--- 1/draft-ietf-i2nsf-capability-data-model-08.txt 2020-08-28 11:13:10.520160798 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-09.txt 2020-08-28 11:13:10.608163019 -0700 @@ -1,24 +1,24 @@ I2NSF Working Group S. Hares, Ed. Internet-Draft Huawei Intended status: Standards Track J. Jeong, Ed. -Expires: February 26, 2021 J. Kim +Expires: March 1, 2021 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei - August 25, 2020 + August 28, 2020 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-08 + draft-ietf-i2nsf-capability-data-model-09 Abstract This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on February 26, 2021. + This Internet-Draft will expire on March 1, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -50,68 +50,68 @@ to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 - 6. YANG Data Modules . . . . . . . . . . . . . . . . . . . . . . 9 - 6.1. I2NSF Capability YANG Data Module . . . . . . . . . . . . 9 + 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 - 9.2. Informative References . . . . . . . . . . . . . . . . . 43 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 44 - A.1. Example 1: Registration for Capabilities of General - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 44 - A.2. Example 2: Registration for Capabilities of Time based + 9.2. Informative References . . . . . . . . . . . . . . . . . 44 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45 + A.1. Example 1: Registration for the Capabilities of a General Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 - A.3. Example 3: Registration for Capabilities of Web Filter . 46 - A.4. Example 4: Registration for Capabilities of VoIP/VoLTE - Filter . . . . . . . . . . . . . . . . . . . . . . . . . 46 - A.5. Example 5: Registration for Capabilities of HTTP and - HTTPS Flood Mitigation . . . . . . . . . . . . . . . . . 47 - Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 48 - Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 48 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 + A.2. Example 2: Registration for the Capabilities of a Time- + based Firewall . . . . . . . . . . . . . . . . . . . . . 47 + A.3. Example 3: Registration for the Capabilities of a Web + Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48 + A.4. Example 4: Registration for the Capabilities of a + VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49 + A.5. Example 5: Registration for the Capabilities of a HTTP + and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 50 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 51 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 52 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 1. Introduction As the industry becomes more sophisticated and network devices (e.g., Internet of Things, Self-driving vehicles, and VoIP/VoLTE smartphones), service providers have a lot of problems described in - [RFC8192]. To resolve these problems, [draft-ietf-i2nsf-capability] + [RFC8192]. To resolve these problems, [I-D.ietf-i2nsf-capability] specifies the information model of the capabilities of Network - Security Functions (NSFs). + Security Functions (NSFs) in a framework of the Interface to Network + Security Functions (I2NSF) [RFC8329]. This document provides a YANG data model [RFC6020][RFC7950] that defines the capabilities of NSFs to centrally manage the capabilities of those security devices. The security devices can register their own capabilities into a Network Operator Management (Mgmt) System (i.e., Security Controller) with this YANG data model through the registration interface [RFC8329]. With the capabilities of those security devices maintained centrally, those security devices can be more easily managed [RFC8329]. This YANG data model is based on the information model for I2NSF NSF capabilities - [draft-ietf-i2nsf-capability]. + [I-D.ietf-i2nsf-capability]. This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy as - described in [RFC8329] and [draft-ietf-i2nsf-capability]. The "ietf- + described in [RFC8329] and [I-D.ietf-i2nsf-capability]. The "ietf- i2nsf-capability" YANG module defined in this document provides the following features: o Definition for general capabilities of network security functions. o Definition for event capabilities of generic network security functions. o Definition for condition capabilities of generic network security functions. @@ -125,78 +125,63 @@ o Definition for resolution strategy capabilities of generic network security functions. o Definition for default action capabilities of generic network security functions. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119][RFC8174]. + document are to be interpreted as described in [RFC2119]. 3. Terminology - This document uses the terminology described in - [draft-ietf-i2nsf-capability][RFC8431]. Especially, the following - terms are from [RFC3444]: - - o Data Model: A data model is a representation of concepts of - interest to an environment in a form that is dependent on data - repository, data definition language, query language, - implementation language, and protocol. - - o Information Model: An information model is a representation of - concepts of interest to an environment in a form that is - independent of data repository, data definition language, query - language, implementation language, and protocol. - -3.1. Tree Diagrams + This document uses the terminology described in [RFC8329]. - A simplified graphical representation of the data model is used in - this document. The meaning of the symbols in these diagrams is - referred from [RFC8340]. + This document follows the guidelines of [RFC8407], uses the common + YANG types defined in [RFC6991], and adopts the Network Management + Datastore Architecture (NMDA). The meaning of the symbols in tree + diagrams is defined in [RFC8340]. 4. Overview This section provides as overview of how the YANG data model can be used in the I2NSF framework described in [RFC8329]. Figure 1 shows the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF Framework. As shown in this figure, an NSF Developer's Management System can register NSFs and the capabilities that the network security device can support. To register NSFs in this way, the Developer's Management System utilizes this standardized capability - YANG data model through the I2NSF Registration Interface - [draft-ietf-i2nsf-registration-interface-dm]. That is, this - Registration Interface uses the YANG module described in this - document to describe the capability of a network security function - that is registered with the Security Controller. With the + YANG data model through the I2NSF Registration Interface [RFC8329]. + That is, this Registration Interface uses the YANG module described + in this document to describe the capability of a network security + function that is registered with the Security Controller. With the capabilities of those network security devices maintained centrally, those security devices can be more easily managed, which can resolve many of the problems described in [RFC8192]. In Figure 1, a new NSF at a Developer's Management Systems has capabilities of Firewall (FW) and Web Filter (WF), which are denoted as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy rules where 'E', 'C', and 'A' mean "Event", "Condition", and "Action", respectively. The condition involves IPv4 or IPv6 datagrams, and the action includes "Allow" and "Deny" for those datagrams. - Note that the NSF-Facing Interface is used to configure the security - policy rules of the generic network security functions - [draft-ietf-i2nsf-nsf-facing-interface-dm], and The configuration of - advanced security functions over the NSF-Facing Interface is used to - configure the security policy rules of advanced network security - functions (e.g., anti-virus and anti-DDoS attack), respectively, - according to the capabilities of NSFs registered with the I2NSF - Framework. + Note that the NSF-Facing Interface [RFC8329] is used to configure the + security policy rules of the generic network security functions, and + The configuration of advanced security functions over the NSF-Facing + Interface is used to configure the security policy rules of advanced + network security functions (e.g., anti-virus and anti-DDoS attack), + respectively, according to the capabilities of NSFs registered with + the I2NSF Framework. +------------------------------------------------------+ | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | Network Mgmt, another network domain's mgmt, etc.) | +--------------------+---------------------------------+ I2NSF ^ Consumer-Facing Interface | | v I2NSF +-----------------+------------+ Registration +-------------+ @@ -247,32 +232,32 @@ o If NSFs encounter the suspicious IPv6 packets of malicious users, they can filter the packets out according to the configured security policy rule. Therefore, the security policy rule against the malicious users' packets can be automatically applied to appropriate NSFs without human intervention. 5. YANG Tree Diagram This section shows a YANG tree diagram of capabilities of network - security functions, as defined in the [draft-ietf-i2nsf-capability]. + security functions, as defined in the [I-D.ietf-i2nsf-capability]. 5.1. Network Security Function (NSF) Capabilities This section explains a YANG tree diagram of NSF capabilities and its features. Figure 2 shows a YANG tree diagram of NSF capabilities. The NSF capabilities in the tree include time capabilities, event capabilities, condition capabilities, action capabilities, resolution strategy capabilities, and default action capabilities. Those capabilities can be tailored or extended according to a vendor's specific requirements. Refer to the NSF capabilities information - model for detailed discussion [draft-ietf-i2nsf-capability]. + model for detailed discussion [I-D.ietf-i2nsf-capability]. module: ietf-i2nsf-capability +--rw nsf* [nsf-name] +--rw nsf-name string +--rw time-capabilities* enumeration +--rw event-capabilities | +--rw