| draft-ietf-i2nsf-capability-data-model-08.txt | draft-ietf-i2nsf-capability-data-model-09.txt | |||
|---|---|---|---|---|
| I2NSF Working Group S. Hares, Ed. | I2NSF Working Group S. Hares, Ed. | |||
| Internet-Draft Huawei | Internet-Draft Huawei | |||
| Intended status: Standards Track J. Jeong, Ed. | Intended status: Standards Track J. Jeong, Ed. | |||
| Expires: February 26, 2021 J. Kim | Expires: March 1, 2021 J. Kim | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| R. Moskowitz | R. Moskowitz | |||
| HTT Consulting | HTT Consulting | |||
| Q. Lin | Q. Lin | |||
| Huawei | Huawei | |||
| August 25, 2020 | August 28, 2020 | |||
| I2NSF Capability YANG Data Model | I2NSF Capability YANG Data Model | |||
| draft-ietf-i2nsf-capability-data-model-08 | draft-ietf-i2nsf-capability-data-model-09 | |||
| Abstract | Abstract | |||
| This document defines a YANG data model for the capabilities of | This document defines a YANG data model for the capabilities of | |||
| various Network Security Functions (NSFs) in the Interface to Network | various Network Security Functions (NSFs) in the Interface to Network | |||
| Security Functions (I2NSF) framework to centrally manage the | Security Functions (I2NSF) framework to centrally manage the | |||
| capabilities of the various NSFs. | capabilities of the various NSFs. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 26, 2021. | This Internet-Draft will expire on March 1, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 | ||||
| 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 | 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 | 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 | |||
| 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 | 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 | |||
| 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 | ||||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 43 | 9.2. Informative References . . . . . . . . . . . . . . . . . 44 | |||
| Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 | Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45 | |||
| A.1. Example 1: Registration for Capabilities of General | A.1. Example 1: Registration for the Capabilities of a General | |||
| Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 | ||||
| A.2. Example 2: Registration for Capabilities of Time based | ||||
| Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 | Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| A.3. Example 3: Registration for Capabilities of Web Filter . 46 | A.2. Example 2: Registration for the Capabilities of a Time- | |||
| A.4. Example 4: Registration for Capabilities of VoIP/VoLTE | based Firewall . . . . . . . . . . . . . . . . . . . . . 47 | |||
| Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 | A.3. Example 3: Registration for the Capabilities of a Web | |||
| A.5. Example 5: Registration for Capabilities of HTTP and | Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47 | A.4. Example 4: Registration for the Capabilities of a | |||
| Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 | VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49 | |||
| Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 | A.5. Example 5: Registration for the Capabilities of a HTTP | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 | and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 50 | |||
| Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 51 | ||||
| Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 52 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 | ||||
| 1. Introduction | 1. Introduction | |||
| As the industry becomes more sophisticated and network devices (e.g., | As the industry becomes more sophisticated and network devices (e.g., | |||
| Internet of Things, Self-driving vehicles, and VoIP/VoLTE | Internet of Things, Self-driving vehicles, and VoIP/VoLTE | |||
| smartphones), service providers have a lot of problems described in | smartphones), service providers have a lot of problems described in | |||
| [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] | [RFC8192]. To resolve these problems, [I-D.ietf-i2nsf-capability] | |||
| specifies the information model of the capabilities of Network | specifies the information model of the capabilities of Network | |||
| Security Functions (NSFs). | Security Functions (NSFs) in a framework of the Interface to Network | |||
| Security Functions (I2NSF) [RFC8329]. | ||||
| This document provides a YANG data model [RFC6020][RFC7950] that | This document provides a YANG data model [RFC6020][RFC7950] that | |||
| defines the capabilities of NSFs to centrally manage the capabilities | defines the capabilities of NSFs to centrally manage the capabilities | |||
| of those security devices. The security devices can register their | of those security devices. The security devices can register their | |||
| own capabilities into a Network Operator Management (Mgmt) System | own capabilities into a Network Operator Management (Mgmt) System | |||
| (i.e., Security Controller) with this YANG data model through the | (i.e., Security Controller) with this YANG data model through the | |||
| registration interface [RFC8329]. With the capabilities of those | registration interface [RFC8329]. With the capabilities of those | |||
| security devices maintained centrally, those security devices can be | security devices maintained centrally, those security devices can be | |||
| more easily managed [RFC8329]. This YANG data model is based on the | more easily managed [RFC8329]. This YANG data model is based on the | |||
| information model for I2NSF NSF capabilities | information model for I2NSF NSF capabilities | |||
| [draft-ietf-i2nsf-capability]. | [I-D.ietf-i2nsf-capability]. | |||
| This YANG data model uses an "Event-Condition-Action" (ECA) policy | This YANG data model uses an "Event-Condition-Action" (ECA) policy | |||
| model that is used as the basis for the design of I2NSF Policy as | model that is used as the basis for the design of I2NSF Policy as | |||
| described in [RFC8329] and [draft-ietf-i2nsf-capability]. The "ietf- | described in [RFC8329] and [I-D.ietf-i2nsf-capability]. The "ietf- | |||
| i2nsf-capability" YANG module defined in this document provides the | i2nsf-capability" YANG module defined in this document provides the | |||
| following features: | following features: | |||
| o Definition for general capabilities of network security functions. | o Definition for general capabilities of network security functions. | |||
| o Definition for event capabilities of generic network security | o Definition for event capabilities of generic network security | |||
| functions. | functions. | |||
| o Definition for condition capabilities of generic network security | o Definition for condition capabilities of generic network security | |||
| functions. | functions. | |||
| skipping to change at page 3, line 42 ¶ | skipping to change at page 3, line 42 ¶ | |||
| o Definition for resolution strategy capabilities of generic network | o Definition for resolution strategy capabilities of generic network | |||
| security functions. | security functions. | |||
| o Definition for default action capabilities of generic network | o Definition for default action capabilities of generic network | |||
| security functions. | security functions. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119][RFC8174]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Terminology | 3. Terminology | |||
| This document uses the terminology described in | This document uses the terminology described in [RFC8329]. | |||
| [draft-ietf-i2nsf-capability][RFC8431]. Especially, the following | ||||
| terms are from [RFC3444]: | ||||
| o Data Model: A data model is a representation of concepts of | ||||
| interest to an environment in a form that is dependent on data | ||||
| repository, data definition language, query language, | ||||
| implementation language, and protocol. | ||||
| o Information Model: An information model is a representation of | ||||
| concepts of interest to an environment in a form that is | ||||
| independent of data repository, data definition language, query | ||||
| language, implementation language, and protocol. | ||||
| 3.1. Tree Diagrams | ||||
| A simplified graphical representation of the data model is used in | This document follows the guidelines of [RFC8407], uses the common | |||
