--- 1/draft-ietf-i2nsf-registration-interface-dm-12.txt	2021-10-04 08:13:19.206924337 -0700
+++ 2/draft-ietf-i2nsf-registration-interface-dm-13.txt	2021-10-04 08:13:19.286926334 -0700
@@ -1,23 +1,23 @@
 
 I2NSF Working Group                                         S. Hyun, Ed.
 Internet-Draft                                        Myongji University
 Intended status: Standards Track                           J. Jeong, Ed.
-Expires: 19 March 2022                                            T. Roh
+Expires: 7 April 2022                                             T. Roh
                                                                    S. Wi
                                                  Sungkyunkwan University
                                                                  J. Park
                                                                     ETRI
-                                                       15 September 2021
+                                                          4 October 2021
 
               I2NSF Registration Interface YANG Data Model
-             draft-ietf-i2nsf-registration-interface-dm-12
+             draft-ietf-i2nsf-registration-interface-dm-13
 
 Abstract
 
    This document defines an information model and a YANG data model for
    Registration Interface between Security Controller and Developer's
    Management System (DMS) in the Interface to Network Security
    Functions (I2NSF) framework to register Network Security Functions
    (NSF) of the DMS with the Security Controller.  The objective of
    these information and data models is to support NSF capability
    registration and query via I2NSF Registration Interface.
@@ -30,21 +30,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at https://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 19 March 2022.
+   This Internet-Draft will expire on 7 April 2022.
 
 Copyright Notice
 
    Copyright (c) 2021 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents (https://trustee.ietf.org/
    license-info) in effect on the date of publication of this document.
    Please review these documents carefully, as they describe your rights
@@ -67,38 +67,38 @@
      5.1.  YANG Tree Diagram . . . . . . . . . . . . . . . . . . . .   9
        5.1.1.  Definition of Symbols in Tree Diagrams  . . . . . . .   9
        5.1.2.  I2NSF Registration Interface  . . . . . . . . . . . .   9
        5.1.3.  NSF Capability Information  . . . . . . . . . . . . .  11
        5.1.4.  NSF Access Information  . . . . . . . . . . . . . . .  12
      5.2.  YANG Data Modules . . . . . . . . . . . . . . . . . . . .  12
    6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  17
    7.  Security Considerations . . . . . . . . . . . . . . . . . . .  18
    8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  19
      8.1.  Normative References  . . . . . . . . . . . . . . . . . .  19
-     8.2.  Informative References  . . . . . . . . . . . . . . . . .  20
+     8.2.  Informative References  . . . . . . . . . . . . . . . . .  21
    Appendix A.  XML Examples of I2NSF Registration Interface Data
            Model . . . . . . . . . . . . . . . . . . . . . . . . . .  22
      A.1.  Example 1: Registration for the Capabilities of a General
            Firewall  . . . . . . . . . . . . . . . . . . . . . . . .  22
      A.2.  Example 2: Registration for the Capabilities of a
-           Time-based Firewall . . . . . . . . . . . . . . . . . . .  25
+           Time-based Firewall . . . . . . . . . . . . . . . . . . .  26
      A.3.  Example 3: Registration for the Capabilities of a Web
-           Filter  . . . . . . . . . . . . . . . . . . . . . . . . .  29
+           Filter  . . . . . . . . . . . . . . . . . . . . . . . . .  30
      A.4.  Example 4: Registration for the Capabilities of a VoIP/
            VoLTE Filter  . . . . . . . . . . . . . . . . . . . . . .  33
      A.5.  Example 5: Registration for the Capabilities of a DDoS
            Mitigator . . . . . . . . . . . . . . . . . . . . . . . .  36
      A.6.  Example 6: Query for the Capabilities of a Time-based
-           Firewall  . . . . . . . . . . . . . . . . . . . . . . . .  40
+           Firewall  . . . . . . . . . . . . . . . . . . . . . . . .  41
    Appendix B.  NSF Lifecycle Management in NFV Environments . . . .  43
-   Appendix C.  Acknowledgments  . . . . . . . . . . . . . . . . . .  43
-   Appendix D.  Contributors . . . . . . . . . . . . . . . . . . . .  43
+   Appendix C.  Acknowledgments  . . . . . . . . . . . . . . . . . .  44
+   Appendix D.  Contributors . . . . . . . . . . . . . . . . . . . .  44
    Appendix E.  Changes from
            draft-ietf-i2nsf-registration-interface-dm-11 . . . . . .  44
    Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  44
 
