--- 1/draft-ietf-i2nsf-capability-data-model-09.txt 2020-09-06 04:13:39.575307843 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-10.txt 2020-09-06 04:13:39.663310066 -0700 @@ -1,24 +1,24 @@ I2NSF Working Group S. Hares, Ed. Internet-Draft Huawei Intended status: Standards Track J. Jeong, Ed. -Expires: March 1, 2021 J. Kim +Expires: March 10, 2021 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei - August 28, 2020 + September 6, 2020 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-09 + draft-ietf-i2nsf-capability-data-model-10 Abstract This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo @@ -28,51 +28,50 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 1, 2021. + This Internet-Draft will expire on March 10, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 - 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 - 5.1. Network Security Function (NSF) Capabilities . . . . . . 6 - 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 40 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 41 - 9.2. Informative References . . . . . . . . . . . . . . . . . 44 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 + 4.1. Network Security Function (NSF) Capabilities . . . . . . 6 + 5. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 40 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 41 + 8.2. Informative References . . . . . . . . . . . . . . . . . 44 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45 A.1. Example 1: Registration for the Capabilities of a General Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 A.2. Example 2: Registration for the Capabilities of a Time- based Firewall . . . . . . . . . . . . . . . . . . . . . 47 A.3. Example 3: Registration for the Capabilities of a Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48 A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49 A.5. Example 5: Registration for the Capabilities of a HTTP @@ -121,36 +120,30 @@ o Definition for action capabilities of generic network security functions. o Definition for resolution strategy capabilities of generic network security functions. o Definition for default action capabilities of generic network security functions. -2. Requirements Language - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. - -3. Terminology +2. Terminology This document uses the terminology described in [RFC8329]. This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA). The meaning of the symbols in tree diagrams is defined in [RFC8340]. -4. Overview +3. Overview This section provides as overview of how the YANG data model can be used in the I2NSF framework described in [RFC8329]. Figure 1 shows the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF Framework. As shown in this figure, an NSF Developer's Management System can register NSFs and the capabilities that the network security device can support. To register NSFs in this way, the Developer's Management System utilizes this standardized capability YANG data model through the I2NSF Registration Interface [RFC8329]. That is, this Registration Interface uses the YANG module described @@ -229,26 +222,26 @@ and NSF-1 in Developer's Management System B) which can support the capabilities (i.e., IPv6). This lets an I2NSF User not consider NSFs where the rule is applied. o If NSFs encounter the suspicious IPv6 packets of malicious users, they can filter the packets out according to the configured security policy rule. Therefore, the security policy rule against the malicious users' packets can be automatically applied to appropriate NSFs without human intervention. -5. YANG Tree Diagram +4. YANG Tree Diagram This section shows a YANG tree diagram of capabilities of network security functions, as defined in the [I-D.ietf-i2nsf-capability]. -5.1. Network Security Function (NSF) Capabilities +4.1. Network Security Function (NSF) Capabilities This section explains a YANG tree diagram of NSF capabilities and its features. Figure 2 shows a YANG tree diagram of NSF capabilities. The NSF capabilities in the tree include time capabilities, event capabilities, condition capabilities, action capabilities, resolution strategy capabilities, and default action capabilities. Those capabilities can be tailored or extended according to a vendor's specific requirements. Refer to the NSF capabilities information model for detailed discussion [I-D.ietf-i2nsf-capability]. @@ -349,31 +342,31 @@ alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in [I-D.ietf-i2nsf-capability] for more information about the default action. IPsec method capabilities are used to specify capabilities of how to support an Internet Key Exchange (IKE) for the security communication. The default action capabilities are defined as IKE or IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more information about the SDN-based IPsec flow protection in I2NSF. -6. YANG Data Model of I2NSF NSF Capability +5. YANG Data Model of I2NSF NSF Capability This section introduces a YANG module for NSFs' capabilities, as defined in the [I-D.ietf-i2nsf-capability]. This YANG module imports from [RFC6991]. It makes references to [RFC - 0768][RFC0790][RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][ - RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-monitoring-dat - a-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. + 