| this document. The meaning of the symbols in these diagrams is | YANG types defined in [RFC6991], and adopts the Network Management | |||
| referred from [RFC8340]. | Datastore Architecture (NMDA). The meaning of the symbols in tree | |||
| diagrams is defined in [RFC8340]. | ||||
| 4. Overview | 4. Overview | |||
| This section provides as overview of how the YANG data model can be | This section provides as overview of how the YANG data model can be | |||
| used in the I2NSF framework described in [RFC8329]. Figure 1 shows | used in the I2NSF framework described in [RFC8329]. Figure 1 shows | |||
| the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF | the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF | |||
| Framework. As shown in this figure, an NSF Developer's Management | Framework. As shown in this figure, an NSF Developer's Management | |||
| System can register NSFs and the capabilities that the network | System can register NSFs and the capabilities that the network | |||
| security device can support. To register NSFs in this way, the | security device can support. To register NSFs in this way, the | |||
| Developer's Management System utilizes this standardized capability | Developer's Management System utilizes this standardized capability | |||
| YANG data model through the I2NSF Registration Interface | YANG data model through the I2NSF Registration Interface [RFC8329]. | |||
| [draft-ietf-i2nsf-registration-interface-dm]. That is, this | That is, this Registration Interface uses the YANG module described | |||
| Registration Interface uses the YANG module described in this | in this document to describe the capability of a network security | |||
| document to describe the capability of a network security function | function that is registered with the Security Controller. With the | |||
| that is registered with the Security Controller. With the | ||||
| capabilities of those network security devices maintained centrally, | capabilities of those network security devices maintained centrally, | |||
| those security devices can be more easily managed, which can resolve | those security devices can be more easily managed, which can resolve | |||
| many of the problems described in [RFC8192]. | many of the problems described in [RFC8192]. | |||
| In Figure 1, a new NSF at a Developer's Management Systems has | In Figure 1, a new NSF at a Developer's Management Systems has | |||
| capabilities of Firewall (FW) and Web Filter (WF), which are denoted | capabilities of Firewall (FW) and Web Filter (WF), which are denoted | |||
| as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy | as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy | |||
| rules where 'E', 'C', and 'A' mean "Event", "Condition", and | rules where 'E', 'C', and 'A' mean "Event", "Condition", and | |||
| "Action", respectively. The condition involves IPv4 or IPv6 | "Action", respectively. The condition involves IPv4 or IPv6 | |||
| datagrams, and the action includes "Allow" and "Deny" for those | datagrams, and the action includes "Allow" and "Deny" for those | |||
| datagrams. | datagrams. | |||
| Note that the NSF-Facing Interface is used to configure the security | Note that the NSF-Facing Interface [RFC8329] is used to configure the | |||
| policy rules of the generic network security functions | security policy rules of the generic network security functions, and | |||
| [draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of | The configuration of advanced security functions over the NSF-Facing | |||
| advanced security functions over the NSF-Facing Interface is used to | Interface is used to configure the security policy rules of advanced | |||
| configure the security policy rules of advanced network security | network security functions (e.g., anti-virus and anti-DDoS attack), | |||
| functions (e.g., anti-virus and anti-DDoS attack), respectively, | respectively, according to the capabilities of NSFs registered with | |||
| according to the capabilities of NSFs registered with the I2NSF | the I2NSF Framework. | |||
| Framework. | ||||
| +------------------------------------------------------+ | +------------------------------------------------------+ | |||
| | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | |||
| | Network Mgmt, another network domain's mgmt, etc.) | | | Network Mgmt, another network domain's mgmt, etc.) | | |||
| +--------------------+---------------------------------+ | +--------------------+---------------------------------+ | |||
| I2NSF ^ | I2NSF ^ | |||
| Consumer-Facing Interface | | Consumer-Facing Interface | | |||
| | | | | |||
| v I2NSF | v I2NSF | |||
| +-----------------+------------+ Registration +-------------+ | +-----------------+------------+ Registration +-------------+ | |||
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 21 ¶ | |||
| o If NSFs encounter the suspicious IPv6 packets of malicious users, | o If NSFs encounter the suspicious IPv6 packets of malicious users, | |||
| they can filter the packets out according to the configured | they can filter the packets out according to the configured | |||
| security policy rule. Therefore, the security policy rule against | security policy rule. Therefore, the security policy rule against | |||
| the malicious users' packets can be automatically applied to | the malicious users' packets can be automatically applied to | |||
| appropriate NSFs without human intervention. | appropriate NSFs without human intervention. | |||
| 5. YANG Tree Diagram | 5. YANG Tree Diagram | |||
| This section shows a YANG tree diagram of capabilities of network | This section shows a YANG tree diagram of capabilities of network | |||
| security functions, as defined in the [draft-ietf-i2nsf-capability]. | security functions, as defined in the [I-D.ietf-i2nsf-capability]. | |||
| 5.1. Network Security Function (NSF) Capabilities | 5.1. Network Security Function (NSF) Capabilities | |||
| This section explains a YANG tree diagram of NSF capabilities and its | This section explains a YANG tree diagram of NSF capabilities and its | |||
| features. Figure 2 shows a YANG tree diagram of NSF capabilities. | features. Figure 2 shows a YANG tree diagram of NSF capabilities. | |||
| The NSF capabilities in the tree include time capabilities, event | The NSF capabilities in the tree include time capabilities, event | |||
| capabilities, condition capabilities, action capabilities, resolution | capabilities, condition capabilities, action capabilities, resolution | |||
| strategy capabilities, and default action capabilities. Those | strategy capabilities, and default action capabilities. Those | |||
| capabilities can be tailored or extended according to a vendor's | capabilities can be tailored or extended according to a vendor's | |||
| specific requirements. Refer to the NSF capabilities information | specific requirements. Refer to the NSF capabilities information | |||
| model for detailed discussion [draft-ietf-i2nsf-capability]. | model for detailed discussion [I-D.ietf-i2nsf-capability]. | |||
| module: ietf-i2nsf-capability | module: ietf-i2nsf-capability | |||
| +--rw nsf* [nsf-name] | +--rw nsf* [nsf-name] | |||
| +--rw nsf-name string | +--rw nsf-name string | |||
| +--rw time-capabilities* enumeration | +--rw time-capabilities* enumeration | |||
| +--rw event-capabilities | +--rw event-capabilities | |||
| | +--rw system-event-capability* identityref | | +--rw system-event-capability* identityref | |||
| | +--rw system-alarm-capability* identityref | | +--rw system-alarm-capability* identityref | |||
| +--rw condition-capabilities | +--rw condition-capabilities | |||
| | +--rw generic-nsf-capabilities | | +--rw generic-nsf-capabilities | |||
| skipping to change at page 7, line 43 ¶ | skipping to change at page 7, line 43 ¶ | |||
| +--rw ipsec-method* identityref | +--rw ipsec-method* identityref | |||
| Figure 2: YANG Tree Diagram of Capabilities of Network Security | Figure 2: YANG Tree Diagram of Capabilities of Network Security | |||
| Functions | Functions | |||
| Time capabilities are used to specify the capabilities which describe | Time capabilities are used to specify the capabilities which describe | |||
| when to execute the I2NSF policy rule. The time capabilities are | when to execute the I2NSF policy rule. The time capabilities are | |||
| defined in terms of absolute time and periodic time. The absolute | defined in terms of absolute time and periodic time. The absolute | |||
| time means the exact time to start or end. The periodic time means | time means the exact time to start or end. The periodic time means | |||
| repeated time like day, week, or month. See Section 3.4.6 | repeated time like day, week, or month. See Section 3.4.6 | |||
| (Capability Algebra) in [draft-ietf-i2nsf-capability] for more | (Capability Algebra) in [I-D.ietf-i2nsf-capability] for more | |||
| information about the time-based condition (e.g., time period) in the | information about the time-based condition (e.g., time period) in the | |||
| capability algebra. | capability algebra. | |||
| Event capabilities are used to specify the capabilities that describe | Event capabilities are used to specify the capabilities that describe | |||
| the event that would trigger the evaluation of the condition clause | the event that would trigger the evaluation of the condition clause | |||
| of the I2NSF Policy Rule. The defined event capabilities are system | of the I2NSF Policy Rule. The defined event capabilities are system | |||
| event and system alarm. See Section 3.1 (Design Principles and ECA | event and system alarm. See Section 3.1 (Design Principles and ECA | |||
| Policy Model Overview) in [draft-ietf-i2nsf-capability] for more | Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more | |||
| information about the event in the ECA policy model. | information about the event in the ECA policy model. | |||
| Condition capabilities are used to specify capabilities of a set of | Condition capabilities are used to specify capabilities of a set of | |||
| attributes, features, and/or values that are to be compared with a | attributes, features, and/or values that are to be compared with a | |||
| set of known attributes, features, and/or values in order to | set of known attributes, features, and/or values in order to | |||
| determine whether or not the set of actions in that (imperative) | determine whether or not the set of actions in that (imperative) | |||
| I2NSF policy rule can be executed. The condition capabilities are | I2NSF policy rule can be executed. The condition capabilities are | |||
| classified in terms of generic network security functions and | classified in terms of generic network security functions and | |||
| advanced network security functions. The condition capabilities of | advanced network security functions. The condition capabilities of | |||
| generic network security functions are defined as IPv4 capability, | generic network security functions are defined as IPv4 capability, | |||
| IPv6 capability, TCP capability, UDP capability, and ICMP capability. | IPv6 capability, TCP capability, UDP capability, and ICMP capability. | |||
| The condition capabilities of advanced network security functions are | The condition capabilities of advanced network security functions are | |||
| defined as anti-virus capability, anti-DDoS capability, IPS | defined as anti-virus capability, anti-DDoS capability, IPS | |||
| capability, HTTP capability, and VoIP/VoLTE capability. See | capability, HTTP capability, and VoIP/VoLTE capability. See | |||
| Section 3.1 (Design Principles and ECA Policy Model Overview) in | Section 3.1 (Design Principles and ECA Policy Model Overview) in | |||
| [draft-ietf-i2nsf-capability] for more information about the | [I-D.ietf-i2nsf-capability] for more information about the condition | |||
| condition in the ECA policy model. Also, see Section 3.4.3 (I2NSF | in the ECA policy model. Also, see Section 3.4.3 (I2NSF Condition | |||
| Condition Clause Operator Types) in [draft-ietf-i2nsf-capability] for | Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more | |||
| more information about the operator types in an I2NSF condition | information about the operator types in an I2NSF condition clause. | |||
| clause. | ||||
| Action capabilities are used to specify the capabilities that | Action capabilities are used to specify the capabilities that | |||
| describe the control and monitoring aspects of flow-based NSFs when | describe the control and monitoring aspects of flow-based NSFs when | |||
| the event and condition clauses are satisfied. The action | the event and condition clauses are satisfied. The action | |||
| capabilities are defined as ingress-action capability, egress-action | capabilities are defined as ingress-action capability, egress-action | |||
| capability, and log-action capability. See Section 3.1 (Design | capability, and log-action capability. See Section 3.1 (Design | |||
| Principles and ECA Policy Model Overview) in | Principles and ECA Policy Model Overview) in | |||
| [draft-ietf-i2nsf-capability] for more information about the action | [I-D.ietf-i2nsf-capability] for more information about the action in | |||
| in the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow | the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow | |||
| Security Policy Structure) in [RFC8329] for more information about | Security Policy Structure) in [RFC8329] for more information about | |||
| the ingress and egress actions. In addition, see Section 9.1 (Flow- | the ingress and egress actions. In addition, see Section 9.1 (Flow- | |||
| Based NSF Capability Characterization) for more information about | Based NSF Capability Characterization) for more information about | |||
| logging at NSFs. | logging at NSFs. | |||
| Resolution strategy capabilities are used to specify the capabilities | Resolution strategy capabilities are used to specify the capabilities | |||
| that describe conflicts that occur between the actions of the same or | that describe conflicts that occur between the actions of the same or | |||
| different policy rules that are matched and contained in this | different policy rules that are matched and contained in this | |||
| particular NSF. The resolution strategy capabilities are defined as | particular NSF. The resolution strategy capabilities are defined as | |||
| First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized | First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized | |||
| Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), | Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), | |||
| and Prioritized Matching Rule with No Errors (PMRN). See | and Prioritized Matching Rule with No Errors (PMRN). See | |||
| Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in | Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in | |||
| [draft-ietf-i2nsf-capability] for more information about the | [I-D.ietf-i2nsf-capability] for more information about the resolution | |||
| resolution strategy. | strategy. | |||
| Default action capabilities are used to specify the capabilities that | Default action capabilities are used to specify the capabilities that | |||
| describe how to execute I2NSF policy rules when no rule matches a | describe how to execute I2NSF policy rules when no rule matches a | |||
| packet. The default action capabilities are defined as pass, drop, | packet. The default action capabilities are defined as pass, drop, | |||
| alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy | alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy | |||
| and Default Action) in [draft-ietf-i2nsf-capability] for more | and Default Action) in [I-D.ietf-i2nsf-capability] for more | |||
| information about the default action. | information about the default action. | |||
| IPsec method capabilities are used to specify capabilities of how to | IPsec method capabilities are used to specify capabilities of how to | |||
| support an Internet Key Exchange (IKE) for the security | support an Internet Key Exchange (IKE) for the security | |||
| communication. The default action capabilities are defined as IKE or | communication. The default action capabilities are defined as IKE or | |||
| IKE-less. See [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for more | IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more | |||
| information about the SDN-based IPsec flow protection in I2NSF. | information about the SDN-based IPsec flow protection in I2NSF. | |||
| 6. YANG Data Modules | 6. YANG Data Model of I2NSF NSF Capability | |||
| 6.1. I2NSF Capability YANG Data Module | This section introduces a YANG module for NSFs' capabilities, as | |||
| defined in the [I-D.ietf-i2nsf-capability]. | ||||
| This section introduces a YANG data module for network security | This YANG module imports from [RFC6991]. It makes references to [RFC | |||