 1.  Introduction
 
    A number of Network Security Functions (NSF) may exist in the
    Interface to Network Security Functions (I2NSF) framework [RFC8329].
    Since each of these NSFs likely has different security capabilities
    from each other, it is important to register the security
@@ -144,22 +144,22 @@
       repository, data definition language, query language,
       implementation language, and protocol.
 
    *  Information Model: An information model is a representation of
       concepts of interest to an environment in a form that is
       independent of data repository, data definition language, query
       language, implementation language, and protocol.
 
    *  YANG: This document follows the guidelines of [RFC8407], uses the
       common YANG types defined in [RFC6991], and adopts the Network
-      Management Datastore Architecture (NMDA).  The meaning of the
-      symbols in tree diagrams is defined in [RFC8340].
+      Management Datastore Architecture (NMDA) [RFC8342].  The meaning
+      of the symbols in tree diagrams is defined in [RFC8340].
 
 3.  Objectives
 
    *  Registering NSFs to I2NSF framework: Developer's Management System
       (DMS) in I2NSF framework is typically run by an NSF vendor, and
       uses Registration Interface to provide NSFs developed by the NSF
       vendor to Security Controller.  DMS registers NSFs and their
       capabilities to I2NSF framework through Registration Interface.
       For the registered NSFs, Security Controller maintains a catalog
       of the capabilities of those NSFs.
@@ -388,31 +388,29 @@
    Security Controller uses the registration interface to query DMS
    about NSF(s) having the required capabilities.  The following
    sections describe the YANG data models to support these operations.
 
 5.1.2.1.  NSF Capability Registration
 
    This section expands the i2nsf-nsf-registrations in Figure 5.
 
          NSF Capability Registration
           +--rw nsf-registrations
-              +--rw nsf-information*  [capability-name]
-                 +--rw capability-name                       string
+              +--rw nsf-information*  [nsf-name]
+                 +--rw nsf-name       string
                  +--rw nsf-capability-info
                  |  uses nsf-capability-info
                        +--rw security-capability
                        |  uses ietf-i2nsf-capability
                        +--rw performance-capability
                        |  uses performance-capability
                  +--rw nsf-access-info
-                 |  uses nsf-access-info
-                       +--rw capability-name
                        +--rw ip
                        +--rw port
 
          Figure 6: YANG Tree of NSF Capability Registration Module
 
    When registering an NSF to Security Controller, DMS uses this module
    to describe what capabilities the NSF can offer.  DMS includes the
    network access information of the NSF which is required to make a
    network connection with the NSF as well as the capability description
    of the NSF.
@@ -421,22 +419,21 @@
 
    This section expands the nsf-capability-query in Figure 5.
 
          I2NSF Capability Query
            +---x nsf-capability-query
                +---w input
                |  +---w query-nsf-capability
                |  |   uses ietf-i2nsf-capability
                +--ro output
                    +--ro nsf-access-info
-                   |  uses nsf-access-info
-                       +--rw capability-name
+                       +--rw nsf-name
                        +--rw ip
                        +--rw port
 
              Figure 7: YANG Tree of NSF Capability Query Module
 
    Security Controller MAY require some additional capabilities to
    provide the security service requested by an I2NSF user, but none of
    the registered NSFs has the required capabilities.  In this case,
    Security Controller makes a description of the required capabilities
    using this module and then queries DMS about which NSF(s) can provide
@@ -484,45 +481,43 @@
 
    This module is used to specify the performance capabilities of an NSF
    when registering or initiating the NSF.
 
 5.1.4.  NSF Access Information
 
    This section expands the nsf-access-info in Figure 6.
 
