draft-ietf-i2nsf-capability-data-model-17.txt   draft-ietf-i2nsf-capability-data-model-18.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: 15 February 2022 J. Kim Expires: 19 March 2022 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
14 August 2021 15 September 2021
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-17 draft-ietf-i2nsf-capability-data-model-18
Abstract Abstract
This document defines an information model and the corresponding YANG This document defines an information model and the corresponding YANG
data model for the capabilities of various Network Security Functions data model for the capabilities of various Network Security Functions
(NSFs) in the Interface to Network Security Functions (I2NSF) (NSFs) in the Interface to Network Security Functions (I2NSF)
framework to centrally manage the capabilities of the various NSFs. framework to centrally manage the capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 15 February 2022. This Internet-Draft will expire on 19 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Information Model of I2NSF NSF Capability . . . . . . . . . . 4 3. Information Model of I2NSF NSF Capability . . . . . . . . . . 4
3.1. Design Principles and ECA Policy Model . . . . . . . . . 5 3.1. Design Principles and ECA Policy Model . . . . . . . . . 5
3.2. Conflict, Resolution Strategy and Default Action . . . . 8 3.2. Conflict, Resolution Strategy and Default Action . . . . 8
4. Overview of YANG Data Model . . . . . . . . . . . . . . . . . 10 4. Overview of YANG Data Model . . . . . . . . . . . . . . . . . 10
5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 12 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Network Security Function (NSF) Capabilities . . . . . . 12 5.1. Network Security Function (NSF) Capabilities . . . . . . 12
6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 15 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 49 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 49
9. Security Considerations . . . . . . . . . . . . . . . . . . . 49 9. Security Considerations . . . . . . . . . . . . . . . . . . . 50
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
10.1. Normative References . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . 51
10.2. Informative References . . . . . . . . . . . . . . . . . 55 10.2. Informative References . . . . . . . . . . . . . . . . . 56
Appendix A. Configuration Examples . . . . . . . . . . . . . . . 57 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 57
A.1. Example 1: Registration for the Capabilities of a General A.1. Example 1: Registration for the Capabilities of a General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 57 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 58
A.2. Example 2: Registration for the Capabilities of a A.2. Example 2: Registration for the Capabilities of a
Time-based Firewall . . . . . . . . . . . . . . . . . . . 59 Time-based Firewall . . . . . . . . . . . . . . . . . . . 59
A.3. Example 3: Registration for the Capabilities of a Web A.3. Example 3: Registration for the Capabilities of a Web
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 61 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 61
A.4. Example 4: Registration for the Capabilities of a VoIP/ A.4. Example 4: Registration for the Capabilities of a VoIP/
VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 61 VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 62
A.5. Example 5: Registration for the Capabilities of a HTTP and A.5. Example 5: Registration for the Capabilities of a HTTP and
HTTPS Flood Mitigator . . . . . . . . . . . . . . . . . . 62 HTTPS Flood Mitigator . . . . . . . . . . . . . . . . . . 63
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 63 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 64
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 64 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 65
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66
1. Introduction 1. Introduction
As the industry becomes more sophisticated and network devices (e.g., As the industry becomes more sophisticated and network devices (e.g.,
Internet-of-Things (IoT) devices, autonomous vehicles, and Internet-of-Things (IoT) devices, autonomous vehicles, and
smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE)) smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE))
require advanced security protection in various scenarios, security require advanced security protection in various scenarios, security
service providers have a lot of problems described in [RFC8192] to service providers have a lot of problems described in [RFC8192] to
provide such network devices with efficient and reliable security provide such network devices with efficient and reliable security
services in network infrastructure. To resolve these problems, this services in network infrastructure. To resolve these problems, this
skipping to change at page 13, line 15 skipping to change at page 13, line 15
module: ietf-i2nsf-capability module: ietf-i2nsf-capability
+--rw nsf* [nsf-name] +--rw nsf* [nsf-name]
+--rw nsf-name string +--rw nsf-name string
+--rw directional-capabilities* identityref +--rw directional-capabilities* identityref
+--rw event-capabilities +--rw event-capabilities
| +--rw system-event-capability* identityref | +--rw system-event-capability* identityref
| +--rw system-alarm-capability* identityref | +--rw system-alarm-capability* identityref
| +--rw time-capabilities* identityref | +--rw time-capabilities* identityref
+--rw condition-capabilities +--rw condition-capabilities
| +--rw generic-nsf-capabilities | +--rw generic-nsf-capabilities
| | +--rw ipv4-capability* identityref | | +--rw ethernet-capability* identityref
| | +--rw ipv6-capability* identityref | | +--rw ipv4-capability* identityref
| | +--rw icmpv4-capability* identityref | | +--rw ipv6-capability* identityref
| | +--rw icmpv6-capability* identityref | | +--rw icmpv4-capability* identityref
| | +--rw tcp-capability* identityref | | +--rw icmpv6-capability* identityref
| | +--rw udp-capability* identityref | | +--rw tcp-capability* identityref
| | +--rw sctp-capability* identityref | | +--rw udp-capability* identityref
| | +--rw dccp-capability* identityref | | +--rw sctp-capability* identityref
| | +--rw dccp-capability* identityref
| +--rw advanced-nsf-capabilities | +--rw advanced-nsf-capabilities
| | +--rw anti-ddos-capability* identityref | | +--rw anti-ddos-capability* identityref
| | +--rw ips-capability* identityref | | +--rw ips-capability* identityref
| | +--rw anti-virus-capability* identityref
| | +--rw url-capability* identityref | | +--rw url-capability* identityref
| | +--rw voip-volte-filtering-capability* identityref | | +--rw voip-volte-filtering-capability* identityref
| +--rw context-capabilities | +--rw context-capabilities
| +--rw application-filter-capabilities* identityref | +--rw application-filter-capabilities* identityref
| +--rw target-capabilities* identityref | +--rw target-capabilities* identityref
| +--rw user-condition-capabilities* identityref | +--rw user-condition-capabilities* identityref
| +--rw geography-capabilities* identityref | +--rw geography-capabilities* identityref
+--rw action-capabilities +--rw action-capabilities
| +--rw ingress-action-capability* identityref | +--rw ingress-action-capability* identityref
| +--rw egress-action-capability* identityref | +--rw egress-action-capability* identityref
skipping to change at page 15, line 47 skipping to change at page 16, line 4
6. YANG Data Model of I2NSF NSF Capability 6. YANG Data Model of I2NSF NSF Capability
This section introduces a YANG module for NSFs' capabilities, as This section introduces a YANG module for NSFs' capabilities, as
defined in the Section 3. defined in the Section 3.
It makes references to It makes references to
* [RFC0768] * [RFC0768]
* [RFC0791] * [RFC0791]
* [RFC0792] * [RFC0792]
* [RFC0793] * [RFC0793]
* [RFC0854]
* [RFC0959]
* [RFC1939]
* [RFC2474] * [RFC2474]
* [RFC2616]
* [RFC2818]
* [RFC3168] * [RFC3168]
* [RFC3261] * [RFC3261]
* [RFC3501] * [RFC3501]
* [RFC4340] * [RFC4340]
* [RFC4443] * [RFC4443]
* [RFC4766]
* [RFC4960] * [RFC4960]
* [RFC5101]
* [RFC5321]
* [RFC5595] * [RFC5595]
* [RFC6335] * [RFC6335]
* [RFC6437] * [RFC6437]
* [RFC6691] * [RFC6691]
* [RFC6864] * [RFC6864]
* [RFC7230] * [RFC7230]
* [RFC7231] * [RFC7231]
* [RFC7296]
* [RFC7323] * [RFC7323]
* [RFC8200] * [RFC8200]
* [RFC8329] * [RFC8329]
* [RFC8519]
* [RFC8805] * [RFC8805]
* [IEEE802.3-2018]
* [IANA-Protocol-Numbers] * [IANA-Protocol-Numbers]
* [I-D.ietf-tcpm-rfc793bis] * [I-D.ietf-tcpm-rfc793bis]
* [I-D.ietf-tcpm-accurate-ecn] * [I-D.ietf-tcpm-accurate-ecn]
* [I-D.ietf-tsvwg-udp-options] * [I-D.ietf-tsvwg-udp-options]
* [I-D.ietf-i2nsf-nsf-monitoring-data-model] * [I-D.ietf-i2nsf-nsf-monitoring-data-model]
<CODE BEGINS> file "ietf-i2nsf-capability@2021-08-14.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2021-09-15.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Jinyong Tim Kim Editor: Jinyong Tim Kim
<mailto:timkim@skku.edu> <mailto:timkim@skku.edu>
Editor: Patrick Lingga Editor: Patrick Lingga
<mailto:patricklink@skku.edu> <mailto:patricklink@skku.edu>
skipping to change at page 18, line 8 skipping to change at page 18, line 26
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
revision "2021-08-14"{ revision "2021-09-15"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Identities * Identities
skipping to change at page 23, line 47 skipping to change at page 24, line 16
"Identity for bidirectional traffic flow."; "Identity for bidirectional traffic flow.";
reference reference
"RFC 5101: Specification of the IP Flow Information "RFC 5101: Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP Export (IPFIX) Protocol for the Exchange of IP
Traffic Flow Information - Terminology Bidirectional Traffic Flow Information - Terminology Bidirectional
Flow"; Flow";
} }
identity protocol { identity protocol {
description description
"Base identity for Internet Protocols"; "Base identity for protocols";
} }
identity ethernet { identity ethernet {
base protocol; base protocol;
description description
"Base identity for data link layer protocol."; "Base identity for Ethernet protocol.";
} }
identity source-mac-address { identity source-mac-address {
base ethernet; base ethernet;
description description
"Identity for the capability of matching Media Access Control "Identity for the capability of matching Media Access Control
(MAC) source address(es) condition capability."; (MAC) source address(es) condition capability.";
reference reference
"IEEE 802.3: IEEE Standard for Ethernet"; "IEEE 802.3 - 2018: IEEE Standard for Ethernet";
} }
identity destination-mac-address { identity destination-mac-address {
base ethernet; base ethernet;
description description
"Identity for the capability of matching Media Access Control "Identity for the capability of matching Media Access Control
(MAC) destination address(es) condition capability."; (MAC) destination address(es) condition capability.";
reference reference
"IEEE 802.3: IEEE Standard for Ethernet"; "IEEE 802.3 - 2018: IEEE Standard for Ethernet";
} }
identity ether-type { identity ether-type {
base ethernet; base ethernet;
description description
"Identity for the capability of matching the EtherType of a "Identity for the capability of matching the EtherType in
packet."; Ethernet II and Length in Ethernet 802.3 of a packet.";
reference reference
"IEEE 802.3: IEEE Standard for Ethernet"; "IEEE 802.3 - 2018: IEEE Standard for Ethernet";
} }
identity ip { identity ip {
base protocol; base protocol;
description description
"Base identity for internet/network layer protocol, "Base identity for internet/network layer protocol,
e.g., IPv4, IPv6, and ICMP."; e.g., IPv4, IPv6, and ICMP.";
} }
identity ipv4 { identity ipv4 {
base ip; base ip;
description description
skipping to change at page 25, line 31 skipping to change at page 25, line 47
Services Field (DS Field) in the IPv4 and Services Field (DS Field) in the IPv4 and
IPv6 Headers IPv6 Headers
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Traffic Class"; Specification - Traffic Class";
} }
identity length { identity length {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
"Identity for the capability of matching IPv4 Total Length header "Identity for the capability of matching IPv4 Total Length
field or IPv6 Payload Length header field. header field or IPv6 Payload Length header field.
IPv4 Total Length is the length of datagram, measured in octets, IPv4 Total Length is the length of datagram, measured in
including internet header and data. octets, including internet header and data.
IPv6 Payload Length is the length of the IPv6 payload, i.e., the IPv6 Payload Length is the length of the IPv6 payload, i.e.,
rest of the packet following the IPv6 header, measured in the rest of the packet following the IPv6 header, measured in
octets."; octets.";
reference reference
"RFC 791: Internet Protocol - Total Length "RFC 791: Internet Protocol - Total Length
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Payload Length"; Specification - Payload Length";
} }
identity ttl { identity ttl {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
"Identity for the capability of matching IPv4 Time-To-Live (TTL) "Identity for the capability of matching IPv4 Time-To-Live
or IPv6 Hop Limit."; (TTL) or IPv6 Hop Limit.";
reference reference
"RFC 791: Internet Protocol - Time To Live (TTL) "RFC 791: Internet Protocol - Time To Live (TTL)
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Hop Limit"; Specification - Hop Limit";
} }
identity next-header { identity next-header {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
skipping to change at page 26, line 41 skipping to change at page 27, line 7
reference reference
"RFC 791: Internet Protocol - Address "RFC 791: Internet Protocol - Address
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Source Address"; Specification - Source Address";
} }
identity destination-address { identity destination-address {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
"Identity for the capability of matching IPv4 or IPv6 destination "Identity for the capability of matching IPv4 or IPv6
address(es) condition capability."; destination address(es) condition capability.";
reference reference
"RFC 791: Internet Protocol - Address "RFC 791: Internet Protocol - Address
RFC 8200: Internet Protocol, Version 6 (IPv6) RFC 8200: Internet Protocol, Version 6 (IPv6)
Specification - Destination Address"; Specification - Destination Address";
} }
identity flow-direction { identity flow-direction {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
skipping to change at page 30, line 31 skipping to change at page 30, line 47
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
RFC 4443: Internet Control Message Protocol (ICMPv6) RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6"; - ICMPv6";
} }
identity transport-protocol { identity transport-protocol {
base protocol; base protocol;
description description
"Base identity for Layer 4 protocol condition capabilities, e.g., "Base identity for Layer 4 protocol condition capabilities,
TCP, UDP, SCTP, DCCP, and ICMP"; e.g., TCP, UDP, SCTP, and DCCP";
} }
identity tcp { identity tcp {
base transport-protocol; base transport-protocol;
description description
"Base identity for TCP condition capabilities"; "Base identity for TCP condition capabilities";
reference reference
"RFC 793: Transmission Control Protocol "RFC 793: Transmission Control Protocol
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity udp { identity udp {
base transport-protocol; base transport-protocol;
description description
"Base identity for UDP condition capabilities"; "Base identity for UDP condition capabilities";
reference reference
"RFC 768: User Datagram Protocol"; "RFC 768: User Datagram Protocol";
} }
skipping to change at page 31, line 30 skipping to change at page 31, line 47
identity source-port-number { identity source-port-number {
base tcp; base tcp;
base udp; base udp;
base sctp; base sctp;
base dccp; base dccp;
description description
"Identity for matching TCP, UDP, SCTP, and DCCP source port "Identity for matching TCP, UDP, SCTP, and DCCP source port
number condition capability"; number condition capability";
reference reference
"RFC 793: Transmission Control Protocol - Port Number "RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification (TCP) Specification
RFC 768: User Datagram Protocol RFC 768: User Datagram Protocol
RFC 4960: Stream Control Transmission Protocol RFC 4960: Stream Control Transmission Protocol
RFC 4340: Datagram Congestion Control Protocol"; RFC 4340: Datagram Congestion Control Protocol";
} }
identity destination-port-number { identity destination-port-number {
base tcp; base tcp;
base udp; base udp;
base sctp; base sctp;
base dccp; base dccp;
description description
"Identity for matching TCP, UDP, SCTP, and DCCP destination port "Identity for matching TCP, UDP, SCTP, and DCCP destination
number condition capability"; port number condition capability";
reference reference
"RFC 793: Transmission Control Protocol - Port Number "RFC 793: Transmission Control Protocol - Port Number
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity flags { identity flags {
base tcp; base tcp;
description description
"Identity for TCP control bits (flags) condition capability"; "Identity for TCP control bits (flags) condition capability";
reference reference
"RFC 793: Transmission Control Protocol - Flags "RFC 793: Transmission Control Protocol - Flags
RFC 3168: The Addition of Explicit Congestion Notification RFC 3168: The Addition of Explicit Congestion Notification
(ECN) to IP - TCP Header Flags (ECN) to IP - TCP Header Flags
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification (TCP) Specification
draft-ietf-tcpm-accurate-ecn: More Accurate ECN Feedback draft-ietf-tcpm-accurate-ecn: More Accurate ECN Feedback
in TCP"; in TCP";
} }
identity tcp-options { identity tcp-options {
base tcp; base tcp;
description description
"Identity for TCP options condition capability."; "Identity for TCP options condition capability.";
reference reference
"RFC 793: Transmission Control Protocol - Options "RFC 793: Transmission Control Protocol - Options
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification (TCP) Specification
RFC 6691: TCP Options and Maximum Segment Size RFC 6691: TCP Options and Maximum Segment Size
RFC 7323: TCP Extensions for High Performance"; RFC 7323: TCP Extensions for High Performance";
} }
identity total-length { identity total-length {
base udp; base udp;
description description
"Identity for matching UDP total-length condition capability. "Identity for matching UDP total-length condition capability.
The UDP total length can be smaller than the IP transport The UDP total length can be smaller than the IP transport
skipping to change at page 33, line 32 skipping to change at page 33, line 50
identity application-protocol { identity application-protocol {
base protocol; base protocol;
description description
"Base identity for Application protocol"; "Base identity for Application protocol";
} }
identity http { identity http {
base application-protocol; base application-protocol;
description description
"The identity for HTTP protocol."; "The identity for Hypertext Transfer Protocol.";
reference reference
"RFC 2616: Hypertext Transfer Protocol (HTTP) "RFC 2616: Hypertext Transfer Protocol (HTTP)
RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message
Syntax and Routing Syntax and Routing
RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content"; and Content";
} }
identity https { identity https {
base application-protocol; base application-protocol;
description description
"The identity for HTTPS protocol."; "The identity for Hypertext Transfer Protocol Secure.";
reference reference
"RFC 2818: HTTP over TLS (HTTPS) "RFC 2818: HTTP over TLS (HTTPS)
RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message
Syntax and Routing Syntax and Routing
RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content"; and Content";
} }
identity ftp { identity ftp {
base application-protocol; base application-protocol;
description description
"The identity for ftp protocol."; "The identity for File Transfer Protocol.";
reference reference
"RFC 959: File Transfer Protocol (FTP)"; "RFC 959: File Transfer Protocol (FTP)";
} }
identity ssh { identity ssh {
base application-protocol; base application-protocol;
description description
"The identity for ssh protocol."; "The identity for Secure Shell (SSH) protocol.";
reference reference
"RFC 4250: The Secure Shell (SSH) Protocol"; "RFC 4250: The Secure Shell (SSH) Protocol";
} }
identity telnet { identity telnet {
base application-protocol; base application-protocol;
description description
"The identity for telnet."; "The identity for telnet.";
reference reference
"RFC 854: Telnet Protocol"; "RFC 854: Telnet Protocol";
} }
identity smtp { identity smtp {
base application-protocol; base application-protocol;
description description
"The identity for smtp."; "The identity for Simple Mail Transfer Protocol.";
reference reference
"RFC 5321: Simple Mail Transfer Protocol (SMTP)"; "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
}
identity sftp {
base application-protocol;
description
"The identity for sftp.";
reference
"RFC 913: Simple File Transfer Protocol (SFTP)";
} }
identity pop3 { identity pop3 {
base application-protocol; base application-protocol;
description description
"The identity for pop3."; "The identity for Post Office Protocol 3.";
reference reference
"RFC 1081: Post Office Protocol - Version 3 (POP3)"; "RFC 1939: Post Office Protocol - Version 3 (POP3)";
} }
identity imap { identity imap {
base application-protocol; base application-protocol;
description description
"The identity for Internet Message Access Protocol (IMAP)."; "The identity for Internet Message Access Protocol.";
reference reference
"RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"; "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
} }
identity action { identity action {
description description
"Base identity for action capability"; "Base identity for action capability";
} }
identity log-action { identity log-action {
skipping to change at page 36, line 39 skipping to change at page 36, line 48
"Identity for drop action capability. The drop action denies "Identity for drop action capability. The drop action denies
packet to go through the NSF entering or exiting the internal packet to go through the NSF entering or exiting the internal
network."; network.";
} }
identity mirror { identity mirror {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for mirror action capability. The mirror action copies "Identity for mirror action capability. The mirror action
packet and send it to the monitoring entity while still allow copies packet and send it to the monitoring entity while still
the packet or flow to go through the NSF."; allow the packet or flow to go through the NSF.";
} }
identity rate-limit { identity rate-limit {
base ingress-action; base ingress-action;
base egress-action; base egress-action;
base default-action; base default-action;
description description
"Identity for rate limiting action capability. The rate limit "Identity for rate limiting action capability. The rate limit
action limits the number of packets or flows that can go through action limits the number of packets or flows that can go
the NSF by dropping packets or flows (randomly or through the NSF by dropping packets or flows (randomly or
systematically)."; systematically).";
} }
identity invoke-signaling { identity invoke-signaling {
base egress-action; base egress-action;
description description
"Identity for invoke signaling action capability"; "Identity for invoke signaling action capability";
} }
identity tunnel-encapsulation { identity tunnel-encapsulation {
base egress-action; base egress-action;
skipping to change at page 38, line 43 skipping to change at page 39, line 4
Intrusion Prevention System (IPS), URL-Filtering, Antivirus, Intrusion Prevention System (IPS), URL-Filtering, Antivirus,
and VoIP/VoLTE Filter."; and VoIP/VoLTE Filter.";
} }
identity attack-mitigation-control { identity attack-mitigation-control {
base advanced-nsf; base advanced-nsf;
description description
"Base identity for attack mitigation control. Attack mitigation "Base identity for attack mitigation control. Attack mitigation
control is an NSF that mitigates an attack such as anti-DDoS control is an NSF that mitigates an attack such as anti-DDoS
or DDoS-mitigator."; or DDoS-mitigator.";
} }
identity ips { identity ips {
base content-security-control; base content-security-control;
description description
"Base identity for IPS (Intrusion Prevention System) capability "Base identity for IPS (Intrusion Prevention System) capability
that prevents malicious activity within a network"; that prevents malicious activity within a network";
} }
identity url-filtering { identity url-filtering {
base content-security-control; base content-security-control;
description description
"Base identity for url filtering capability that limits access by "Base identity for url filtering capability that limits access
comparing the web traffic's URL with the URLs for web filtering by comparing the web traffic's URL with the URLs for web
in a database"; filtering in a database";
} }
identity anti-virus { identity anti-virus {
base content-security-control; base content-security-control;
description description
"Base identity for anti-virus capability to protect the network "Base identity for anti-virus capability to protect the network
by detecting and removing viruses."; by detecting and removing viruses.";
} }
identity voip-volte-filtering { identity voip-volte-filtering {
skipping to change at page 39, line 31 skipping to change at page 39, line 41
description description
"Base identity for advanced NSF VoIP/VoLTE Security Service "Base identity for advanced NSF VoIP/VoLTE Security Service
capability to filter the VoIP/VoLTE packets or flows."; capability to filter the VoIP/VoLTE packets or flows.";
reference reference
"RFC 3261: SIP: Session Initiation Protocol"; "RFC 3261: SIP: Session Initiation Protocol";
} }
identity anti-ddos { identity anti-ddos {
base attack-mitigation-control; base attack-mitigation-control;
description description
"Base identity for advanced NSF Anti-DDoS Attack or DDoS Mitigator "Base identity for advanced NSF Anti-DDoS Attack or DDoS
capability."; Mitigator capability.";
} }
identity packet-rate { identity packet-rate {
base anti-ddos; base anti-ddos;
description description
"Identity for advanced NSF Anti-DDoS detecting Packet Rate "Identity for advanced NSF Anti-DDoS detecting Packet Rate
Capability where a packet rate is defined as the arrival rate of Capability where a packet rate is defined as the arrival rate
Packets toward a victim destination node. The NSF with this of Packets toward a victim destination node. The NSF with
capability can detect the incoming packet rate and create an this capability can detect the incoming packet rate and create
alert if the rate exceeds the threshold."; an alert if the rate exceeds the threshold.";
} }
identity flow-rate { identity flow-rate {
base anti-ddos; base anti-ddos;
description description
"Identity for advanced NSF Anti-DDoS detecting Flow Rate "Identity for advanced NSF Anti-DDoS detecting Flow Rate
Capability where a flow rate is defined as the arrival rate of Capability where a flow rate is defined as the arrival rate of
flows towards a victim destination node. The NSF with this flows towards a victim destination node. The NSF with this
capability can detect the incoming flow rate and create an capability can detect the incoming flow rate and create an
skipping to change at page 40, line 41 skipping to change at page 40, line 50
"Identity for the capability of IPS to exclude signatures from "Identity for the capability of IPS to exclude signatures from
detecting the intrusion."; detecting the intrusion.";
reference reference
"RFC 4766: Intrusion Detection Message Exchange Requirements - "RFC 4766: Intrusion Detection Message Exchange Requirements -
Section 2.2.13"; Section 2.2.13";
} }
identity detect { identity detect {
base anti-virus; base anti-virus;
description description
"Identity for advanced NSF Antivirus capability to detect viruses "Identity for advanced NSF Antivirus capability to detect
using a security profile. The security profile is used to scan viruses using a security profile. The security profile is used
threats, such as virus, malware, and spyware. The NSF should to scan threats, such as virus, malware, and spyware. The NSF
be able to update the security profile."; should be able to update the security profile.";
} }
identity exception-files { identity exception-files {
base anti-virus; base anti-virus;
description description
"Identity for advanced NSF Antivirus capability to exclude a "Identity for advanced NSF Antivirus capability to exclude a
certain file type or name from detection."; certain file type or name from detection.";
} }
identity pre-defined { identity pre-defined {
base url-filtering; base url-filtering;
description description
"Identity for pre-defined URL Database condition capability. "Identity for pre-defined URL Database condition capability.