| functions capabilities, as defined in the | 0768][RFC0790][RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][ | |||
| [draft-ietf-i2nsf-capability]. | RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-monitoring-dat | |||
| a-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. | ||||
| <CODE BEGINS> file "ietf-i2nsf-capability@2020-08-25.yang" | <CODE BEGINS> file "ietf-i2nsf-capability@2020-08-28.yang" | |||
| module ietf-i2nsf-capability { | module ietf-i2nsf-capability { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace | namespace | |||
| "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; | "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; | |||
| prefix | prefix | |||
| nsfcap; | nsfcap; | |||
| organization | organization | |||
| "IETF I2NSF (Interface to Network Security Functions) | "IETF I2NSF (Interface to Network Security Functions) | |||
| Working Group"; | Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/i2nsf> | "WG Web: <http://tools.ietf.org/wg/i2nsf> | |||
| WG List: <mailto:i2nsf@ietf.org> | WG List: <mailto:i2nsf@ietf.org> | |||
| WG Chair: Linda Dunbar | ||||
| <mailto:ldunbar@futurewei.com> | ||||
| WG Chair: Yoav Nir | ||||
| <mailto:ynir.ietf@gmail.com> | ||||
| Editor: Susan Hares | ||||
| <mailto:shares@ndzh.com> | ||||
| Editor: Jaehoon Paul Jeong | Editor: Jaehoon Paul Jeong | |||
| <mailto:pauljeong@skku.edu> | <mailto:pauljeong@skku.edu> | |||
| Editor: Jinyong Tim Kim | Editor: Jinyong Tim Kim | |||
| <mailto:timkim@skku.edu>"; | <mailto:timkim@skku.edu> | |||
| Editor: Susan Hares | ||||
| <mailto:shares@ndzh.com>"; | ||||
| description | description | |||
| "This module describes a capability model for I2NSF devices. | "This module is a YANG module for I2NSF Network Security | |||
| Functions (NSFs)'s Capabilities. | ||||
| Copyright (c) 2020 IETF Trust and the persons identified as | Copyright (c) 2020 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8341; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision "2020-08-25"{ | revision "2020-08-28"{ | |||
| description "Initial revision."; | description "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: I2NSF Capability YANG Data Model"; | "RFC XXXX: I2NSF Capability YANG Data Model"; | |||
| } | } | |||
| /* | /* | |||
| * Identities | * Identities | |||
| */ | */ | |||
| identity event { | identity event { | |||
| description | description | |||
| "Base identity for I2NSF policy events."; | "Base identity for I2NSF policy events."; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - Event"; | Monitoring YANG Data Model - Event"; | |||
| } | } | |||
| identity system-event-capability { | identity system-event-capability { | |||
| base event; | base event; | |||
| description | description | |||
| "Identity for system events"; | "Identity for system event"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System event"; | |||
| } | } | |||
| identity system-alarm-capability { | identity system-alarm-capability { | |||
| base event; | base event; | |||
| description | description | |||
| "Identity for system alarms"; | "Identity for system alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm"; | |||
| } | } | |||
| identity access-violation { | identity access-violation { | |||
| base system-event-capability; | base system-event-capability; | |||
| description | description | |||
| "Identity for access violation events"; | "Identity for access violation event"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System event"; | Monitoring YANG Data Model - System event for access | |||
| violation"; | ||||
| } | } | |||
| identity configuration-change { | identity configuration-change { | |||
| base system-event-capability; | base system-event-capability; | |||
| description | description | |||
| "Identity for configuration change events"; | "Identity for configuration change event"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System event"; | Monitoring YANG Data Model - System event for configuration | |||
| change"; | ||||
| } | } | |||
| identity memory-alarm { | identity memory-alarm { | |||
| base system-alarm-capability; | base system-alarm-capability; | |||
| description | description | |||
| "Identity for memory alarm events"; | "Identity for memory alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm for memory"; | |||
| } | } | |||
| identity cpu-alarm { | identity cpu-alarm { | |||
| base system-alarm-capability; | base system-alarm-capability; | |||
| description | description | |||
| "Identity for CPU alarm events"; | "Identity for CPU alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm for CPU"; | |||
| } | } | |||
| identity disk-alarm { | identity disk-alarm { | |||
| base system-alarm-capability; | base system-alarm-capability; | |||
| description | description | |||
| "Identity for disk alarm events"; | "Identity for disk alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm for disk"; | |||
| } | } | |||
| identity hardware-alarm { | identity hardware-alarm { | |||
| base system-alarm-capability; | base system-alarm-capability; | |||
| description | description | |||
| "Identity for hardware alarm events"; | "Identity for hardware alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm for hardware"; | |||
| } | } | |||
| identity interface-alarm { | identity interface-alarm { | |||
| base system-alarm-capability; | base system-alarm-capability; | |||
| description | description | |||
| "Identity for interface alarm events"; | "Identity for interface alarm"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-nsf-monitoring-data-model-03 | "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF | |||
| - System alarm"; | Monitoring YANG Data Model - System alarm for interface"; | |||
| } | } | |||
| identity condition { | identity condition { | |||
| description | description | |||
| "Base identity for policy conditions"; | "Base identity for policy conditions"; | |||
| } | } | |||
| identity context-capability { | identity context-capability { | |||
| base condition; | base condition; | |||
| description | description | |||
| skipping to change at page 23, line 32 ¶ | skipping to change at page 23, line 32 ¶ | |||
| identity pass { | identity pass { | |||
| base ingress-action-capability; | base ingress-action-capability; | |||
| base egress-action-capability; | base egress-action-capability; | |||
| base default-action-capability; | base default-action-capability; | |||
| description | description | |||
| "Identity for pass action capability"; | "Identity for pass action capability"; | |||
| reference | reference | |||
| "RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
| Functions - Ingress, egress, and pass actions | Functions - Ingress, egress, and pass actions | |||
| draft-ietf-i2nsf-capability-05: Information Model of | draft-ietf-i2nsf-capability-05: Information Model of | |||
| NSFs Capabilities - Actions and default action"; | NSFs Capabilities - Actions and default action"; | |||
| } | } | |||
| identity drop { | identity drop { | |||
| base ingress-action-capability; | base ingress-action-capability; | |||
| base egress-action-capability; | base egress-action-capability; | |||
| base default-action-capability; | base default-action-capability; | |||
| description | description | |||
| "Identity for drop action capability"; | "Identity for drop action capability"; | |||
| reference | reference | |||
| skipping to change at page 32, line 38 ¶ | skipping to change at page 32, line 38 ¶ | |||
| "Base identity for an IPsec capability"; | "Base identity for an IPsec capability"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | |||
| Software-Defined Networking (SDN)-based IPsec Flow | Software-Defined Networking (SDN)-based IPsec Flow | |||
| Protection - IPsec methods such as IKE and IKE-less"; | Protection - IPsec methods such as IKE and IKE-less"; | |||
| } | } | |||
| identity ike { | identity ike { | |||
| base ipsec-capability; | base ipsec-capability; | |||
| description | description | |||
| "Identity for an IPSec Internet Key Exchange (IKE) | "Identity for an IPsec Internet Key Exchange (IKE) | |||
| capability"; | capability"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | |||
| Software-Defined Networking (SDN)-based IPsec Flow | Software-Defined Networking (SDN)-based IPsec Flow | |||
| Protection - IPsec method with IKE"; | Protection - IPsec method with IKE"; | |||