0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261][RFC4 + 443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf- + monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. - file "ietf-i2nsf-capability@2020-08-28.yang" + file "ietf-i2nsf-capability@2020-09-06.yang" module ietf-i2nsf-capability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; prefix nsfcap; organization "IETF I2NSF (Interface to Network Security Functions) @@ -402,24 +395,30 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision "2020-08-28"{ + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. + + revision "2020-09-06"{ description "Initial revision."; reference "RFC XXXX: I2NSF Capability YANG Data Model"; + + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. } /* * Identities */ identity event { description "Base identity for I2NSF policy events."; reference @@ -662,33 +658,35 @@ condition capability"; reference "RFC 791: Internet Protocol - Time To Live (TTL)"; } identity ipv4-protocol { base ipv4-capability; description "Identity for IPv4 protocol condition capability"; reference - "RFC 790: Assigned numbers - Assigned Internet - Protocol Number + "IANA Website: Assigned Internet Protocol Numbers + - Protocol Number for IPv4 RFC 791: Internet Protocol - Protocol"; } identity exact-ipv4-address { base ipv4-capability; description "Identity for exact-match IPv4 address condition capability"; + reference "RFC 791: Internet Protocol - Address"; } + identity range-ipv4-address { base ipv4-capability; description "Identity for range-match IPv4 address condition capability"; reference "RFC 791: Internet Protocol - Address"; } identity ipv4-ip-opts { @@ -789,20 +785,31 @@ identity range-ipv6-hop-limit { base ipv6-capability; description "Identity for range-match IPv6 hop limit condition capability"; reference "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Hop Limit"; } + identity ipv6-protocol { + base ipv6-capability; + description + "Identity for IPv6 protocol condition capability"; + reference + "IANA Website: Assigned Internet Protocol Numbers + - Protocol Number for IPv6 + RFC 8200: Internet Protocol, Version 6 (IPv6) + Specification - Protocol"; + } + identity exact-ipv6-address { base ipv6-capability; description "Identity for exact-match IPv6 address condition capability"; reference "RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Address"; } @@ -1830,38 +1833,41 @@ description "The name of Network Security Function (NSF)"; } } } Figure 3: YANG Data Module of I2NSF Capability -7. IANA Considerations +6. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950][RFC8525]: name: ietf-i2nsf-capability namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability prefix: nsfcap reference: RFC XXXX -8. Security Considerations + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. + +7. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required transport secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required transport secure transport is TLS [RFC8446]. The NETCONF access control model [RFC8341] provides a means of @@ -1882,32 +1888,28 @@ Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering. -9. References +8. References -9.1. Normative References +8.1. Normative References [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980, . - [RFC0790] Postel, J., "Assigned numbers", RFC 790, - DOI 10.17487/RFC0790, September 1981, - . - [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, . [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, . [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981, @@ -2012,38 +2014,43 @@ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . -9.2. Informative References +8.2. Informative References [I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. [I-D.ietf-i2nsf-nsf-monitoring-data-model] Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- nsf-monitoring-data-model-03 (work in progress), May 2020. [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, "Software-Defined Networking (SDN)-based IPsec Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 (work in progress), June 2020. + [IANA-Protocol-Numbers] + "Assigned Internet Protocol Numbers", Available: + https://www.iana.org/assignments/protocol- + numbers/protocol-numbers.xhtml, September 2020. + Appendix A. Configuration Examples This section shows configuration examples of "ietf-i2nsf-capability" module for capabilities registration of general firewall. A.1. Example 1: Registration for the Capabilities of a General Firewall This section shows a configuration example for the capabilities registration of a general firewall in either an IPv4 network or an IPv6 network. @@ -2327,23 +2334,21 @@ 4. The NSF can control whether the packets are allowed to pass, drop, or alert. Appendix B. Acknowledgments This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized - Security Service Provisioning). This work was supported in part by - the IITP (2020-0-00395, Standard Development of Blockchain based - Network Management Automation Technology). + Security Service Provisioning). Appendix C. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document, such as Acee Lindem, Roman Danyliw, and Tom Petch. The authors sincerely appreciate their contributions. The following are co-authors of this document: