--- 1/draft-ietf-i2nsf-capability-data-model-17.txt 2021-09-15 09:13:14.382067813 -0700 +++ 2/draft-ietf-i2nsf-capability-data-model-18.txt 2021-09-15 09:13:14.498070728 -0700 @@ -1,24 +1,24 @@ I2NSF Working Group S. Hares, Ed. Internet-Draft Huawei Intended status: Standards Track J. Jeong, Ed. -Expires: 15 February 2022 J. Kim +Expires: 19 March 2022 J. Kim Sungkyunkwan University R. Moskowitz HTT Consulting Q. Lin Huawei - 14 August 2021 + 15 September 2021 I2NSF Capability YANG Data Model - draft-ietf-i2nsf-capability-data-model-17 + draft-ietf-i2nsf-capability-data-model-18 Abstract This document defines an information model and the corresponding YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 15 February 2022. + This Internet-Draft will expire on 19 March 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -55,40 +55,40 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Information Model of I2NSF NSF Capability . . . . . . . . . . 4 3.1. Design Principles and ECA Policy Model . . . . . . . . . 5 3.2. Conflict, Resolution Strategy and Default Action . . . . 8 4. Overview of YANG Data Model . . . . . . . . . . . . . . . . . 10 5. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 12 5.1. Network Security Function (NSF) Capabilities . . . . . . 12 6. YANG Data Model of I2NSF NSF Capability . . . . . . . . . . . 15 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 49 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 49 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 50 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . 51 - 10.2. Informative References . . . . . . . . . . . . . . . . . 55 + 10.2. Informative References . . . . . . . . . . . . . . . . . 56 Appendix A. Configuration Examples . . . . . . . . . . . . . . . 57 A.1. Example 1: Registration for the Capabilities of a General - Firewall . . . . . . . . . . . . . . . . . . . . . . . . 57 + Firewall . . . . . . . . . . . . . . . . . . . . . . . . 58 A.2. Example 2: Registration for the Capabilities of a Time-based Firewall . . . . . . . . . . . . . . . . . . . 59 A.3. Example 3: Registration for the Capabilities of a Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . 61 A.4. Example 4: Registration for the Capabilities of a VoIP/ - VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 61 + VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 62 A.5. Example 5: Registration for the Capabilities of a HTTP and - HTTPS Flood Mitigator . 
. . . . . . . . . . . . . . . . . 62 - Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 63 - Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 64 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65 + HTTPS Flood Mitigator . . . . . . . . . . . . . . . . . . 63 + Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 64 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 65 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 1. Introduction As the industry becomes more sophisticated and network devices (e.g., Internet-of-Things (IoT) devices, autonomous vehicles, and smartphones using Voice over IP (VoIP) and Voice over LTE (VoLTE)) require advanced security protection in various scenarios, security service providers have a lot of problems described in [RFC8192] to provide such network devices with efficient and reliable security services in network infrastructure. To resolve these problems, this 
@@ -532,31 +532,33 @@ module: ietf-i2nsf-capability +--rw nsf* [nsf-name] +--rw nsf-name string +--rw directional-capabilities* identityref +--rw event-capabilities | +--rw system-event-capability* identityref | +--rw system-alarm-capability* identityref | +--rw time-capabilities* identityref +--rw condition-capabilities | +--rw generic-nsf-capabilities + | | +--rw ethernet-capability* identityref | | +--rw ipv4-capability* identityref | | +--rw ipv6-capability* identityref | | +--rw icmpv4-capability* identityref | | +--rw icmpv6-capability* identityref | | +--rw tcp-capability* identityref | | +--rw udp-capability* identityref | | +--rw sctp-capability* identityref | | +--rw dccp-capability* identityref | +--rw advanced-nsf-capabilities | | +--rw anti-ddos-capability* identityref | | +--rw ips-capability* identityref + | | +--rw anti-virus-capability* identityref | | +--rw url-capability* identityref | | +--rw voip-volte-filtering-capability* identityref | +--rw context-capabilities | +--rw application-filter-capabilities* identityref | +--rw target-capabilities* identityref | +--rw user-condition-capabilities* identityref | +--rw geography-capabilities* identityref +--rw action-capabilities | +--rw ingress-action-capability* identityref | +--rw egress-action-capability* identityref 
@@ -660,87 +662,101 @@ 6. YANG Data Model of I2NSF NSF Capability This section introduces a YANG module for NSFs' capabilities, as defined in the Section 3. It makes references to * [RFC0768] * [RFC0791] - * [RFC0792] * [RFC0793] + + * [RFC0854] + + * [RFC0959] + + * [RFC1939] + * [RFC2474] + * [RFC2616] + + * [RFC2818] + * [RFC3168] * [RFC3261] * [RFC3501] * [RFC4340] * [RFC4443] + * [RFC4766] + * [RFC4960] + * [RFC5101] + + * [RFC5321] + * [RFC5595] * [RFC6335] * [RFC6437] * [RFC6691] * [RFC6864] * [RFC7230] * [RFC7231] - - * [RFC7296] - * [RFC7323] * [RFC8200] * [RFC8329] - * [RFC8519] - * [RFC8805] + * [IEEE802.3-2018] + * [IANA-Protocol-Numbers] * [I-D.ietf-tcpm-rfc793bis] * [I-D.ietf-tcpm-accurate-ecn] * [I-D.ietf-tsvwg-udp-options] + * [I-D.ietf-i2nsf-nsf-monitoring-data-model] - file "ietf-i2nsf-capability@2021-08-14.yang" + file "ietf-i2nsf-capability@2021-09-15.yang" module ietf-i2nsf-capability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; prefix nsfcap; organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact - "WG Web: + "WG Web: WG List: Editor: Jaehoon Paul Jeong Editor: Jinyong Tim Kim Editor: Patrick Lingga @@ -762,21 +778,21 @@ Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. - revision "2021-08-14"{ + revision "2021-09-15"{ description "Initial revision."; reference "RFC XXXX: I2NSF Capability YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } /* * Identities 
@@ -1043,56 +1055,55 @@ "Identity for bidirectional traffic flow."; reference "RFC 5101: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information - Terminology Bidirectional Flow"; } identity protocol { description - "Base identity for Internet Protocols"; + "Base identity for protocols"; } identity ethernet { base protocol; description - "Base identity for data link layer protocol."; + "Base identity for Ethernet protocol."; } identity source-mac-address { base ethernet; description "Identity for the capability of matching Media Access Control (MAC) source address(es) condition capability."; reference - "IEEE 802.3: IEEE Standard for Ethernet"; + "IEEE 802.3 - 2018: IEEE Standard for Ethernet"; } identity destination-mac-address { base ethernet; description "Identity for the capability of matching Media Access Control (MAC) destination address(es) condition capability."; reference - "IEEE 802.3: IEEE Standard for Ethernet"; + "IEEE 802.3 - 2018: IEEE Standard for Ethernet"; } identity ether-type { base ethernet; description - "Identity for the capability of matching the EtherType of a - packet."; + "Identity for the capability of matching the EtherType in + Ethernet II and Length in Ethernet 802.3 of a packet."; reference - "IEEE 802.3: IEEE Standard for Ethernet"; + "IEEE 802.3 - 2018: IEEE Standard for Ethernet"; } - identity ip { base protocol; description "Base identity for internet/network layer protocol, e.g., IPv4, IPv6, and ICMP."; } identity ipv4 { base ip; description 
@@ -1122,42 +1133,41 @@ Services Field (DS Field) in the IPv4 and IPv6 Headers RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Traffic Class"; } identity length { base ipv4; base ipv6; description - "Identity for the capability of matching IPv4 Total Length header - field or IPv6 Payload Length header field. + "Identity for the capability of matching IPv4 Total Length + header field or IPv6 Payload Length header field. - IPv4 Total Length is the length of datagram, measured in octets, - including internet header and data. + IPv4 Total Length is the length of datagram, measured in + octets, including internet header and data. - IPv6 Payload Length is the length of the IPv6 payload, i.e., the - rest of the packet following the IPv6 header, measured in + IPv6 Payload Length is the length of the IPv6 payload, i.e., + the rest of the packet following the IPv6 header, measured in octets."; reference "RFC 791: Internet Protocol - Total Length RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Payload Length"; } identity ttl { base ipv4; base ipv6; description - "Identity for the capability of matching IPv4 Time-To-Live (TTL) - or IPv6 Hop Limit."; - + "Identity for the capability of matching IPv4 Time-To-Live + (TTL) or IPv6 Hop Limit."; reference "RFC 791: Internet Protocol - Time To Live (TTL) RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Hop Limit"; } identity next-header { base ipv4; base ipv6; description 
@@ -1180,22 +1190,22 @@ reference "RFC 791: Internet Protocol - Address RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Source Address"; } identity destination-address { base ipv4; base ipv6; description - "Identity for the capability of matching IPv4 or IPv6 destination - address(es) condition capability."; + "Identity for the capability of matching IPv4 or IPv6 + destination address(es) condition capability."; reference "RFC 791: Internet Protocol - Address RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - Destination Address"; } identity flow-direction { base ipv4; base ipv6; description @@ -1362,31 +1375,31 @@ reference "RFC 792: Internet Control Message Protocol RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification - ICMPv6"; } identity transport-protocol { base protocol; description - "Base identity for Layer 4 protocol condition capabilities, e.g., - TCP, UDP, SCTP, DCCP, and ICMP"; + "Base identity for Layer 4 protocol condition capabilities, + e.g., TCP, UDP, SCTP, and DCCP"; } identity tcp { base transport-protocol; description "Base identity for TCP condition capabilities"; reference "RFC 793: Transmission Control Protocol - draft-ietf-tcpm-rfc793bis: Transmission Control Protocol + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification"; } identity udp { base transport-protocol; description "Base identity for UDP condition capabilities"; reference "RFC 768: User Datagram Protocol"; } 
@@ -1409,62 +1423,63 @@ identity source-port-number { base tcp; base udp; base sctp; base dccp; description "Identity for matching TCP, UDP, SCTP, and DCCP source port number condition capability"; reference "RFC 793: Transmission Control Protocol - Port Number - draft-ietf-tcpm-rfc793bis: Transmission Control Protocol + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification RFC 768: User Datagram Protocol RFC 4960: Stream Control Transmission Protocol RFC 4340: Datagram Congestion Control Protocol"; + } identity destination-port-number { base tcp; base udp; base sctp; base dccp; description - "Identity for matching TCP, UDP, SCTP, and DCCP destination port - number condition capability"; + "Identity for matching TCP, UDP, SCTP, and DCCP destination + port number condition capability"; reference "RFC 793: Transmission Control Protocol - Port Number - draft-ietf-tcpm-rfc793bis: Transmission Control Protocol + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification"; } identity flags { base tcp; description "Identity for TCP control bits (flags) condition capability"; reference "RFC 793: Transmission Control Protocol - Flags RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP - TCP Header Flags - draft-ietf-tcpm-rfc793bis: Transmission Control Protocol + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification draft-ietf-tcpm-accurate-ecn: More Accurate ECN Feedback in TCP"; } identity tcp-options { base tcp; description "Identity for TCP options condition capability."; reference "RFC 793: Transmission Control Protocol - Options - draft-ietf-tcpm-rfc793bis: Transmission Control Protocol + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification RFC 6691: TCP Options and Maximum Segment Size RFC 7323: TCP Extensions for High Performance"; } identity total-length { base udp; description "Identity for matching UDP total-length condition capability. 
The UDP total length can be smaller than the IP transport 
@@ -1507,91 +1523,86 @@ identity application-protocol { base protocol; description "Base identity for Application protocol"; } identity http { base application-protocol; description - "The identity for HTTP protocol."; + "The identity for Hypertext Transfer Protocol."; reference "RFC 2616: Hypertext Transfer Protocol (HTTP) RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content"; } identity https { base application-protocol; description - "The identity for HTTPS protocol."; + "The identity for Hypertext Transfer Protocol Secure."; reference "RFC 2818: HTTP over TLS (HTTPS) RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content"; } + identity ftp { base application-protocol; description - "The identity for ftp protocol."; + "The identity for File Transfer Protocol."; reference "RFC 959: File Transfer Protocol (FTP)"; } identity ssh { base application-protocol; description - "The identity for ssh protocol."; + "The identity for Secure Shell (SSH) protocol."; reference "RFC 4250: The Secure Shell (SSH) Protocol"; } identity telnet { base application-protocol; description "The identity for telnet."; reference "RFC 854: Telnet Protocol"; } identity smtp { base application-protocol; description - "The identity for smtp."; + "The identity for Simple Mail Transfer Protocol."; reference "RFC 5321: Simple Mail Transfer Protocol (SMTP)"; - } - identity sftp { - base application-protocol; - description - "The identity for sftp."; - reference - "RFC 913: Simple File Transfer Protocol (SFTP)"; } identity pop3 { base application-protocol; description - "The identity for pop3."; + "The identity for Post Office Protocol 3."; reference - "RFC 1081: Post Office Protocol - Version 3 (POP3)"; + "RFC 1939: Post Office Protocol - Version 3 (POP3)"; } + identity imap { base application-protocol; description 
- "The identity for Internet Message Access Protocol (IMAP)."; + "The identity for Internet Message Access Protocol."; reference "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"; } identity action { description "Base identity for action capability"; } identity log-action { @@ -1657,35 +1667,33 @@ "Identity for drop action capability. The drop action denies packet to go through the NSF entering or exiting the internal network."; } identity mirror { base ingress-action; base egress-action; base default-action; description - "Identity for mirror action capability. The mirror action copies - packet and send it to the monitoring entity while still allow - the packet or flow to go through the NSF."; + "Identity for mirror action capability. The mirror action + copies packet and send it to the monitoring entity while still + allow the packet or flow to go through the NSF."; } - identity rate-limit { base ingress-action; base egress-action; base default-action; description "Identity for rate limiting action capability. The rate limit - action limits the number of packets or flows that can go through - the NSF by dropping packets or flows (randomly or + action limits the number of packets or flows that can go + through the NSF by dropping packets or flows (randomly or systematically)."; - } identity invoke-signaling { base egress-action; description "Identity for invoke signaling action capability"; } identity tunnel-encapsulation { base egress-action; 
@@ -1759,34 +1767,36 @@ Intrusion Prevention System (IPS), URL-Filtering, Antivirus, and VoIP/VoLTE Filter."; } identity attack-mitigation-control { base advanced-nsf; description "Base identity for attack mitigation control. Attack mitigation control is an NSF that mitigates an attack such as anti-DDoS or DDoS-mitigator."; + } identity ips { base content-security-control; description "Base identity for IPS (Intrusion Prevention System) capability that prevents malicious activity within a network"; } + identity url-filtering { base content-security-control; description - "Base identity for url filtering capability that limits access by - comparing the web traffic's URL with the URLs for web filtering - in a database"; + "Base identity for url filtering capability that limits access + by comparing the web traffic's URL with the URLs for web + filtering in a database"; } identity anti-virus { base content-security-control; description "Base identity for anti-virus capability to protect the network by detecting and removing viruses."; } identity voip-volte-filtering { 
@@ -1794,32 +1804,32 @@ description "Base identity for advanced NSF VoIP/VoLTE Security Service capability to filter the VoIP/VoLTE packets or flows."; reference "RFC 3261: SIP: Session Initiation Protocol"; } identity anti-ddos { base attack-mitigation-control; description - "Base identity for advanced NSF Anti-DDoS Attack or DDoS Mitigator - capability."; + "Base identity for advanced NSF Anti-DDoS Attack or DDoS + Mitigator capability."; } identity packet-rate { base anti-ddos; description "Identity for advanced NSF Anti-DDoS detecting Packet Rate - Capability where a packet rate is defined as the arrival rate of - Packets toward a victim destination node. The NSF with this - capability can detect the incoming packet rate and create an - alert if the rate exceeds the threshold."; + Capability where a packet rate is defined as the arrival rate + of Packets toward a victim destination node. The NSF with + this capability can detect the incoming packet rate and create + an alert if the rate exceeds the threshold."; } identity flow-rate { base anti-ddos; description "Identity for advanced NSF Anti-DDoS detecting Flow Rate Capability where a flow rate is defined as the arrival rate of flows towards a victim destination node. The NSF with this capability can detect the incoming flow rate and create an 
@@ -1852,32 +1862,31 @@ "Identity for the capability of IPS to exclude signatures from detecting the intrusion."; reference "RFC 4766: Intrusion Detection Message Exchange Requirements - Section 2.2.13"; } identity detect { base anti-virus; description - "Identity for advanced NSF Antivirus capability to detect viruses - using a security profile. The security profile is used to scan - threats, such as virus, malware, and spyware. The NSF should - be able to update the security profile."; + "Identity for advanced NSF Antivirus capability to detect + viruses using a security profile. The security profile is used + to scan threats, such as virus, malware, and spyware. The NSF + should be able to update the security profile."; } identity exception-files { base anti-virus; description "Identity for advanced NSF Antivirus capability to exclude a certain file type or name from detection."; - } identity pre-defined { base url-filtering; description "Identity for pre-defined URL Database condition capability. where URL database is a public database for URL filtering."; } identity user-defined { @@ -1950,32 +1958,30 @@ } description "System alarm capabilities"; } leaf-list time-capabilities { type identityref { base time; } description - "The capabilities for activating the policy within a specific - time."; + "The capabilities for activating the policy within a + specific time."; } } - container condition-capabilities { description "Conditions capabilities."; container generic-nsf-capabilities { description "Conditions capabilities. - If a network security function has the condition capabilities, the network security function supports rule execution according to conditions of IPv4, IPv6, TCP, UDP, SCTP, DCCP, ICMP, or ICMPv6."; reference "RFC 768: User Datagram Protocol - UDP. RFC 791: Internet Protocol - IPv4. RFC 792: Internet Control Message Protocol - ICMP. RFC 793: Transmission Control Protocol - TCP. RFC 4443: Internet Control Message Protocol (ICMPv6) 
@@ -2040,21 +2047,21 @@ } leaf-list tcp-capability { type identityref { base tcp; } description "TCP packet capabilities"; reference "RFC 793: Transmission Control Protocol - TCP - draft-ietf-tcpm-rfc793bis-24: Transmission Control + draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol (TCP) Specification"; } leaf-list udp-capability { type identityref { base udp; } description "UDP packet capabilities"; reference @@ -2146,29 +2154,31 @@ } description "Context capabilities based on the device attribute that can identify a device type (i.e., router, switch, pc, ios, or android)."; } leaf-list user-condition-capabilities { type identityref { base user-condition; + } description "Context capabilities based on user condition, such as user-id or user-name. The users can collected into a user-group and identified with group-id or group-name. - An NSF is aware of the IP address of the user provided by - a unified user management system via network. Based on - name-address association, an NSF is able to enforce the - security functions over the given user (or user group)"; + An NSF is aware of the IP address of the user provided + by a unified user management system via network. Based + on name-address association, an NSF is able to enforce + the security functions over the given user (or user + group)"; } leaf-list geography-capabilities { type identityref { base geography-location; } description "Context condition capabilities based on the geographical location of the source or destination"; } 
@@ -2367,31 +2377,53 @@ . [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, . [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981, . + [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol + Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May + 1983, . + + [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", + STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, + . + + [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", + STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, + . + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998, . + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext + Transfer Protocol -- HTTP/1.1", RFC 2616, + DOI 10.17487/RFC2616, June 1999, + . + + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, + DOI 10.17487/RFC2818, May 2000, + . + [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, DOI 10.17487/RFC3168, September 2001, . [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . 
@@ -2412,24 +2444,37 @@ Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006, . [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006, . + [RFC4766] Wood, M. and M. Erlinger, "Intrusion Detection Message + Exchange Requirements", RFC 4766, DOI 10.17487/RFC4766, + March 2007, . + [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007, . + [RFC5101] Claise, B., Ed., "Specification of the IP Flow Information + Export (IPFIX) Protocol for the Exchange of IP Traffic + Flow Information", RFC 5101, DOI 10.17487/RFC5101, January + 2008, . + + [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, + DOI 10.17487/RFC5321, October 2008, + . + [RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595, September 2009, . [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 
@@ -2514,61 +2559,56 @@ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . - [RFC8519] Jethanandani, M., Agarwal, S., Huang, L., and D. Blair, - "YANG Data Model for Network Access Control Lists (ACLs)", - RFC 8519, DOI 10.17487/RFC8519, March 2019, - . - [I-D.ietf-tcpm-accurate-ecn] Briscoe, B., Kühlewind, M., and R. Scheffenegger, "More Accurate ECN Feedback in TCP", Work in Progress, Internet- Draft, draft-ietf-tcpm-accurate-ecn-15, 12 July 2021, . [I-D.ietf-tsvwg-udp-options] Touch, J., "Transport Options for UDP", Work in Progress, Internet-Draft, draft-ietf-tsvwg-udp-options-13, 19 June 2021, . [I-D.ietf-i2nsf-nsf-monitoring-data-model] Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-monitoring-data-model-08, 29 April 2021, + i2nsf-nsf-monitoring-data-model-09, 24 August 2021, . + monitoring-data-model-09.txt>. [I-D.ietf-i2nsf-nsf-facing-interface-dm] Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-facing-interface-dm-12, 8 March 2021, + i2nsf-nsf-facing-interface-dm-13, 15 August 2021, . + facing-interface-dm-13.txt>. [I-D.ietf-i2nsf-registration-interface-dm] Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, "I2NSF Registration Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-registration- - interface-dm-10, 21 February 2021, + interface-dm-11, 21 August 2021, . + registration-interface-dm-11.txt>. 10.2. Informative References [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)", RFC 6691, DOI 10.17487/RFC6691, July 2012, . 
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, @@ -2587,29 +2627,34 @@ . [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. Kumari, "A Format for Self-Published IP Geolocation Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, . [I-D.ietf-tcpm-rfc793bis] Eddy, W. M., "Transmission Control Protocol (TCP) Specification", Work in Progress, Internet-Draft, draft- - ietf-tcpm-rfc793bis-24, 12 July 2021, + ietf-tcpm-rfc793bis-25, 7 September 2021, . + rfc793bis-25.txt>. [IANA-Protocol-Numbers] "Assigned Internet Protocol Numbers", Available: https://www.iana.org/assignments/protocol- numbers/protocol-numbers.xhtml, September 2020. + [IEEE802.3-2018] + Committee, I. S., "IEEE 802.3-2018 - IEEE Standard for + Ethernet", August 2018, + . + [Alshaer] Shaer, Al., Hamed, E., and H. Hamed, "Modeling and management of firewall policies", 2004. [Galitsky] Galitsky, B. and R. Pampapathi, "Can many agents answer questions better than one", First Monday http://dx.doi.org/10.5210/fm.v10i1.1204, 2005. [Hirschman] Hirschman, L. and R. Gaizauskas, "Natural Language Question Answering: The View from Here", Natural Language @@ -2643,22 +2688,22 @@ general_firewall next-header flow-direction source-address destination-address source-port-number destination-port-number - source-port-num - destination-port-num + source-port-number + destination-port-number pass drop mirror pass drop mirror @@ -2685,22 +2730,22 @@ general_firewall next-header flow-direction source-address destination-address source-port-number destination-port-number - source-port-num - destination-port-num + source-port-number + destination-port-number pass drop mirror pass drop mirror @@ -2732,21 +2777,21 @@ IPv6 network. time_based_firewall absolute-time periodic-time - ipv4-protocol + next-header flow-direction source-address destination-address pass drop mirror pass 
@@ -2855,21 +2900,23 @@ A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE Filter This section shows a configuration example for the capabilities registration of a VoIP/VoLTE filter. voip_volte_filter - call-id + + call-id + pass drop mirror pass drop mirror
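Review bot: the tree at @@ -532 adds `ethernet-capability*` under `generic-nsf-capabilities` and `anti-virus-capability*` under `advanced-nsf-capabilities`, but no hunk in this diff adds the corresponding `leaf-list ethernet-capability { type identityref { base ethernet; } }` or `leaf-list anti-virus-capability { type identityref { base anti-virus; } }` to the module body. Confirm both leaf-lists exist in the module (the tree is normally regenerated from it with `pyang -f tree`) so the diagram and the YANG do not drift apart.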
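Review bot: at @@ -660 the Section 6 list adds [RFC2616], which is obsoleted by RFC 7230 through RFC 7235, and the `http` identity at @@ -1507 already cites RFC 7230 and RFC 7231, so the obsolete reference can be dropped rather than added. The same list still lacks [RFC4250], which the unchanged `ssh` identity cites, while [RFC8805] is removed from the list here but its entry is kept in the informative references at @@ -2587; either the module still cites RFC 8805 (then keep it in the list) or its reference entry should go as well.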
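Review bot: at @@ -1043 the three new reference strings read "IEEE 802.3 - 2018: IEEE Standard for Ethernet", but the standard's designation has no spaces around the hyphen, and the new reference anchor [IEEE802.3-2018] at @@ -2587 spells it that way; use "IEEE 802.3-2018: IEEE Standard for Ethernet" in all three places so the in-module text matches the reference entry.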
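Review bot: at @@ -1362 (and in the same edit at @@ -1409 and @@ -2040) the reference statements now pin `draft-ietf-tcpm-rfc793bis-25`, so every new rfc793bis revision will force another module revision, and the pinned number will be stale by the time this module is published. Prefer the unversioned `draft-ietf-tcpm-rfc793bis` in the module text together with an `// RFC Ed.:` note asking to replace it with the RFC number once rfc793bis is published, as the module already does for XXXX at @@ -762.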
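Review bot: at @@ -1507 the `ssh` identity is reworded but its reference line "RFC 4250: The Secure Shell (SSH) Protocol" keeps a title that is not RFC 4250's (RFC 4250 is "The Secure Shell (SSH) Protocol Assigned Numbers"); RFC 4251, "The Secure Shell (SSH) Protocol Architecture", is the usual citation for the protocol as a whole. While the neighbouring descriptions are expanded to full protocol names, the `telnet` description is left as "The identity for telnet."; "The identity for Telnet Protocol." would keep the set consistent. The change of the `pop3` reference from RFC 1081 to RFC 1939 is correct, since RFC 1939 obsoletes RFC 1081.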
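Review bot: at @@ -1657 the `mirror` description is re-wrapped but its grammar is carried over unchanged ("copies packet and send it to the monitoring entity while still allow the packet or flow"); since the lines are being touched anyway, make it "copies the packet and sends it to the monitoring entity while still allowing the packet or flow to go through the NSF." The `rate-limit` description in the same hunk reads correctly after the re-wrap.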
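Review bot: at @@ -1950 the `generic-nsf-capabilities` description still says the NSF "supports rule execution according to conditions of IPv4, IPv6, TCP, UDP, SCTP, DCCP, ICMP, or ICMPv6" and its reference list starts at RFC 768, although the tree at @@ -532 now places `ethernet-capability` in this container; add Ethernet to the enumeration and IEEE 802.3-2018 to the reference statement. The outer `condition-capabilities` container and this inner one also both carry the description "Conditions capabilities."; the inner one should say what distinguishes it (packet-header conditions for the listed protocols).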
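Review bot: at @@ -2146 the `user-condition-capabilities` description is re-wrapped but the sentence "The users can collected into a user-group" still lacks a verb; change it to "The users can be collected into a user-group" in the same edit.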
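Review bot: at @@ -2367 the new [RFC2818] entry lands in 10.1 Normative References, but RFC 2818 is an Informational RFC and is cited only from the `https` identity's reference statement, so listing it as normative creates a downref that will be flagged at IETF Last Call; move it to 10.2. The new [RFC2616] entry in the same hunk is to an obsoleted specification (see the note on @@ -660) and should be dropped or, if kept, placed in the informative section as well.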
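Review bot: at @@ -2412 the new [RFC4766] entry is to an Informational RFC cited only from the `exception-signature` identity's reference statement, so it belongs in 10.2 rather than 10.1 to avoid a downref, and the new [RFC5101] entry cites a specification that is obsoleted by RFC 7011; the `bidirectional` identity at @@ -1043 that cites RFC 5101 should be updated to RFC 7011 and the reference entry changed to match. [RFC5321] in the same hunk is fine where it is.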
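Review bot: at @@ -2587 the new [IEEE802.3-2018] entry renders its author as "Committee, I. S.", which is a personal-name rendering of an organization; give the author as the organization (IEEE) in the reference source so it does not appear as a person's surname and initials. The same hunk also moves [I-D.ietf-tcpm-rfc793bis] to -25, which is consistent with the module edits at @@ -1362, @@ -1409 and @@ -2040.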
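Review bot: at @@ -2643 (and likewise at @@ -2685 and @@ -2732) the examples are corrected from `source-port-num`/`destination-port-num` to `source-port-number`/`destination-port-number` and from `ipv4-protocol` to `next-header`, which are the identity names actually defined in the module; since -17 shipped with identityref values the module does not define, validate every Appendix A instance against the module (for example with yanglint) before -18 goes out, so the examples not touched by this diff, A.3 and A.5, are checked as well.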
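Review bot: at @@ -2855 the A.4 example gains a wrapper line on each side of `call-id`, but the element names on those added lines are not visible in this rendering of the diff; confirm they are the `voip-volte-filtering-capability` leaf-list shown under `advanced-nsf-capabilities` in the tree at @@ -532, since `call-id` is derived from `voip-volte-filtering` and is only valid inside that leaf-list.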