| } | } | |||
| identity ikeless { | identity ikeless { | |||
| base ipsec-capability; | base ipsec-capability; | |||
| description | description | |||
| "Identity for an IPSec without Internet Key Exchange (IKE) | "Identity for an IPsec without Internet Key Exchange (IKE) | |||
| capability"; | capability"; | |||
| reference | reference | |||
| "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: | |||
| Software-Defined Networking (SDN)-based IPsec Flow | Software-Defined Networking (SDN)-based IPsec Flow | |||
| Protection - IPsec method without IKE"; | Protection - IPsec method without IKE"; | |||
| } | } | |||
| /* | /* | |||
| * Grouping | * Grouping | |||
| */ | */ | |||
| skipping to change at page 40, line 10 ¶ | skipping to change at page 40, line 10 ¶ | |||
| <CODE ENDS> | <CODE ENDS> | |||
| Figure 3: YANG Data Module of I2NSF Capability | Figure 3: YANG Data Module of I2NSF Capability | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document requests IANA to register the following URI in the | This document requests IANA to register the following URI in the | |||
| "IETF XML Registry" [RFC3688]: | "IETF XML Registry" [RFC3688]: | |||
| Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | |||
| Registrant Contact: The IESG. | ||||
| Registrant Contact: The IESG. | XML: N/A; the requested URI is an XML namespace. | |||
| XML: N/A; the requested URI is an XML namespace. | ||||
| This document requests IANA to register the following YANG module in | This document requests IANA to register the following YANG module in | |||
| the "YANG Module Names" registry [RFC7950][RFC8525]. | the "YANG Module Names" registry [RFC7950][RFC8525]: | |||
| name: ietf-i2nsf-capability | ||||
| namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | ||||
| prefix: nsfcap | ||||
| reference: RFC XXXX | name: ietf-i2nsf-capability | |||
| namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | ||||
| prefix: nsfcap | ||||
| reference: RFC XXXX | ||||
| 8. Security Considerations | 8. Security Considerations | |||
| The YANG module specified in this document defines a data schema | The YANG module specified in this document defines a data schema | |||
| designed to be accessed through network management protocols such as | designed to be accessed through network management protocols such as | |||
| NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is | NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is | |||
| the secure transport layer, and the required transport secure | the secure transport layer, and the required transport secure | |||
| transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer | transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer | |||
| is HTTPS, and the required transport secure transport is TLS | is HTTPS, and the required transport secure transport is TLS | |||
| [RFC8446]. | [RFC8446]. | |||
| skipping to change at page 41, line 19 ¶ | skipping to change at page 41, line 15 ¶ | |||
| nodes and their sensitivity/vulnerability: | nodes and their sensitivity/vulnerability: | |||
| o ietf-i2nsf-capability: An attacker could gather the security | o ietf-i2nsf-capability: An attacker could gather the security | |||
| capability information of any NSF and use this information to | capability information of any NSF and use this information to | |||
| evade detection or filtering. | evade detection or filtering. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [draft-ietf-i2nsf-capability] | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| Xia, L., Strassner, J., Basile, C., and D. Lopez, | DOI 10.17487/RFC0768, August 1980, | |||
| "Information Model of NSFs Capabilities", draft-ietf- | <https://www.rfc-editor.org/info/rfc768>. | |||
| i2nsf-capability-05 (work in progress), April 2019. | ||||
| [draft-ietf-i2nsf-nsf-monitoring-data-model] | [RFC0790] Postel, J., "Assigned numbers", RFC 790, | |||
| Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | DOI 10.17487/RFC0790, September 1981, | |||
| "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | <https://www.rfc-editor.org/info/rfc790>. | |||
| nsf-monitoring-data-model-03 (work in progress), May 2020. | ||||
| [draft-ietf-i2nsf-sdn-ipsec-flow-protection] | [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | |||
| Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | DOI 10.17487/RFC0791, September 1981, | |||
| Garcia, "Software-Defined Networking (SDN)-based IPsec | <https://www.rfc-editor.org/info/rfc791>. | |||
| Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- | ||||
| protection-08 (work in progress), June 2020. | [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, | |||
| RFC 792, DOI 10.17487/RFC0792, September 1981, | ||||
| <https://www.rfc-editor.org/info/rfc792>. | ||||
| [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | ||||
| RFC 793, DOI 10.17487/RFC0793, September 1981, | ||||
| <https://www.rfc-editor.org/info/rfc793>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | |||
| A., Peterson, J., Sparks, R., Handley, M., and E. | A., Peterson, J., Sparks, R., Handley, M., and E. | |||
| Schooler, "SIP: Session Initiation Protocol", RFC 3261, | Schooler, "SIP: Session Initiation Protocol", RFC 3261, | |||
| DOI 10.17487/RFC3261, June 2002, | DOI 10.17487/RFC3261, June 2002, | |||
| skipping to change at page 42, line 9 ¶ | skipping to change at page 42, line 9 ¶ | |||
| [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | |||
| Information Models and Data Models", RFC 3444, | Information Models and Data Models", RFC 3444, | |||
| DOI 10.17487/RFC3444, January 2003, | DOI 10.17487/RFC3444, January 2003, | |||
| <https://www.rfc-editor.org/info/rfc3444>. | <https://www.rfc-editor.org/info/rfc3444>. | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix | ||||
| Reserved for Documentation", RFC 3849, | ||||
| DOI 10.17487/RFC3849, July 2004, | ||||
| <https://www.rfc-editor.org/info/rfc3849>. | ||||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet | ||||
| Control Message Protocol (ICMPv6) for the Internet | ||||
| Protocol Version 6 (IPv6) Specification", STD 89, | ||||
| RFC 4443, DOI 10.17487/RFC4443, March 2006, | ||||
| <https://www.rfc-editor.org/info/rfc4443>. | ||||
| [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks | ||||
| Reserved for Documentation", RFC 5737, | ||||
| DOI 10.17487/RFC5737, January 2010, | ||||
| <https://www.rfc-editor.org/info/rfc5737>. | ||||
| [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
| the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
| <https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | |||
| Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6242>. | <https://www.rfc-editor.org/info/rfc6242>. | |||
| [RFC768] Postel, J., "User Datagram Protocol", RFC 768, August | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||
| 1980. | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||
| <https://www.rfc-editor.org/info/rfc6991>. | ||||
| [RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981. | ||||
| [RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981. | ||||
| [RFC792] Postel, J., "Internet Control Message Protocol", RFC 792, | ||||
| September 1981. | ||||
| [RFC793] Postel, J., "Transmission Control Protocol", RFC 793, | ||||
| September 1981. | ||||
| [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
| RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
| <https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
| Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | |||
| <https://www.rfc-editor.org/info/rfc8040>. | <https://www.rfc-editor.org/info/rfc8040>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., | [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., | |||
| and J. Jeong, "Interface to Network Security Functions | and J. Jeong, "Interface to Network Security Functions | |||
| (I2NSF): Problem Statement and Use Cases", RFC 8192, | (I2NSF): Problem Statement and Use Cases", RFC 8192, | |||
| DOI 10.17487/RFC8192, July 2017, | DOI 10.17487/RFC8192, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8192>. | <https://www.rfc-editor.org/info/rfc8192>. | |||
| [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", STD 86, RFC 8200, | (IPv6) Specification", STD 86, RFC 8200, | |||
| DOI 10.17487/RFC8200, July 2017, | DOI 10.17487/RFC8200, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8200>. | <https://www.rfc-editor.org/info/rfc8200>. | |||