where URL database is a public database for URL filtering."; where URL database is a public database for URL filtering.";
} }
identity user-defined { identity user-defined {
skipping to change at page 42, line 42 skipping to change at page 42, line 49
} }
description description
"System alarm capabilities"; "System alarm capabilities";
} }
leaf-list time-capabilities { leaf-list time-capabilities {
type identityref { type identityref {
base time; base time;
} }
description description
"The capabilities for activating the policy within a specific "The capabilities for activating the policy within a
time."; specific time.";
} }
} }
container condition-capabilities { container condition-capabilities {
description description
"Conditions capabilities."; "Conditions capabilities.";
container generic-nsf-capabilities { container generic-nsf-capabilities {
description description
"Conditions capabilities. "Conditions capabilities.
If a network security function has the condition If a network security function has the condition
capabilities, the network security function capabilities, the network security function
supports rule execution according to conditions of supports rule execution according to conditions of
IPv4, IPv6, TCP, UDP, SCTP, DCCP, ICMP, or ICMPv6."; IPv4, IPv6, TCP, UDP, SCTP, DCCP, ICMP, or ICMPv6.";
reference reference
"RFC 768: User Datagram Protocol - UDP. "RFC 768: User Datagram Protocol - UDP.
RFC 791: Internet Protocol - IPv4. RFC 791: Internet Protocol - IPv4.
RFC 792: Internet Control Message Protocol - ICMP. RFC 792: Internet Control Message Protocol - ICMP.
RFC 793: Transmission Control Protocol - TCP. RFC 793: Transmission Control Protocol - TCP.
RFC 4443: Internet Control Message Protocol (ICMPv6) RFC 4443: Internet Control Message Protocol (ICMPv6)
skipping to change at page 44, line 34 skipping to change at page 44, line 41
} }
leaf-list tcp-capability { leaf-list tcp-capability {
type identityref { type identityref {
base tcp; base tcp;
} }
description description
"TCP packet capabilities"; "TCP packet capabilities";
reference reference
"RFC 793: Transmission Control Protocol - TCP "RFC 793: Transmission Control Protocol - TCP
draft-ietf-tcpm-rfc793bis-24: Transmission Control draft-ietf-tcpm-rfc793bis-25: Transmission Control
Protocol (TCP) Specification"; Protocol (TCP) Specification";
} }
leaf-list udp-capability { leaf-list udp-capability {
type identityref { type identityref {
base udp; base udp;
} }
description description
"UDP packet capabilities"; "UDP packet capabilities";
reference reference
skipping to change at page 46, line 45 skipping to change at page 47, line 4
} }
description description
"Context capabilities based on the device attribute that "Context capabilities based on the device attribute that
can identify a device type can identify a device type
(i.e., router, switch, pc, ios, or android)."; (i.e., router, switch, pc, ios, or android).";
} }
leaf-list user-condition-capabilities { leaf-list user-condition-capabilities {
type identityref { type identityref {
base user-condition; base user-condition;
} }
description description
"Context capabilities based on user condition, such as "Context capabilities based on user condition, such as
user-id or user-name. The users can collected into a user-id or user-name. The users can collected into a
user-group and identified with group-id or group-name. user-group and identified with group-id or group-name.
An NSF is aware of the IP address of the user provided by An NSF is aware of the IP address of the user provided
a unified user management system via network. Based on by a unified user management system via network. Based
name-address association, an NSF is able to enforce the on name-address association, an NSF is able to enforce
security functions over the given user (or user group)"; the security functions over the given user (or user
group)";
} }
leaf-list geography-capabilities { leaf-list geography-capabilities {
type identityref { type identityref {
base geography-location; base geography-location;
} }
description description
"Context condition capabilities based on the geographical "Context condition capabilities based on the geographical
location of the source or destination"; location of the source or destination";
} }
skipping to change at page 51, line 33 skipping to change at page 51, line 42
<https://www.rfc-editor.org/info/rfc791>. <https://www.rfc-editor.org/info/rfc791>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981, RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>. <https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May
1983, <https://www.rfc-editor.org/info/rfc854>.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
<https://www.rfc-editor.org/info/rfc959>.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<https://www.rfc-editor.org/info/rfc1939>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS "Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC 2474, Field) in the IPv4 and IPv6 Headers", RFC 2474,
DOI 10.17487/RFC2474, December 1998, DOI 10.17487/RFC2474, December 1998,
<https://www.rfc-editor.org/info/rfc2474>. <https://www.rfc-editor.org/info/rfc2474>.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616,
DOI 10.17487/RFC2616, June 1999,
<https://www.rfc-editor.org/info/rfc2616>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>.
