--- 1/draft-ietf-i2nsf-capability-data-model-10.txt 2020-09-08 23:13:09.537690393 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-11.txt 2020-09-08 23:13:09.629692723 -0700 @@ -1,24 +1,24 @@ I2NSF Working Group S. Hares, Ed. Internet-Draft Huawei Intended status: Standards Track J. Jeong, Ed. -Expires: March 10, 2021 J. Kim +Expires: March 12, 2021 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei - September 6, 2020 + September 8, 2020 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-10 + draft-ietf-i2nsf-capability-data-model-11 Abstract This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 10, 2021. + This Internet-Draft will expire on March 12, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -53,49 +53,49 @@ described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 4.1. Network Security Function (NSF) Capabilities . . . . . . 6 5. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 9 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 40 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 41 - 8.2. Informative References . . . . . . . . . . . . . . . . . 44 - Appendix A. Configuration Examples . . . . . . . . . . . . . . . 45 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 41 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 42 + 8.2. Informative References . . . . . . . . . . . . . . . . . 45 + Appendix A. Configuration Examples . . . . . . . . . . . . . . . 47 A.1. Example 1: Registration for the Capabilities of a General - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 45 + Firewall . . . . . . . . . . . . . . . . . . . . . . . . 47 A.2. Example 2: Registration for the Capabilities of a Time- - based Firewall . . . . . . . . . . . . . . . . . . . . . 47 + based Firewall . . . . . . . . . . . . . . . . . . . . . 49 A.3. Example 3: Registration for the Capabilities of a Web - Filter . . . . . . . . . . . . . . . . . . . . . . . . . 48 + Filter . . . . . . . . . . . . . . . . . . . . . . . . . 50 A.4. Example 4: Registration for the Capabilities of a - VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 49 + VoIP/VoLTE Filter . . 
. . . . . . . . . . . . . . . . . . 51 A.5. Example 5: Registration for the Capabilities of a HTTP - and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 50 - Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 51 - Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 52 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 + and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 52 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 53 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 54 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 1. Introduction As the industry becomes more sophisticated and network devices (e.g., - Internet of Things, Self-driving vehicles, and VoIP/VoLTE - smartphones), service providers have a lot of problems described in - [RFC8192]. To resolve these problems, [I-D.ietf-i2nsf-capability] - specifies the information model of the capabilities of Network - Security Functions (NSFs) in a framework of the Interface to Network - Security Functions (I2NSF) [RFC8329]. + Internet of Things, Self-driving vehicles, and smartphone using Voice + over IP (VoIP) and Voice over LTE (VoLTE)), service providers have a + lot of problems described in [RFC8192]. To resolve these problems, + [I-D.ietf-i2nsf-capability] specifies the information model of the + capabilities of Network Security Functions (NSFs) in a framework of + the Interface to Network Security Functions (I2NSF) [RFC8329]. This document provides a YANG data model [RFC6020][RFC7950] that defines the capabilities of NSFs to centrally manage the capabilities of those security devices. The security devices can register their own capabilities into a Network Operator Management (Mgmt) System (i.e., Security Controller) with this YANG data model through the registration interface [RFC8329]. 
With the capabilities of those security devices maintained centrally, those security devices can be more easily managed [RFC8329]. This YANG data model is based on the information model for I2NSF NSF capabilities @@ -158,23 +158,23 @@ as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy rules where 'E', 'C', and 'A' mean "Event", "Condition", and "Action", respectively. The condition involves IPv4 or IPv6 datagrams, and the action includes "Allow" and "Deny" for those datagrams. Note that the NSF-Facing Interface [RFC8329] is used to configure the security policy rules of the generic network security functions, and The configuration of advanced security functions over the NSF-Facing Interface is used to configure the security policy rules of advanced - network security functions (e.g., anti-virus and anti-DDoS attack), - respectively, according to the capabilities of NSFs registered with - the I2NSF Framework. + network security functions (e.g., anti-virus and Distributed-Denial- + of-Service (DDoS) attack mitigator), respectively, according to the + capabilities of NSFs registered with the I2NSF Framework. +------------------------------------------------------+ | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | Network Mgmt, another network domain's mgmt, etc.) | +--------------------+---------------------------------+ I2NSF ^ Consumer-Facing Interface | | v I2NSF +-----------------+------------+ Registration +-------------+ 
@@ -297,27 +297,28 @@ Condition capabilities are used to specify capabilities of a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed. The condition capabilities are classified in terms of generic network security functions and advanced network security functions. The condition capabilities of generic network security functions are defined as IPv4 capability, IPv6 capability, TCP capability, UDP capability, and ICMP capability. The condition capabilities of advanced network security functions are - defined as anti-virus capability, anti-DDoS capability, IPS - capability, HTTP capability, and VoIP/VoLTE capability. See - Section 3.1 (Design Principles and ECA Policy Model Overview) in - [I-D.ietf-i2nsf-capability] for more information about the condition - in the ECA policy model. Also, see Section 3.4.3 (I2NSF Condition - Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more - information about the operator types in an I2NSF condition clause. + defined as anti-virus capability, anti-DDoS capability, Intrusion + Prevention System (IPS) capability, HTTP capability, and VoIP/VoLTE + capability. See Section 3.1 (Design Principles and ECA Policy Model + Overview) in [I-D.ietf-i2nsf-capability] for more information about + the condition in the ECA policy model. Also, see Section 3.4.3 + (I2NSF Condition Clause Operator Types) in + [I-D.ietf-i2nsf-capability] for more information about the operator + types in an I2NSF condition clause. Action capabilities are used to specify the capabilities that describe the control and monitoring aspects of flow-based NSFs when the event and condition clauses are satisfied. The action capabilities are defined as ingress-action capability, egress-action capability, and log-action capability. 
See Section 3.1 (Design Principles and ECA Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more information about the action in the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow Security Policy Structure) in [RFC8329] for more information about @@ -337,36 +338,36 @@ strategy. Default action capabilities are used to specify the capabilities that describe how to execute I2NSF policy rules when no rule matches a packet. The default action capabilities are defined as pass, drop, alert, and mirror. See Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in [I-D.ietf-i2nsf-capability] for more information about the default action. IPsec method capabilities are used to specify capabilities of how to - support an Internet Key Exchange (IKE) for the security + support an Internet Key Exchange (IKE) [RFC7296] for the security communication. The default action capabilities are defined as IKE or IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more information about the SDN-based IPsec flow protection in I2NSF. 5. YANG Data Model of I2NSF NSF Capability This section introduces a YANG module for NSFs' capabilities, as defined in the [I-D.ietf-i2nsf-capability]. This YANG module imports from [RFC6991]. It makes references to [RFC 0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261][RFC4 443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf- monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. - file "ietf-i2nsf-capability@2020-09-06.yang" + file "ietf-i2nsf-capability@2020-09-08.yang" module ietf-i2nsf-capability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; prefix nsfcap; organization "IETF I2NSF (Interface to Network Security Functions) 
@@ -398,167 +399,217 @@ set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. - revision "2020-09-06"{ + revision "2020-09-08"{ description "Initial revision."; reference "RFC XXXX: I2NSF Capability YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } /* * Identities */ identity event { description "Base identity for I2NSF policy events."; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - Event"; + + // RFC Ed.: replace the above draft with an actual RFC in the + // YANG module and remove this note. } identity system-event-capability { base event; description "Identity for system event"; + reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System event"; } + identity system-alarm-capability { base event; description "Identity for system alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm"; } identity access-violation { base system-event-capability; description "Identity for access violation event"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System event for access violation"; } identity configuration-change { base system-event-capability; description "Identity for configuration change event"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 
Monitoring YANG Data Model - System event for configuration change"; } identity memory-alarm { base system-alarm-capability; description "Identity for memory alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm for memory"; } identity cpu-alarm { base system-alarm-capability; description "Identity for CPU alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm for CPU"; } identity disk-alarm { base system-alarm-capability; description "Identity for disk alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm for disk"; } identity hardware-alarm { base system-alarm-capability; description "Identity for hardware alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm for hardware"; } identity interface-alarm { base system-alarm-capability; description "Identity for interface alarm"; reference - "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF + "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System alarm for interface"; } identity condition { description "Base identity for policy conditions"; } identity context-capability { base condition; description - "Identity for context condition capabilities"; + "Identity for context condition capabilities for an NSF"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - The operating context of an NSF."; } - identity acl-number { + identity access-control-list { base context-capability; description - "Identity for ACL number condition capability"; + 
"Identity for Access Control List (ACL) condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - The context of an NSF. + RFC 8519: YANG Data Model for Network Access Control Lists + (ACLs) - A user-ordered set of rules used to configure the + forwarding behavior in an NSF."; } - identity application { + identity application-layer-filter { base context-capability; description - "Identity for application condition capability"; + "Identity for application-layer-filter condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - An application-layer filtering (e.g., web + filter) as an NSF."; } + identity target { base context-capability; description "Identity for target condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - A target (or destination) of a policy rule + to be applied by an NSF. + RFC 8519: YANG Data Model for Network Access Control Lists + (ACLs) - An access control for a target (e.g., the + corresponding IP address) in an NSF."; } identity user { base context-capability; description "Identity for user condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - A user in an application of a policy rule + to be applied by an NSF. + RFC 8519: YANG Data Model for Network Access Control Lists + (ACLs) - An access control for a user (e.g., the + corresponding IP address) in an NSF."; } identity group { base context-capability; description "Identity for group condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - A group (i.e., a set of users) in an + application of a policy rule to be applied by an NSF. 
+ RFC 8519: YANG Data Model for Network Access Control Lists + (ACLs) - An access control for a group (e.g., the + corresponding IP address) in an NSF."; } identity geography { base context-capability; description "Identity for geography condition capability"; + reference + "draft-ietf-i2nsf-capability-05: Information Model of NSFs + Capabilities - A group (i.e., a set of users) in an + application of a policy rule to be applied by an NSF. + RFC 8519: YANG Data Model for Network Access Control Lists + (ACLs) - An access control for a geographical location + i.e., geolocation (e.g., the corresponding IP address) in + an NSF. + RFC 8805: A Format for Self-Published IP Geolocation Feeds + - An IP address with geolocation information."; } identity ipv4-capability { base condition; description "Identity for IPv4 condition capability"; reference "RFC 791: Internet Protocol"; } 
@@ -1042,73 +1096,73 @@ } identity pass { base ingress-action-capability; base egress-action-capability; base default-action-capability; description "Identity for pass action capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Ingress, egress, and pass actions + Functions - Ingress, egress, and pass actions. draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Actions and default action"; + NSFs Capabilities - Actions and default action."; } - identity drop { base ingress-action-capability; base egress-action-capability; base default-action-capability; description "Identity for drop action capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Ingress, egress, and drop actions + Functions - Ingress, egress, and drop actions. draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Actions and default action"; + NSFs Capabilities - Actions and default action."; } identity alert { base ingress-action-capability; base egress-action-capability; base default-action-capability; description "Identity for alert action capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Ingress, egress, and alert actions - draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF - NSF Monitoring YANG Data Model - Alarm (i.e., alert) + Functions - Ingress, egress, and alert actions. + draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF + NSF Monitoring YANG Data Model - Alarm (i.e., alert). 
draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Actions and default action"; + NSFs Capabilities - Actions and default action."; } identity mirror { base ingress-action-capability; base egress-action-capability; base default-action-capability; description "Identity for mirror action capability"; reference "RFC 8329: Framework for Interface to Network Security - Functions - Ingress, egress, and mirror actions + Functions - Ingress, egress, and mirror actions. draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Actions and default action"; + NSFs Capabilities - Actions and default action."; } identity invoke-signaling { base egress-action-capability; description "Identity for invoke signaling action capability"; reference "RFC 8329: Framework for Interface to Network Security Functions - Invoke-signaling action"; + } identity tunnel-encapsulation { base egress-action-capability; description "Identity for tunnel encapsulation action capability"; reference "RFC 8329: Framework for Interface to Network Security Functions - Tunnel-encapsulation action"; } @@ -1218,23 +1273,22 @@ This can be used for an extension point for Anti-DDoS Attack as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS Attack capability"; } identity ips-capability { base advanced-nsf-capability; description - "Identity for advanced NSF Intrusion Prevention System - (IPS) capabilities. This can be used for an extension - point for IPS as an advanced NSF."; + "Identity for advanced NSF IPS capabilities. This can be + used for an extension point for IPS as an advanced NSF."; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF IPS capability"; } identity voip-volte-capability { base advanced-nsf-capability; description "Identity for advanced NSF VoIP/VoLTE Security Service capability. This can be used for an extension point 
@@ -1488,21 +1540,25 @@ } identity ike { base ipsec-capability; description "Identity for an IPsec Internet Key Exchange (IKE) capability"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined Networking (SDN)-based IPsec Flow - Protection - IPsec method with IKE"; + Protection - IPsec method with IKE. + RFC 7296: Internet Key Exchange Protocol Version 2 + (IKEv2) - IKE as a component of IPsec used for + performing mutual authentication and establishing and + maintaining Security Associations (SAs)."; } identity ikeless { base ipsec-capability; description "Identity for an IPsec without Internet Key Exchange (IKE) capability"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: Software-Defined Networking (SDN)-based IPsec Flow @@ -1511,23 +1567,23 @@ /* * Grouping */ grouping nsf-capabilities { description "Network Security Function (NSF) Capabilities"; reference "RFC 8329: Framework for Interface to Network Security - Functions - I2NSF Flow Security Policy Structure + Functions - I2NSF Flow Security Policy Structure. draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Capability Information Model Design"; + NSFs Capabilities - Capability Information Model Design."; leaf-list time-capabilities { type enumeration { enum absolute-time { description "absolute time capabilities. If a network security function has the absolute time capability, the network security function supports rule execution according to absolute time."; } 
@@ -1546,27 +1601,27 @@ container event-capabilities { description "Capabilities of events. If a network security function has the event capabilities, the network security function supports rule execution according to system event and system alarm."; reference "RFC 8329: Framework for Interface to Network Security - Functions - I2NSF Flow Security Policy Structure + Functions - I2NSF Flow Security Policy Structure. draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy - Model Overview - draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF + Model Overview. + draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF Monitoring YANG Data Model - System Alarm and - System Events"; + System Events."; leaf-list system-event-capability { type identityref { base system-event-capability; } description "System event capabilities"; } leaf-list system-alarm-capability { 
@@ -1583,34 +1638,34 @@ "Conditions capabilities."; container generic-nsf-capabilities { description "Conditions capabilities. If a network security function has the condition capabilities, the network security function supports rule execution according to conditions of IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; reference - "RFC 791: Internet Protocol - IPv4 - RFC 792: Internet Control Message Protocol - ICMP - RFC 793: Transmission Control Protocol - TCP - RFC 768: User Datagram Protocol - UDP + "RFC 791: Internet Protocol - IPv4. + RFC 792: Internet Control Message Protocol - ICMP. + RFC 793: Transmission Control Protocol - TCP. + RFC 768: User Datagram Protocol - UDP. RFC 8200: Internet Protocol, Version 6 (IPv6) - Specification - IPv6 + Specification - IPv6. RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification - - ICMPv6 + - ICMPv6. RFC 8329: Framework for Interface to Network Security - Functions - I2NSF Flow Security Policy Structure + Functions - I2NSF Flow Security Policy Structure. draft-ietf-i2nsf-capability-05: Information Model of NSFs Capabilities - Design Principles and ECA Policy - Model Overview"; + Model Overview."; leaf-list ipv4-capability { type identityref { base ipv4-capability; } description "IPv4 packet capabilities"; reference "RFC 791: Internet Protocol"; } @@ -1699,21 +1754,21 @@ reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF Anti-DDoS Attack capabilities"; } leaf-list ips-capability { type identityref { base ips-capability; } description - "Intrusion Prevention System (IPS) capabilities"; + "IPS capabilities"; reference "RFC 8329: Framework for Interface to Network Security Functions - Advanced NSF IPS capabilities"; } leaf-list url-capability { type identityref { base url-capability; } description 
@@ -1739,23 +1795,23 @@ base context-capability; } description "Security context capabilities"; } } container action-capabilities { description "Action capabilities. - If a network security function has the action - capabilities, the network security function supports - the attendant actions for policy rules."; + If a network security function has the action capabilities, + the network security function supports the attendant + actions for policy rules."; leaf-list ingress-action-capability { type identityref { base ingress-action-capability; } description "Ingress-action capabilities"; } leaf-list egress-action-capability { @@ -1794,23 +1849,23 @@ type identityref { base default-action-capability; } description "Default action capabilities. A default action is used to execute I2NSF policy rules when no rule matches a packet. The default action is defined as pass, drop, alert, or mirror."; reference "RFC 8329: Framework for Interface to Network Security - Functions - Ingress and egress actions + Functions - Ingress and egress actions. draft-ietf-i2nsf-capability-05: Information Model of - NSFs Capabilities - Default action capabilities"; + NSFs Capabilities - Default action capabilities."; } leaf-list ipsec-method { type identityref { base ipsec-capability; } description "IPsec method capabilities"; reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 
@@ -1838,34 +1893,35 @@ Figure 3: YANG Data Module of I2NSF Capability 6. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: + ID: yang:ietf-i2nsf-capability URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability - Registrant Contact: The IESG. - XML: N/A; the requested URI is an XML namespace. + Filename: [ TBD-at-Registration ] + Reference: [ RFC-to-be ] This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950][RFC8525]: - name: ietf-i2nsf-capability - namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability - prefix: nsfcap - reference: RFC XXXX - - // RFC Ed.: replace XXXX with an actual RFC number and remove - // this note. + Name: ietf-i2nsf-capability + File: [ TBD-at-Registration ] + Maintained by IANA? N + Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability + Prefix: nsfcap + Module: + Reference: [ RFC-to-be ] 7. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required transport secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required transport secure transport is TLS [RFC8446]. 
@@ -1892,20 +1948,36 @@ nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: An attacker could gather the security capability information of any NSF and use this information to evade detection or filtering. 8. References 8.1. Normative References + [I-D.ietf-i2nsf-capability] + Xia, L., Strassner, J., Basile, C., and D. Lopez, + "Information Model of NSFs Capabilities", draft-ietf- + i2nsf-capability-05 (work in progress), April 2019. + + [I-D.ietf-i2nsf-nsf-monitoring-data-model] + Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, + "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- + nsf-monitoring-data-model-03 (work in progress), May 2020. + + [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] + Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, + "Software-Defined Networking (SDN)-based IPsec Flow + Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 + (work in progress), June 2020. + [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980, . [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, . [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, 
@@ -1962,20 +2034,25 @@ . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, . + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. + Kivinen, "Internet Key Exchange Protocol Version 2 + (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October + 2014, . + [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J. Jeong, "Interface to Network Security Functions 
@@ -2009,42 +2086,36 @@ [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . + [RFC8519] Jethanandani, M., Agarwal, S., Huang, L., and D. Blair, + "YANG Data Model for Network Access Control Lists (ACLs)", + RFC 8519, DOI 10.17487/RFC8519, March 2019, + . + [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . -8.2. Informative References - - [I-D.ietf-i2nsf-capability] - Xia, L., Strassner, J., Basile, C., and D. Lopez, - "Information Model of NSFs Capabilities", draft-ietf- - i2nsf-capability-05 (work in progress), April 2019. - - [I-D.ietf-i2nsf-nsf-monitoring-data-model] - Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, - "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- - nsf-monitoring-data-model-03 (work in progress), May 2020. + [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. + Kumari, "A Format for Self-Published IP Geolocation + Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, + . - [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] - Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, - "Software-Defined Networking (SDN)-based IPsec Flow - Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 - (work in progress), June 2020. +8.2. Informative References [IANA-Protocol-Numbers] "Assigned Internet Protocol Numbers", Available: https://www.iana.org/assignments/protocol- numbers/protocol-numbers.xhtml, September 2020. Appendix A. Configuration Examples This section shows configuration examples of "ietf-i2nsf-capability" module for capabilities registration of general firewall.
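Review bot: in the rewritten Introduction (hunk @@ -53), "smartphone using Voice over IP (VoIP) and Voice over LTE (VoLTE)" is singular next to the plural "Internet of Things, Self-driving vehicles"; make it "smartphones using ...". The enclosing sentence is also still missing its verb ("As the industry becomes more sophisticated and network devices (e.g., ...), service providers have ..."), so while this text is being reworked, something like "and network devices (e.g., ...) proliferate, service providers face the problems described in [RFC8192]" would complete it.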
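Review bot: in hunk @@ -158, "Distributed-Denial- of-Service (DDoS)" hyphenates the whole phrase and splits it across the line break; the usual form is "Distributed Denial-of-Service (DDoS)". The list also stops being parallel: "anti-virus and ... (DDoS) attack mitigator" pairs a function name with a device name, where the previous "anti-virus and anti-DDoS attack" was parallel, so "anti-virus and anti-DDoS" with the expansion given on first use would read more cleanly. In the unchanged context of the same hunk, "and The configuration of advanced security functions" has a stray capital T.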
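Review bot: in hunk @@ -337, the sentence immediately after the changed "[RFC7296]" line still reads "The default action capabilities are defined as IKE or IKE-less", but this paragraph describes IPsec method capabilities; it should say "The IPsec method capabilities are defined as IKE or IKE-less". Since this hunk already touches that paragraph to add the [RFC7296] citation, fix the copy-paste at the same time.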
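Review bot: in hunk @@ -398, the new reference text under "identity geography" is copied from "identity group" ("A group (i.e., a set of users) in an application of a policy rule to be applied by an NSF.") and does not describe geography; replace it with geolocation wording, e.g. "A geographical location (i.e., geolocation) to which a policy rule is applied by an NSF." Three smaller points in the same hunk: the "RFC Ed.: replace the above draft with an actual RFC" note is added only under "identity event", while the same draft-ietf-i2nsf-nsf-monitoring-data-model-04 and draft-ietf-i2nsf-capability-05 references appear in many identities, so either add it once at module level or under each; the renames "acl-number" to "access-control-list" and "application" to "application-layer-filter" change identity names that the Appendix A registration examples may use, so check that those examples are updated; and the blank line added between "description" and "reference" in "identity system-event-capability" is inconsistent with every other identity in the module.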
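Review bot: in hunk @@ -1042, the blank line added before the closing brace of "identity invoke-signaling" is a stray whitespace change; the other identities in this hunk end with 'reference "...";' directly followed by "}". Drop it to keep the module uniform.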
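Review bot: in hunk @@ -1218, dropping "Intrusion Prevention System (IPS)" from the "identity ips-capability" description leaves the only expansion of IPS in the document prose, but the YANG module is extracted and published as the standalone file "ietf-i2nsf-capability@2020-09-08.yang", where that prose is not available. Keep the expansion on first use inside the module; the same applies to the "leaf-list ips-capability" description that hunk @@ -1699 reduces to "IPS capabilities".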
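Review bot: in hunk @@ -1838, the rewritten IETF XML Registry entry drops "Registrant Contact: The IESG." and "XML: N/A; the requested URI is an XML namespace.", which are the fields the RFC 3688 / RFC 8407 request template asks for, and the YANG Module Names entry gains a "Module:" field that is left empty. Restore the two dropped lines and remove the empty "Module:" field; "[ RFC-to-be ]" as the reference placeholder is fine if that convention is preferred over "RFC XXXX". In the unchanged context of the same hunk, "the required transport secure transport is" appears twice in the Security Considerations; the template wording is "the mandatory-to-implement secure transport is".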
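Review bot: in hunk @@ -1892, the [I-D.ietf-i2nsf-nsf-monitoring-data-model] entry moved into Normative References still cites draft-ietf-i2nsf-nsf-monitoring-data-model-03 (May 2020), while every "reference" statement in the module was bumped to -04 in this same patch; update the entry's revision and date so the citation matches the text. Moving the three I2NSF drafts from informative to normative also means this document cannot be published ahead of them, which is clearly intended for the capability information model but is worth confirming for the SDN-based IPsec flow protection draft.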