| skipping to change at page 43, line 24 ¶ | skipping to change at page 43, line 30 ¶ | |||
| [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
| BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
| [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
| DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
| [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | ||||
| Documents Containing YANG Data Models", BCP 216, RFC 8407, | ||||
| DOI 10.17487/RFC8407, October 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8407>. | ||||
| [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, | [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, | |||
| S., and N. Bahadur, "A YANG Data Model for the Routing | S., and N. Bahadur, "A YANG Data Model for the Routing | |||
| Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, | Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, | |||
| September 2018, <https://www.rfc-editor.org/info/rfc8431>. | September 2018, <https://www.rfc-editor.org/info/rfc8431>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., | [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., | |||
| and R. Wilton, "YANG Library", RFC 8525, | and R. Wilton, "YANG Library", RFC 8525, | |||
| DOI 10.17487/RFC8525, March 2019, | DOI 10.17487/RFC8525, March 2019, | |||
| <https://www.rfc-editor.org/info/rfc8525>. | <https://www.rfc-editor.org/info/rfc8525>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [draft-ietf-i2nsf-nsf-facing-interface-dm] | [I-D.ietf-i2nsf-capability] | |||
| Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | Xia, L., Strassner, J., Basile, C., and D. Lopez, | |||
| "I2NSF Network Security Function-Facing Interface YANG | "Information Model of NSFs Capabilities", draft-ietf- | |||
| Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09 | i2nsf-capability-05 (work in progress), April 2019. | |||
| (work in progress), May 2020. | ||||
| [draft-ietf-i2nsf-registration-interface-dm] | [I-D.ietf-i2nsf-nsf-monitoring-data-model] | |||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | |||
| Registration Interface YANG Data Model", draft-ietf-i2nsf- | "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | |||
| registration-interface-dm (work in progress), March 2020. | nsf-monitoring-data-model-03 (work in progress), May 2020. | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | ||||
| Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, | ||||
| "Software-Defined Networking (SDN)-based IPsec Flow | ||||
| Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 | ||||
| (work in progress), June 2020. | ||||
| Appendix A. Configuration Examples | Appendix A. Configuration Examples | |||
| This section shows configuration examples of "ietf-i2nsf-capability" | This section shows configuration examples of "ietf-i2nsf-capability" | |||
| module for capabilities registration of general firewall. | module for capabilities registration of general firewall. | |||
| A.1. Example 1: Registration for Capabilities of General Firewall | A.1. Example 1: Registration for the Capabilities of a General Firewall | |||
| This section shows a configuration example for capabilities | This section shows a configuration example for the capabilities | |||
| registration of general firewall. | registration of a general firewall in either an IPv4 network or an | |||
| IPv6 network. | ||||
| <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>general_firewall</nsf-name> | <nsf-name>general_firewall</nsf-name> | |||
| <condition-capabilities> | <condition-capabilities> | |||
| <generic-nsf-capabilities> | <generic-nsf-capabilities> | |||
| <ipv4-capability>ipv4-protocol</ipv4-capability> | <ipv4-capability>ipv4-protocol</ipv4-capability> | |||
| <ipv4-capability>exact-ipv4-address</ipv4-capability> | <ipv4-capability>exact-ipv4-address</ipv4-capability> | |||
| <ipv4-capability>range-ipv4-address</ipv4-capability> | <ipv4-capability>range-ipv4-address</ipv4-capability> | |||
| <tcp-capability>exact-fourth-layer-port-num</tcp-capability> | <tcp-capability>exact-fourth-layer-port-num</tcp-capability> | |||
| <tcp-capability>range-fourth-layer-port-num</tcp-capability> | <tcp-capability>range-fourth-layer-port-num</tcp-capability> | |||
| skipping to change at page 44, line 36 ¶ | skipping to change at page 45, line 37 ¶ | |||
| <action-capabilities> | <action-capabilities> | |||
| <ingress-action-capability>pass</ingress-action-capability> | <ingress-action-capability>pass</ingress-action-capability> | |||
| <ingress-action-capability>drop</ingress-action-capability> | <ingress-action-capability>drop</ingress-action-capability> | |||
| <ingress-action-capability>alert</ingress-action-capability> | <ingress-action-capability>alert</ingress-action-capability> | |||
| <egress-action-capability>pass</egress-action-capability> | <egress-action-capability>pass</egress-action-capability> | |||
| <egress-action-capability>drop</egress-action-capability> | <egress-action-capability>drop</egress-action-capability> | |||
| <egress-action-capability>alert</egress-action-capability> | <egress-action-capability>alert</egress-action-capability> | |||
| </action-capabilities> | </action-capabilities> | |||
| </nsf> | </nsf> | |||
| Figure 4: Configuration XML for Capabilities Registration of General | Figure 4: Configuration XML for the Capabilities Registration of a | |||
| Firewall | General Firewall in an IPv4 Network | |||
| Figure 4 shows the configuration XML for capabilities registration of | Figure 4 shows the configuration XML for the capabilities | |||
| general firewall and its capabilities are as follows. | registration of a general firewall as an NSF in an IPv4 network | |||
| [RFC5737]. Its capabilities are as follows. | ||||
| 1. The name of the NSF is general_firewall. | 1. The name of the NSF is general_firewall. | |||
| 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 | 2. The NSF can inspect a protocol, an exact IPv4 address, and a | |||
| address for IPv4 packets. | range of IPv4 addresses for IPv4 packets. | |||
| 3. The NSF can inspect exact port number and range port number for | 3. The NSF can inspect an exact port number and a range of port | |||
| fourth layer packets. | numbers for the fourth layer packets. | |||
| 4. The NSF can control whether the packets are allowed to pass, | 4. The NSF can control whether the packets are allowed to pass, | |||
| drop, or alert. | drop, or alert. | |||
| A.2. Example 2: Registration for Capabilities of Time based Firewall | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>general_firewall</nsf-name> | ||||
| <condition-capabilities> | ||||
| <generic-nsf-capabilities> | ||||
| <ipv6-capability>ipv6-protocol</ipv6-capability> | ||||
| <ipv6-capability>exact-ipv6-address</ipv6-capability> | ||||
| <ipv6-capability>range-ipv6-address</ipv6-capability> | ||||
| <tcp-capability>exact-fourth-layer-port-num</tcp-capability> | ||||
| <tcp-capability>range-fourth-layer-port-num</tcp-capability> | ||||
| </generic-nsf-capabilities> | ||||
| </condition-capabilities> | ||||
| <action-capabilities> | ||||
| <ingress-action-capability>pass</ingress-action-capability> | ||||
| <ingress-action-capability>drop</ingress-action-capability> | ||||
| <ingress-action-capability>alert</ingress-action-capability> | ||||
| <egress-action-capability>pass</egress-action-capability> | ||||
| <egress-action-capability>drop</egress-action-capability> | ||||
| <egress-action-capability>alert</egress-action-capability> | ||||
| </action-capabilities> | ||||
| </nsf> | ||||
| This section shows a configuration example for capabilities | Figure 5: Configuration XML for the Capabilities Registration of a | |||
| registration of time based firewall. | General Firewall in an IPv6 Network | |||
| In addition, Figure 5 shows the configuration XML for the | ||||
| capabilities registration of a general firewall as an NSF in an IPv6 | ||||
| network [RFC3849]. Its capabilities are as follows. | ||||
| 1. The name of the NSF is general_firewall. | ||||
| 2. The NSF can inspect a protocol, an exact IPv6 address, and a | ||||
| range of IPv6 addresses for IPv6 packets. | ||||
| 3. The NSF can inspect an exact port number and a range of port | ||||
| numbers for the fourth layer packets. | ||||
| 4. The NSF can control whether the packets are allowed to pass, | ||||
| drop, or alert. | ||||
| A.2. Example 2: Registration for the Capabilities of a Time-based | ||||
| Firewall | ||||