[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
of Explicit Congestion Notification (ECN) to IP", of Explicit Congestion Notification (ECN) to IP",
RFC 3168, DOI 10.17487/RFC3168, September 2001, RFC 3168, DOI 10.17487/RFC3168, September 2001,
<https://www.rfc-editor.org/info/rfc3168>. <https://www.rfc-editor.org/info/rfc3168>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
skipping to change at page 52, line 34 skipping to change at page 53, line 11
Congestion Control Protocol (DCCP)", RFC 4340, Congestion Control Protocol (DCCP)", RFC 4340,
DOI 10.17487/RFC4340, March 2006, DOI 10.17487/RFC4340, March 2006,
<https://www.rfc-editor.org/info/rfc4340>. <https://www.rfc-editor.org/info/rfc4340>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89, Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006, RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>. <https://www.rfc-editor.org/info/rfc4443>.
[RFC4766] Wood, M. and M. Erlinger, "Intrusion Detection Message
Exchange Requirements", RFC 4766, DOI 10.17487/RFC4766,
March 2007, <https://www.rfc-editor.org/info/rfc4766>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007, RFC 4960, DOI 10.17487/RFC4960, September 2007,
<https://www.rfc-editor.org/info/rfc4960>. <https://www.rfc-editor.org/info/rfc4960>.
[RFC5101] Claise, B., Ed., "Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP Traffic
Flow Information", RFC 5101, DOI 10.17487/RFC5101, January
2008, <https://www.rfc-editor.org/info/rfc5101>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>.
[RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol [RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol
(DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595, (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595,
September 2009, <https://www.rfc-editor.org/info/rfc5595>. September 2009, <https://www.rfc-editor.org/info/rfc5595>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
skipping to change at page 54, line 41 skipping to change at page 55, line 33
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
[RFC8519] Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
"YANG Data Model for Network Access Control Lists (ACLs)",
RFC 8519, DOI 10.17487/RFC8519, March 2019,
<https://www.rfc-editor.org/info/rfc8519>.
[I-D.ietf-tcpm-accurate-ecn] [I-D.ietf-tcpm-accurate-ecn]
Briscoe, B., Kühlewind, M., and R. Scheffenegger, "More Briscoe, B., Kühlewind, M., and R. Scheffenegger, "More
Accurate ECN Feedback in TCP", Work in Progress, Internet- Accurate ECN Feedback in TCP", Work in Progress, Internet-
Draft, draft-ietf-tcpm-accurate-ecn-15, 12 July 2021, Draft, draft-ietf-tcpm-accurate-ecn-15, 12 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm-accurate- <https://www.ietf.org/archive/id/draft-ietf-tcpm-accurate-
ecn-15.txt>. ecn-15.txt>.
[I-D.ietf-tsvwg-udp-options] [I-D.ietf-tsvwg-udp-options]
Touch, J., "Transport Options for UDP", Work in Progress, Touch, J., "Transport Options for UDP", Work in Progress,
Internet-Draft, draft-ietf-tsvwg-udp-options-13, 19 June Internet-Draft, draft-ietf-tsvwg-udp-options-13, 19 June
2021, <https://www.ietf.org/archive/id/draft-ietf-tsvwg- 2021, <https://www.ietf.org/archive/id/draft-ietf-tsvwg-
udp-options-13.txt>. udp-options-13.txt>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-08, 29 April 2021, i2nsf-nsf-monitoring-data-model-09, 24 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-08.txt>. monitoring-data-model-09.txt>.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", Work in Progress, Internet-Draft, draft-ietf- Data Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-facing-interface-dm-12, 8 March 2021, i2nsf-nsf-facing-interface-dm-13, 15 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
facing-interface-dm-12.txt>. facing-interface-dm-13.txt>.
[I-D.ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park,
"I2NSF Registration Interface YANG Data Model", Work in "I2NSF Registration Interface YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-registration- Progress, Internet-Draft, draft-ietf-i2nsf-registration-
interface-dm-10, 21 February 2021, interface-dm-11, 21 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
registration-interface-dm-10.txt>. registration-interface-dm-11.txt>.
10.2. Informative References 10.2. Informative References
[RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)", [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)",
RFC 6691, DOI 10.17487/RFC6691, July 2012, RFC 6691, DOI 10.17487/RFC6691, July 2012,
<https://www.rfc-editor.org/info/rfc6691>. <https://www.rfc-editor.org/info/rfc6691>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, Considerations for Internet Protocols", RFC 6973,
skipping to change at page 56, line 18 skipping to change at page 57, line 8
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
Kumari, "A Format for Self-Published IP Geolocation Kumari, "A Format for Self-Published IP Geolocation
Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
<https://www.rfc-editor.org/info/rfc8805>. <https://www.rfc-editor.org/info/rfc8805>.
[I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tcpm-rfc793bis]
Eddy, W. M., "Transmission Control Protocol (TCP) Eddy, W. M., "Transmission Control Protocol (TCP)
Specification", Work in Progress, Internet-Draft, draft- Specification", Work in Progress, Internet-Draft, draft-
ietf-tcpm-rfc793bis-24, 12 July 2021, ietf-tcpm-rfc793bis-25, 7 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm- <https://www.ietf.org/archive/id/draft-ietf-tcpm-
rfc793bis-24.txt>. rfc793bis-25.txt>.
[IANA-Protocol-Numbers] [IANA-Protocol-Numbers]
"Assigned Internet Protocol Numbers", Available: "Assigned Internet Protocol Numbers", Available:
https://www.iana.org/assignments/protocol- https://www.iana.org/assignments/protocol-
numbers/protocol-numbers.xhtml, September 2020. numbers/protocol-numbers.xhtml, September 2020.
