draft-ietf-i2nsf-capability-data-model-14.txt   draft-ietf-i2nsf-capability-data-model-15.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: July 3, 2021 J. Kim Expires: July 21, 2021 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
December 30, 2020 January 17, 2021
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-14 draft-ietf-i2nsf-capability-data-model-15
Abstract Abstract
This document defines an information model and the corresponding YANG This document defines an information model and the corresponding YANG
data model for the capabilities of various Network Security Functions data model for the capabilities of various Network Security Functions
(NSFs) in the Interface to Network Security Functions (I2NSF) (NSFs) in the Interface to Network Security Functions (I2NSF)
framework to centrally manage the capabilities of the various NSFs. framework to centrally manage the capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 3, 2021. This Internet-Draft will expire on July 21, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 22 skipping to change at page 2, line 22
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Capability Information Model Design . . . . . . . . . . . . . 4 3. Capability Information Model Design . . . . . . . . . . . . . 4
3.1. Design Principles and ECA Policy Model Overview . . . . . 5 3.1. Design Principles and ECA Policy Model Overview . . . . . 5
3.2. Matched Policy Rule . . . . . . . . . . . . . . . . . . . 8 3.2. Matched Policy Rule . . . . . . . . . . . . . . . . . . . 8
3.3. Conflict, Resolution Strategy and Default Action . . . . 8 3.3. Conflict, Resolution Strategy and Default Action . . . . 8
4. Overview of YANG Data Model . . . . . . . . . . . . . . . . . 9 4. Overview of YANG Data Model . . . . . . . . . . . . . . . . . 9
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 12 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Network Security Function (NSF) Capabilities . . . . . . 12 5.1. Network Security Function (NSF) Capabilities . . . . . . 12
6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 15 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 50 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 59
9. Security Considerations . . . . . . . . . . . . . . . . . . . 51 9. Security Considerations . . . . . . . . . . . . . . . . . . . 60
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 52 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 61
10.1. Normative References . . . . . . . . . . . . . . . . . . 52 10.1. Normative References . . . . . . . . . . . . . . . . . . 61
10.2. Informative References . . . . . . . . . . . . . . . . . 56 10.2. Informative References . . . . . . . . . . . . . . . . . 65
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 58 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 67
A.1. Example 1: Registration for the Capabilities of a General A.1. Example 1: Registration for the Capabilities of a General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 58 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 67
A.2. Example 2: Registration for the Capabilities of a Time- A.2. Example 2: Registration for the Capabilities of a Time-
based Firewall . . . . . . . . . . . . . . . . . . . . . 60 based Firewall . . . . . . . . . . . . . . . . . . . . . 70
A.3. Example 3: Registration for the Capabilities of a Web A.3. Example 3: Registration for the Capabilities of a Web
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 61 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 72
A.4. Example 4: Registration for the Capabilities of a A.4. Example 4: Registration for the Capabilities of a
VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 62 VoIP/VoLTE Filter . . . . . . . . . . . . . . . . . . . . 72
A.5. Example 5: Registration for the Capabilities of a HTTP A.5. Example 5: Registration for the Capabilities of a HTTP
and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 63 and HTTPS Flood Mitigator . . . . . . . . . . . . . . . . 73
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 64 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 74
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 65 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 75
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 77
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet-of-Things (IoT) devices, autonomous vehicles, and Internet-of-Things (IoT) devices, autonomous vehicles, and
smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE)) smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE))
require advanced security protection in various scenario, service require advanced security protection in various scenario, service
providers have a lot of problems described in [RFC8192]. To resolve providers have a lot of problems described in [RFC8192]. To resolve
these problems, this document specifies the information and data these problems, this document specifies the information and data
models of the capabilities of Network Security Functions (NSFs) in a models of the capabilities of Network Security Functions (NSFs) in a
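Review bot: "require advanced security protection in various scenario" needs the plural "scenarios", and "service providers have a lot of problems described in [RFC8192]" is informal for a Standards Track draft; suggest "service providers face the problems described in [RFC8192]". Both columns carry the same wording, so this was not picked up between -14 and -15.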
skipping to change at page 5, line 31 skipping to change at page 5, line 31
their automatic processing by means of computer-based techniques. their automatic processing by means of computer-based techniques.
This CapIM includes enabling a security controller in an I2NSF This CapIM includes enabling a security controller in an I2NSF
framework [RFC8329] to properly identify and manage NSFs, and allow framework [RFC8329] to properly identify and manage NSFs, and allow
NSFs to properly declare their functionality through a Developer's NSFs to properly declare their functionality through a Developer's
Management System (DMS) [RFC8329] , so that they can be used in the Management System (DMS) [RFC8329] , so that they can be used in the
correct way. correct way.
3.1. Design Principles and ECA Policy Model Overview 3.1. Design Principles and ECA Policy Model Overview
This document defines an information model for representing NSF -po This document defines an information model for representing NSF
capabilities. Some basic design principles for security capabilities capabilities. Some basic design principles for security capabilities
and the systems that manage them are: and the systems that manage them are:
o Independence: Each security capability SHOULD be an independent o Independence: Each security capability SHOULD be an independent
function, with minimum overlap or dependency on other function, with minimum overlap or dependency on other
capabilities. This enables each security capability to be capabilities. This enables each security capability to be
utilized and assembled together freely. More importantly, changes utilized and assembled together freely. More importantly, changes
to one capability SHOULD NOT affect other capabilities. This to one capability SHOULD NOT affect other capabilities. This
follows the Single Responsibility Principle [Martin] [OODSRP]. follows the Single Responsibility Principle [Martin] [OODSRP].
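Review bot: "Management System (DMS) [RFC8329] , so that" has a stray space before the comma in both columns; it should read "[RFC8329], so that".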
skipping to change at page 16, line 26 skipping to change at page 16, line 26
o [I-D.ietf-tcpm-rfc793bis] o [I-D.ietf-tcpm-rfc793bis]
o [I-D.ietf-tcpm-accurate-ecn] o [I-D.ietf-tcpm-accurate-ecn]
o [I-D.ietf-tsvwg-udp-options] o [I-D.ietf-tsvwg-udp-options]
o [I-D.ietf-i2nsf-nsf-monitoring-data-model] o [I-D.ietf-i2nsf-nsf-monitoring-data-model]
o [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] o [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
<CODE BEGINS> file "ietf-i2nsf-capability@2020-12-30.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2021-01-17.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
skipping to change at page 16, line 49 skipping to change at page 16, line 49
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Jinyong Tim Kim Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu> <mailto:timkim@skku.edu>
Editor: Patrick Lingga
<mailto:patricklink@skku.edu>
Editor: Susan Hares Editor: Susan Hares
<mailto:shares@ndzh.com>"; <mailto:shares@ndzh.com>";
description description
"This module is a YANG module for I2NSF Network Security "This module is a YANG module for I2NSF Network Security
Functions (NSFs)'s Capabilities. Functions (NSFs)'s Capabilities.
Copyright (c) 2020 IETF Trust and the persons identified as Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
http://trustee.ietf.org/license-info). http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
revision "2020-12-30"{ revision "2021-01-17"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Identities * Identities
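Review bot: the module description "YANG module for I2NSF Network Security Functions (NSFs)'s Capabilities" should read "Network Security Functions (NSFs) Capabilities" or "NSFs' Capabilities". Also `revision "2021-01-17"{` is missing the space before the opening brace that the rest of the module uses (e.g. `module ietf-i2nsf-capability {`).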
skipping to change at page 21, line 27 skipping to change at page 21, line 30
identity geography { identity geography {
base context-capability; base context-capability;
description description
"Identity for geography condition capability"; "Identity for geography condition capability";
reference reference
"RFC 8805: A Format for Self-Published IP Geolocation Feeds - "RFC 8805: A Format for Self-Published IP Geolocation Feeds -
An access control for a geographical location (i.e., An access control for a geographical location (i.e.,
geolocation) that has the corresponding IP prefix."; geolocation) that has the corresponding IP prefix.";
} }
identity directional-capability {
description
"Base identity for directional traffic flow capability";
reference
"RFC 5101: Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP
Traffic Flow Information - Terminology Unidirectional
and Bidirectional Flow";
}
identity unidirectional {
base directional-capability;
description
"Identity for unirectional traffic flow.";
reference
"RFC 5101: Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP
Traffic Flow Information - Terminology Unidirectional
Flow";
}
identity bidirectional {
base directional-capability;
description
"Identity for bidirectional traffic flow.";
reference
"RFC 5101: Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP
Traffic Flow Information - Terminology Bidirectional
Flow";
}
identity ipv4-capability { identity ipv4-capability {
base condition; base condition;
description description
"Base identity for IPv4 condition capability"; "Base identity for IPv4 condition capability";
reference reference
"RFC 791: Internet Protocol"; "RFC 791: Internet Protocol";
} }
identity exact-ipv4-header-length { identity exact-ipv4-header-length {
base ipv4-capability; base ipv4-capability;
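Review bot: typo "unirectional" in the description of identity unidirectional; it should be "unidirectional". Also, the new base identity directional-capability carries no base statement, whereas the other capability bases in this module (ipv4-capability, tcp-capability, udp-capability) are derived from condition; if traffic direction is meant to be a condition capability alongside them, add `base condition;`, otherwise state in the description where unidirectional and bidirectional are expected to be used, since the later *-flow-direction identities only mention them in prose.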
skipping to change at page 24, line 4 skipping to change at page 24, line 38
identity ipv4-protocol { identity ipv4-protocol {
base ipv4-capability; base ipv4-capability;
description description
"Identity for IPv4 protocol condition capability"; "Identity for IPv4 protocol condition capability";
reference reference
"IANA Website: Assigned Internet Protocol Numbers "IANA Website: Assigned Internet Protocol Numbers
- Protocol Number for IPv4 - Protocol Number for IPv4
RFC 791: Internet Protocol - Protocol"; RFC 791: Internet Protocol - Protocol";
} }
identity prefix-ipv4-address-flow-direction {
base ipv4-capability;
description
"Identity for flow direction of prefix-match IPv4 source
or destination address(es) condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity prefix-ipv4-address { identity prefix-ipv4-address {
base ipv4-capability; base ipv4-capability;
description description
"Identity for prefix-match IPv4 address "Identity for prefix-match IPv4 source or destination
condition capability. The addresses are address condition capability. The addresses are specified
specified by a pair of prefix and prefix by a pair of prefix and prefix length.";
length."; reference
"RFC 791: Internet Protocol - Address";
}
identity prefix-ipv4-src-address {
base ipv4-capability;
description
"Identity for prefix-match IPv4 source address condition
capability. The addresses are specified by a pair of
prefix and prefix length.";
reference reference
"RFC 791: Internet Protocol - Address"; "RFC 791: Internet Protocol - Address";
} }
identity prefix-ipv4-dst-address {
base ipv4-capability;
description
"Identity for prefix-match IPv4 destination address
condition capability. The addresses are specified by a
pair of prefix and prefix length.";
reference
"RFC 791: Internet Protocol - Address";
}
identity range-ipv4-address-flow-direction {
base ipv4-capability;
description
"Identity for flow direction of range-match IPv4 source
or destination address(es) condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity range-ipv4-address { identity range-ipv4-address {
base ipv4-capability; base ipv4-capability;
description description
"Identity for range-match IPv4 address condition "Identity for range-match IPv4 source or destination
capability. The range addresses are specified address condition capability. The addresses are specified
by a pair of a start address and an end address.";
reference
"RFC 791: Internet Protocol - Address";
}
identity range-ipv4-src-address {
base ipv4-capability;
description
"Identity for range-match IPv4 source address condition
capability. The addresses are specified by a pair of
by a start address and an end address."; by a start address and an end address.";
reference
"RFC 791: Internet Protocol - Address";
}
identity range-ipv4-dst-address {
base ipv4-capability;
description
"Identity for range-match IPv4 destination address
condition capability. The addresses are specified by
a pair of by a start address and an end address.";
reference reference
"RFC 791: Internet Protocol - Address"; "RFC 791: Internet Protocol - Address";
} }
identity ipv4-ip-opts { identity ipv4-ip-opts {
base ipv4-capability; base ipv4-capability;
description description
"Identity for IPv4 option condition capability"; "Identity for IPv4 option condition capability";
reference reference
"RFC 791: Internet Protocol - Options"; "RFC 791: Internet Protocol - Options";
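Review bot: prefix-ipv4-address-flow-direction and range-ipv4-address-flow-direction cite "RFC 4340: Datagram Congestion Control Protocol", which has nothing to do with IPv4 addresses; the sibling address identities cite "RFC 791: Internet Protocol - Address", and the flow-direction concept is introduced under directional-capability with the IPFIX reference, so one of those should be cited instead. Also, the descriptions of range-ipv4-src-address and range-ipv4-dst-address contain a doubled "by": "specified by a pair of by a start address and an end address".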
skipping to change at page 26, line 43 skipping to change at page 28, line 42
identity range-ipv6-hop-limit { identity range-ipv6-hop-limit {
base ipv6-capability; base ipv6-capability;
description description
"Identity for range-match IPv6 hop limit condition "Identity for range-match IPv6 hop limit condition
capability"; capability";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Hop Limit"; Specification - Hop Limit";
} }
identity prefix-ipv6-address-flow-direction {
base ipv6-capability;
description
"Identity for flow direction of prefix-match IPv6 source
or destination address(es) condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
}
identity prefix-ipv6-address { identity prefix-ipv6-address {
base ipv6-capability; base ipv6-capability;
description description
"Identity for prefix-match IPv6 address condition "Identity for prefix-match IPv6 address condition
capability. The addresses are specified by a pair capability. The addresses are specified by a pair
of prefix and prefix length."; of prefix and prefix length.";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address"; Specification - Address";
}
identity prefix-ipv6-src-address {
base ipv6-capability;
description
"Identity for prefix-match IPv6 source address condition
capability. The addresses are specified by a pair of
prefix and prefix length.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
}
identity prefix-ipv6-dst-address {
base ipv6-capability;
description
"Identity for prefix-match IPv6 destination address
condition capability. The addresses are specified by a
pair of prefix and prefix length.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
}
identity range-ipv6-address-flow-direction {
base ipv6-capability;
description
"Identity for flow direction of prefix-match IPv6 source
or destination address(es) condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
} }
identity range-ipv6-address { identity range-ipv6-address {
base ipv6-capability; base ipv6-capability;
description description
"Identity for range-match IPv6 address condition "Identity for range-match IPv6 source or destination
capability. The addresses are specified by a start address condition capability. The addresses are
address and an end address."; specified by a pair of a start address and an end
address.";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address"; Specification - Address";
}
identity range-ipv6-src-address {
base ipv6-capability;
description
"Identity for range-match IPv6 source address
condition capability. The addresses are specified
by a pair of a start address and an end address.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
}
identity range-ipv6-dst-address {
base ipv6-capability;
description
"Identity for range-match IPv6 destination address
condition capability. The addresses are specified
by a pair of a start address and an end address.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Address";
} }
identity ipv6-header-order { identity ipv6-header-order {
base ipv6-capability; base ipv6-capability;
description description
"Identity for IPv6 extension header order condition "Identity for IPv6 extension header order condition
capability"; capability";
reference reference
"RFC 8200: Internet Protocol, Version 6 (IPv6) "RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Extension Header Order"; Specification - Extension Header Order";
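Review bot: the description of range-ipv6-address-flow-direction says "flow direction of prefix-match IPv6 source or destination address(es)"; for a range-match identity this should read "range-match", matching its IPv4 counterpart range-ipv4-address-flow-direction. Note also that the IPv6 flow-direction identities cite RFC 8200 while the IPv4 ones cite RFC 4340; the two families should use parallel references.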
skipping to change at page 28, line 50 skipping to change at page 32, line 18
identity tcp-capability { identity tcp-capability {
base condition; base condition;
description description
"Base identity for TCP condition capabilities"; "Base identity for TCP condition capabilities";
reference reference
"RFC 793: Transmission Control Protocol "RFC 793: Transmission Control Protocol
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity exact-tcp-port-num-flow-direction {
base tcp-capability;
description
"Identity for flow direction of exact-match TCP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity exact-tcp-port-num { identity exact-tcp-port-num {
base tcp-capability; base tcp-capability;
description description
"Identity for exact-match TCP port number condition "Identity for exact-match TCP source or destination port
capability"; number condition capability";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity exact-tcp-src-port-num {
base tcp-capability;
description
"Identity for exact-match TCP source port
number condition capability";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity exact-tcp-dst-port-num {
base tcp-capability;
description
"Identity for exact-match TCP destination port
number condition capability";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity range-tcp-port-num-flow-direction {
base tcp-capability;
description
"Identity for flow direction of range-match TCP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference reference
"RFC 793: Transmission Control Protocol - Port Number "RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity range-tcp-port-num { identity range-tcp-port-num {
base tcp-capability; base tcp-capability;
description description
"Identity for range-match TCP port number condition "Identity for range-match TCP source or destination port
capability"; number condition capability. The port numbers are
specified by a pair of a start port number and an end
port number.";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity range-tcp-src-port-num {
base tcp-capability;
description
"Identity for range-match TCP source port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference
"RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification";
}
identity range-tcp-dst-port-num {
base tcp-capability;
description
"Identity for range-match TCP destination port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference reference
"RFC 793: Transmission Control Protocol - Port Number "RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity tcp-flags { identity tcp-flags {
base tcp-capability; base tcp-capability;
description description
"Identity for TCP control bits (flags) condition capability"; "Identity for TCP control bits (flags) condition capability";
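Review bot: the revised description of exact-tcp-port-num ("source or destination port number") now overlaps the newly added exact-tcp-src-port-num and exact-tcp-dst-port-num, and range-tcp-port-num likewise overlaps range-tcp-src-port-num and range-tcp-dst-port-num. The module should state whether an NSF advertising exact-tcp-port-num is understood to support both directional variants, or whether it is a distinct capability; as written the three are not independent in the sense of the Section 3.1 design principle (independence, minimum overlap). The same question applies to the IPv4/IPv6 address identities earlier in the module.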
skipping to change at page 30, line 9 skipping to change at page 34, line 50
} }
identity udp-capability { identity udp-capability {
base condition; base condition;
description description
"Base identity for UDP condition capabilities"; "Base identity for UDP condition capabilities";
reference reference
"RFC 768: User Datagram Protocol"; "RFC 768: User Datagram Protocol";
} }
identity exact-udp-port-num-flow-direction {
base udp-capability;
description
"Identity for flow direction of exact-match UDP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity exact-udp-port-num { identity exact-udp-port-num {
base udp-capability; base udp-capability;
description description
"Identity for exact-match UDP port number condition capability"; "Identity for exact-match UDP source or destination
port number condition capability";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity exact-udp-src-port-num {
base udp-capability;
description
"Identity for exact-match UDP source port number
condition capability";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity exact-udp-dst-port-num {
base udp-capability;
description
"Identity for exact-match UDP destination port number
condition capability";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity range-udp-port-num-flow-direction {
base udp-capability;
description
"Identity for flow direction of range-match UDP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference reference
"RFC 768: User Datagram Protocol - Port Number"; "RFC 768: User Datagram Protocol - Port Number";
} }
identity range-udp-port-num { identity range-udp-port-num {
base udp-capability; base udp-capability;
description description
"Identity for range-match UDP port number condition capability"; "Identity for range-match UDP source or destination
port number condition capability. The port numbers
are specified by a pair of a start port number and
an end port number.";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity range-udp-src-port-num {
base udp-capability;
description
"Identity for range-match UDP source port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference
"RFC 768: User Datagram Protocol - Port Number";
}
identity range-udp-dst-port-num {
base udp-capability;
description
"Identity for range-match TCP destination port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference reference
"RFC 768: User Datagram Protocol - Port Number"; "RFC 768: User Datagram Protocol - Port Number";
} }
identity exact-udp-total-length { identity exact-udp-total-length {
base udp-capability; base udp-capability;
description description
"Identity for exact-match UDP total-length condition capability. "Identity for exact-match UDP total-length condition capability.
The UDP total length can be smaller than the IP transport The UDP total length can be smaller than the IP transport
length for UDP transport layer options."; length for UDP transport layer options.";
reference reference
"RFC 768: User Datagram Protocol - Total Length "RFC 768: User Datagram Protocol - Total Length
draft-ietf-tsvwg-udp-options: Transport Options for UDP"; draft-ietf-tsvwg-udp-options: Transport Options for UDP";
} }
identity range-udp-total-length { identity range-udp-total-length {
base udp-capability; base udp-capability;
description description
"Identity for range-match UDP total-length condition capability "Identity for range-match UDP total-length condition capability.
The UDP total length can be smaller than the IP transport The UDP total length can be smaller than the IP transport
length for UDP transport layer options."; length for UDP transport layer options.";
reference reference
"RFC 768: User Datagram Protocol - Total Length "RFC 768: User Datagram Protocol - Total Length
draft-ietf-tsvwg-udp-options: Transport Options for UDP"; draft-ietf-tsvwg-udp-options: Transport Options for UDP";
} }
identity sctp-capability { identity sctp-capability {
description description
"Identity for SCTP condition capabilities"; "Identity for SCTP condition capabilities";
reference reference
"RFC 4960: Stream Control Transmission Protocol"; "RFC 4960: Stream Control Transmission Protocol";
}
identity exact-sctp-port-num-flow-direction {
base sctp-capability;
description
"Identity for flow direction of range-match SCTP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
} }
identity exact-sctp-port-num { identity exact-sctp-port-num {
base sctp-capability; base sctp-capability;
description description
"Identity for exact-match SCTP port number condition "Identity for exact-match SCTP source or destination
capability"; port number condition capability";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
}
identity exact-sctp-src-port-num {
base sctp-capability;
description
"Identity for exact-match SCTP source port number
condition capability";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
}
identity exact-sctp-dst-port-num {
base sctp-capability;
description
"Identity for exact-match SCTP destination port number
condition capability";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
}
identity range-sctp-port-num-flow-direction {
base sctp-capability;
description
"Identity for flow direction of range-match SCTP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference reference
"RFC 4960: Stream Control Transmission Protocol - Port Number"; "RFC 4960: Stream Control Transmission Protocol - Port Number";
} }
identity range-sctp-port-num { identity range-sctp-port-num {
base sctp-capability; base sctp-capability;
description description
"Identity for range-match SCTP port number condition "Identity for range-match SCTP source or destination
capability"; port number condition capability. The port numbers are
specified by a pair of a start port number and an end
port number.";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
}
identity range-sctp-src-port-num {
base sctp-capability;
description
"Identity for range-match SCTP source port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference
"RFC 4960: Stream Control Transmission Protocol - Port Number";
}
identity range-sctp-dst-port-num {
base sctp-capability;
description
"Identity for range-match SCTP destination port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference reference
"RFC 4960: Stream Control Transmission Protocol - Port Number"; "RFC 4960: Stream Control Transmission Protocol - Port Number";
} }
identity sctp-verification-tag { identity sctp-verification-tag {
base sctp-capability; base sctp-capability;
description description
"Identity for range-match SCTP verification tag condition "Identity for range-match SCTP verification tag condition
capability"; capability";
reference reference
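Review bot: In the new column at L556-558 the description under `base udp-capability;` reads "range-match TCP destination port number", which is a copy-paste slip; a UDP-based identity should say "range-match UDP destination port number" so that the description matches its base and the `RFC 768` reference that follows. A second wording mismatch appears in the added identity `exact-sctp-port-num-flow-direction` at L588-593, whose description says "flow direction of range-match SCTP source or destination port number"; the identity is the exact-match variant (the range-match one is `range-sctp-port-num-flow-direction` at L621), so this should read "exact-match", as the corresponding DCCP identity at L673-678 already does.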
skipping to change at page 31, line 49 skipping to change at page 39, line 19
"RFC 4960: Stream Control Transmission Protocol - Chunk Type"; "RFC 4960: Stream Control Transmission Protocol - Chunk Type";
} }
identity dccp-capability { identity dccp-capability {
description description
"Identity for DCCP condition capabilities"; "Identity for DCCP condition capabilities";
reference reference
"RFC 4340: Datagram Congestion Control Protocol"; "RFC 4340: Datagram Congestion Control Protocol";
} }
identity exact-dccp-port-num-flow-direction {
base dccp-capability;
description
"Identity for flow direction of exact-match DCCP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity exact-dccp-port-num { identity exact-dccp-port-num {
base dccp-capability; base dccp-capability;
description description
"Identity for exact-match DCCP port number condition "Identity for exact-match DCCP source or destination
capability"; port number condition capability";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity exact-dccp-src-port-num {
base dccp-capability;
description
"Identity for exact-match DCCP source port number
condition capability";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity exact-dccp-dst-port-num {
base dccp-capability;
description
"Identity for exact-match DCCP destination port number
condition capability";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity range-dccp-port-num-flow-direction {
base dccp-capability;
description
"Identity for flow direction of range-match DCCP source or
destination port number condition capability where flow
direction is either unidirectional or bidirectional";
reference reference
"RFC 4340: Datagram Congestion Control Protocol"; "RFC 4340: Datagram Congestion Control Protocol";
} }
identity range-dccp-port-num { identity range-dccp-port-num {
base dccp-capability; base dccp-capability;
description description
"Identity for range-match DCCP port number condition "Identity for range-match DCCP source or destination
capability"; port number condition capability. The port numbers are
specified by a pair of a start port number and an end
port number.";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity range-dccp-src-port-num {
base dccp-capability;
description
"Identity for range-match DCCP source port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity range-dccp-dst-port-num {
base dccp-capability;
description
"Identity for range-match DCCP source port number
condition capability. The port numbers are specified by
a pair of a start port number and an end port number.";
reference reference
"RFC 4340: Datagram Congestion Control Protocol"; "RFC 4340: Datagram Congestion Control Protocol";
} }
identity dccp-service-code { identity dccp-service-code {
base dccp-capability; base dccp-capability;
description description
"Identity for DCCP Service Code condition capabilitiy"; "Identity for DCCP Service Code condition capabilitiy";
reference reference
"RFC 4340: Datagram Congestion Control Protocol "RFC 4340: Datagram Congestion Control Protocol
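Review bot: The added identity `range-dccp-dst-port-num` at L734-739 has a description that says "range-match DCCP source port number"; since this is the destination-port identity (its sibling `range-dccp-src-port-num` at L725-730 already covers source), the description should read "range-match DCCP destination port number condition capability", mirroring `range-sctp-dst-port-num` at L649-654. While touching this block, the unchanged `dccp-service-code` description at L746 carries the typo "capabilitiy" in both columns and could be corrected to "capability", and the DCCP port-number identities cite only "RFC 4340: Datagram Congestion Control Protocol" where the SCTP ones add a section hint ("- Port Number"); adding the same hint would keep the reference style consistent across the transport identities.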
skipping to change at page 43, line 29 skipping to change at page 52, line 12
* Grouping * Grouping
*/ */
grouping nsf-capabilities { grouping nsf-capabilities {
description description
"Network Security Function (NSF) Capabilities"; "Network Security Function (NSF) Capabilities";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - I2NSF Flow Security Policy Structure."; Functions - I2NSF Flow Security Policy Structure.";
leaf-list directional-capabilities {
type identityref {
base directional-capability;
}
description
"The capability of an NSF for handling directional traffic
flow (i.e., unidirectional or bidirectional traffic flow).";
}
leaf-list time-capabilities { leaf-list time-capabilities {
type enumeration { type enumeration {
enum absolute-time { enum absolute-time {
description description
"absolute time capabilities. "absolute time capabilities.
If a network security function has the absolute time If a network security function has the absolute time
capability, the network security function supports capability, the network security function supports
rule execution according to absolute time."; rule execution according to absolute time.";
} }
enum periodic-time { enum periodic-time {
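Review bot: The new `leaf-list directional-capabilities` at L758-765 overlaps with the per-field `*-flow-direction` identities added elsewhere in this revision (for example `exact-sctp-port-num-flow-direction` at L588 and `range-dccp-port-num-flow-direction` at L706), and the description should say how the two relate: whether this generic leaf-list is a summary of the per-field identities, a prerequisite for them, or an independent capability a consumer may rely on by itself. Its description would also benefit from a `reference` statement, as the enclosing grouping at L755-757 and the sibling identities all carry one.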
skipping to change at page 58, line 16 skipping to change at page 67, line 16
This section shows configuration examples of "ietf-i2nsf-capability" This section shows configuration examples of "ietf-i2nsf-capability"
module for capabilities registration of general firewall. module for capabilities registration of general firewall.
A.1. Example 1: Registration for the Capabilities of a General Firewall A.1. Example 1: Registration for the Capabilities of a General Firewall
This section shows a configuration example for the capabilities This section shows a configuration example for the capabilities
registration of a general firewall in either an IPv4 network or an registration of a general firewall in either an IPv4 network or an
IPv6 network. IPv6 network.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name> <nsf-name>general_firewall</nsf-name>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>ipv4-protocol</ipv4-capability>
<ipv4-capability>prefix-ipv4-address</ipv4-capability> <ipv4-capability>prefix-ipv4-address-flow-direction</ipv4-capability>
<ipv4-capability>range-ipv4-address</ipv4-capability> <ipv4-capability>prefix-ipv4-address</ipv4-capability>
<tcp-capability>exact-tcp-port-num</tcp-capability> <ipv4-capability>range-ipv4-address-flow-direction</ipv4-capability>
<tcp-capability>range-tcp-port-num</tcp-capability> <ipv4-capability>range-ipv4-address</ipv4-capability>
<udp-capability>exact-udp-port-num</udp-capability> <tcp-capability>exact-tcp-port-num-flow-direction</tcp-capability>
<udp-capability>range-udp-port-num</udp-capability> <tcp-capability>exact-tcp-src-port-num</tcp-capability>
</generic-nsf-capabilities> <tcp-capability>exact-tcp-dst-port-num</tcp-capability>
</condition-capabilities> <tcp-capability>range-tcp-port-num-flow-direction</tcp-capability>
<action-capabilities> <tcp-capability>range-tcp-src-port-num</tcp-capability>
<ingress-action-capability>pass</ingress-action-capability> <tcp-capability>range-tcp-dst-port-num</tcp-capability>
<ingress-action-capability>drop</ingress-action-capability> <udp-capability>exact-udp-port-num-flow-direction</udp-capability>
<ingress-action-capability>alert</ingress-action-capability> <udp-capability>exact-udp-src-port-num</udp-capability>
<egress-action-capability>pass</egress-action-capability> <udp-capability>exact-udp-dst-port-num</udp-capability>
<egress-action-capability>drop</egress-action-capability> <udp-capability>range-udp-port-num-flow-direction</udp-capability>
<egress-action-capability>alert</egress-action-capability> <udp-capability>range-udp-src-port-num</udp-capability>
</action-capabilities> <udp-capability>range-udp-dst-port-num</udp-capability>
</nsf> </generic-nsf-capabilities>
</condition-capabilities>
<action-capabilities>
<ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
Figure 4: Configuration XML for the Capabilities Registration of a Figure 4: Configuration XML for the Capabilities Registration of a
General Firewall in an IPv4 Network General Firewall in an IPv4 Network
Figure 4 shows the configuration XML for the capabilities Figure 4 shows the configuration XML for the capabilities
registration of a general firewall as an NSF in an IPv4 network. Its registration of a general firewall as an NSF in an IPv4 network. Its
capabilities are as follows. capabilities are as follows.
1. The name of the NSF is general_firewall. 1. The name of the NSF is general_firewall.
2. The NSF can inspect a protocol, a prefix of IPv4 addresses, and a 2. The NSF can inspect a protocol, a prefix of IPv4 addresses, and a
range of IPv4 addresses for IPv4 packets. range of IPv4 addresses for IPv4 packets.
3. The NSF can inspect an exact port number and a range of port 3. The NSF can inspect an exact port number and a range of port
numbers for the transport layer (TCP and UDP). numbers for the transport layer (TCP and UDP).
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name> <nsf-name>general_firewall</nsf-name>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>ipv6-next-header</ipv6-capability> <ipv6-capability>ipv6-next-header</ipv6-capability>
<ipv6-capability>prefix-ipv6-address</ipv6-capability> <ipv6-capability>prefix-ipv6-address-flow-direction</ipv6-capability>
<ipv6-capability>range-ipv6-address</ipv6-capability> <ipv6-capability>prefix-ipv6-address</ipv6-capability>
<tcp-capability>exact-tcp-port-num</tcp-capability> <ipv6-capability>range-ipv6-address-flow-direction</ipv6-capability>
<tcp-capability>range-tcp-port-num</tcp-capability> <ipv6-capability>range-ipv6-address</ipv6-capability>
<udp-capability>exact-udp-port-num</udp-capability> <tcp-capability>exact-tcp-port-num-flow-direction</tcp-capability>
<udp-capability>range-udp-port-num</udp-capability> <tcp-capability>exact-tcp-src-port-num</tcp-capability>
</generic-nsf-capabilities> <tcp-capability>exact-tcp-dst-port-num</tcp-capability>
</condition-capabilities> <tcp-capability>range-tcp-port-num-flow-direction</tcp-capability>
<action-capabilities> <tcp-capability>range-tcp-src-port-num</tcp-capability>
<ingress-action-capability>pass</ingress-action-capability> <tcp-capability>range-tcp-dst-port-num</tcp-capability>
<ingress-action-capability>drop</ingress-action-capability> <udp-capability>exact-udp-port-num-flow-direction</udp-capability>
<ingress-action-capability>alert</ingress-action-capability> <udp-capability>exact-udp-src-port-num</udp-capability>
<egress-action-capability>pass</egress-action-capability> <udp-capability>exact-udp-dst-port-num</udp-capability>
<egress-action-capability>drop</egress-action-capability> <udp-capability>range-udp-port-num-flow-direction</udp-capability>
<egress-action-capability>alert</egress-action-capability> <udp-capability>range-udp-src-port-num</udp-capability>
</action-capabilities> <udp-capability>range-udp-dst-port-num</udp-capability>
</nsf> </generic-nsf-capabilities>
</condition-capabilities>
<action-capabilities>
<ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability>
<egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
Figure 5: Configuration XML for the Capabilities Registration of a Figure 5: Configuration XML for the Capabilities Registration of a
General Firewall in an IPv6 Network General Firewall in an IPv6 Network
In addition, Figure 5 shows the configuration XML for the In addition, Figure 5 shows the configuration XML for the
capabilities registration of a general firewall as an NSF in an IPv6 capabilities registration of a general firewall as an NSF in an IPv6
network. Its capabilities are as follows. network. Its capabilities are as follows.
1. The name of the NSF is general_firewall. 1. The name of the NSF is general_firewall.
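Review bot: The new column of Figure 4 (L788-803) and Figure 5 (L832-847) now registers the `*-flow-direction` identities and splits port capabilities into `exact-tcp-src-port-num`/`exact-tcp-dst-port-num` and their range and UDP counterparts, but the explanatory list at L821-824 is unchanged and still describes only "a prefix of IPv4 addresses, and a range of IPv4 addresses" and "an exact port number and a range of port numbers". Items 2 and 3 should be updated to state that the NSF can also match on the flow direction (unidirectional or bidirectional) of addresses and ports and can distinguish source from destination port numbers, so that the prose and the XML stay in step.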
skipping to change at page 60, line 12 skipping to change at page 70, line 15
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
A.2. Example 2: Registration for the Capabilities of a Time-based A.2. Example 2: Registration for the Capabilities of a Time-based
Firewall Firewall
This section shows a configuration example for the capabilities This section shows a configuration example for the capabilities
registration of a time-based firewall in either an IPv4 network or an registration of a time-based firewall in either an IPv4 network or an
IPv6 network. IPv6 network.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>time_based_firewall</nsf-name> <nsf-name>time_based_firewall</nsf-name>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>ipv4-protocol</ipv4-capability>
<ipv4-capability>prefix-ipv4-address</ipv4-capability> <ipv4-capability>prefix-ipv4-address-flow-direction</ipv4-capability>
<ipv4-capability>range-ipv4-address</ipv4-capability> <ipv4-capability>prefix-ipv4-address</ipv4-capability>
</generic-nsf-capabilities> <ipv4-capability>range-ipv4-address-flow-direction</ipv4-capability>
</condition-capabilities> <ipv4-capability>range-ipv4-address</ipv4-capability>
<action-capabilities> </generic-nsf-capabilities>
<ingress-action-capability>pass</ingress-action-capability> </condition-capabilities>
<ingress-action-capability>drop</ingress-action-capability> <action-capabilities>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<egress-action-capability>drop</egress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
</action-capabilities> <egress-action-capability>drop</egress-action-capability>
</nsf> <egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
Figure 6: Configuration XML for the Capabilities Registration of a Figure 6: Configuration XML for the Capabilities Registration of a
Time-based Firewall in an IPv4 Network Time-based Firewall in an IPv4 Network
Figure 6 shows the configuration XML for the capabilities Figure 6 shows the configuration XML for the capabilities
registration of a time-based firewall as an NSF in an IPv4 network. registration of a time-based firewall as an NSF in an IPv4 network.
Its capabilities are as follows. Its capabilities are as follows.
1. The name of the NSF is time_based_firewall. 1. The name of the NSF is time_based_firewall.
2. The NSF can execute the security policy rule according to 2. The NSF can execute the security policy rule according to
absolute time and periodic time. absolute time and periodic time.
3. The NSF can inspect a protocol (Next-Header), an exact IPv4 3. The NSF can inspect a protocol (Next-Header), an exact IPv4
address, and a range of IPv4 addresses for IPv4 packets. address, and a range of IPv4 addresses for IPv4 packets.
4. The NSF can control whether the packets are allowed to pass, 4. The NSF can control whether the packets are allowed to pass,
drop, or alert. drop, or alert.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>time_based_firewall</nsf-name> <nsf-name>time_based_firewall</nsf-name>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>ipv6-next-header</ipv6-capability> <ipv6-capability>ipv6-next-header</ipv6-capability>
<ipv6-capability>prefix-ipv6-address</ipv6-capability> <ipv6-capability>prefix-ipv6-address-flow-direction</ipv6-capability>
<ipv6-capability>range-ipv6-address</ipv6-capability> <ipv6-capability>prefix-ipv6-address</ipv6-capability>
</generic-nsf-capabilities> <ipv6-capability>range-ipv6-address-flow-direction</ipv6-capability>
</condition-capabilities> <ipv6-capability>range-ipv6-address</ipv6-capability>
<action-capabilities> </generic-nsf-capabilities>
<ingress-action-capability>pass</ingress-action-capability> </condition-capabilities>
<ingress-action-capability>drop</ingress-action-capability> <action-capabilities>
<ingress-action-capability>alert</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<egress-action-capability>drop</egress-action-capability> <ingress-action-capability>alert</ingress-action-capability>
<egress-action-capability>alert</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
</action-capabilities> <egress-action-capability>drop</egress-action-capability>
</nsf> <egress-action-capability>alert</egress-action-capability>
</action-capabilities>
</nsf>
Figure 7: Configuration XML for the Capabilities Registration of a Figure 7: Configuration XML for the Capabilities Registration of a
Time-based Firewall in an IPv6 Network Time-based Firewall in an IPv6 Network
In addition, Figure 7 shows the configuration XML for the In addition, Figure 7 shows the configuration XML for the
capabilities registration of a time-based firewall as an NSF in an capabilities registration of a time-based firewall as an NSF in an
IPv6 network. Its capabilities are as follows. IPv6 network. Its capabilities are as follows.
1. The name of the NSF is time_based_firewall. 1. The name of the NSF is time_based_firewall.
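Review bot: Item 3 of the Figure 6 walkthrough at L903-904 says the NSF can inspect "a protocol (Next-Header), an exact IPv4 address, and a range of IPv4 addresses", but the XML at L879-883 registers `ipv4-protocol`, `prefix-ipv4-address` and `range-ipv4-address`: "Next-Header" is the IPv6 field name used in Figure 7 (`ipv6-next-header` at L913), and the IPv4 figure registers a prefix capability, not an exact-address one. The sentence should read "a protocol, a prefix of IPv4 addresses, and a range of IPv4 addresses", matching item 2 of the Figure 4 text at L821-822, and as in Example 1 the list should mention the newly added `prefix-ipv4-address-flow-direction` and `range-ipv4-address-flow-direction` capabilities that appear in the new column at L880 and L882.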
 End of changes. 47 change blocks. 
134 lines changed or deleted 581 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/