system-event-capability* identityref | +--rw system-alarm-capability* identityref +--rw condition-capabilities | +--rw generic-nsf-capabilities @@ -298,239 +283,238 @@ +--rw ipsec-method* identityref Figure 2: YANG Tree Diagram of Capabilities of Network Security Functions Time capabilities are used to specify the capabilities which describe when to execute the I2NSF policy rule. The time capabilities are defined in terms of absolute time and periodic time. The absolute time means the exact time to start or end. The periodic time means repeated time like day, week, or month. See Section 3.4.6 - (Capability Algebra) in [draft-ietf-i2nsf-capability] for more + (Capability Algebra) in [I-D.ietf-i2nsf-capability] for more information about the time-based condition (e.g., time period) in the capability algebra. Event capabilities are used to specify the capabilities that describe the event that would trigger the evaluation of the condition clause of the I2NSF Policy Rule. The defined event capabilities are system event and system alarm. See Section 3.1 (Design Principles and ECA - Policy Model Overview) in [draft-ietf-i2nsf-capability] for more + Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more information about the event in the ECA policy model. Condition capabilities are used to specify capabilities of a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed. The condition capabilities are classified in terms of generic network security functions and advanced network security functions. The condition capabilities of generic network security functions are defined as IPv4 capability, IPv6 capability, TCP capability, UDP capability, and ICMP capability. The condition capabilities of advanced network security functions are defined as anti-virus capability, anti-DDoS capability, IPS capability, HTTP capability, and VoIP/VoLTE capability. See Section 3.1 (Design Principles and ECA Policy Model Overview) in - [draft-ietf-i2nsf-capability] for more information about the - condition in the ECA policy model. Also, see Section 3.4.3 (I2NSF - Condition Clause Operator Types) in [draft-ietf-i2nsf-capability] for - more information about the operator types in an I2NSF condition - clause. + [I-D.ietf-i2nsf-capability] for more information about the condition + in the ECA policy model. Also, see Section 3.4.3 (I2NSF Condition + Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more + information about the operator types in an I2NSF condition clause. Action capabilities are used to specify the capabilities that describe the control and monitoring aspects of flow-based NSFs when the event and condition clauses are satisfied. The action capabilities are defined as ingress-action capability, egress-action capability, and log-action capability. See Section 3.1 (Design Principles and ECA Policy Model Overview) in - [draft-ietf-i2nsf-capability] for more information about the action - in the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow + [I-D.ietf-i2nsf-capability] for more information about the action in + the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow Security Policy Structure) in [RFC8329] for more information about the ingress and egress actions. In addition, see Section 9.1 (Flow- Based NSF Capability Characterization) for more information about logging at NSFs. Resolution strategy capabilities are used to specify the capabilities that describe conflicts that occur between the actions of the same or different policy rules that are matched and contained in this particular NSF. The resolution strategy capabilities are defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). See Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in - [draft-ietf-i2nsf-capability] for more information about the - resolution strategy. + [I-D.ietf-i2nsf-capability] for more information about the resolution + strategy. Default action capabilities are used to specify the capabilities that describe how to execute I2NSF policy rules when no rule matches a packet. The default action capabilities are defined as pass, drop, alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy - and Default Action) in [draft-ietf-i2nsf-capability] for more + and Default Action) in [I-D.ietf-i2nsf-capability] for more information about the default action. IPsec method capabilities are used to specify capabilities of how to support an Internet Key Exchange (IKE) for the security communication. The default action capabilities are defined as IKE or - IKE-less. See [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for more + IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more information about the SDN-based IPsec flow protection in I2NSF. -6. YANG Data Modules +6. YANG Data Model of I2NSF NSF Capability -6.1. I2NSF Capability YANG Data Module + This section introduces a YANG module for NSFs' capabilities, as + defined in the [I-D.ietf-i2nsf-capability]. - This section introduces a YANG data module for network security - functions capabilities, as defined in the - [draft-ietf-i2nsf-capability]. + This YANG module imports from [RFC6991]. It makes references to [RFC + 0768][RFC0790][RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][ + RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-monitoring-dat + a-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. - file "ietf-i2nsf-capability@2020-08-25.yang" + file "ietf-i2nsf-capability@2020-08-28.yang" module ietf-i2nsf-capability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; prefix nsfcap; organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: - WG Chair: Linda Dunbar - - - WG Chair: Yoav Nir - - - Editor: Susan Hares - - Editor: Jaehoon Paul Jeong + Editor: Jinyong Tim Kim - "; + + + Editor: Susan Hares + "; description - "This module describes a capability model for I2NSF devices. + "This module is a YANG module for I2NSF Network Security + Functions (NSFs)'s Capabilities. Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info). + http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC 8341; see + This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision "2020-08-25"{ + revision "2020-08-28"{ description "Initial revision."; reference "RFC XXXX: I2NSF Capability YANG Data Model"; } /* * Identities */ identity event { description "Base identity for I2NSF policy events."; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - Event"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - Event"; } identity system-event-capability { base event; description - "Identity for system events"; + "Identity for system event"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System event"; } identity system-alarm-capability { base event; description - "Identity for system alarms"; + "Identity for system alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm"; } identity access-violation { base system-event-capability; description - "Identity for access violation events"; + "Identity for access violation event"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System event"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System event for access + violation"; } identity configuration-change { base system-event-capability; description - "Identity for configuration change events"; + "Identity for configuration change event"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System event"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System event for configuration + change"; } identity memory-alarm { base system-alarm-capability; description - "Identity for memory alarm events"; + "Identity for memory alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm for memory"; } identity cpu-alarm { base system-alarm-capability; description - "Identity for CPU alarm events"; + "Identity for CPU alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm for CPU"; } identity disk-alarm { base system-alarm-capability; description - "Identity for disk alarm events"; + "Identity for disk alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm for disk"; } identity hardware-alarm { base system-alarm-capability; description - "Identity for hardware alarm events"; + "Identity for hardware alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm for hardware"; } identity interface-alarm { base system-alarm-capability; description - "Identity for interface alarm events"; + "Identity for interface alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03 - - System alarm"; + "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + Monitoring YANG Data Model - System alarm for interface"; } identity condition { description "Base identity for policy conditions"; } identity context-capability { base condition; description @@ -1494,32 +1480,32 @@ "Base identity for an IPsec capability"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined Networking (SDN)-based IPsec Flow Protection - IPsec methods such as IKE and IKE-less"; } identity ike { base ipsec-capability; description - "Identity for an IPSec Internet Key Exchange (IKE) + "Identity for an IPsec Internet Key Exchange (IKE) capability"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined Networking (SDN)-based IPsec Flow Protection - IPsec method with IKE"; } identity ikeless { base ipsec-capability; description - "Identity for an IPSec without Internet Key Exchange (IKE) + "Identity for an IPsec without Internet Key Exchange (IKE) capability"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined Networking (SDN)-based IPsec Flow Protection - IPsec method without IKE"; } /* * Grouping */ @@ -1849,35 +1835,30 @@ Figure 3: YANG Data Module of I2NSF Capability 7. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: - Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability - + URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Registrant Contact: The IESG. - XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in - the "YANG Module Names" registry [RFC7950][RFC8525]. + the "YANG Module Names" registry [RFC7950][RFC8525]: name: ietf-i2nsf-capability - namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability - prefix: nsfcap - reference: RFC XXXX 8. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required transport secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required transport secure transport is TLS @@ -1905,35 +1886,39 @@ nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering. 9. References 9.1. Normative References - [draft-ietf-i2nsf-capability] - Xia, L., Strassner, J., Basile, C., and D. Lopez, - "Information Model of NSFs Capabilities", draft-ietf- - i2nsf-capability-05 (work in progress), April 2019. + [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, + DOI 10.17487/RFC0768, August 1980, + . - [draft-ietf-i2nsf-nsf-monitoring-data-model] - Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, - "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- - nsf-monitoring-data-model-03 (work in progress), May 2020. + [RFC0790] Postel, J., "Assigned numbers", RFC 790, + DOI 10.17487/RFC0790, September 1981, + . - [draft-ietf-i2nsf-sdn-ipsec-flow-protection] - Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- - Garcia, "Software-Defined Networking (SDN)-based IPsec - Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- - protection-08 (work in progress), June 2020. + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + DOI 10.17487/RFC0791, September 1981, + . + + [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, + RFC 792, DOI 10.17487/RFC0792, September 1981, + . + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, DOI 10.17487/RFC0793, September 1981, + . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, @@ -1941,59 +1926,62 @@ [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, DOI 10.17487/RFC3444, January 2003, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . + [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix + Reserved for Documentation", RFC 3849, + DOI 10.17487/RFC3849, July 2004, + . + + [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", STD 89, + RFC 4443, DOI 10.17487/RFC4443, March 2006, + . + + [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks + Reserved for Documentation", RFC 5737, + DOI 10.17487/RFC5737, January 2010, + . + [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . - [RFC768] Postel, J., "User Datagram Protocol", RFC 768, August - 1980. - - [RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981. - - [RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981. - - [RFC792] Postel, J., "Internet Control Message Protocol", RFC 792, - September 1981. - - [RFC793] Postel, J., "Transmission Control Protocol", RFC 793, - September 1981. + [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", + RFC 6991, DOI 10.17487/RFC6991, July 2013, + . [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . - [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC - 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, - May 2017, . - [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J. Jeong, "Interface to Network Security Functions (I2NSF): Problem Statement and Use Cases", RFC 8192, DOI 10.17487/RFC8192, July 2017, . [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, . @@ -2005,56 +1993,67 @@ [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, . [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, . + [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of + Documents Containing YANG Data Models", BCP 216, RFC 8407, + DOI 10.17487/RFC8407, October 2018, + . + [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . 9.2. Informative References - [draft-ietf-i2nsf-nsf-facing-interface-dm] - Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, - "I2NSF Network Security Function-Facing Interface YANG - Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09 - (work in progress), May 2020. + [I-D.ietf-i2nsf-capability] + Xia, L., Strassner, J., Basile, C., and D. Lopez, + "Information Model of NSFs Capabilities", draft-ietf- + i2nsf-capability-05 (work in progress), April 2019. - [draft-ietf-i2nsf-registration-interface-dm] - Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF - Registration Interface YANG Data Model", draft-ietf-i2nsf- - registration-interface-dm (work in progress), March 2020. + [I-D.ietf-i2nsf-nsf-monitoring-data-model] + Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, + "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- + nsf-monitoring-data-model-03 (work in progress), May 2020. + + [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] + Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, + "Software-Defined Networking (SDN)-based IPsec Flow + Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 + (work in progress), June 2020. Appendix A. Configuration Examples This section shows configuration examples of "ietf-i2nsf-capability" module for capabilities registration of general firewall. -A.1. Example 1: Registration for Capabilities of General Firewall +A.1. Example 1: Registration for the Capabilities of a General Firewall - This section shows a configuration example for capabilities - registration of general firewall. + This section shows a configuration example for the capabilities + registration of a general firewall in either an IPv4 network or an + IPv6 network. general_firewall ipv4-protocol exact-ipv4-address range-ipv4-address exact-fourth-layer-port-num range-fourth-layer-port-num @@ -2063,41 +2062,83 @@ pass drop alert pass drop alert - Figure 4: Configuration XML for Capabilities Registration of General - Firewall + Figure 4: Configuration XML for the Capabilities Registration of a + General Firewall in an IPv4 Network - Figure 4 shows the configuration XML for capabilities registration of - general firewall and its capabilities are as follows. + Figure 4 shows the configuration XML for the capabilities + registration of a general firewall as an NSF in an IPv4 network + [RFC5737]. Its capabilities are as follows. 1. The name of the NSF is general_firewall. - 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 - address for IPv4 packets. + 2. The NSF can inspect a protocol, an exact IPv4 address, and a + range of IPv4 addresses for IPv4 packets. - 3. The NSF can inspect exact port number and range port number for - fourth layer packets. + 3. The NSF can inspect an exact port number and a range of port + numbers for the fourth layer packets. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. -A.2. Example 2: Registration for Capabilities of Time based Firewall + + general_firewall + + + ipv6-protocol + exact-ipv6-address + range-ipv6-address + exact-fourth-layer-port-num + range-fourth-layer-port-num + + + + pass + drop + alert + pass + drop + alert + + - This section shows a configuration example for capabilities - registration of time based firewall. + Figure 5: Configuration XML for the Capabilities Registration of a + General Firewall in an IPv6 Network + + In addition, Figure 5 shows the configuration XML for the + capabilities registration of a general firewall as an NSF in an IPv6 + network [RFC3849]. Its capabilities are as follows. + + 1. The name of the NSF is general_firewall. + + 2. The NSF can inspect a protocol, an exact IPv6 address, and a + range of IPv6 addresses for IPv6 packets. + + 3. The NSF can inspect an exact port number and a range of port + numbers for the fourth layer packets. + + 4. The NSF can control whether the packets are allowed to pass, + drop, or alert. + +A.2. Example 2: Registration for the Capabilities of a Time-based + Firewall + + This section shows a configuration example for the capabilities + registration of a time-based firewall in either an IPv4 network or an + IPv6 network. time_based_firewall absolute-time periodic-time ipv4-protocol exact-ipv4-address range-ipv4-address @@ -2106,174 +2147,270 @@ pass drop alert pass drop alert - Figure 5: Configuration XML for Capabilities Registration of Time - based Firewall + Figure 6: Configuration XML for the Capabilities Registration of a + Time-based Firewall in an IPv4 Network - Figure 5 shows the configuration XML for capabilities registration of - time based firewall and its capabilities are as follows. + Figure 6 shows the configuration XML for the capabilities + registration of a time-based firewall as an NSF in an IPv4 network + [RFC5737]. Its capabilities are as follows. 1. The name of the NSF is time_based_firewall. 2. The NSF can execute the security policy rule according to absolute time and periodic time. - 3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 - address for IPv4 packets. + 3. The NSF can inspect a protocol, an exact IPv4 address, and a + range of IPv4 addresses for IPv4 packets. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. -A.3. Example 3: Registration for Capabilities of Web Filter + + time_based_firewall + absolute-time + periodic-time + + + ipv6-protocol + exact-ipv6-address + range-ipv6-address + + + + pass + drop + alert + pass + drop + alert + + - This section shows a configuration example for capabilities - registration of web filter. + Figure 7: Configuration XML for the Capabilities Registration of a + Time-based Firewall in an IPv6 Network + + In addition, Figure 7 shows the configuration XML for the + capabilities registration of a time-based firewall as an NSF in an + IPv6 network [RFC3849]. Its capabilities are as follows. + + 1. The name of the NSF is time_based_firewall. + + 2. The NSF can execute the security policy rule according to + absolute time and periodic time. + + 3. The NSF can inspect a protocol, an exact IPv6 address, and a + range of IPv6 addresses for IPv6 packets. + + 4. The NSF can control whether the packets are allowed to pass, + drop, or alert. + +A.3. Example 3: Registration for the Capabilities of a Web Filter + + This section shows a configuration example for the capabilities + registration of a web filter. web_filter user-defined pass drop alert pass drop alert - Figure 6: Configuration XML for Capabilities Registration of Web - Filter + Figure 8: Configuration XML for the Capabilities Registration of a + Web Filter - Figure 6 shows the configuration XML for capabilities registration of - web filter and its capabilities are as follows. + Figure 8 shows the configuration XML for the capabilities + registration of a web filter as an NSF. Its capabilities are as + follows. 1. The name of the NSF is web_filter. 2. The NSF can inspect url for http and https packets. 3. The NSF can control whether the packets are allowed to pass, drop, or alert. -A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter +A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE + Filter - This section shows a configuration example for capabilities - registration of VoIP/VoLTE filter. + This section shows a configuration example for the capabilities + registration of a VoIP/VoLTE filter. voip_volte_filter voice-id pass drop alert pass drop alert - Figure 7: Configuration XML for Capabilities Registration of VoIP/ - VoLTE Filter + Figure 9: Configuration XML for the Capabilities Registration of a + VoIP/VoLTE Filter - Figure 7 shows the configuration XML for capabilities registration of - VoIP/VoLTE filter and its capabilities are as follows. + Figure 9 shows the configuration XML for the capabilities + registration of a VoIP/VoLTE filter as an NSF. Its capabilities are + as follows. 1. The name of the NSF is voip_volte_filter. - 2. The NSF can inspect voice id for VoIP/VoLTE packets. + 2. The NSF can inspect a voice id for VoIP/VoLTE packets. 3. The NSF can control whether the packets are allowed to pass, drop, or alert. -A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood - Mitigation +A.5. Example 5: Registration for the Capabilities of a HTTP and HTTPS + Flood Mitigator - This section shows a configuration example for capabilities - registration of http and https flood mitigation. + This section shows a configuration example for the capabilities + registration of a HTTP and HTTPS flood mitigator. http_and_https_flood_mitigation http-flood-action https-flood-action pass drop alert pass drop alert - Figure 8: Configuration XML for Capabilities Registration of HTTP and - HTTPS Flood Mitigation + Figure 10: Configuration XML for the Capabilities Registration of a + HTTP and HTTPS Flood Mitigator - Figure 8 shows the configuration XML for capabilities registration of - http and https flood mitigation and its capabilities are as follows. + Figure 10 shows the configuration XML for the capabilities + registration of a HTTP and HTTPS flood mitigator as an NSF. Its + capabilities are as follows. 1. The name of the NSF is http_and_https_flood_mitigation. - 2. The location of the NSF is 221.159.112.140. + 2. The IPv4 address of the NSF is assumed to be 192.0.2.11 + [RFC5737]. Also, the IPv6 address of the NSF is assumed to be + 2001:DB8:0:1::11 [RFC3849]. - 3. The NSF can control the amount of packets for http and https - packets. + 3. The NSF can control the amount of packets for HTTP and HTTPS + packets, which are routed to the NSF's IPv4 address or the NSF's + IPv6 address. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. Appendix B. Acknowledgments This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized - Security Service Provisioning). + Security Service Provisioning). This work was supported in part by + the IITP (2020-0-00395, Standard Development of Blockchain based + Network Management Automation Technology). Appendix C. Contributors This document is made by the group effort of I2NSF working group. - Many people actively contributed to this document. The following are - considered co-authors: + Many people actively contributed to this document, such as Acee + Lindem, Roman Danyliw, and Tom Petch. The authors sincerely + appreciate their contributions. - o Hyoungshick Kim (Sungkyunkwan University) + The following are co-authors of this document: - o Daeyoung Hyun (Sungkyunkwan University) + Hyoungshick Kim + Department of Computer Science and Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea - o Dongjin Hong (Sungkyunkwan University) + EMail: hyoung@skku.edu - o Liang Xia (Huawei) + Daeyoung Hyun + Department of Computer Science and Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea - o Jung-Soo Park (ETRI) + EMail: dyhyun@skku.edu - o Tae-Jin Ahn (Korea Telecom) + Dongjin Hong + Department of Electronic, Electrical and Computer Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea - o Se-Hui Lee (Korea Telecom) + EMail: dong.jin@skku.edu + + Liang Xia + Huawei + 101 Software Avenue + Nanjing, Jiangsu 210012 + China + + EMail: Frank.Xialiang@huawei.com + Jung-Soo Park + Electronics and Telecommunications Research Institute + 218 Gajeong-Ro, Yuseong-Gu + Daejeon, 34129 + Republic of Korea + + EMail: pjs@etri.re.kr + + Tae-Jin Ahn + Korea Telecom + 70 Yuseong-Ro, Yuseong-Gu + Daejeon, 305-811 + Republic of Korea + + EMail: taejin.ahn@kt.com + + Se-Hui Lee + Korea Telecom + 70 Yuseong-Ro, Yuseong-Gu + Daejeon, 305-811 + Republic of Korea + + EMail: sehuilee@kt.com Authors' Addresses Susan Hares (editor) Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332