draft-ietf-i2nsf-consumer-facing-interface-dm-14.txt   draft-ietf-i2nsf-consumer-facing-interface-dm-15.txt 
I2NSF Working Group J. Jeong, Ed. I2NSF Working Group J. Jeong, Ed.
Internet-Draft C. Chung Internet-Draft C. Chung
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: 22 February 2022 T. Ahn Expires: 19 March 2022 T. Ahn
Korea Telecom Korea Telecom
R. Kumar R. Kumar
Juniper Networks Juniper Networks
S. Hares S. Hares
Huawei Huawei
21 August 2021 15 September 2021
I2NSF Consumer-Facing Interface YANG Data Model I2NSF Consumer-Facing Interface YANG Data Model
draft-ietf-i2nsf-consumer-facing-interface-dm-14 draft-ietf-i2nsf-consumer-facing-interface-dm-15
Abstract Abstract
This document describes an information model and a YANG data model This document describes an information model and a YANG data model
for the Consumer-Facing Interface between an Interface to Network for the Consumer-Facing Interface between an Interface to Network
Security Functions (I2NSF) User and Security Controller in an I2NSF Security Functions (I2NSF) User and Security Controller in an I2NSF
system in a Network Functions Virtualization (NFV) environment. The system in a Network Functions Virtualization (NFV) environment. The
information model defines various types of managed objects and the information model defines various types of managed objects and the
relationship among them needed to build the interface. The relationship among them needed to build the interface. The
information model is based on the "Event-Condition-Action" (ECA) information model is based on the "Event-Condition-Action" (ECA)
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 22 February 2022. This Internet-Draft will expire on 19 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 30 skipping to change at page 2, line 30
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Information Model for Policy . . . . . . . . . . . . . . . . 5 3. Information Model for Policy . . . . . . . . . . . . . . . . 5
3.1. Event Sub-model . . . . . . . . . . . . . . . . . . . . . 7 3.1. Event Sub-model . . . . . . . . . . . . . . . . . . . . . 7
3.2. Condition Sub-model . . . . . . . . . . . . . . . . . . . 8 3.2. Condition Sub-model . . . . . . . . . . . . . . . . . . . 8
3.3. Action Sub-model . . . . . . . . . . . . . . . . . . . . 10 3.3. Action Sub-model . . . . . . . . . . . . . . . . . . . . 10
4. Information Model for Policy Endpoint Groups . . . . . . . . 11 4. Information Model for Policy Endpoint Groups . . . . . . . . 11
4.1. User Group . . . . . . . . . . . . . . . . . . . . . . . 12 4.1. User Group . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. Device Group . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Device Group . . . . . . . . . . . . . . . . . . . . . . 13
4.3. Location Group . . . . . . . . . . . . . . . . . . . . . 14 4.3. Location Group . . . . . . . . . . . . . . . . . . . . . 13
4.4. URL Group . . . . . . . . . . . . . . . . . . . . . . . . 14 4.4. URL Group . . . . . . . . . . . . . . . . . . . . . . . . 14
5. Information Model for Threat Prevention . . . . . . . . . . . 15 5. Information Model for Threat Prevention . . . . . . . . . . . 15
5.1. Threat Feed . . . . . . . . . . . . . . . . . . . . . . . 15 5.1. Threat Feed . . . . . . . . . . . . . . . . . . . . . . . 15
5.2. Payload Content . . . . . . . . . . . . . . . . . . . . . 16 5.2. Payload Content . . . . . . . . . . . . . . . . . . . . . 16
6. Network Configuration Access Control Model (NACM) for I2NSF 6. Network Configuration Access Control Model (NACM) for I2NSF
Consumer-Facing Interface . . . . . . . . . . . . . . . . 17 Consumer-Facing Interface . . . . . . . . . . . . . . . . 17
7. YANG Data Model of Consumer-Facing Interface . . . . . . . . 19 7. YANG Data Model of Consumer-Facing Interface . . . . . . . . 19
7.1. YANG Module of Consumer-Facing Interface . . . . . . . . 19 7.1. YANG Module of Consumer-Facing Interface . . . . . . . . 19
8. XML Configuration Examples of High-Level Security Policy 8. XML Configuration Examples of High-Level Security Policy
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 47
8.1. Database Registration: Information of Positions and Devices 8.1. Database Registration: Information of Positions and Devices
(Endpoint Group) . . . . . . . . . . . . . . . . . . . . 46 (Endpoint Group) . . . . . . . . . . . . . . . . . . . . 47
8.2. Scenario 1: Block SNS Access during Business Hours . . . 48 8.2. Scenario 1: Block SNS Access during Business Hours . . . 49
8.3. Scenario 2: Block Malicious VoIP/VoLTE Packets Coming to a 8.3. Scenario 2: Block Malicious VoIP/VoLTE Packets Coming to a
Company . . . . . . . . . . . . . . . . . . . . . . . . . 50 Company . . . . . . . . . . . . . . . . . . . . . . . . . 51
8.4. Scenario 3: Mitigate HTTP and HTTPS Flood Attacks on a 8.4. Scenario 3: Mitigate HTTP and HTTPS Flood Attacks on a
Company Web Server . . . . . . . . . . . . . . . . . . . 51 Company Web Server . . . . . . . . . . . . . . . . . . . 52
9. XML Configuration Example of a User Group's Access Control for 9. XML Configuration Example of a User Group's Access Control for
I2NSF Consumer-Facing Interface . . . . . . . . . . . . . 52 I2NSF Consumer-Facing Interface . . . . . . . . . . . . . 53
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55
11. Security Considerations . . . . . . . . . . . . . . . . . . . 54 11. Security Considerations . . . . . . . . . . . . . . . . . . . 55
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 55 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 56
13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 55 13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 57
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 57
14.1. Normative References . . . . . . . . . . . . . . . . . . 56 14.1. Normative References . . . . . . . . . . . . . . . . . . 57
14.2. Informative References . . . . . . . . . . . . . . . . . 57 14.2. Informative References . . . . . . . . . . . . . . . . . 60
Appendix A. Changes from Appendix A. Changes from
draft-ietf-i2nsf-consumer-facing-interface-dm-13 . . . . 59 draft-ietf-i2nsf-consumer-facing-interface-dm-14 . . . . 62
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 62
1. Introduction 1. Introduction
In a framework of Interface to Network Security Functions (I2NSF) In a framework of Interface to Network Security Functions (I2NSF)
[RFC8329], each vendor can register their NSFs using a Developer's [RFC8329], each vendor can register their NSFs using a Developer's
Management System (DMS). Assuming that vendors also provide the Management System (DMS). Assuming that vendors also provide the
front-end web applications registered with an I2NSF User, the front-end web applications registered with an I2NSF User, the
Consumer-Facing Interface is required because the web applications Consumer-Facing Interface is required because the web applications
developed by each vendor need to have a standard interface specifying developed by each vendor need to have a standard interface specifying
the data types used when the I2NSF User and Security Controller the data types used when the I2NSF User and Security Controller
skipping to change at page 6, line 48 skipping to change at page 7, line 9
Action: This field identifies the action taken when a rule is Action: This field identifies the action taken when a rule is
matched. There is always an implicit action to drop matched. There is always an implicit action to drop
traffic if no rule is matched for a traffic type. See traffic if no rule is matched for a traffic type. See
details in Section 4.3. details in Section 4.3.
+--rw rules* [rule-name] +--rw rules* [rule-name]
| +--rw rule-name string | +--rw rule-name string
| +--rw priority? uint8 | +--rw priority? uint8
| +--rw event | +--rw event
| ...
| +--rw condition | +--rw condition
| ...
| +--rw actions | +--rw actions
...
Figure 3: Rule YANG Data Tree Figure 3: Rule YANG Data Tree
Note that in the case of policy conflicts, the resolution of the Note that in the case of policy conflicts, the resolution of the
conflicted policies conforms to the guidelines of "Information Model conflicted policies conforms to the guidelines of "Information Model
of NSFs Capabilities" [I-D.ietf-i2nsf-capability]. of NSFs Capabilities" [I-D.ietf-i2nsf-capability].
3.1. Event Sub-model 3.1. Event Sub-model
The Event Object contains information related to scheduling a Rule. The Event Object contains information related to scheduling a Rule.
The Rule could be activated based on a set time or security event. The Rule could be activated based on a set time or security event.
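Review bot: the Action entry's cross-reference "See details in Section 4.3." points at the Location Group section (4.3 in the table of contents); the Action Sub-model is Section 3.3, so this should read "Section 3.3". The "..." lines added under event, condition and actions in -15 are the right fix for Figure 3, since those containers are expanded in Figures 4 to 6.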
skipping to change at page 8, line 5 skipping to change at page 8, line 5
repeating" repeating"
Period: This represents the period of time the rule event is Period: This represents the period of time the rule event is
active. It can be configured by the start-time, stop-time, active. It can be configured by the start-time, stop-time,
day, date, and month. day, date, and month.
Frequency: This represents how frequent the rule should be enforced. Frequency: This represents how frequent the rule should be enforced.
There are four options: "only-once", "daily", "weekly", There are four options: "only-once", "daily", "weekly",
"monthly" or "yearly". "monthly" or "yearly".
+--rw event +--rw event
+--rw security-event identityref | +--rw security-event? identityref
+--rw time-information | +--rw time
| +--rw start-date-time? yang:date-and-time | +--rw start-date-time? yang:date-and-time
| +--rw end-date-time? yang:date-and-time | +--rw end-date-time? yang:date-and-time
| +--rw period | +--rw period
| | +--rw start-time? time | | +--rw start-time? time
| | +--rw stop-time? time | | +--rw end-time? time
| | +--rw day* identityref | | +--rw day* identityref
| | +--rw date* int32 | | +--rw date* int32
| | +--rw month* string | | +--rw month* string
+--rw frequency? enumeration | +--rw frequency? enumeration
Figure 4: Event Sub-model YANG Data Tree Figure 4: Event Sub-model YANG Data Tree
3.2. Condition Sub-model 3.2. Condition Sub-model
This object represents Conditions that Security Administrator wants This object represents Conditions that Security Administrator wants
to apply the checking on the traffic in order to determine whether to apply the checking on the traffic in order to determine whether
the set of actions in the Rule can be executed or not. The Condition the set of actions in the Rule can be executed or not. The Condition
Sub-model consists of three different types of containers each Sub-model consists of three different types of containers each
representing different cases, such as general firewall and DDoS- representing different cases, such as general firewall and DDoS-
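Review bot: the Period description still says the period "can be configured by the start-time, stop-time, day, date, and month", but the -15 tree renames stop-time to end-time, so the prose needs the same rename. The Frequency text says "There are four options" and then lists five ("only-once", "daily", "weekly", "monthly" or "yearly"); fix the count. Since the text says a rule is activated "based on a set time or security event", consider whether security-event and time should be the two cases of a YANG choice rather than two independent optional nodes; as drawn, a rule can carry both or neither, and the intended semantics of those combinations are not stated.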
skipping to change at page 10, line 5 skipping to change at page 10, line 5
Case (context-condition): This field represents a context of a Case (context-condition): This field represents a context of a
packet or flow. The context can be extended. This module packet or flow. The context can be extended. This module
provides a context of geography location. provides a context of geography location.
Case (Threat-feed-condition): This field contains the information Case (Threat-feed-condition): This field contains the information
obtained from threat-feeds (e.g., Palo-Alto, or RSA- obtained from threat-feeds (e.g., Palo-Alto, or RSA-
netwitness). This information is useful when security rule netwitness). This information is useful when security rule
condition is based on the existing threat reports gathered condition is based on the existing threat reports gathered
by other sources. by other sources.
+--rw condition +--rw condition
| +--rw firewall-condition | +--rw firewall-condition
| | +--rw source* union | | +--rw source* union
| | +--rw destination* union | | +--rw destination* union
| | +--rw transport-layer-protocol? identityref | | +--rw transport-layer-protocol? identityref
| | +--rw range-port-number | | +--rw range-port-number
| | | +--rw start-port-number? inet:port-number | | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number | | | +--rw end-port-number? inet:port-number
| | +--rw icmp* [version] | | +--rw icmp* [version]
| | +--rw version enumeration | | +--rw version enumeration
| | +--rw type* uint8 | | +--rw type* uint8
| | +--rw code* uint8 | | +--rw code* uint8
| +--rw ddos-condition | +--rw ddos-condition
| | +--rw rate-limit | | +--rw rate-limit
| | +--rw packet-rate-threshold? uint32 | | +--rw packet-rate-threshold? uint32
| | +--rw byte-rate-threshold? uint32 | | +--rw byte-rate-threshold? uint32
| | +--rw flow-rate-threshold? uint32 | | +--rw flow-rate-threshold? uint32
| +--rw anti-virus-condition | +--rw anti-virus-condition
| | +--rw exception-files* string | | +--rw exception-files* string
| +--rw payload-condition | +--rw payload-condition
| | +--rw content* | | +--rw content*
-> /i2nsf-cfi-policy/threat-preventions/payload-content/name -> /i2nsf-cfi-policy/threat-preventions/payload-content/name
| +--rw url-condition | +--rw url-condition
| | +--rw url-name? | | +--rw url-name?
-> /i2nsf-cfi-policy/endpoint-groups/url-group/name -> /i2nsf-cfi-policy/endpoint-groups/url-group/name
| +--rw voice-condition | +--rw voice-condition
| | +--rw source-id* string | | +--rw source-id* string
| | +--rw destination-id* string | | +--rw destination-id* string
| | +--rw user-agent* string | | +--rw user-agent* string
| +--rw context-condition | +--rw context-condition
| +--rw geography-location-condition | +--rw geography-location-condition
| +--rw source* | +--rw source*
-> /i2nsf-cfi-policy/endpoint-groups/location-group/name -> /i2nsf-cfi-policy/endpoint-groups/location-group/name
| +--rw destination* | +--rw destination*
-> /i2nsf-cfi-policy/endpoint-groups/location-group/name -> /i2nsf-cfi-policy/endpoint-groups/location-group/name
| | +--rw threat-feed-condition | | +--rw threat-feed-condition
| | +--rw name* | | +--rw name*
-> /i2nsf-cfi-policy/threat-preventions/threat-feed-list/name -> /i2nsf-cfi-policy/threat-preventions/threat-feed-list/name
Figure 5: Condition Sub-model YANG Data Tree Figure 5: Condition Sub-model YANG Data Tree
3.3. Action Sub-model 3.3. Action Sub-model
This object represents actions that Security Admin wants to perform This object represents actions that Security Admin wants to perform
based on certain traffic class. Figure 6 shows the YANG tree of the based on certain traffic class. Figure 6 shows the YANG tree of the
Action object. The Action object SHALL have following information: Action object. The Action object SHALL have following information:
Primary-action: This field identifies the action when a rule is Primary-action: This field identifies the action when a rule is
matched by an NSF. The action could be one of "pass", matched by an NSF. The action could be one of "pass",
"drop", "rate-limit", "mirror", "invoke-signaling", "drop", "rate-limit", "mirror", "invoke-signaling",
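Review bot: Figure 5 is mis-drawn at the bottom: geography-location-condition is shown at the same depth as its parent context-condition, its source and destination leaf-lists are shown at that same depth again, and threat-feed-condition (with its name leaf-list) is then indented one level deeper, which makes it look like a child of context-condition instead of the sibling case that the text at "Case (Threat-feed-condition)" describes. Redraw so that geography-location-condition, source and destination step in one level each and threat-feed-condition sits at the same depth as firewall-condition and context-condition. The wrapped leafref targets ("-> /i2nsf-cfi-policy/...") should also be indented under their leaf so the tree stays readable.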
skipping to change at page 12, line 6 skipping to change at page 12, line 6
+---------+---------+ +---------+---------+
^ ^
| |
+--------------+-------+--------+---------------+ +--------------+-------+--------+---------------+
0..n | 0..n | 0..n | 0..n | 0..n | 0..n | 0..n | 0..n |
+-----+----+ +------+-----+ +-------+------+ +-----+---+ +-----+----+ +------+-----+ +-------+------+ +-----+---+
|User-group| |Device-group| |Location-group| |Url-group| |User-group| |Device-group| |Location-group| |Url-group|
+----------+ +------------+ +--------------+ +---------+ +----------+ +------------+ +--------------+ +---------+
Figure 7: Endpoint Group Diagram Figure 7: Endpoint Group Diagram
+--rw endpoint-groups +--rw endpoint-groups
| +--rw user-group* [name] | +--rw user-group* [name]
| ... | ...
| +--rw device-group* [name] | +--rw device-group* [name]
| ... | ...
| +--rw location-group* [name] | +--rw location-group* [name]
| ... | ...
| +--rw url-group* [name] | +--rw url-group* [name]
| ... | ...
Figure 8: Endpoint Group YANG Data Tree Figure 8: Endpoint Group YANG Data Tree
4.1. User Group 4.1. User Group
This object represents a User-Group. Figure 9 shows the YANG tree of This object represents a User-Group. Figure 9 shows the YANG tree of
the User-Group object. The User-Group object SHALL have the the User-Group object. The User-Group object SHALL have the
following information: following information:
Name: This field identifies the name of this object. Name: This field identifies the name of this object.
mac-address: This represents the MAC address of a user in the user mac-address: This represents the MAC address of a user in the user
group. group.
Range-ipv4-address: This represents the IPv4 address range of a user Range-ipv4-address: This represents the IPv4 address range of a user
in the user group. in the user group.
Range-ipv6-address: This represents the IPv6 address range of a user Range-ipv6-address: This represents the IPv6 address range of a user
in the user group. in the user group.
+--rw user-group* [name] +--rw user-group* [name]
| +--rw name string | +--rw name string
| +--rw mac-address* yang:mac-address | +--rw mac-address* yang:mac-address
| +--rw (match-type) | +--rw (match-type)
| | +--:(range-match-ipv4) | | +--:(range-match-ipv4)
| | | +--rw range-ipv4-address | | | +--rw range-ipv4-address
| | | +--rw start-ipv4-address inet:ipv4-address | | | +--rw start-ipv4-address inet:ipv4-address-no-zone
| | | +--rw end-ipv4-address inet:ipv4-address | | | +--rw end-ipv4-address inet:ipv4-address-no-zone
| | +--:(range-match-ipv6) | | +--:(range-match-ipv6)
| | +--rw range-ipv6-address | | +--rw range-ipv6-address
| | +--rw start-ipv6-address inet:ipv6-address | | +--rw start-ipv6-address inet:ipv6-address-no-zone
| | +--rw end-ipv6-address inet:ipv6-address | | +--rw end-ipv6-address inet:ipv6-address-no-zone
Figure 9: User Group YANG Data Tree Figure 9: User Group YANG Data Tree
4.2. Device Group 4.2. Device Group
This object represents a Device-Group. Figure 10 shows the YANG tree This object represents a Device-Group. Figure 10 shows the YANG tree
of the Device-group object. The Device-Group object SHALL have the of the Device-group object. The Device-Group object SHALL have the
following information: following information:
Name: This field identifies the name of this object. Name: This field identifies the name of this object.
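Review bot: in the User Group field list, "mac-address:" is lower-case while "Name:", "Range-ipv4-address:" and "Range-ipv6-address:" are capitalised, and it describes "the MAC address of a user" although the tree node is the leaf-list mac-address*, so "MAC addresses of users in the user group" would match the model. The switch to inet:ipv4-address-no-zone and inet:ipv6-address-no-zone is consistent with the device-group and location-group changes in this revision.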
skipping to change at page 13, line 29 skipping to change at page 13, line 29
Range-ipv4-address: This represents the IPv4 address range of a Range-ipv4-address: This represents the IPv4 address range of a
device in the device group. device in the device group.
Range-ipv6-address: This represents the IPv6 address range of a Range-ipv6-address: This represents the IPv6 address range of a
device in the device group. device in the device group.
Application-protocol: This represents the application layer Application-protocol: This represents the application layer
protocols of devices. If this is not set, it cannot protocols of devices. If this is not set, it cannot
support the appropriate protocol support the appropriate protocol
+--rw device-group* [name] +--rw device-group* [name]
+--rw name string | +--rw name string
+--rw (match-type) | +--rw (match-type)
| +--:(exact-match-ipv4) | | +--:(range-match-ipv4)
| | +--rw ipv4? inet:ipv4-address | | | +--rw range-ipv4-address
| +--:(exact-match-ipv6) | | | +--rw start-ipv4-address inet:ipv4-address-no-zone
| | +--rw ipv6? inet:ipv6-address | | | +--rw end-ipv4-address inet:ipv4-address-no-zone
| +--:(range-match-ipv4) | | +--:(range-match-ipv6)
| | +--rw range-ipv4-address* | | +--rw range-ipv6-address
| | | +--rw start-ipv4-address inet:ipv4-address | | +--rw start-ipv6-address inet:ipv6-address-no-zone
| | | +--rw end-ipv4-address inet:ipv4-address | | +--rw end-ipv6-address inet:ipv6-address-no-zone
| +--:(range-match-ipv6) | +--rw application-protocol* identityref
| | +--rw range-ipv6-address*
| | | +--rw start-ipv6-address inet:ipv6-address
| | | +--rw end-ipv6-address inet:ipv6-address
+--rw application-protocol* identityref
Figure 10: Device Group YANG Data Tree Figure 10: Device Group YANG Data Tree
4.3. Location Group 4.3. Location Group
This object represents a location group based on either tag or other This object represents a location group based on either tag or other
information. Figure 11 shows the YANG tree of the Location-Group information. Figure 11 shows the YANG tree of the Location-Group
object. The Location-Group object SHALL have the following object. The Location-Group object SHALL have the following
information: information:
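Review bot: the -15 Device Group tree drops the exact-match-ipv4 and exact-match-ipv6 cases and turns the range-ipv4-address* and range-ipv6-address* lists into single containers, so a device group now holds exactly one IPv4 range or one IPv6 range (the two are cases of the match-type choice), and a single device has to be expressed as a range whose start and end addresses are equal; the "Range-ipv4-address" and "Range-ipv6-address" text should say that the group is defined by one contiguous range. Also, the "Application-protocol" sentence "If this is not set, it cannot support the appropriate protocol" has no terminating period and does not say what happens when the leaf-list is absent (match any application protocol, or match none); say which.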
skipping to change at page 14, line 26 skipping to change at page 14, line 19
Geo-ip-ipv6: This field represents the IPv6 Geo-ip address of a Geo-ip-ipv6: This field represents the IPv6 Geo-ip address of a
location [RFC8805]. location [RFC8805].
Continent: This field represents the continent where the location Continent: This field represents the continent where the location
group member is located. group member is located.
+--rw location-group* [name] +--rw location-group* [name]
| +--rw name string | +--rw name string
| +--rw geo-ip-ipv4* [ipv4-address] | +--rw geo-ip-ipv4* [ipv4-address]
| | +--rw ipv4-address inet:ipv4-address | | +--rw ipv4-address inet:ipv4-address-no-zone
| | +--rw ipv4-prefix? inet:ipv4-prefix | | +--rw ipv4-prefix? inet:ipv4-prefix
| +--rw geo-ip-ipv6* [ipv6-address] | +--rw geo-ip-ipv6* [ipv6-address]
| | +--rw ipv6-address inet:ipv6-address | | +--rw ipv6-address inet:ipv6-address-no-zone
| | +--rw ipv6-prefix? inet:ipv6-prefix | | +--rw ipv6-prefix? inet:ipv6-prefix
| +--rw continent? identityref | +--rw continent? identityref
Figure 11: Location Group YANG Data Tree Figure 11: Location Group YANG Data Tree
4.4. URL Group 4.4. URL Group
This object represents a URL group based on a Uniform Resource This object represents a URL group based on a Uniform Resource
Locator (URL) or web address. Figure 12 shows the YANG tree of the Locator (URL) or web address. Figure 12 shows the YANG tree of the
URL-Group object. The URLn-Group object SHALL have the following URL-Group object. The URLn-Group object SHALL have the following
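Review bot: geo-ip-ipv4 is keyed by ipv4-address but also carries an optional ipv4-prefix (likewise geo-ip-ipv6 with ipv6-prefix), and the text for Geo-ip-ipv4 and Geo-ip-ipv6 does not say how the two relate: whether the prefix is the CIDR length applied to the key address, an independent match, or whether an entry carrying a prefix still needs a meaningful key address. State the relation in the description, or make address and prefix the two cases of a choice. Separately, "The URLn-Group object SHALL have the following" in the URL Group text has a typo for "URL-Group".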
skipping to change at page 19, line 36 skipping to change at page 19, line 36
based firewall, VoIP/VoLTE security service, and DDoS-attack based firewall, VoIP/VoLTE security service, and DDoS-attack
mitigation in Section 8. mitigation in Section 8.
7.1. YANG Module of Consumer-Facing Interface 7.1. YANG Module of Consumer-Facing Interface
This section describes a YANG module of Consumer-Facing Interface. This section describes a YANG module of Consumer-Facing Interface.
This document provides identities in the data model to be used for This document provides identities in the data model to be used for
configuration of an NSF. Each identity is used for a different type configuration of an NSF. Each identity is used for a different type
of configuration. The details are explained in the description of of configuration. The details are explained in the description of
each identity. This YANG module imports from [RFC6991]. It makes each identity. This YANG module imports from [RFC6991]. It makes
references to references to [RFC0768][RFC0792][RFC0793] [RFC0854][RFC0959][RFC1939]
[RFC0854][RFC0959][RFC1939][RFC3022][RFC2818][RFC4250][RFC5321] [RFC2818][RFC3022][RFC3261] [RFC3501][RFC4250][RFC4340]
[RFC7230][RFC7231][STIX]. [RFC4443][RFC5321][RFC7230] [RFC7231][I-D.ietf-i2nsf-capability]
[I-D.ietf-tcpm-rfc793bis][IANA-ICMP-Parameters]
[IANA-ICMPv6-Parameters][Encyclopedia-Britannica] [STIX].
<CODE BEGINS> file "ietf-i2nsf-cfi-policy@2021-08-21.yang" <CODE BEGINS> file "ietf-i2nsf-cfi-policy@2021-09-15.yang"
module ietf-i2nsf-cfi-policy { module ietf-i2nsf-cfi-policy {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy";
prefix nsfcfi; prefix nsfcfi;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference "RFC 6991"; reference "RFC 6991";
} }
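Review bot: style point in the module header: "import ietf-inet-types{" (and the ietf-yang-types import that follows) has no space before the opening brace, while -15 added one to the revision statement ("revision "2021-09-15" {"); make the brace spacing consistent across the module. The file name in the CODE BEGINS line (ietf-i2nsf-cfi-policy@2021-09-15.yang) now matches the revision date, which is correct.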
skipping to change at page 20, line 13 skipping to change at page 20, line 14
import ietf-yang-types{ import ietf-yang-types{
prefix yang; prefix yang;
reference "RFC 6991"; reference "RFC 6991";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Patrick Lingga Editor: Patrick Lingga
<mailto:patricklink@skku.edu>"; <mailto:patricklink@skku.edu>";
description description
"This module is a YANG module for Consumer-Facing Interface. "This module is a YANG module for Consumer-Facing Interface.
skipping to change at page 20, line 42 skipping to change at page 20, line 43
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
revision "2021-08-21"{ revision "2021-09-15" {
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Consumer-Facing Interface YANG Data Model"; "RFC XXXX: I2NSF Consumer-Facing Interface YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
identity resolution-strategy { identity resolution-strategy {
description description
"Base identity for resolution strategy"; "Base identity for resolution strategy";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity fmr { identity fmr {
base resolution-strategy; base resolution-strategy;
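Review bot: the reference statements in the resolution-strategy identities hard-code a specific draft version ("draft-ietf-i2nsf-capability-data-model-17: I2NSF Capability YANG Data Model - Resolution Strategy"), which will be stale by the time this document is published; use a placeholder of the same kind as the "RFC XXXX" one in the revision statement, with an RFC Editor note to replace it, and keep the citation in line with [I-D.ietf-i2nsf-capability] as cited in the prose.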
skipping to change at page 21, line 42 skipping to change at page 21, line 43
"Identity for Prioritized Matching Rule (PMR)"; "Identity for Prioritized Matching Rule (PMR)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmre { identity pmre {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with Errors (PMRE)"; with Errors (PMRE)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity pmrn { identity pmrn {
base resolution-strategy; base resolution-strategy;
description description
"Identity for Prioritized Matching Rule "Identity for Prioritized Matching Rule
with No Errors (PMRN)"; with No Errors (PMRN)";
reference reference
"draft-ietf-i2nsf-capability-data-model-17: "draft-ietf-i2nsf-capability-data-model-17:
I2NSF Capability YANG Data Model - Resolution Strategy"; I2NSF Capability YANG Data Model - Resolution Strategy";
} }
identity security-event-type { identity security-event {
description description
"Base identity for security event types."; "Base identity for security event types.";
} }
identity ddos { identity anti-ddos {
base security-event-type; base security-event;
description description
"Identity for DDoS event types."; "Identity for Anti-DDoS event types.";
} }
identity intrusion { identity ips {
base security-event-type; base security-event;
description description
"Identity for intrusion event types."; "Identity for Intrusion Prevention System event types.";
} }
identity web-attack { identity url-filtering {
base security-event-type; base security-event;
description description
"Identity for web-attack event types."; "Identity for url-filtering event types.";
} }
identity voip-volte { identity anti-virus {
base security-event-type; base security-event;
description description
"Identity for VoIP/VoLTE event types."; "Identity for Antivirus types.";
}
identity voip-volte-filtering {
base security-event;
description
"Identity for VoIP/VoLTE Filtering event types.";
} }
identity protocol { identity protocol {
description description
"This identity represents the protocol types."; "This identity represents the protocol types.";
} }
identity layer-4-protocol { identity transport-protocol {
base protocol; base protocol;
description description
"Base identity for the Layer 4 (i.e., Transport Layer) "Base identity for the Layer 4 (i.e., Transport Layer)
Protocols"; Protocols";
} }
identity tcp { identity tcp {
base layer-4-protocol; base transport-protocol;
description description
"Base identity for TCP condition capabilities"; "Base identity for TCP condition capabilities";
reference reference
"RFC 793: Transmission Control Protocol "RFC 793: Transmission Control Protocol
draft-ietf-tcpm-rfc793bis: Transmission Control Protocol draft-ietf-tcpm-rfc793bis: Transmission Control Protocol
(TCP) Specification"; (TCP) Specification";
} }
identity udp { identity udp {
base layer-4-protocol; base transport-protocol;
description description
"Base identity for UDP condition capabilities"; "Base identity for UDP condition capabilities";
reference reference
"RFC 768: User Datagram Protocol"; "RFC 768: User Datagram Protocol";
} }
identity sctp { identity sctp {
base layer-4-protocol; base transport-protocol;
description description
"Identity for SCTP condition capabilities"; "Identity for SCTP condition capabilities";
reference reference
"RFC 4960: Stream Control Transmission Protocol"; "RFC 4960: Stream Control Transmission Protocol";
} }
identity dccp { identity dccp {
base layer-4-protocol; base transport-protocol;
description description
"Identity for DCCP condition capabilities"; "Identity for DCCP condition capabilities";
reference reference
"RFC 4340: Datagram Congestion Control Protocol"; "RFC 4340: Datagram Congestion Control Protocol";
} }
identity layer-7-protocol { identity application-protocol {
base protocol; base protocol;
description description
"Base identity for the Layer 7 (i.e., Application Layer) "Base identity for the Layer 7 (i.e., Application Layer)
Protocols"; Protocols";
} }
identity ftp { identity ftp {
base layer-7-protocol; base application-protocol;
description description
"The identity for ftp protocol."; "The identity for ftp protocol.";
reference reference
"RFC 959: File Transfer Protocol (FTP)"; "RFC 959: File Transfer Protocol (FTP)";
} }
identity ssh { identity ssh {
base layer-7-protocol; base application-protocol;
description description
"The identity for ssh protocol."; "The identity for ssh protocol.";
reference reference
"RFC 4250: The Secure Shell (SSH) Protocol"; "RFC 4250: The Secure Shell (SSH) Protocol";
} }
identity telnet { identity telnet {
base layer-7-protocol; base application-protocol;
description description
"The identity for telnet."; "The identity for telnet.";
reference reference
"RFC 854: Telnet Protocol"; "RFC 854: Telnet Protocol";
} }
identity smtp { identity smtp {
base layer-7-protocol; base application-protocol;
description description
"The identity for smtp."; "The identity for smtp.";
reference reference
"RFC 5321: Simple Mail Transfer Protocol (SMTP)"; "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
} }
identity http { identity http {
base layer-7-protocol; base application-protocol;
description description
"The identity for http."; "The identity for http.";
reference reference
"RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message "RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message
Syntax and Routing Syntax and Routing
RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content"; and Content";
} }
identity https { identity https {
base layer-7-protocol; base application-protocol;
description description
"The identity for https."; "The identity for https.";
reference reference
"RFC 2818: HTTP over TLS (HTTPS)"; "RFC 2818: HTTP over TLS (HTTPS)";
} }
identity pop3 { identity pop3 {
base layer-7-protocol; base application-protocol;
description description
"The identity for pop3."; "The identity for pop3.";
reference reference
"RFC 1939: Post Office Protocol - Version 3 (POP3)"; "RFC 1939: Post Office Protocol - Version 3 (POP3)";
} }
identity nat { identity imap {
base layer-7-protocol; base application-protocol;
description description
"The identity for nat."; "The identity for Internet Message Access Protocol (IMAP).";
reference reference
"RFC 3022: Traditional IP Network Address Translator (Traditional "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
NAT)";
} }
identity action { identity action {
description description
"Base identity for action"; "Base identity for action";
} }
identity ingress-action { identity ingress-action {
base action; base action;
description description
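Review bot: the renamed security-event identities no longer agree with their base description. The base still reads "Base identity for security event types", but the derived identities now name NSF kinds (anti-ddos, ips, url-filtering, anti-virus) rather than events, and "Identity for Antivirus types." drops the word "event" that the sibling descriptions keep; pick one meaning (the event source or the function type) and make the base and derived descriptions agree. Renaming ddos, intrusion and web-attack also breaks any policy written against the -14 identities, which is acceptable for a draft but worth a line in the change log. Replacing nat under application-protocol with imap is right, since NAT is not an application-layer protocol and RFC 3501 is the correct reference.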
skipping to change at page 26, line 47 skipping to change at page 27, line 4
Functions - Forwarding action"; Functions - Forwarding action";
} }
identity transformation { identity transformation {
base egress-action; base egress-action;
description description
"Identity for transformation action capability"; "Identity for transformation action capability";
reference reference
"RFC 8329: Framework for Interface to Network Security "RFC 8329: Framework for Interface to Network Security
Functions - Redirection action"; Functions - Redirection action";
} }
identity log-action { identity log-action {
description description
"Base identity for representing log actions, such as rule-log and "Base identity for representing log actions, such as rule-log
session-log action."; and session-log action.";
} }
identity rule-log { identity rule-log {
base log-action; base log-action;
description description
"Identity for rule log-action capability. "Identity for rule log-action capability.
Log the received packet based on the rule"; Log the received packet based on the rule";
} }
identity session-log { identity session-log {
skipping to change at page 28, line 47 skipping to change at page 29, line 4
base day; base day;
description description
"This represents Friday."; "This represents Friday.";
} }
identity saturday { identity saturday {
base day; base day;
description description
"This represents Saturday."; "This represents Saturday.";
} }
identity sunday { identity sunday {
base day; base day;
description description
"This represents Sunday."; "This represents Sunday.";
} }
identity continent { identity continent {
description description
"Base Identity for continent types."; "Base identity for continent types. The continents are based
on Encyclopedia Britannica";
reference
"Encyclopedia Britannica: Continent";
} }
identity africa { identity africa {
base continent; base continent;
description description
"Identity for Africa."; "Identity for Africa.";
reference
"Encyclopedia Britannica: Continent";
} }
identity asia { identity asia {
base continent; base continent;
description description
"Identity for Asia."; "Identity for Asia.";
reference
"Encyclopedia Britannica: Continent";
}
identity antarctica {
base continent;
description
"Identity for Antarctica.";
reference
"Encyclopedia Britannica: Continent";
} }
identity europe { identity europe {
base continent; base continent;
description description
"Identity for Europe."; "Identity for Europe.";
reference
"Encyclopedia Britannica: Continent";
} }
identity north-america { identity north-america {
base continent; base continent;
description description
"Identity for North America."; "Identity for North America.";
reference
"Encyclopedia Britannica: Continent";
} }
identity south-america { identity south-america {
base continent; base continent;
description description
"Identity for South America."; "Identity for South America.";
reference
"Encyclopedia Britannica: Continent";
} }
identity oceania { identity australia {
base continent; base continent;
description description
"Identity for Oceania"; "Identity for Australia";
reference
"Encyclopedia Britannica: Continent";
} }
/* /*
* Typedefs * Typedefs
*/ */
typedef time { typedef time {
type string { type string {
pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?' pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?'
+ '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?'; + '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?';
} }
description description
"The time type represents an instance of time of zero-duration "The time type represents an instance of time of zero-duration
that recurs every day."; that recurs every day.";
} }
/* /*
* Groupings * Groupings
*/ */
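Review bot: renaming oceania to australia narrows the identity's geographic scope without saying so. A location-group that previously selected the whole region now selects only Australia, and geo-ip addresses from the rest of the region (New Zealand and the Pacific islands) have no continent identity to fall under; either keep oceania or state in the description how addresses outside Australia are classified. The per-identity `reference "Encyclopedia Britannica: Continent";` is repeated on all seven derived identities although the base identity now carries it, so the repeats can be dropped, and "Identity for Australia" is missing the terminating period the other descriptions have.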
skipping to change at page 30, line 19 skipping to change at page 30, line 47
} }
/* /*
* Groupings * Groupings
*/ */
grouping ipv4-list { grouping ipv4-list {
description description
"Grouping for an IPv4 address list."; "Grouping for an IPv4 address list.";
leaf-list ipv4 { leaf-list ipv4 {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"This is the entry for an IPv4 address list."; "This is the entry for an IPv4 address list.";
} }
} }
grouping ipv6-list { grouping ipv6-list {
description description
"Grouping for an IPv6 address list."; "Grouping for an IPv6 address list.";
leaf-list ipv6 { leaf-list ipv6 {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"This is the entry for an IPv6 address list."; "This is the entry for an IPv6 address list.";
} }
} }
grouping ipv4 { grouping ipv4 {
description description
"Grouping for an IPv4 address."; "Grouping for an IPv4 address.";
leaf ipv4 { leaf ipv4 {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"This is the entry for an IPv4 address."; "This is the entry for an IPv4 address.";
} }
} }
grouping ipv6 { grouping ipv6 {
description description
"Grouping for an IPv6 address."; "Grouping for an IPv6 address.";
leaf ipv6 { leaf ipv6 {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"This is the entry for an IPv6 address."; "This is the entry for an IPv6 address.";
} }
} }
grouping ip-address-info { grouping ip-address-info {
description description
"There are two types to configure a security policy "There are two types to configure a security policy
for an IP address, such as IPv4 adress and IPv6 address."; for an IP address, such as IPv4 adress and IPv6 address.";
choice match-type { choice match-type {
description description
"User can choose between IPv4 and IPv6."; "User can choose between IPv4 and IPv6.";
case range-match-ipv4 { case range-match-ipv4 {
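Review bot: the ip-address-info description still misspells "adress" in both columns ("such as IPv4 adress and IPv6 address"); fix it to "address" while this grouping is being touched. The switch from inet:ipv4-address to inet:ipv4-address-no-zone (and the IPv6 counterpart) is the right call: zone indices are link-local and have no meaning in a controller-side policy, and allowing them would only give two spellings for the same address in a match.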
skipping to change at page 31, line 17 skipping to change at page 31, line 44
grouping ip-address-info { grouping ip-address-info {
description description
"There are two types to configure a security policy "There are two types to configure a security policy
for an IP address, such as IPv4 adress and IPv6 address."; for an IP address, such as IPv4 adress and IPv6 address.";
choice match-type { choice match-type {
description description
"User can choose between IPv4 and IPv6."; "User can choose between IPv4 and IPv6.";
case range-match-ipv4 { case range-match-ipv4 {
container range-ipv4-address { container range-ipv4-address {
leaf start-ipv4-address { leaf start-ipv4-address {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
mandatory true; mandatory true;
description description
"A start IPv4 address for a range match."; "A start IPv4 address for a range match.";
} }
leaf end-ipv4-address { leaf end-ipv4-address {
type inet:ipv4-address; type inet:ipv4-address-no-zone;
mandatory true; mandatory true;
description description
"An end IPv4 address for a range match."; "An end IPv4 address for a range match.";
} }
description description
"A range match for IPv4 addresses is provided. "A range match for IPv4 addresses is provided.
Note that the start IPv4 address must be lower than Note that the start IPv4 address must be lower than
the end IPv4 address."; the end IPv4 address.";
} }
} }
case range-match-ipv6 { case range-match-ipv6 {
container range-ipv6-address { container range-ipv6-address {
leaf start-ipv6-address { leaf start-ipv6-address {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
mandatory true; mandatory true;
description description
"A start IPv6 address for a range match."; "A start IPv6 address for a range match.";
} }
leaf end-ipv6-address { leaf end-ipv6-address {
type inet:ipv6-address; type inet:ipv6-address-no-zone;
mandatory true; mandatory true;
description description
"An end IPv6 address for a range match."; "An end IPv6 address for a range match.";
} }
description description
"A range match for IPv6 addresses is provided. "A range match for IPv6 addresses is provided.
Note that the start IPv6 address must be lower than Note that the start IPv6 address must be lower than
the end IPv6 address."; the end IPv6 address.";
} }
} }
} }
} }
grouping user-group { grouping user-group {
description description
"This group represents user group information such as name and "This group represents user group information such as name and
ip-address."; ip-address.";
leaf name { leaf name {
type string; type string;
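Review bot: the ordering rule in the range-ipv4-address and range-ipv6-address descriptions ("the start IPv4 address must be lower than the end IPv4 address") is not enforced anywhere in the module, so a reversed range is schema-valid and its match semantics are undefined; add a `must` statement on the container, or state that the Security Controller MUST reject a rule whose start address is not lower than its end address. As written, "lower than" also forbids a single-address range (start equal to end); if that is meant to be allowed, say "lower than or equal to". Note that the typo "adress" reappears in this hunk's copy of the grouping description.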
skipping to change at page 32, line 52 skipping to change at page 33, line 31
description description
"This represents the name of a device-group."; "This represents the name of a device-group.";
} }
uses ip-address-info{ uses ip-address-info{
refine match-type{ refine match-type{
mandatory true; mandatory true;
} }
} }
leaf-list application-protocol { leaf-list application-protocol {
type identityref { type identityref {
base layer-7-protocol; base application-protocol;
} }
description description
"This represents the application layer protocols of devices. "This represents the application layer protocols of devices.
If this is not set, it cannot support the appropriate If this is not set, it cannot support the appropriate
protocol"; protocol";
} }
} }
grouping location-group { grouping location-group {
description description
"This group represents location-group information such as geo-ip "This group represents location-group information such as
and continent."; geo-ip and continent.";
leaf name { leaf name {
type string; type string;
description description
"This represents the name of a location."; "This represents the name of a location.";
} }
list geo-ip-ipv4 { list geo-ip-ipv4 {
key "ipv4-address"; key "ipv4-address";
description description
"This represents the list of IPv4 addresses based on a "This represents the list of IPv4 addresses based on a
location."; location.";
leaf ipv4-address{ leaf ipv4-address{
type inet:ipv4-address; type inet:ipv4-address-no-zone;
description description
"This represents an IPv4 geo-ip address of a location."; "This represents an IPv4 geo-ip address of a location.";
} }
leaf ipv4-prefix{ leaf ipv4-prefix{
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"This represents the prefix for the IPv4 addresses."; "This represents the prefix for the IPv4 addresses.";
} }
} }
list geo-ip-ipv6 { list geo-ip-ipv6 {
key "ipv6-address"; key "ipv6-address";
description description
"This represents the list of IPv6 addresses based on a "This represents the list of IPv6 addresses based on a
location."; location.";
leaf ipv6-address{ leaf ipv6-address{
type inet:ipv6-address; type inet:ipv6-address-no-zone;
description description
"This represents an IPv6 geo-ip address of a location."; "This represents an IPv6 geo-ip address of a location.";
} }
leaf ipv6-prefix{ leaf ipv6-prefix{
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"This represents the prefix for the IPv6 addresses."; "This represents the prefix for the IPv6 addresses.";
} }
} }
leaf continent { leaf continent {
type identityref { type identityref {
base continent; base continent;
} }
default asia; default asia;
description description
"location-group has geo-ip addresses of the corresponding "location-group has geo-ip addresses of the corresponding
continent."; continent.";
} }
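Review bot: `default asia;` on the continent leaf is a silent policy change. Every location-group that omits the leaf becomes "asia", so a geography-location-condition built on such a group matches, or exempts, traffic the user never selected; drop the default and leave the leaf optional. In geo-ip-ipv4 and geo-ip-ipv6 the list is keyed on the bare address while the prefix is a separate optional leaf that already contains an address, so the two can disagree (for instance a constructed key of 192.0.2.10 with an ipv4-prefix of 198.51.100.0/24); either key the list on the prefix or add a `must` that the address lies within the prefix. The device-group text "If this is not set, it cannot support the appropriate protocol" does not say what the controller does when the leaf-list is empty; state whether an unset list means "any protocol" or "no match".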
skipping to change at page 34, line 19 skipping to change at page 34, line 46
} }
default asia; default asia;
description description
"location-group has geo-ip addresses of the corresponding "location-group has geo-ip addresses of the corresponding
continent."; continent.";
} }
} }
grouping payload-string { grouping payload-string {
description description
"The grouping for payload-string content. It contains information "The grouping for payload-string content. It contains
such as name and string content."; information such as name and string content.";
leaf description { leaf description {
type string; type string;
description description
"This represents the description of a payload. If this is not "This represents the description of a payload. If this is
set, it cannot support the description of how the payload not set, it cannot support the description of how the
content is related to a security attack."; payload content is related to a security attack.";
} }
leaf-list content { leaf-list content {
type string; type string;
description description
"This represents the string of the payload contents. "This represents the string of the payload contents.
This content leaf-list contains the payload of a packet to This content leaf-list contains the payload of a packet to
analyze a threat. Due to the types of threats, the type of analyze a threat. Due to the types of threats, the type of
the content is defined as a string to accommodate any kind the content is defined as a string to accommodate any kind
of a payload type such as HTTP, HTTPS, and SIP. If this is of a payload type such as HTTP, HTTPS, and SIP. If this is
not set, it cannot support the payload contents involved in not set, it cannot support the payload contents involved in
a security attack as a string."; a security attack as a string.";
} }
} }
list i2nsf-cfi-policy { list i2nsf-cfi-policy {
key "policy-name"; key "policy-name";
description description
"This is a security policy list. Each policy in the list contains "This is a security policy list. Each policy in the list
a list of security policy rules, and is a policy instance to have contains a list of security policy rules, and is a policy
the information of where and when a policy needs to be applied."; instance to have the information of where and when a policy
needs to be applied.";
leaf policy-name { leaf policy-name {
type string; type string;
description description
"The name which identifies the policy."; "The name which identifies the policy.";
} }
leaf resolution-strategy { leaf resolution-strategy {
type identityref { type identityref {
base resolution-strategy; base resolution-strategy;
} }
default fmr; default fmr;
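Review bot: the payload-string content leaf-list cannot carry what its description promises. YANG `string` is restricted to legal XML/Unicode characters, so a payload signature containing arbitrary bytes or invalid UTF-8 cannot be expressed, and the description gives no match semantics (substring or full match, case sensitivity, encoding of the packet payload before comparison); define those, and consider a `union` of `string` and `binary` for byte-level signatures. Also the i2nsf-cfi-policy list is a top-level list with no enclosing container, which is legal but makes it harder to replace or lock the whole policy set in one operation.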
skipping to change at page 35, line 41 skipping to change at page 36, line 23
range "1..255"; range "1..255";
} }
description description
"The priority keyword comes with a mandatory "The priority keyword comes with a mandatory
numeric value which can range from 1 through 255. numeric value which can range from 1 through 255.
Note that a higher number means a higher priority"; Note that a higher number means a higher priority";
} }
container event { container event {
description description
"This represents an event (i.e., a security event), for which "This represents an event (i.e., a security event), for
a security rule is made."; which a security rule is made.";
leaf security-event { leaf security-event {
type identityref { type identityref {
base security-event-type; base security-event;
} }
description description
"This contains the description of a security event. If this "This contains the description of a security event. If
is not set, it cannot support what security event will be this is not set, it cannot support what security event
enforced."; will be enforced.";
} }
container time { container time {
description description
"The time when a security policy rule should be applied."; "The time when a security policy rule should be
applied.";
leaf start-date-time { leaf start-date-time {
type yang:date-and-time; type yang:date-and-time;
description description
"This is the start date and time for a security policy "This is the start date and time for a security policy
rule."; rule.";
} }
leaf end-date-time { leaf end-date-time {
type yang:date-and-time; type yang:date-and-time;
description description
"This is the end date and time for a policy rule. The "This is the end date and time for a policy rule. The
policy rule will stop working after the specified policy rule will stop working after the specified
end-date-time."; end-date-time.";
} }
container period{ container period {
when when
"../frequency!='only-once'"; "../frequency!='only-once'";
description description
"This represents the repetition time. In the case where "This represents the repetition time. In the case
the frequency is weekly, the days can be set."; where the frequency is weekly, the days can be set.";
leaf start-time { leaf start-time {
type time; type time;
description description
"This is a period's start time for an event."; "This is a period's start time for an event.";
} }
leaf end-time { leaf end-time {
type time; type time;
description description
"This is a period's end time for an event."; "This is a period's end time for an event.";
} }
leaf-list day { leaf-list day {
when when
"../../frequency='weekly'"; "../../frequency='weekly'";
type identityref{ type identityref{
base day; base day;
} }
min-elements 1; min-elements 1;
description description
"This represents the repeated day of every week (e.g., "This represents the repeated day of every week
Monday and Tuesday). More than one day can be (e.g., Monday and Tuesday). More than one day can be
specified."; specified.";
} }
leaf-list date { leaf-list date {
when when
"../../frequency='monthly'"; "../../frequency='monthly'";
type int32{ type int32{
range "1..31"; range "1..31";
} }
min-elements 1; min-elements 1;
description description
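Review bot: end-date-time is optional and the description does not say what its absence means; a rule with a start-date-time but no end-date-time presumably never expires, which should be stated explicitly so that permanent rules are created on purpose rather than by omission. Nothing constrains end-date-time to be after start-date-time, or the period's end-time after its start-time, so a reversed window is schema-valid; add a `must` or require the controller to reject it. The brace spacing fixed for `container period {` in this hunk is still missing on `type identityref{` and `type int32{` a few lines below.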
skipping to change at page 38, line 26 skipping to change at page 39, line 8
enforced."; enforced.";
} }
} }
} }
container condition { container condition {
description description
"Conditions for general security policies."; "Conditions for general security policies.";
container firewall-condition { container firewall-condition {
description description
"A general firewall condition based on the packet header."; "A general firewall condition based on the packet
header.";
leaf-list source { leaf-list source {
type union { type union {
type leafref { type leafref {
path path
"/i2nsf-cfi-policy/endpoint-groups/user-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"user-group/name";
} }
type leafref { type leafref {
path path
"/i2nsf-cfi-policy/endpoint-groups/device-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"device-group/name";
} }
} }
description description
"This describes the path of the source."; "This describes the path of the source.";
} }
leaf-list destination { leaf-list destination {
type union { type union {
type leafref { type leafref {
path path
"/i2nsf-cfi-policy/endpoint-groups/user-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"user-group/name";
} }
type leafref { type leafref {
path path
"/i2nsf-cfi-policy/endpoint-groups/device-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"device-group/name";
} }
} }
description description
"This describes the path to the destinations."; "This describes the path to the destinations.";
} }
leaf transport-layer-protocol { leaf transport-layer-protocol {
type identityref { type identityref {
base layer-4-protocol; base transport-protocol;
} }
description description
"The transport-layer protocol to be matched."; "The transport-layer protocol to be matched.";
} }
container range-port-number { container range-port-number {
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"A start port number for range match."; "A start port number for range match.";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
description description
"An end port number for range match."; "An end port number for range match.";
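Review bot: the firewall-condition source and destination leaf-lists are a union of two leafrefs (user-group/name and device-group/name), so a name that exists in both groups is ambiguous and the rule could be applied to the wrong endpoint set; either require endpoint-group names to be unique across user-group and device-group with a `must`, or split source and destination into separate user and device leaf-lists. Style point: the new continuation lines `+"user-group/name";` and `+"device-group/name";` omit the space after `+` that the module uses elsewhere (`+ "payload-content/name";`).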
skipping to change at page 39, line 28 skipping to change at page 40, line 16
type inet:port-number; type inet:port-number;
description description
"A start port number for range match."; "A start port number for range match.";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
description description
"An end port number for range match."; "An end port number for range match.";
} }
description description
"A range match for transport-layer port number. Note that "A range match for transport-layer port number. Note
the start port number value must be lower than the end that the start port number value must be lower than
port number value"; the end port number value";
} }
list icmp { list icmp {
key "version"; key "version";
description description
"Represents the ICMP packet header information to "Represents the ICMP packet header information to
determine if the set of policy actions in this ECA determine if the set of policy actions in this ECA
policy rule should be executed or not."; policy rule should be executed or not.";
reference reference
"RFC 792: Internet Control Message Protocol "RFC 792: Internet Control Message Protocol
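Review bot: in range-port-number neither start-port-number nor end-port-number is `mandatory true`, unlike the address ranges where both ends are mandatory, so a half-specified port range is schema-valid with undefined meaning; make both mandatory, or document that an absent end-port-number means a single-port match. The description also states the start value "must be lower than the end port number value" without a `must` to enforce it, and the same "lower than" wording excludes the single-port case.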
skipping to change at page 41, line 10 skipping to change at page 41, line 47
container ddos-condition { container ddos-condition {
description description
"A condition for a DDoS attack."; "A condition for a DDoS attack.";
container rate-limit { container rate-limit {
description description
"This describes the rate-limit."; "This describes the rate-limit.";
leaf packet-rate-threshold { leaf packet-rate-threshold {
type uint32; type uint32;
description description
"This is a trigger value for a rate limit of packet rate "This is a trigger value for a rate limit of packet
for a DDoS-attack mitigation."; rate for a DDoS-attack mitigation.";
} }
leaf byte-rate-threshold { leaf byte-rate-threshold {
type uint32; type uint32;
description description
"This is a trigger value for a rate limit of byte rate "This is a trigger value for a rate limit of byte
for a DDoS-attack mitigation."; rate for a DDoS-attack mitigation.";
} }
leaf flow-rate-threshold { leaf flow-rate-threshold {
type uint32; type uint32;
description description
"This is a trigger value for a rate limit of flow rate "This is a trigger value for a rate limit of flow
for a DDoS-attack mitigation."; rate for a DDoS-attack mitigation.";
} }
} }
} }
container anti-virus-condition { container anti-virus-condition {
description description
"A condition for anti-virus"; "A condition for anti-virus";
leaf-list exception-files { leaf-list exception-files {
type string; type string;
description description
"The type or name of the files to be excluded by the "The type or name of the files to be excluded by the
anti-virus. This can be used to keep the known harmless anti-virus. This can be used to keep the known
files."; harmless files.";
} }
} }
container payload-condition { container payload-condition {
description description
"A condition based on a packet's content."; "A condition based on a packet's content.";
leaf-list content { leaf-list content {
type leafref { type leafref {
path "/i2nsf-cfi-policy/threat-preventions/" path "/i2nsf-cfi-policy/threat-preventions/"
+ "payload-content/name"; + "payload-content/name";
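Review bot: packet-rate-threshold, byte-rate-threshold and flow-rate-threshold are bare uint32 leaves with no `units` statement and no interval in the description, so an operator cannot tell whether 1000 means packets per second, per minute, or per flow; add `units "packets per second"` (and the byte and flow equivalents) or name the interval in each description. For exception-files, "type or name of the files" does not define the match (exact name, extension, glob?) and an exclusion keyed on a file name alone is easy to satisfy by renaming, so the description should make clear that the exception is by name only and does not vouch for content.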
skipping to change at page 42, line 4 skipping to change at page 42, line 40
description description
"A condition based on a packet's content."; "A condition based on a packet's content.";
leaf-list content { leaf-list content {
type leafref { type leafref {
path "/i2nsf-cfi-policy/threat-preventions/" path "/i2nsf-cfi-policy/threat-preventions/"
+ "payload-content/name"; + "payload-content/name";
} }
description description
"This describes the paths to a packet content's"; "This describes the paths to a packet content's";
} }
} }
container url-condition { container url-condition {
description description
"Condition for url category"; "Condition for url category";
leaf url-name { leaf url-name {
type leafref { type leafref {
path "/i2nsf-cfi-policy/endpoint-groups/url-group/name"; path
"/i2nsf-cfi-policy/endpoint-groups/"
+"url-group/name";
} }
description description
"This is description for the condition of a URL's "This is description for the condition of a URL's
category such as SNS sites, game sites, ecommerce category such as SNS sites, game sites, ecommerce
sites, company sites, and university sites."; sites, company sites, and university sites.";
} }
} }
container voice-condition { container voice-condition {
description description
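Review bot: the payload-condition content description "This describes the paths to a packet content's" is cut off at a dangling possessive and should read something like "This references the payload-content entries to match against the packet's payload." Separately, url-condition uses a single `leaf url-name` where every other condition in this module uses a leaf-list, so a rule can reference only one URL group; if that is intentional, say so in the description, otherwise make it a leaf-list for consistency.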
skipping to change at page 43, line 11 skipping to change at page 43, line 49
leaf-list user-agent { leaf-list user-agent {
type string; type string;
description description
"The security policy rule according to "The security policy rule according to
an user agent for VoIP and VoLTE."; an user agent for VoIP and VoLTE.";
} }
} }
container context-condition { container context-condition {
description description
"Condition for matching the context of the packet, such as "Condition for matching the context of the packet, such
geographic location, time, packet direction"; as geographic location, time, packet direction";
container geography-location-condition { container geography-location-condition {
description description
"A condition for a location-based connection"; "A condition for a location-based connection";
leaf-list source { leaf-list source {
type leafref { type leafref {
path "/i2nsf-cfi-policy/endpoint-groups/" path
+ "location-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"location-group/name";
} }
description description
"This describes the paths to a location's sources."; "This describes the paths to a location's sources.";
} }
leaf-list destination { leaf-list destination {
type leafref { type leafref {
path "/i2nsf-cfi-policy/endpoint-groups/" path
+ "location-group/name"; "/i2nsf-cfi-policy/endpoint-groups/"
+"location-group/name";
} }
description description
"This describes the paths to a location's "This describes the paths to a location's
destinations."; destinations.";
} }
} }
} }
container threat-feed-condition { container threat-feed-condition {
description description
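Review bot: the context-condition description promises matching on "geographic location, time, packet direction", but the container holds only geography-location-condition in this hunk (time lives under the event container and there is no direction node), so either add the missing nodes or trim the description to what the container actually provides. Minor: "an user agent" in the voice-condition description should be "a user agent".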
skipping to change at page 45, line 37 skipping to change at page 46, line 30
} }
} }
} }
container threat-preventions { container threat-preventions {
description description
"This describes the list of threat-preventions."; "This describes the list of threat-preventions.";
list threat-feed-list { list threat-feed-list {
key "name"; key "name";
description description
"There can be a single or multiple number of threat-feeds."; "There can be a single or multiple number of
threat-feeds.";
leaf name { leaf name {
type string; type string;
description description
"This represents the name of the threat-feed."; "This represents the name of the threat-feed.";
} }
leaf description { leaf description {
type string; type string;
description description
"This represents the descriptions of a threat-feed. The "This represents the descriptions of a threat-feed. The
description should include information, such as type, description should include information, such as type,
threat, method, and file type. Structured Threat threat, method, and file type. Structured Threat
Information Expression (STIX) can be used for description Information Expression (STIX) can be used for
of a threat [STIX]."; description of a threat [STIX].";
} }
leaf-list signatures { leaf-list signatures {
type identityref { type identityref {
base signature-type; base signature-type;
} }
description description
"This contains a list of signatures or hashes of the "This contains a list of signatures or hashes of the
threats."; threats.";
} }
} }
list payload-content { list payload-content {
key "name"; key "name";
leaf name { leaf name {
type string; type string;
description description
"This represents the name of a packet's payload-content. It "This represents the name of a packet's payload-content.
should give an idea of why a specific payload content is It should give an idea of why a specific payload content
marked as a threat. For example, the name 'backdoor' is marked as a threat. For example, the name 'backdoor'
indicates the payload content is related to a backdoor indicates the payload content is related to a backdoor
attack."; attack.";
} }
description description
"This represents a payload-string group."; "This represents a payload-string group.";
uses payload-string; uses payload-string;
} }
} }
} }
} }
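Review bot: the signatures leaf-list is `identityref { base signature-type; }`, yet its description says it "contains a list of signatures or hashes of the threats"; an identityref can only name a signature type, never carry an actual hash or signature value, so either the description should say it lists signature types, or the leaf-list needs a type that can hold the values (for example a `union` of the identityref and a string or binary value). In payload-content the `description` is placed after `leaf name` rather than before it as every other list in the module does; move it up for consistency.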
skipping to change at page 54, line 41 skipping to change at page 55, line 41
name: ietf-i2nsf-cfi-policy name: ietf-i2nsf-cfi-policy
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy
prefix: nsfcfi prefix: nsfcfi
reference: RFC XXXX reference: RFC XXXX
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
11. Security Considerations 11. Security Considerations
draft-ietf-i2nsf-consumer-facing-interface-dm-14:

The data model for the I2NSF Consumer-Facing Interface is based on
the I2NSF framework [RFC8329], so the same security considerations
as for the I2NSF framework apply to this document. The data model
needs a secure communication channel to protect the Consumer-Facing
Interface between the I2NSF User and the Security Controller. Also,
the data model's management access control is based on the Network
Configuration Access Control Model (NACM) [RFC8341].

draft-ietf-i2nsf-consumer-facing-interface-dm-15:

The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required secure transport is
Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
and the required secure transport is TLS [RFC8446].

The Network Configuration Access Control Model (NACM) [RFC8341]
provides a means of restricting the access of specific NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content. Thus, NACM SHOULD be used
to restrict the creation and modification of security policies over
the Consumer-Facing Interface to authorized I2NSF Users.
There are a number of data nodes defined in this YANG module that are
writable, creatable, and deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations to these data nodes
could have a negative effect on network and security operations.
These data nodes are collected into a single list node with the
following sensitivity/vulnerability:
* list i2nsf-cfi-policy: Writing to almost any element of this YANG
module directly changes the configuration of NSFs. Examples include
completely turning off security monitoring and mitigation
capabilities; altering the scope of that monitoring and mitigation;
generating a logging volume that overwhelms downstream analytics or
storage capacity; creating confusing logging patterns; or rendering
trained statistical or artificial intelligence models useless.
Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data
nodes with their sensitivity/vulnerability:
* list i2nsf-cfi-policy: Leaking this list to an attacker reveals the
specific configuration of the deployed security controls. With that
knowledge, an attacker can construct an attack path that avoids
observation or mitigation, learn topology information that identifies
additional targets or enables lateral movement, and infer whether the
operator has already discovered an ongoing attack. This list also
holds endpoint data that is considered private to the users.
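The following NACM configuration is an added, constructed example and is
not part of this draft or of any I2NSF implementation. It shows how the
recommendation above can be applied to the i2nsf-cfi-policy list using the
module name and prefix registered in Section 10: one group may create,
read, update and delete policies, a second group may only read them, and
every other user is denied both read and write access to the module even
though the global read-default stays permissive. The group names
(policy-admins, policy-auditors) and user names (alice, bob) are assumed
for illustration.

```xml
<!-- Constructed example, not part of the draft: NACM rules protecting the
     I2NSF Consumer-Facing Interface policy list. Group and user names
     ("policy-admins", "policy-auditors", "alice", "bob") are assumed. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:nsfcfi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy">
  <enable-nacm>true</enable-nacm>

  <!-- Global defaults: reads permitted, writes denied unless a rule
       explicitly permits them (write-default deny is the NACM default). -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <!-- Map transport-authenticated user names onto NACM groups. -->
  <groups>
    <group>
      <name>policy-admins</name>
      <user-name>alice</user-name>
    </group>
    <group>
      <name>policy-auditors</name>
      <user-name>bob</user-name>
    </group>
  </groups>

  <!-- Rule-lists are evaluated in order; the first matching rule wins,
       so the permit rules for known groups must precede the catch-all. -->
  <rule-list>
    <name>cfi-policy-admins</name>
    <group>policy-admins</group>
    <rule>
      <name>full-access-to-cfi-policy</name>
      <module-name>ietf-i2nsf-cfi-policy</module-name>
      <path>/nsfcfi:i2nsf-cfi-policy</path>
      <access-operations>create read update delete</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <rule-list>
    <name>cfi-policy-auditors</name>
    <group>policy-auditors</group>
    <rule>
      <name>read-only-cfi-policy</name>
      <module-name>ietf-i2nsf-cfi-policy</module-name>
      <path>/nsfcfi:i2nsf-cfi-policy</path>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <!-- Everyone else ("*" matches all groups): the policy list is
       sensitive to read as well as write, so deny every operation on
       the module and override the permissive global read-default. -->
  <rule-list>
    <name>cfi-policy-deny-others</name>
    <group>*</group>
    <rule>
      <name>deny-cfi-policy</name>
      <module-name>ietf-i2nsf-cfi-policy</module-name>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

Two points worth checking when deploying rules like these: an auditor's
write attempt matches no rule in the auditors' rule-list (that rule only
covers the read operation), so evaluation falls through to the catch-all
deny, which is what is intended; and the NACM recovery session bypasses
all of this, so access to the recovery session must itself be tightly
controlled. For RESTCONF users the same rules apply, since RESTCONF
[RFC8040] maps its HTTP methods onto the NACM create/read/update/delete
access operations.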
12. Acknowledgments 12. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). This work was supported in part by Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based the IITP (2020-0-00395, Standard Development of Blockchain based
Network Management Automation Technology). Network Management Automation Technology).
skipping to change at page 56, line 14 skipping to change at page 58, line 5
Senad Palislamovic Nokia 755 Ravendale Drive Mountain View, CA 94043 Senad Palislamovic Nokia 755 Ravendale Drive Mountain View, CA 94043
US EMail: senad.palislamovic@nokia.com US EMail: senad.palislamovic@nokia.com
Liang Xia Huawei 101 Software Avenue Nanjing, Jiangsu 210012 China Liang Xia Huawei 101 Software Avenue Nanjing, Jiangsu 210012 China
EMail: Frank.Xialiang@huawei.com EMail: Frank.Xialiang@huawei.com
14. References 14. References
14.1. Normative References 14.1. Normative References
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May
1983, <https://www.rfc-editor.org/info/rfc854>. 1983, <https://www.rfc-editor.org/info/rfc854>.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
<https://www.rfc-editor.org/info/rfc959>. <https://www.rfc-editor.org/info/rfc959>.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<https://www.rfc-editor.org/info/rfc1939>. <https://www.rfc-editor.org/info/rfc1939>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003,
<https://www.rfc-editor.org/info/rfc3501>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, Protocol Assigned Numbers", RFC 4250,
DOI 10.17487/RFC4250, January 2006, DOI 10.17487/RFC4250, January 2006,
<https://www.rfc-editor.org/info/rfc4250>. <https://www.rfc-editor.org/info/rfc4250>.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340,
DOI 10.17487/RFC4340, March 2006,
<https://www.rfc-editor.org/info/rfc4340>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008, DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>. <https://www.rfc-editor.org/info/rfc5321>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
skipping to change at page 57, line 41 skipping to change at page 60, line 23
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407, Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018, DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>. <https://www.rfc-editor.org/info/rfc8407>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
[I-D.ietf-tcpm-rfc793bis]
Eddy, W. M., "Transmission Control Protocol (TCP)
Specification", Work in Progress, Internet-Draft, draft-
ietf-tcpm-rfc793bis-25, 7 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm-
rfc793bis-25.txt>.
14.2. Informative References 14.2. Informative References
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
skipping to change at page 58, line 42 skipping to change at page 61, line 37
Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
<https://www.rfc-editor.org/info/rfc8805>. <https://www.rfc-editor.org/info/rfc8805>.
[I-D.ietf-i2nsf-capability] [I-D.ietf-i2nsf-capability]
Xia, L., Strassner, J., Basile, C., and D. R. Lopez, Xia, L., Strassner, J., Basile, C., and D. R. Lopez,
"Information Model of NSFs Capabilities", Work in "Information Model of NSFs Capabilities", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-capability-05, Progress, Internet-Draft, draft-ietf-i2nsf-capability-05,
24 April 2019, <https://www.ietf.org/archive/id/draft- 24 April 2019, <https://www.ietf.org/archive/id/draft-
ietf-i2nsf-capability-05.txt>. ietf-i2nsf-capability-05.txt>.
[IANA-ICMP-Parameters]
Internet Assigned Numbers Authority (IANA), "Assigned
Internet Protocol Numbers", February 2021,
<https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>.
[IANA-ICMPv6-Parameters]
Internet Assigned Numbers Authority (IANA), "Internet
Control Message Protocol version 6 (ICMPv6) Parameters",
February 2021, <https://www.iana.org/assignments/icmpv6-
parameters/icmpv6-parameters.xhtml>.
[Encyclopedia-Britannica]
Britannica, "Continent", September 2020,
<https://www.britannica.com/science/continent>.
[YARA] Alvarez, V., Bengen, H., Metz, J., Buehlmann, S., and W. [YARA] Alvarez, V., Bengen, H., Metz, J., Buehlmann, S., and W.
Shields, "YARA", YARA Shields, "YARA", YARA
Documents https://yara.readthedocs.io/en/v3.5.0/, August Documents https://yara.readthedocs.io/en/v3.5.0/, August
2020. 2020.
[SURICATA] Julien, V., "SURICATA", SURICATA Documents [SURICATA] Julien, V., "SURICATA", SURICATA Documents
https://suricata-ids.org/docs/, August 2020. https://suricata-ids.org/docs/, August 2020.
[SNORT] Roesch, M., Green, C., and B. Caswell, "SNORT", SNORT [SNORT] Roesch, M., Green, C., and B. Caswell, "SNORT", SNORT
Documents https://www.snort.org/#documents, August 2020. Documents https://www.snort.org/#documents, August 2020.
[STIX] Jordan, B., Piazza, R., and T. Darley, "Structured Threat [STIX] Jordan, B., Piazza, R., and T. Darley, "Structured Threat
Information Expression (STIX)", STIX Version 2.1: Information Expression (STIX)", STIX Version 2.1:
Committee Specification 01 https://docs.oasis- Committee Specification 01 https://docs.oasis-
open.org/cti/stix/v2.1/stix-v2.1.pdf, March 2020. open.org/cti/stix/v2.1/stix-v2.1.pdf, March 2020.
Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface- Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface-
dm-13 dm-14
The following changes are made from draft-ietf-i2nsf-consumer-facing- The following changes are made from draft-ietf-i2nsf-consumer-facing-
interface-dm-13: interface-dm-14:
* This version has been updated to synchronize with other I2NSF * This version has been updated following Tom Petch's comments.
documents.
Authors' Addresses Authors' Addresses
Jaehoon (Paul) Jeong (editor) Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon Suwon
Gyeonggi-Do Gyeonggi-Do
16419 16419
 End of changes. 132 change blocks. 
235 lines changed or deleted 372 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/