| This section shows a configuration example for the capabilities | ||||
| registration of a time-based firewall in either an IPv4 network or an | ||||
| IPv6 network. | ||||
| <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>time_based_firewall</nsf-name> | <nsf-name>time_based_firewall</nsf-name> | |||
| <time-capabilities>absolute-time</time-capabilities> | <time-capabilities>absolute-time</time-capabilities> | |||
| <time-capabilities>periodic-time</time-capabilities> | <time-capabilities>periodic-time</time-capabilities> | |||
| <condition-capabilities> | <condition-capabilities> | |||
| <generic-nsf-capabilities> | <generic-nsf-capabilities> | |||
| <ipv4-capability>ipv4-protocol</ipv4-capability> | <ipv4-capability>ipv4-protocol</ipv4-capability> | |||
| <ipv4-capability>exact-ipv4-address</ipv4-capability> | <ipv4-capability>exact-ipv4-address</ipv4-capability> | |||
| <ipv4-capability>range-ipv4-address</ipv4-capability> | <ipv4-capability>range-ipv4-address</ipv4-capability> | |||
| skipping to change at page 45, line 34 ¶ | skipping to change at page 47, line 33 ¶ | |||
| <action-capabilities> | <action-capabilities> | |||
| <ingress-action-capability>pass</ingress-action-capability> | <ingress-action-capability>pass</ingress-action-capability> | |||
| <ingress-action-capability>drop</ingress-action-capability> | <ingress-action-capability>drop</ingress-action-capability> | |||
| <ingress-action-capability>alert</ingress-action-capability> | <ingress-action-capability>alert</ingress-action-capability> | |||
| <egress-action-capability>pass</egress-action-capability> | <egress-action-capability>pass</egress-action-capability> | |||
| <egress-action-capability>drop</egress-action-capability> | <egress-action-capability>drop</egress-action-capability> | |||
| <egress-action-capability>alert</egress-action-capability> | <egress-action-capability>alert</egress-action-capability> | |||
| </action-capabilities> | </action-capabilities> | |||
| </nsf> | </nsf> | |||
| Figure 5: Configuration XML for Capabilities Registration of Time | Figure 6: Configuration XML for the Capabilities Registration of a | |||
| based Firewall | Time-based Firewall in an IPv4 Network | |||
| Figure 5 shows the configuration XML for capabilities registration of | Figure 6 shows the configuration XML for the capabilities | |||
| time based firewall and its capabilities are as follows. | registration of a time-based firewall as an NSF in an IPv4 network | |||
| [RFC5737]. Its capabilities are as follows. | ||||
| 1. The name of the NSF is time_based_firewall. | 1. The name of the NSF is time_based_firewall. | |||
| 2. The NSF can execute the security policy rule according to | 2. The NSF can execute the security policy rule according to | |||
| absolute time and periodic time. | absolute time and periodic time. | |||
| 3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 | 3. The NSF can inspect a protocol, an exact IPv4 address, and a | |||
| address for IPv4 packets. | range of IPv4 addresses for IPv4 packets. | |||
| 4. The NSF can control whether the packets are allowed to pass, | 4. The NSF can control whether the packets are allowed to pass, | |||
| drop, or alert. | drop, or alert. | |||
| A.3. Example 3: Registration for Capabilities of Web Filter | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>time_based_firewall</nsf-name> | ||||
| <time-capabilities>absolute-time</time-capabilities> | ||||
| <time-capabilities>periodic-time</time-capabilities> | ||||
| <condition-capabilities> | ||||
| <generic-nsf-capabilities> | ||||
| <ipv6-capability>ipv6-protocol</ipv6-capability> | ||||
| <ipv6-capability>exact-ipv6-address</ipv6-capability> | ||||
| <ipv6-capability>range-ipv6-address</ipv6-capability> | ||||
| </generic-nsf-capabilities> | ||||
| </condition-capabilities> | ||||
| <action-capabilities> | ||||
| <ingress-action-capability>pass</ingress-action-capability> | ||||
| <ingress-action-capability>drop</ingress-action-capability> | ||||
| <ingress-action-capability>alert</ingress-action-capability> | ||||
| <egress-action-capability>pass</egress-action-capability> | ||||
| <egress-action-capability>drop</egress-action-capability> | ||||
| <egress-action-capability>alert</egress-action-capability> | ||||
| </action-capabilities> | ||||
| </nsf> | ||||
| This section shows a configuration example for capabilities | Figure 7: Configuration XML for the Capabilities Registration of a | |||
| registration of web filter. | Time-based Firewall in an IPv6 Network | |||
| In addition, Figure 7 shows the configuration XML for the | ||||
| capabilities registration of a time-based firewall as an NSF in an | ||||
| IPv6 network [RFC3849]. Its capabilities are as follows. | ||||
| 1. The name of the NSF is time_based_firewall. | ||||
| 2. The NSF can execute the security policy rule according to | ||||
| absolute time and periodic time. | ||||
| 3. The NSF can inspect a protocol, an exact IPv6 address, and a | ||||
| range of IPv6 addresses for IPv6 packets. | ||||
| 4. The NSF can control whether the packets are allowed to pass, | ||||
| drop, or alert. | ||||
| A.3. Example 3: Registration for the Capabilities of a Web Filter | ||||
| This section shows a configuration example for the capabilities | ||||
| registration of a web filter. | ||||
| <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>web_filter</nsf-name> | <nsf-name>web_filter</nsf-name> | |||
| <condition-capabilities> | <condition-capabilities> | |||
| <advanced-nsf-capabilities> | <advanced-nsf-capabilities> | |||
| <url-capability>user-defined</url-capability> | <url-capability>user-defined</url-capability> | |||
| </advanced-nsf-capabilities> | </advanced-nsf-capabilities> | |||
| </condition-capabilities> | </condition-capabilities> | |||
| <action-capabilities> | <action-capabilities> | |||
| <ingress-action-capability>pass</ingress-action-capability> | <ingress-action-capability>pass</ingress-action-capability> | |||
| <ingress-action-capability>drop</ingress-action-capability> | <ingress-action-capability>drop</ingress-action-capability> | |||
| <ingress-action-capability>alert</ingress-action-capability> | <ingress-action-capability>alert</ingress-action-capability> | |||
| <egress-action-capability>pass</egress-action-capability> | <egress-action-capability>pass</egress-action-capability> | |||
| <egress-action-capability>drop</egress-action-capability> | <egress-action-capability>drop</egress-action-capability> | |||
| <egress-action-capability>alert</egress-action-capability> | <egress-action-capability>alert</egress-action-capability> | |||
| </action-capabilities> | </action-capabilities> | |||
| </nsf> | </nsf> | |||
| Figure 6: Configuration XML for Capabilities Registration of Web | Figure 8: Configuration XML for the Capabilities Registration of a | |||
| Filter | Web Filter | |||
| Figure 6 shows the configuration XML for capabilities registration of | Figure 8 shows the configuration XML for the capabilities | |||
| web filter and its capabilities are as follows. | registration of a web filter as an NSF. Its capabilities are as | |||
| follows. | ||||
| 1. The name of the NSF is web_filter. | 1. The name of the NSF is web_filter. | |||
| 2. The NSF can inspect url for http and https packets. | 2. The NSF can inspect url for http and https packets. | |||
| 3. The NSF can control whether the packets are allowed to pass, | 3. The NSF can control whether the packets are allowed to pass, | |||
| drop, or alert. | drop, or alert. | |||
| A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter | A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE | |||
| Filter | ||||
| This section shows a configuration example for capabilities | This section shows a configuration example for the capabilities | |||
| registration of VoIP/VoLTE filter. | registration of a VoIP/VoLTE filter. | |||
| <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>voip_volte_filter</nsf-name> | <nsf-name>voip_volte_filter</nsf-name> | |||
| <condition-capabilities> | <condition-capabilities> | |||
| <advanced-nsf-capabilities> | <advanced-nsf-capabilities> | |||
| <voip-volte-capability>voice-id</voip-volte-capability> | <voip-volte-capability>voice-id</voip-volte-capability> | |||
| </advanced-nsf-capabilities> | </advanced-nsf-capabilities> | |||
| </condition-capabilities> | </condition-capabilities> | |||
| <action-capabilities> | <action-capabilities> | |||
