draft-ietf-i2nsf-registration-interface-dm-11.txt   draft-ietf-i2nsf-registration-interface-dm-12.txt 
I2NSF Working Group S. Hyun, Ed. I2NSF Working Group S. Hyun, Ed.
Internet-Draft Myongji University Internet-Draft Myongji University
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: 22 February 2022 T. Roh Expires: 19 March 2022 T. Roh
S. Wi S. Wi
Sungkyunkwan University Sungkyunkwan University
J. Park J. Park
ETRI ETRI
21 August 2021 15 September 2021
I2NSF Registration Interface YANG Data Model I2NSF Registration Interface YANG Data Model
draft-ietf-i2nsf-registration-interface-dm-11 draft-ietf-i2nsf-registration-interface-dm-12
Abstract Abstract
This document defines an information model and a YANG data model for This document defines an information model and a YANG data model for
Registration Interface between Security Controller and Developer's Registration Interface between Security Controller and Developer's
Management System (DMS) in the Interface to Network Security Management System (DMS) in the Interface to Network Security
Functions (I2NSF) framework to register Network Security Functions Functions (I2NSF) framework to register Network Security Functions
(NSF) of the DMS with the Security Controller. The objective of (NSF) of the DMS with the Security Controller. The objective of
these information and data models is to support NSF capability these information and data models is to support NSF capability
registration and query via I2NSF Registration Interface. registration and query via I2NSF Registration Interface.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 22 February 2022. This Internet-Draft will expire on 19 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 5 skipping to change at page 3, line 5
A.4. Example 4: Registration for the Capabilities of a VoIP/ A.4. Example 4: Registration for the Capabilities of a VoIP/
VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 33 VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 33
A.5. Example 5: Registration for the Capabilities of a DDoS A.5. Example 5: Registration for the Capabilities of a DDoS
Mitigator . . . . . . . . . . . . . . . . . . . . . . . . 36 Mitigator . . . . . . . . . . . . . . . . . . . . . . . . 36
A.6. Example 6: Query for the Capabilities of a Time-based A.6. Example 6: Query for the Capabilities of a Time-based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 40 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 40
Appendix B. NSF Lifecycle Management in NFV Environments . . . . 43 Appendix B. NSF Lifecycle Management in NFV Environments . . . . 43
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 43 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 43
Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 43 Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 43
Appendix E. Changes from Appendix E. Changes from
draft-ietf-i2nsf-registration-interface-dm-10 . . . . . . 44 draft-ietf-i2nsf-registration-interface-dm-11 . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
A number of Network Security Functions (NSF) may exist in the A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework [RFC8329]. Interface to Network Security Functions (I2NSF) framework [RFC8329].
Since each of these NSFs likely has different security capabilities Since each of these NSFs likely has different security capabilities
from each other, it is important to register the security from each other, it is important to register the security
capabilities of the NSF with the security controller. In addition, capabilities of the NSF with the security controller. In addition,
it is required to search NSFs of some required security capabilities it is required to search NSFs of some required security capabilities
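Review bot: Wording in the Introduction is awkward in both columns: "likely has different security capabilities from each other" and "it is required to search NSFs of some required security capabilities". Suggest "Since these NSFs are likely to have different security capabilities, ..." and "the Security Controller also needs to search for NSFs that have the required security capabilities". This text is unchanged by the revision, so it is a style point for the next version rather than a problem introduced here.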
skipping to change at page 12, line 30 skipping to change at page 12, line 30
This module is used to specify the performance capabilities of an NSF This module is used to specify the performance capabilities of an NSF
when registering or initiating the NSF. when registering or initiating the NSF.
5.1.4. NSF Access Information 5.1.4. NSF Access Information
This section expands the nsf-access-info in Figure 6. This section expands the nsf-access-info in Figure 6.
NSF Access Information NSF Access Information
+--rw nsf-access-info +--rw nsf-access-info
+--rw capability-name string +--rw capability-name string
+--rw ip inet:ip-address +--rw ip inet:ip-address-no-zone
+--rw port inet:port-number +--rw port inet:port-number
Figure 10: YANG Tree of I2NSF NSF Access Informantion Figure 10: YANG Tree of I2NSF NSF Access Informantion
This module contains the network access information of an NSF that is This module contains the network access information of an NSF that is
required to enable network communications with the NSF. The field of required to enable network communications with the NSF. The field of
ip can have either an IPv4 address or an IPv6 address. ip can have either an IPv4 address or an IPv6 address.
5.2. YANG Data Modules 5.2. YANG Data Modules
This section provides a YANG module of the data model for the This section provides a YANG module of the data model for the
registration interface between Security Controller and Developer's registration interface between Security Controller and Developer's
Management System, as defined in Section 4. Management System, as defined in Section 4.
This YANG module imports from [RFC6991], and makes a reference to This YANG module imports from [RFC6991], and makes a reference to
[I-D.ietf-i2nsf-capability-data-model]. [I-D.ietf-i2nsf-capability-data-model].
<CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-08-21.yang" <CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-09-15.yang"
module ietf-i2nsf-reg-interface { module ietf-i2nsf-reg-interface {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
prefix nsfreg; prefix nsfreg;
// RFC Ed.: replace occurences of XXXX with actual RFC number and // RFC Ed.: replace occurences of XXXX with actual RFC number and
// remove this note // remove this note
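Review bot: The type change from inet:ip-address to inet:ip-address-no-zone in Figure 10 is not reflected in the prose right after it ("The field of ip can have either an IPv4 address or an IPv6 address"): the no-zone type rejects a zone index such as the "%eth0" suffix on a link-local IPv6 address, and the text should say so, since a DMS that registers a link-local address will now fail validation. Two typos survive in both columns and should be fixed at the same time: "Informantion" in the Figure 10 caption and "occurences" in the RFC Editor note.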
skipping to change at page 13, line 32 skipping to change at page 13, line 32
// RFC Ed.: replace YYYY with actual RFC number of // RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note. // draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model"; reference "RFC YYYY: I2NSF Capability YANG Data Model";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Sangwon Hyun Editor: Sangwon Hyun
<mailto:shyun@mju.ac.kr> <mailto:shyun@mju.ac.kr>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>"; <mailto:pauljeong@skku.edu>";
description description
"This module defines a YANG data model for I2NSF "This module defines a YANG data model for I2NSF
Registration Interface. Registration Interface.
Copyright (c) 2021 IETF Trust and the persons Copyright (c) 2021 IETF Trust and the persons
identified as authors of the code. All rights reserved. identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove // RFC Ed.: replace XXXX with actual RFC number and remove
// this note // this note
revision "2021-08-21" { revision "2021-09-15" {
description "Initial revision"; description "Initial revision";
reference reference
"RFC XXXX: I2NSF Registration Interface YANG Data Model"; "RFC XXXX: I2NSF Registration Interface YANG Data Model";
// RFC Ed.: replace XXXX with actual RFC number and remove // RFC Ed.: replace XXXX with actual RFC number and remove
// this note // this note
} }
grouping nsf-performance-capability { grouping nsf-performance-capability {
description description
"Description of the performance capabilities of an NSF"; "Description of the performance capabilities of an NSF";
skipping to change at page 16, line 12 skipping to change at page 16, line 12
grouping nsf-access-info { grouping nsf-access-info {
description description
"Information required to access an NSF"; "Information required to access an NSF";
leaf capability-name { leaf capability-name {
type string; type string;
description description
"Unique name of this NSF's capability"; "Unique name of this NSF's capability";
} }
leaf ip { leaf ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"Either an IPv4 address or an IPv6 address of this NSF"; "Either an IPv4 address or an IPv6 address of this NSF";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
description description
"Port available on this NSF"; "Port available on this NSF";
} }
} }
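Review bot: The description of leaf ip still reads "Either an IPv4 address or an IPv6 address of this NSF" after the type moved to inet:ip-address-no-zone; suggest "IPv4 or IPv6 address of this NSF, without a zone index" so that the description matches the type. Separately, capability-name is described as "Unique name of this NSF's capability", but a plain string leaf inside a grouping enforces nothing; if uniqueness is intended it has to come from the key of the list that uses this grouping, and the description should name that list.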
skipping to change at page 21, line 31 skipping to change at page 21, line 31
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-08, 29 April 2021, i2nsf-nsf-monitoring-data-model-09, 24 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-08.txt>. monitoring-data-model-09.txt>.
[RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- [RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "A YANG Data Model for IPsec Flow Protection Based Garcia, "A YANG Data Model for IPsec Flow Protection Based
on Software-Defined Networking (SDN)", RFC 9061, on Software-Defined Networking (SDN)", RFC 9061,
DOI 10.17487/RFC9061, July 2021, DOI 10.17487/RFC9061, July 2021,
<https://www.rfc-editor.org/info/rfc9061>. <https://www.rfc-editor.org/info/rfc9061>.
[I-D.ietf-nvo3-vxlan-gpe] [I-D.ietf-nvo3-vxlan-gpe]
(Editor), F. M., (editor), L. K., and U. E. (editor), (Editor), F. M., (editor), L. K., and U. E. (editor),
"Generic Protocol Extension for VXLAN (VXLAN-GPE)", Work "Generic Protocol Extension for VXLAN (VXLAN-GPE)", Work
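Review bot: The author fields of two references are garbled in both columns: "Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Birkholz" carries stray "(." fragments, and [I-D.ietf-nvo3-vxlan-gpe] lists its authors as "(Editor), F. M., (editor), L. K., and U. E. (editor)" with the surnames missing. These look like author-name extraction problems in the reference generation and should be corrected before publication; the -08 to -09 bump of the monitoring draft reference itself is fine.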
skipping to change at page 22, line 17 skipping to change at page 22, line 17
This section describes XML examples of the I2NSF Registration This section describes XML examples of the I2NSF Registration
Interface data model under the assumption of registering several Interface data model under the assumption of registering several
types of NSFs and querying NSF capability. types of NSFs and querying NSF capability.
A.1. Example 1: Registration for the Capabilities of a General Firewall A.1. Example 1: Registration for the Capabilities of a General Firewall
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a general firewall in either IPv4 networks [RFC5737] or IPv6 networks a general firewall in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>general_firewall_capability</capability-name> <capability-name>general_firewall_capability</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:next-header</ipv4-capability> <ipv4-capability>cap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>cap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>cap:destination-address</ipv4-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>cap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>cap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>general_firewall</capability-name> <capability-name>general_firewall</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 12: Configuration XML for Registration of a General Figure 12: Configuration XML for Registration of a General
Firewall in an IPv4 Network Firewall in an IPv4 Network
Figure 12 shows the configuration XML for registering a general Figure 12 shows the configuration XML for registering a general
firewall in an IPv4 network [RFC5737] and its capabilities as firewall in an IPv4 network [RFC5737] and its capabilities as
follows. follows.
1. The instance name of the NSF is general_firewall. 1. The instance name of the NSF is general_firewall.
2. The NSF can inspect IPv4 protocol header field, source 2. The NSF can inspect IPv4 protocol header field, source
address(es), and destination address(es) address(es), and destination address(es)
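Review bot: Item 2 of the Figure 12 description ("IPv4 protocol header field, source address(es), and destination address(es)") omits the two tcp-capability entries (cap:source-port-number and cap:destination-port-number) that the XML registers. The parallel item for the time-based firewall in Example 2 was corrected in this revision to list the TCP source and destination port numbers; the same edit is needed here so that the description of Example 1 matches its XML.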
skipping to change at page 24, line 9 skipping to change at page 24, line 9
5. The NSF can support IPsec not through IKEv2, but through a 5. The NSF can support IPsec not through IKEv2, but through a
Security Controller [RFC9061]. Security Controller [RFC9061].
6. The NSF can have processing power and bandwidth. 6. The NSF can have processing power and bandwidth.
7. The IPv4 address of the NSF is 192.0.2.11. 7. The IPv4 address of the NSF is 192.0.2.11.
8. The port of the NSF is 3000. 8. The port of the NSF is 3000.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>general_firewall_capability</capability-name> <capability-name>general_firewall_capability</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:next-header</ipv6-capability> <ipv6-capability>cap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>cap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>cap:destination-address</ipv6-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>cap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>cap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>general_firewall</capability-name> <capability-name>general_firewall</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 13: Configuration XML for Registration of a General Figure 13: Configuration XML for Registration of a General
Firewall in an IPv6 Network Firewall in an IPv6 Network
In addition, Figure 13 shows the configuration XML for registering a In addition, Figure 13 shows the configuration XML for registering a
general firewall in an IPv6 network [RFC3849] and its capabilities as general firewall in an IPv6 network [RFC3849] and its capabilities as
follows. follows.
1. The instance name of the NSF is general_firewall. 1. The instance name of the NSF is general_firewall.
2. The NSF can inspect IPv6 next header, flow direction, source 2. The NSF can inspect IPv6 next header, flow direction, source
address(es), and destination address(es) address(es), and destination address(es)
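Review bot: Item 5 ("The NSF can support IPsec not through IKEv2, but through a Security Controller [RFC9061]") describes a capability that does not appear anywhere in the Figure 12 XML, which carries only condition, action and performance capabilities; either add the corresponding element to the XML or drop the item. Likewise, item 2 of the Figure 13 description lists "flow direction", but the XML registers only next-header, source-address, destination-address and the two TCP port capabilities; the IPv4 counterpart of this item was corrected in Example 2 in this revision, and the same correction applies here.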
skipping to change at page 26, line 5 skipping to change at page 26, line 5
7. The port of the NSF is 3000. 7. The port of the NSF is 3000.
A.2. Example 2: Registration for the Capabilities of a Time-based A.2. Example 2: Registration for the Capabilities of a Time-based
Firewall Firewall
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a time-based firewall in either IPv4 networks [RFC5737] or IPv6 a time-based firewall in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>time_based_firewall_capability</capability-name> <capability-name>time_based_firewall_capability</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<event-capabilities> <event-capabilities>
<time-capabilities>cap:absolute-time</time-capabilities> <time-capabilities>cap:absolute-time</time-capabilities>
<time-capabilities>cap:periodic-time</time-capabilities> <time-capabilities>cap:periodic-time</time-capabilities>
</event-capabilities> </event-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:ipv4-protocol</ipv4-capability> <ipv4-capability>cap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>cap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>cap:destination-address</ipv4-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>cap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>cap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>time_based_firewall</capability-name> <capability-name>time_based_firewall</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 14: Configuration XML for Registration of a Time-based Figure 14: Configuration XML for Registration of a Time-based
Firewall in an IPv4 Network Firewall in an IPv4 Network
Figure 14 shows the configuration XML for registering a time-based Figure 14 shows the configuration XML for registering a time-based
firewall in an IPv4 network [RFC5737] and its capabilities as firewall in an IPv4 network [RFC5737] and its capabilities as
follows. follows.
1. The instance name of the NSF is time_based_firewall. 1. The instance name of the NSF is time_based_firewall.
2. The NSF can enforce the security policy rule according to 2. The NSF can enforce the security policy rule according to
absolute time and periodic time. absolute time and periodic time.
3. The NSF can inspect the IPv4 protocol header field, flow 3. The NSF can inspect the IPv4 protocol header field, IPv4 source
direction, source address(es), and destination address(es). address(es), IPv4 destination address(es), TCP source port
number(s), and TCP destination port number(s).
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can have processing power and bandwidth. 5. The NSF can have processing power and bandwidth.
6. The IPv4 address of the NSF is 192.0.2.11. 6. The IPv4 address of the NSF is 192.0.2.11.
7. The port of the NSF is 3000. 7. The port of the NSF is 3000.
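Review bot: The rename of cap:ipv4-protocol to cap:next-header in Figure 14 assumes that the referenced capability model defines an identity named next-header with base ipv4-capability (the IPv6 examples already use the same name under ipv6-capability); since the identity name is now shared by both address families, confirm it against the capability draft revision cited in the references, otherwise the example will not validate. A second, pre-existing point: nsf-access-info/capability-name is "time_based_firewall" while nsf-information/capability-name is "time_based_firewall_capability", even though the leaf is described as the unique name of the capability and item 1 calls it the instance name of the NSF; use one value in both places, or rename the leaf in nsf-access-info to reflect that it identifies the NSF instance.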
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>time_based_firewall_capability</capability-name> <capability-name>time_based_firewall_capability</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<event-capabilities> <event-capabilities>
<time-capabilities>cap:absolute-time</time-capabilities> <time-capabilities>cap:absolute-time</time-capabilities>
<time-capabilities>cap:periodic-time</time-capabilities> <time-capabilities>cap:periodic-time</time-capabilities>
</event-capabilities> </event-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:ipv6-protocol</ipv6-capability> <ipv6-capability>cap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>cap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>cap:destination-address</ipv6-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>cap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>cap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>time_based_firewall</capability-name> <capability-name>time_based_firewall</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 15: Configuration XML for Registration of a Time-based Figure 15: Configuration XML for Registration of a Time-based
Firewall in an IPv6 Network Firewall in an IPv6 Network
In addition, Figure 15 shows the configuration XML for registering a In addition, Figure 15 shows the configuration XML for registering a
time-based firewall in an IPv6 network [RFC3849] and its capabilities time-based firewall in an IPv6 network [RFC3849] and its capabilities
are as follows. are as follows.
1. The instance name of the NSF is time_based_firewall. 1. The instance name of the NSF is time_based_firewall.
2. The NSF can enforce the security policy rule according to 2. The NSF can enforce the security policy rule according to
absolute time and periodic time. absolute time and periodic time.
3. The NSF can inspect the IPv6 protocol header field, flow 3. The NSF can inspect the IPv6 next header field, IPv6 source
direction, source address(es), and destination address(es). address(es), IPv6 destination address(es), TCP source port
number(s), and TCP destination port number(s).
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can have processing power and bandwidth. 5. The NSF can have processing power and bandwidth.
6. The IPv6 address of the NSF is 2001:DB8:0:1::11. 6. The IPv6 address of the NSF is 2001:DB8:0:1::11.
7. The port of the NSF is 3000. 7. The port of the NSF is 3000.
A.3. Example 3: Registration for the Capabilities of a Web Filter A.3. Example 3: Registration for the Capabilities of a Web Filter
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a web filter in either IPv4 networks [RFC5737] or IPv6 networks a web filter in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>web_filter</capability-name> <capability-name>web_filter</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<url-capability>cap:user-defined</url-capability> <url-capability>cap:user-defined</url-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>web_filter</capability-name> <capability-name>web_filter</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 16: Configuration XML for Registration of a Web Filter in Figure 16: Configuration XML for Registration of a Web Filter in
an IPv4 Network an IPv4 Network
Figure 16 shows the configuration XML for registering a web filter in Figure 16 shows the configuration XML for registering a web filter in
an IPv4 network [RFC5737] and its capabilities are as follows. an IPv4 network [RFC5737] and its capabilities are as follows.
1. The instance name of the NSF is web_filter. 1. The instance name of the NSF is web_filter.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>web_filter</capability-name> <capability-name>web_filter</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<url-capability>cap:user-defined</url-capability> <url-capability>cap:user-defined</url-capability>
<url-capability>cap:pre-defined</url-capability> <url-capability>cap:pre-defined</url-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>web_filter</capability-name> <capability-name>web_filter</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 17: Configuration XML for Registration of a Web Filter in Figure 17: Configuration XML for Registration of a Web Filter in
an IPv6 Network an IPv6 Network
In addition, Figure 17 shows the configuration XML for registering a In addition, Figure 17 shows the configuration XML for registering a
web filter in an IPv6 network [RFC3849] and its capabilities are as web filter in an IPv6 network [RFC3849] and its capabilities are as
follows. follows.
1. The instance name of the NSF is web_filter. 1. The instance name of the NSF is web_filter.
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
Filter Filter
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a VoIP/VoLTE filter in either IPv4 networks [RFC5737] or IPv6 a VoIP/VoLTE filter in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>voip_volte_filter</capability-name> <capability-name>voip_volte_filter</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>cap:call-id</voip-volte-capability> <voip-volte-capability>cap:call-id</voip-volte-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>voip_volte_filter</capability-name> <capability-name>voip_volte_filter</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 18: Configuration XML for Registration of a VoIP/VoLTE Figure 18: Configuration XML for Registration of a VoIP/VoLTE
Filter in an IPv4 Network Filter in an IPv4 Network
Figure 18 shows the configuration XML for registering a VoIP/VoLTE Figure 18 shows the configuration XML for registering a VoIP/VoLTE
filter in an IPv4 network [RFC5737] and its capabilities are as filter in an IPv4 network [RFC5737] and its capabilities are as
follows. follows.
1. The instance name of the NSF is voip_volte_filter. 1. The instance name of the NSF is voip_volte_filter.
2. The NSF can inspect a call id for VoIP/VoLTE packets. 2. The NSF can inspect a call id for VoIP/VoLTE packets.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>voip_volte_filter</capability-name> <capability-name>voip_volte_filter</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>cap:call-id</voip-volte-capability> <voip-volte-capability>cap:call-id</voip-volte-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>voip_volte_filter</capability-name> <capability-name>voip_volte_filter</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 19: Configuration XML for Registration of a VoIP/VoLTE Figure 19: Configuration XML for Registration of a VoIP/VoLTE
Filter in an IPv6 Network Filter in an IPv6 Network
Figure 19 shows the configuration XML for registering a VoIP/VoLTE Figure 19 shows the configuration XML for registering a VoIP/VoLTE
filter in an IPv6 network [RFC3849] and its capabilities are as filter in an IPv6 network [RFC3849] and its capabilities are as
follows. follows.
1. The instance name of the NSF is voip_volte_filter. 1. The instance name of the NSF is voip_volte_filter.
2. The NSF can inspect a call id for VoIP/VoLTE packets. 2. The NSF can inspect a call id for VoIP/VoLTE packets.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
A.5. Example 5: Registration for the Capabilities of a DDoS Mitigator A.5. Example 5: Registration for the Capabilities of a DDoS Mitigator
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a DDoS mitigator in either IPv4 networks [RFC5737] or IPv6 networks a DDoS mitigator in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>anti_DDoS</capability-name> <capability-name>anti_DDoS</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<anti-ddos-capability> <anti-ddos-capability>
cap:packet-rate cap:packet-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:flow-rate cap:flow-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:byte-rate cap:byte-rate
</anti-ddos-capability> </anti-ddos-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:rate-limit cap:rate-limit
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:rate-limit cap:rate-limit
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name> <capability-name>
http_and_https_flood_mitigation http_and_https_flood_mitigation
</capability-name> </capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 20: Configuration XML for Registration of a DDoS Mitigator Figure 20: Configuration XML for Registration of a DDoS Mitigator
in an IPv4 Network in an IPv4 Network
Figure 20 shows the configuration XML for registering a DDoS Figure 20 shows the configuration XML for registering a DDoS
mitigator in an IPv4 network [RFC5737] and its capabilities are as mitigator in an IPv4 network [RFC5737] and its capabilities are as
follows. follows.
1. The instance name of the NSF is anti_DDoS. 1. The instance name of the NSF is anti_DDoS.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name> <capability-name>
anti_DDoS anti_DDoS
</capability-name> </capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<anti-ddos-capability> <anti-ddos-capability>
cap:packet-rate cap:packet-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:flow-rate cap:flow-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:byte-rate cap:byte-rate
</anti-ddos-capability> </anti-ddos-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:rate-limit cap:rate-limit
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:rate-limit cap:rate-limit
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name> <capability-name>anti_DDoS</capability-name>
anti_DDoS
</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 21: Configuration XML for Registration of a DDoS Mitigator Figure 21: Configuration XML for Registration of a DDoS Mitigator
in an IPv6 Network in an IPv6 Network
In addition, Figure 21 shows the configuration XML for registering a In addition, Figure 21 shows the configuration XML for registering a
DDoS mitigator in an IPv6 network [RFC3849] and its capabilities are DDoS mitigator in an IPv6 network [RFC3849] and its capabilities are
as follows. as follows.
1. The instance name of the NSF is anti_DDoS. 1. The instance name of the NSF is anti_DDoS.
6. The port of the NSF is 3000. 6. The port of the NSF is 3000.
A.6. Example 6: Query for the Capabilities of a Time-based Firewall A.6. Example 6: Query for the Capabilities of a Time-based Firewall
This section shows an XML example for querying the capabilities of a This section shows an XML example for querying the capabilities of a
time-based firewall in either IPv4 networks [RFC5737] or IPv6 time-based firewall in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-capability-query <nsf-capability-query
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<query-i2nsf-capability-info> <query-i2nsf-capability-info>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:ipv4-protocol</ipv4-capability> <ipv4-capability>cap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>cap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>cap:destination-address</ipv4-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</query-i2nsf-capability-info> </query-i2nsf-capability-info>
</nsf-capability-query> </nsf-capability-query>
</rpc> </rpc>
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-access-info <nsf-access-info
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
<capability-name>time-based-firewall</capability-name> <capability-name>time-based-firewall</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</rpc-reply> </rpc-reply>
Figure 22: Configuration XML for Query of a Time-based Firewall Figure 22: Configuration XML for Query of a Time-based Firewall
in an IPv4 Network in an IPv4 Network
Figure 22 shows the XML configuration for querying the capabilities Figure 22 shows the XML configuration for querying the capabilities
of a time-based firewall in an IPv4 network [RFC5737]. The access of a time-based firewall in an IPv4 network [RFC5737]. The access
information of the announced time-based firewall has the IPv4 address information of the announced time-based firewall has the IPv4 address
of 192.0.2.11 and the port number of 3000. of 192.0.2.11 and the port number of 3000.
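As an added example (not the draft's own code) covering both the registration figures of A.2 to A.5 and the query/reply exchange of Figure 22: a Security Controller side routine that parses registrations in the shape of those figures, evaluates a capability query against them and builds the rpc-reply carrying the matching NSF's access information. The sample XML, the second address 192.0.2.12, the nc/ri prefixes on the reply and the matching rule (an NSF matches when its registered capabilities cover every queried one) are assumptions of this example, not statements of the draft.

```python
"""Answer an I2NSF capability query from NSF registrations. Added example, not
the draft's code; the sample XML follows Figures 15-17 and 22 and the matching
rule (the registered capability set must cover the query) is assumed."""
import xml.etree.ElementTree as ET

REG_NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
CAP_NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"

# Two constructed registrations; performance-capability is left out (matching ignores it).
REGISTRATIONS_XML = f"""<nsf-registrations xmlns="{REG_NS}" xmlns:cap="{CAP_NS}">
  <nsf-information>
    <capability-name>web_filter</capability-name>
    <nsf-capability-info><security-capability>
      <condition-capabilities><advanced-nsf-capabilities>
        <url-capability>cap:user-defined</url-capability>
      </advanced-nsf-capabilities></condition-capabilities>
    </security-capability></nsf-capability-info>
    <nsf-access-info><capability-name>web_filter</capability-name>
      <ip>192.0.2.11</ip><port>3000</port></nsf-access-info>
  </nsf-information>
  <nsf-information>
    <capability-name>time_based_firewall</capability-name>
    <nsf-capability-info><security-capability>
      <event-capabilities>
        <time-capabilities>cap:absolute-time</time-capabilities>
      </event-capabilities>
      <condition-capabilities><generic-nsf-capabilities>
        <ipv4-capability>cap:next-header</ipv4-capability>
      </generic-nsf-capabilities></condition-capabilities>
      <action-capabilities>
        <ingress-action-capability>cap:pass</ingress-action-capability>
        <ingress-action-capability>cap:drop</ingress-action-capability>
      </action-capabilities>
    </security-capability></nsf-capability-info>
    <nsf-access-info><capability-name>time_based_firewall</capability-name>
      <ip>192.0.2.12</ip><port>3000</port></nsf-access-info>
  </nsf-information>
</nsf-registrations>"""

# Query in the shape of Figure 22; only the firewall above satisfies it.
QUERY_XML = f"""<rpc message-id="101" xmlns="{NC_NS}">
  <nsf-capability-query xmlns="{REG_NS}" xmlns:cap="{CAP_NS}">
    <query-i2nsf-capability-info>
      <time-capabilities>absolute-time</time-capabilities>
      <condition-capabilities><generic-nsf-capabilities>
        <ipv4-capability>cap:next-header</ipv4-capability>
      </generic-nsf-capabilities></condition-capabilities>
      <action-capabilities>
        <ingress-action-capability>cap:drop</ingress-action-capability>
      </action-capabilities>
    </query-i2nsf-capability-info>
  </nsf-capability-query>
</rpc>"""

def _t(name):
    return f"{{{REG_NS}}}{name}"  # qualified tag in the reg-interface namespace

def capability_set(container):
    """(leaf name, identity) pairs below container; only the local name of an
    identityref ("cap:pass", or bare "absolute-time" in the query) is kept."""
    caps = set()
    for el in container.iter():
        name = el.tag.rsplit("}", 1)[-1]
        if (name == "time-capabilities" or name.endswith("-capability")) \
                and el.text and el.text.strip():
            caps.add((name, el.text.strip().split(":", 1)[-1]))
    return caps

def parse_registrations(xml_text):
    """Each <nsf-information> as {name, caps, ip, port}; values stripped (figures wrap them)."""
    regs = []
    for info in ET.fromstring(xml_text).iter(_t("nsf-information")):
        access = info.find(_t("nsf-access-info"))
        regs.append({"name": info.findtext(_t("capability-name")).strip(),
                     "caps": capability_set(info.find(_t("nsf-capability-info"))),
                     "ip": access.findtext(_t("ip")).strip(),
                     "port": int(access.findtext(_t("port")))})
    return regs

def parse_query(rpc_text):
    """(message-id, wanted capability set) from an <rpc> carrying the query."""
    q = ET.fromstring(rpc_text)
    return q.get("message-id"), capability_set(q.find(f".//{_t('query-i2nsf-capability-info')}"))

def answer_query(registrations_xml, rpc_text):
    """<rpc-reply> for the first NSF whose capabilities cover the query, else None."""
    mid, wanted = parse_query(rpc_text)
    # assumed matching rule: the registered set must be a superset of the queried set
    nsf = next((r for r in parse_registrations(registrations_xml) if wanted <= r["caps"]), None)
    if nsf is None:
        return None
    ET.register_namespace("nc", NC_NS)
    ET.register_namespace("ri", REG_NS)
    reply = ET.Element(f"{{{NC_NS}}}rpc-reply", {"message-id": mid})
    access = ET.SubElement(reply, _t("nsf-access-info"))
    ET.SubElement(access, _t("capability-name")).text = nsf["name"]
    ET.SubElement(access, _t("ip")).text = nsf["ip"]
    ET.SubElement(access, _t("port")).text = str(nsf["port"])
    return ET.tostring(reply, encoding="unicode")
```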
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-capability-query <nsf-capability-query
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<query-i2nsf-capability-info> <query-i2nsf-capability-info>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:ipv6-protocol</ipv6-capability> <ipv6-capability>cap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>cap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>cap:destination-address</ipv6-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass cap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop cap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror cap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass cap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop cap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror cap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</query-i2nsf-capability-info> </query-i2nsf-capability-info>
</nsf-capability-query> </nsf-capability-query>
</rpc> </rpc>
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-access-info <nsf-access-info
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
<capability-name>time-based-firewall</capability-name> <capability-name>time-based-firewall</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>3000</port>
</nsf-access-info> </nsf-access-info>
</rpc-reply> </rpc-reply>
Figure 23: Configuration XML for Query of a Time-based Firewall Figure 23: Configuration XML for Query of a Time-based Firewall
in an IPv6 Network in an IPv6 Network
In addition, Figure 23 shows the XML configuration for querying the In addition, Figure 23 shows the XML configuration for querying the
capabilities of a time-based firewall in an IPv6 network [RFC3849]. capabilities of a time-based firewall in an IPv6 network [RFC3849].
The access information of the announced time-based firewall has the The access information of the announced time-based firewall has the
IPv6 address of 2001:DB8:0:1::11 and the port number of 3000. IPv6 address of 2001:DB8:0:1::11 and the port number of 3000.
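Review bot: The only substantive change in this hunk is the ipv6-capability value in the Figure 23 query, which goes from `cap:ipv6-protocol` to `cap:next-header`, yet the explanatory paragraph for Figure 23 is untouched and gives no hint that the identity was renamed. Since the example resolves `cap:` through the `xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"` declaration on `<nsf-capability-query>`, the example only validates if `next-header` is the identity actually defined in that module; please confirm the rename matches the referenced capability module and consider a sentence in the Figure 23 text noting that the IPv6 query uses the `next-header` identity, so readers comparing the IPv4 and IPv6 figures understand why the names differ.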
skipping to change at page 44, line 23 skipping to change at page 44, line 23
Chaehong Chung Department of Electronic, Electrical and Computer Chaehong Chung Department of Electronic, Electrical and Computer
Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon,
Gyeonggi-do 16419 Republic of Korea EMail: darkhong@skku.edu Gyeonggi-do 16419 Republic of Korea EMail: darkhong@skku.edu
Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA EMail: Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA EMail:
shares@ndzh.com shares@ndzh.com
Diego R. Lopez Telefonica I+D Jose Manuel Lara, 9 Seville, 41013 Diego R. Lopez Telefonica I+D Jose Manuel Lara, 9 Seville, 41013
Spain EMail: diego.r.lopez@telefonica.com Spain EMail: diego.r.lopez@telefonica.com
Appendix E. Changes from draft-ietf-i2nsf-registration-interface-dm-10 Appendix E. Changes from draft-ietf-i2nsf-registration-interface-dm-11
The following changes are made from draft-ietf-i2nsf-registration- The following changes are made from draft-ietf-i2nsf-registration-
interface-dm-10: interface-dm-11:
* This version has been updated to synchronize with other I2NSF * This version has been updated to synchronize with other I2NSF
documents. documents.
Authors' Addresses Authors' Addresses
Sangwon Hyun (editor) Sangwon Hyun (editor)
Department of Computer Engineering Department of Computer Engineering
Myongji University Myongji University
116 Myongji-ro, Cheoin-gu 116 Myongji-ro, Cheoin-gu
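Review bot: The Appendix E entry only says "This version has been updated to synchronize with other I2NSF documents", which does not tell an implementer what to re-check; the visible diff shows at least one concrete change, the ipv6-capability identity in Figure 23 moving from `cap:ipv6-protocol` to `cap:next-header`. Suggest replacing the single generic bullet with one bullet per concrete change (e.g. "Figure 23: ipv6-capability identity renamed from cap:ipv6-protocol to cap:next-header to match the capability data model"), so that anyone validating the examples against the capability module knows which identity names changed between -11 and -12.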
 End of changes. 60 change blocks. 
705 lines changed or deleted 702 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/