[IEEE802.3-2018]
Committee, I. S., "IEEE 802.3-2018 - IEEE Standard for
Ethernet", August 2018,
<https://ieeexplore.ieee.org/document/8457469>.
[Alshaer] Shaer, Al., Hamed, E., and H. Hamed, "Modeling and [Alshaer] Shaer, Al., Hamed, E., and H. Hamed, "Modeling and
management of firewall policies", 2004. management of firewall policies", 2004.
[Galitsky] Galitsky, B. and R. Pampapathi, "Can many agents answer [Galitsky] Galitsky, B. and R. Pampapathi, "Can many agents answer
questions better than one", First questions better than one", First
Monday http://dx.doi.org/10.5210/fm.v10i1.1204, 2005. Monday http://dx.doi.org/10.5210/fm.v10i1.1204, 2005.
[Hirschman] [Hirschman]
Hirschman, L. and R. Gaizauskas, "Natural Language Hirschman, L. and R. Gaizauskas, "Natural Language
Question Answering: The View from Here", Natural Language Question Answering: The View from Here", Natural Language
skipping to change at page 57, line 26 skipping to change at page 58, line 21
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name> <nsf-name>general_firewall</nsf-name>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>next-header</ipv4-capability> <ipv4-capability>next-header</ipv4-capability>
<ipv4-capability>flow-direction</ipv4-capability> <ipv4-capability>flow-direction</ipv4-capability>
<ipv4-capability>source-address</ipv4-capability> <ipv4-capability>source-address</ipv4-capability>
<ipv4-capability>destination-address</ipv4-capability> <ipv4-capability>destination-address</ipv4-capability>
<tcp-capability>source-port-number</tcp-capability> <tcp-capability>source-port-number</tcp-capability>
<tcp-capability>destination-port-number</tcp-capability> <tcp-capability>destination-port-number</tcp-capability>
<udp-capability>source-port-num</udp-capability> <udp-capability>source-port-number</udp-capability>
<udp-capability>destination-port-num</udp-capability> <udp-capability>destination-port-number</udp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>mirror</ingress-action-capability> <ingress-action-capability>mirror</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>mirror</egress-action-capability> <egress-action-capability>mirror</egress-action-capability>
</action-capabilities> </action-capabilities>
skipping to change at page 58, line 21 skipping to change at page 59, line 15
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>general_firewall</nsf-name> <nsf-name>general_firewall</nsf-name>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>next-header</ipv6-capability> <ipv6-capability>next-header</ipv6-capability>
<ipv6-capability>flow-direction</ipv6-capability> <ipv6-capability>flow-direction</ipv6-capability>
<ipv6-capability>source-address</ipv6-capability> <ipv6-capability>source-address</ipv6-capability>
<ipv6-capability>destination-address</ipv6-capability> <ipv6-capability>destination-address</ipv6-capability>
<tcp-capability>source-port-number</tcp-capability> <tcp-capability>source-port-number</tcp-capability>
<tcp-capability>destination-port-number</tcp-capability> <tcp-capability>destination-port-number</tcp-capability>
<udp-capability>source-port-num</udp-capability> <udp-capability>source-port-number</udp-capability>
<udp-capability>destination-port-num</udp-capability> <udp-capability>destination-port-number</udp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>mirror</ingress-action-capability> <ingress-action-capability>mirror</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>mirror</egress-action-capability> <egress-action-capability>mirror</egress-action-capability>
</action-capabilities> </action-capabilities>
skipping to change at page 59, line 23 skipping to change at page 60, line 13
IPv6 network. IPv6 network.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>time_based_firewall</nsf-name> <nsf-name>time_based_firewall</nsf-name>
<event-capabilities> <event-capabilities>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
</event-capabilities> </event-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>next-header</ipv4-capability>
<ipv4-capability>flow-direction</ipv4-capability> <ipv4-capability>flow-direction</ipv4-capability>
<ipv4-capability>source-address</ipv4-capability> <ipv4-capability>source-address</ipv4-capability>
<ipv4-capability>destination-address</ipv4-capability> <ipv4-capability>destination-address</ipv4-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>mirror</ingress-action-capability> <ingress-action-capability>mirror</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
skipping to change at page 62, line 9 skipping to change at page 63, line 9
A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
Filter Filter
This section shows a configuration example for the capabilities This section shows a configuration example for the capabilities
registration of a VoIP/VoLTE filter. registration of a VoIP/VoLTE filter.
<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-name>voip_volte_filter</nsf-name> <nsf-name>voip_volte_filter</nsf-name>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>call-id</voip-volte-capability> <voip-volte-filtering-capability>
call-id
</voip-volte-filtering-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>pass</ingress-action-capability>
<ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability>
<ingress-action-capability>mirror</ingress-action-capability> <ingress-action-capability>mirror</ingress-action-capability>
<egress-action-capability>pass</egress-action-capability> <egress-action-capability>pass</egress-action-capability>
<egress-action-capability>drop</egress-action-capability> <egress-action-capability>drop</egress-action-capability>
<egress-action-capability>mirror</egress-action-capability> <egress-action-capability>mirror</egress-action-capability>
</action-capabilities> </action-capabilities>
 End of changes. 91 change blocks. 
122 lines changed or deleted 168 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/