| <ingress-action-capability>pass</ingress-action-capability> | <ingress-action-capability>pass</ingress-action-capability> | |||
| <ingress-action-capability>drop</ingress-action-capability> | <ingress-action-capability>drop</ingress-action-capability> | |||
| <ingress-action-capability>alert</ingress-action-capability> | <ingress-action-capability>alert</ingress-action-capability> | |||
| <egress-action-capability>pass</egress-action-capability> | <egress-action-capability>pass</egress-action-capability> | |||
| <egress-action-capability>drop</egress-action-capability> | <egress-action-capability>drop</egress-action-capability> | |||
| <egress-action-capability>alert</egress-action-capability> | <egress-action-capability>alert</egress-action-capability> | |||
| </action-capabilities> | </action-capabilities> | |||
| </nsf> | </nsf> | |||
| Figure 7: Configuration XML for Capabilities Registration of VoIP/ | Figure 9: Configuration XML for the Capabilities Registration of a | |||
| VoLTE Filter | VoIP/VoLTE Filter | |||
| Figure 7 shows the configuration XML for capabilities registration of | Figure 9 shows the configuration XML for the capabilities | |||
| VoIP/VoLTE filter and its capabilities are as follows. | registration of a VoIP/VoLTE filter as an NSF. Its capabilities are | |||
| as follows. | ||||
| 1. The name of the NSF is voip_volte_filter. | 1. The name of the NSF is voip_volte_filter. | |||
| 2. The NSF can inspect voice id for VoIP/VoLTE packets. | 2. The NSF can inspect a voice id for VoIP/VoLTE packets. | |||
| 3. The NSF can control whether the packets are allowed to pass, | 3. The NSF can control whether the packets are allowed to pass, | |||
| drop, or alert. | drop, or alert. | |||
| A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood | A.5. Example 5: Registration for the Capabilities of a HTTP and HTTPS | |||
| Mitigation | Flood Mitigator | |||
| This section shows a configuration example for capabilities | This section shows a configuration example for the capabilities | |||
| registration of http and https flood mitigation. | registration of a HTTP and HTTPS flood mitigator. | |||
| <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> | |||
| <nsf-name>http_and_https_flood_mitigation</nsf-name> | <nsf-name>http_and_https_flood_mitigation</nsf-name> | |||
| <condition-capabilities> | <condition-capabilities> | |||
| <advanced-nsf-capabilities> | <advanced-nsf-capabilities> | |||
| <anti-ddos-capability>http-flood-action</anti-ddos-capability> | <anti-ddos-capability>http-flood-action</anti-ddos-capability> | |||
| <anti-ddos-capability>https-flood-action</anti-ddos-capability> | <anti-ddos-capability>https-flood-action</anti-ddos-capability> | |||
| </advanced-nsf-capabilities> | </advanced-nsf-capabilities> | |||
| </condition-capabilities> | </condition-capabilities> | |||
| <action-capabilities> | <action-capabilities> | |||
| <ingress-action-capability>pass</ingress-action-capability> | <ingress-action-capability>pass</ingress-action-capability> | |||
| <ingress-action-capability>drop</ingress-action-capability> | <ingress-action-capability>drop</ingress-action-capability> | |||
| <ingress-action-capability>alert</ingress-action-capability> | <ingress-action-capability>alert</ingress-action-capability> | |||
| <egress-action-capability>pass</egress-action-capability> | <egress-action-capability>pass</egress-action-capability> | |||
| <egress-action-capability>drop</egress-action-capability> | <egress-action-capability>drop</egress-action-capability> | |||
| <egress-action-capability>alert</egress-action-capability> | <egress-action-capability>alert</egress-action-capability> | |||
| </action-capabilities> | </action-capabilities> | |||
| </nsf> | </nsf> | |||
| Figure 8: Configuration XML for Capabilities Registration of HTTP and | Figure 10: Configuration XML for the Capabilities Registration of a | |||
| HTTPS Flood Mitigation | HTTP and HTTPS Flood Mitigator | |||
| Figure 8 shows the configuration XML for capabilities registration of | Figure 10 shows the configuration XML for the capabilities | |||
| http and https flood mitigation and its capabilities are as follows. | registration of a HTTP and HTTPS flood mitigator as an NSF. Its | |||
| capabilities are as follows. | ||||
| 1. The name of the NSF is http_and_https_flood_mitigation. | 1. The name of the NSF is http_and_https_flood_mitigation. | |||
| 2. The location of the NSF is 221.159.112.140. | 2. The IPv4 address of the NSF is assumed to be 192.0.2.11 | |||
| [RFC5737]. Also, the IPv6 address of the NSF is assumed to be | ||||
| 2001:DB8:0:1::11 [RFC3849]. | ||||
| 3. The NSF can control the amount of packets for http and https | 3. The NSF can control the amount of packets for HTTP and HTTPS | |||
| packets. | packets, which are routed to the NSF's IPv4 address or the NSF's | |||
| IPv6 address. | ||||
| 4. The NSF can control whether the packets are allowed to pass, | 4. The NSF can control whether the packets are allowed to pass, | |||
| drop, or alert. | drop, or alert. | |||
| Appendix B. Acknowledgments | Appendix B. Acknowledgments | |||
| This work was supported by Institute of Information & Communications | This work was supported by Institute of Information & Communications | |||
| Technology Planning & Evaluation (IITP) grant funded by the Korea | Technology Planning & Evaluation (IITP) grant funded by the Korea | |||
| MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based | MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based | |||
| Security Intelligence Technology Development for the Customized | Security Intelligence Technology Development for the Customized | |||
| Security Service Provisioning). | Security Service Provisioning). This work was supported in part by | |||
| the IITP (2020-0-00395, Standard Development of Blockchain based | ||||
| Network Management Automation Technology). | ||||
| Appendix C. Contributors | Appendix C. Contributors | |||
| This document is made by the group effort of I2NSF working group. | This document is made by the group effort of I2NSF working group. | |||
| Many people actively contributed to this document. The following are | Many people actively contributed to this document, such as Acee | |||
| considered co-authors: | Lindem, Roman Danyliw, and Tom Petch. The authors sincerely | |||
| appreciate their contributions. | ||||
| o Hyoungshick Kim (Sungkyunkwan University) | The following are co-authors of this document: | |||
| o Daeyoung Hyun (Sungkyunkwan University) | Hyoungshick Kim | |||
| Department of Computer Science and Engineering | ||||
| Sungkyunkwan University | ||||
| 2066 Seo-ro Jangan-gu | ||||
| Suwon, Gyeonggi-do 16419 | ||||
| Republic of Korea | ||||
| o Dongjin Hong (Sungkyunkwan University) | EMail: hyoung@skku.edu | |||
| o Liang Xia (Huawei) | Daeyoung Hyun | |||
| Department of Computer Science and Engineering | ||||
| Sungkyunkwan University | ||||
| 2066 Seo-ro Jangan-gu | ||||
| Suwon, Gyeonggi-do 16419 | ||||
| Republic of Korea | ||||
| o Jung-Soo Park (ETRI) | EMail: dyhyun@skku.edu | |||
| o Tae-Jin Ahn (Korea Telecom) | Dongjin Hong | |||
| Department of Electronic, Electrical and Computer Engineering | ||||
| Sungkyunkwan University | ||||
| 2066 Seo-ro Jangan-gu | ||||
| Suwon, Gyeonggi-do 16419 | ||||
| Republic of Korea | ||||
| o Se-Hui Lee (Korea Telecom) | EMail: dong.jin@skku.edu | |||
| Liang Xia | ||||
| Huawei | ||||
| 101 Software Avenue | ||||
| Nanjing, Jiangsu 210012 | ||||
| China | ||||
| EMail: Frank.Xialiang@huawei.com | ||||
| Jung-Soo Park | ||||
| Electronics and Telecommunications Research Institute | ||||
| 218 Gajeong-Ro, Yuseong-Gu | ||||
| Daejeon, 34129 | ||||
| Republic of Korea | ||||
| EMail: pjs@etri.re.kr | ||||
| Tae-Jin Ahn | ||||
| Korea Telecom | ||||
| 70 Yuseong-Ro, Yuseong-Gu | ||||
| Daejeon, 305-811 | ||||
| Republic of Korea | ||||
| EMail: taejin.ahn@kt.com | ||||
| Se-Hui Lee | ||||
| Korea Telecom | ||||
| 70 Yuseong-Ro, Yuseong-Gu | ||||
| Daejeon, 305-811 | ||||
| Republic of Korea | ||||
| EMail: sehuilee@kt.com | ||||
| Authors' Addresses | Authors' Addresses | |||
| Susan Hares (editor) | Susan Hares (editor) | |||
| Huawei | Huawei | |||
| 7453 Hickory Hill | 7453 Hickory Hill | |||
| Saline, MI 48176 | Saline, MI 48176 | |||
| USA | USA | |||
| Phone: +1-734-604-0332 | Phone: +1-734-604-0332 | |||
| End of changes. 107 change blocks. | ||||
| 238 lines changed or deleted | 373 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||