          NSF Access Information
            +--rw nsf-access-info
-             +--rw capability-name      string
              +--rw ip      inet:ip-address-no-zone
              +--rw port    inet:port-number
 
            Figure 10: YANG Tree of I2NSF NSF Access Informantion
 
    This module contains the network access information of an NSF that is
    required to enable network communications with the NSF.  The field of
    ip can have either an IPv4 address or an IPv6 address.
 
 5.2.  YANG Data Modules
 
    This section provides a YANG module of the data model for the
    registration interface between Security Controller and Developer's
    Management System, as defined in Section 4.
 
    This YANG module imports from [RFC6991], and makes a reference to
    [I-D.ietf-i2nsf-capability-data-model].
 
-   <CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-09-15.yang"
+   <CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-10-04.yang"
        module ietf-i2nsf-reg-interface {
         yang-version 1.1;
 
         namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
-
         prefix nsfreg;
 
      // RFC Ed.: replace occurences of XXXX with actual RFC number and
      // remove this note
 
         import ietf-inet-types {
          prefix inet;
          reference "RFC 6991";
         }
         import ietf-i2nsf-capability {
@@ -519,21 +514,21 @@
         prefix nsfreg;
 
      // RFC Ed.: replace occurences of XXXX with actual RFC number and
      // remove this note
 
         import ietf-inet-types {
          prefix inet;
          reference "RFC 6991";
         }
         import ietf-i2nsf-capability {
-         prefix cap;
+       prefix nsfcap;
       // RFC Ed.: replace YYYY with actual RFC number of
       // draft-ietf-i2nsf-capability-data-model and remove this note.
          reference "RFC YYYY: I2NSF Capability YANG Data Model";
         }
 
         organization
          "IETF I2NSF (Interface to Network Security Functions)
           Working Group";
 
         contact
@@ -543,37 +538,41 @@
           Editor: Sangwon Hyun
           <mailto:shyun@mju.ac.kr>
 
           Editor: Jaehoon Paul Jeong
           <mailto:pauljeong@skku.edu>";
 
         description
          "This module defines a YANG data model for I2NSF
           Registration Interface.
 
+        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
+        document are to be interpreted as described in BCP 14
+        (RFC 2119) (RFC 8174) when, and only when, they appear
+        in all capitals, as shown here.
+
           Copyright (c) 2021 IETF Trust and the persons
           identified as authors of the code. All rights reserved.
 
           Redistribution and use in source and binary forms, with or
           without modification, is permitted pursuant to, and subject
           to the license terms contained in, the Simplified BSD License
           set forth in Section 4.c of the IETF Trust's Legal Provisions
           Relating to IETF Documents
           (https://trustee.ietf.org/license-info).
 
           This version of this YANG module is part of RFC XXXX; see
           the RFC itself for full legal notices.";
 
-       // RFC Ed.: replace XXXX with actual RFC number and remove
-       // this note
-
-        revision "2021-09-15" {
+     revision "2021-10-04" {
          description "Initial revision";
          reference
           "RFC XXXX: I2NSF Registration Interface YANG Data Model";
        // RFC Ed.: replace XXXX with actual RFC number and remove
        // this note
         }
 
         grouping nsf-performance-capability {
          description
           "Description of the performance capabilities of an NSF";
@@ -634,65 +635,62 @@
           }
          }
         }
 
         grouping nsf-capability-info {
          description
           "Capability description of an NSF";
          container security-capability {
           description
            "Description of the security capabilities of an NSF";
-          uses cap:nsf-capabilities;
+         uses nsfcap:nsf-capabilities;
+         reference "RFC YYYY: I2NSF Capability YANG Data Model";
        // RFC Ed.: replace YYYY with actual RFC number of
        // draft-ietf-i2nsf-capability-data-model and remove this note.
-          reference "RFC YYYY: I2NSF Capability YANG Data Model";
          }
          container performance-capability {
           description
            "Description of the performance capabilities of an NSF";
           uses nsf-performance-capability;
          }
         }
 
