "Identity for advanced NSF Anti-DDoS Attack capability. + This can be used for an extension point for Anti-DDoS + Attack as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS Attack capability"; - } identity ips-capability { base advanced-nsf-capability; description "Identity for advanced NSF Intrusion Prevention System - (IPS) capabilities"; + (IPS) capabilities. This can be used for an extension + point for IPS as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF IPS capability"; } identity voip-volte-capability { base advanced-nsf-capability; description - "Identity for advanced NSF VoIP/VoLTE capability"; + "Identity for advanced NSF VoIP/VoLTE Security Service + capability. 
This can be used for an extension point + for VoIP/VoLTE Security Service as an advanced NSF."; reference "RFC 3261: SIP: Session Initiation Protocol RFC 8329: Framework for Interface to Network Security - Functions - Advanced NSF VoIP/VoLTE capability"; + Functions - Advanced NSF VoIP/VoLTE security service + capability"; } identity detect { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus Detection capability"; + "Identity for advanced NSF Anti-Virus Detection capability. + This can be used for an extension point for Anti-Virus + Detection as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus Detection capability"; } identity exception-application { base anti-virus-capability; description "Identity for advanced NSF Anti-Virus Exception Application - capability"; + capability. This can be used for an extension point for + Anti-Virus Exception Application as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus Exception Application capability"; } identity exception-signature { base anti-virus-capability; description "Identity for advanced NSF Anti-Virus Exception Signature - capability"; + capability. This can be used for an extension point for + Anti-Virus Exception Signature as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-Virus Exception Signature capability"; } - identity whitelists { + identity allow-list { base anti-virus-capability; description - "Identity for advanced NSF Anti-Virus Whitelists capability"; + "Identity for advanced NSF Anti-Virus Allow List capability. 
+ This can be used for an extension point for Anti-Virus + Allow List as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security - Functions - Advanced NSF Anti-Virus Whitelists capability"; + Functions - Advanced NSF Anti-Virus Allow List capability"; } identity syn-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS SYN Flood Action - capability"; + capability. This can be used for an extension point for + Anti-DDoS SYN Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS SYN Flood Action capability"; } identity udp-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS UDP Flood Action - capability"; + capability. This can be used for an extension point for + Anti-DDoS UDP Flood Action as an advanced NSF."; + reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS UDP Flood Action capability"; } identity http-flood-action { base anti-ddos-capability; description - "Identity for advanced NSF anti-DDoS HTTP Flood Action - capability"; + "Identity for advanced NSF Anti-DDoS HTTP Flood Action + capability. This can be used for an extension point for + Anti-DDoS HTTP Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS HTTP Flood Action capability"; } identity https-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS HTTPS Flood Action - capability"; + capability. 
This can be used for an extension point for + Anti-DDoS HTTPS Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS HTTPS Flood Action capability"; } identity dns-request-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS DNS Request Flood - Action Aapability"; + Action capability. This can be used for an extension + point for Anti-DDoS DNS Request Flood Action as an + advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS DNS Request Flood Action capability"; } identity dns-reply-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS DNS Reply Flood - Action capability"; + Action capability. This can be used for an extension + point for Anti-DDoS DNS Reply Flood Action as an + advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS DNS Reply Flood Action capability"; } identity icmp-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS ICMP Flood Action - capability"; + capability. This can be used for an extension point + for Anti-DDoS ICMP Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS ICMP Flood Action capability"; } identity icmpv6-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action - capability"; - + capability. This can be used for an extension point + for Anti-DDoS ICMPv6 Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action capability"; } identity sip-flood-action { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS SIP Flood Action - capability"; + capability. 
This can be used for an extension point + for Anti-DDoS SIP Flood Action as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS SIP Flood Action capability"; } identity detect-mode { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS Detection Mode - capability"; + capability. This can be used for an extension point + for Anti-DDoS Detection Mode as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS Detection Mode capability"; } identity baseline-learning { base anti-ddos-capability; description "Identity for advanced NSF Anti-DDoS Baseline Learning - capability"; + capability. This can be used for an extension point + for Anti-DDoS Baseline Learning as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS Baseline Learning capability"; } identity signature-set { base ips-capability; description - "Identity for advanced NSF IPS Signature Set capability"; + "Identity for advanced NSF IPS Signature Set capability. + This can be used for an extension point for IPS Signature + Set as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF IPS Signature Set capability"; } + identity ips-exception-signature { base ips-capability; description "Identity for advanced NSF IPS Exception Signature - capability"; + capability. This can be used for an extension point for + IPS Exception Signature as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF IPS Exception Signature Set capability"; } identity voice-id { base voip-volte-capability; description - "Identity for advanced NSF VoIP/VoLTE Voice-ID capability"; + "Identity for advanced NSF VoIP/VoLTE Voice-ID capability. 
+ This can be used for an extension point for VoIP/VoLTE + Voice-ID as an advanced NSF."; reference - "RFC 3261: SIP: Session Initiation Protocol"; + "RFC 3261: SIP: Session Initiation Protocol + RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF VoIP/VoLTE Security Service + capability"; + } identity user-agent { base voip-volte-capability; description - "Identity for advanced NSF VoIP/VoLTE User Agent capability"; + "Identity for advanced NSF VoIP/VoLTE User Agent capability. + This can be used for an extension point for VoIP/VoLTE + User Agent as an advanced NSF."; reference - "RFC 3261: SIP: Session Initiation Protocol"; + "RFC 3261: SIP: Session Initiation Protocol + RFC 8329: Framework for Interface to Network Security + Functions - Advanced NSF VoIP/VoLTE Security Service + capability"; } identity ipsec-capability { description "Base identity for an IPsec capability"; + reference + "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: + Software-Defined Networking (SDN)-based IPsec Flow + Protection - IPsec methods such as IKE and IKE-less"; } identity ike { base ipsec-capability; description "Identity for an IPSec Internet Key Exchange (IKE) capability"; + reference + "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: + Software-Defined Networking (SDN)-based IPsec Flow + Protection - IPsec method with IKE"; } identity ikeless { base ipsec-capability; description "Identity for an IPSec without Internet Key Exchange (IKE) capability"; + reference + "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: + Software-Defined Networking (SDN)-based IPsec Flow + Protection - IPsec method without IKE"; } /* * Grouping */ grouping nsf-capabilities { description "Network Security Function (NSF) Capabilities"; reference 
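Review bot: The closing brace of `identity anti-ddos-capability` is deleted (`- }` immediately before `identity ips-capability {`), so `ips-capability` and every identity after it would nest inside `anti-ddos-capability` and the module would not compile. A `+ }` is added after the new `voice-id` reference, where the -07 text appears to have had no closing brace before `identity user-agent {`, so the brace count balances overall, but the deletion in `anti-ddos-capability` is still wrong as shown; run pyang on the -08 module before posting. Three further points. Renaming `identity whitelists` to `identity allow-list` is a backwards-incompatible change for any consumer that registered the old identityref value, so it belongs in this revision's change log. The three new `reference` statements pin `draft-ietf-i2nsf-sdn-ipsec-flow-protection-08` by version number, which goes stale as that draft advances; the existing references already cite `draft-ietf-i2nsf-capability-05` the same way, so at minimum keep the convention consistent and plan to update both. While touching `ike` and `ikeless`, their descriptions spell "IPSec"; the RFC 4301 spelling is "IPsec". Stylistically, the sentence "This can be used for an extension point for X as an advanced NSF" is appended verbatim to every identity; stating it once under `advanced-nsf-capability`, which this hunk already does, would keep the leaf descriptions short, and the blank `+` line inserted between `description` and `reference` in `udp-flood-action` does not match the layout of the other identities.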
@@ -1619,21 +1675,23 @@ description "UDP packet capabilities"; reference "RFC 768: User Datagram Protocol - UDP"; } } container advanced-nsf-capabilities { description "Advanced Network Security Function (NSF) capabilities, - such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE."; + such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE. + This container contains the leaf-lists of advanced + NSF capabilities"; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF capabilities"; leaf-list anti-virus-capability { type identityref { base anti-virus-capability; } description "Anti-Virus capabilities";
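Review bot: The added sentence "This container contains the leaf-lists of advanced NSF capabilities" has no terminating period, unlike the other description strings in the module, and "container contains" reads awkwardly; "This container holds the leaf-lists of advanced NSF capabilities." would do. Also, the identity descriptions changed in the previous hunk now say "Anti-DDoS Attack" while this container description keeps "Anti-DDoS"; pick one form for both so the tree and the identities use the same name.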