         grouping nsf-access-info {
          description
           "Information required to access an NSF";
-         leaf capability-name {
-          type string;
-          description
-            "Unique name of this NSF's capability";
-         }
          leaf ip {
           type inet:ip-address-no-zone;
           description
            "Either an IPv4 address or an IPv6 address of this NSF";
          }
          leaf port {
           type inet:port-number;
           description
            "Port available on this NSF";
          }
         }
 
         container nsf-registrations {
          description
           "Information of an NSF that DMS registers
            to Security Controller";
          list nsf-information {
-          key "capability-name";
+         key "nsf-name";
           description
            "Required information for registration";
-          leaf capability-name {
+         leaf nsf-name {
            type string;
-           mandatory true;
            description
-            "Unique name of this registered NSF";
+           "The name of this registered NSF. The NSF name MUST be unique
+            to identify the NSF with the capability. The name can be an
+            arbitrary string including FQDN (Fully Qualified Domain
+            Name).";
           }
           container nsf-capability-info {
            description
             "Capability description of this NSF";
            uses nsf-capability-info;
           }
           container nsf-access-info {
            description
             "Network access information of this NSF";
            uses nsf-access-info;
@@ -701,31 +699,39 @@
         }
 
         rpc nsf-capability-query {
          description
           "Description of the capabilities that the
            Security Controller requests to the DMS";
          input {
           container query-nsf-capability {
            description
             "Description of the capabilities to request";
-           uses cap:nsf-capabilities;
+           uses nsfcap:nsf-capabilities;
+           reference "RFC YYYY: I2NSF Capability YANG Data Model";
         // RFC Ed.: replace YYYY with actual RFC number of
         // draft-ietf-i2nsf-capability-data-model and remove this note.
-           reference "RFC YYYY: I2NSF Capability YANG Data Model";
            }
          }
          output {
           container nsf-access-info {
            description
             "Network access information of an NSF
              with the requested capabilities";
+           leaf nsf-name {
+             type string;
+             description
+             "The name of this registered NSF. The NSF name MUST be
+              unique to identify the NSF with the capability. The name
+              can be an arbitrary string including FQDN (Fully Qualified
+              Domain Name).";
+           }
            uses nsf-access-info;
           }
          }
         }
        }
    <CODE ENDS>
 
              Figure 11: Registration Interface YANG Data Model
 
 6.  IANA Considerations
@@ -855,20 +861,25 @@
 
    [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
               BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
               <https://www.rfc-editor.org/info/rfc8340>.
 
    [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
               Access Control Model", STD 91, RFC 8341,
               DOI 10.17487/RFC8341, March 2018,
               <https://www.rfc-editor.org/info/rfc8341>.
 
+   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
+              and R. Wilton, "Network Management Datastore Architecture
+              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
+              <https://www.rfc-editor.org/info/rfc8342>.
+
    [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
               Documents Containing YANG Data Models", BCP 216, RFC 8407,
               DOI 10.17487/RFC8407, October 2018,
               <https://www.rfc-editor.org/info/rfc8407>.
 
    [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
               S., and N. Bahadur, "A YANG Data Model for the Routing
               Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
               September 2018, <https://www.rfc-editor.org/info/rfc8431>.
 
@@ -877,23 +888,23 @@
               <https://www.rfc-editor.org/info/rfc8446>.
 
    [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
               and R. Wilton, "YANG Library", RFC 8525,
               DOI 10.17487/RFC8525, March 2019,
               <https://www.rfc-editor.org/info/rfc8525>.
 
    [I-D.ietf-i2nsf-capability-data-model]
               Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q.
               Lin, "I2NSF Capability YANG Data Model", Work in Progress,
-              Internet-Draft, draft-ietf-i2nsf-capability-data-model-17,
-              14 August 2021, <https://www.ietf.org/archive/id/draft-
-              ietf-i2nsf-capability-data-model-17.txt>.
+              Internet-Draft, draft-ietf-i2nsf-capability-data-model-19,
+              28 September 2021, <https://www.ietf.org/archive/id/draft-
+              ietf-i2nsf-capability-data-model-19.txt>.
 
 8.2.  Informative References
 
    [RFC3849]  Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
               Reserved for Documentation", RFC 3849,
               DOI 10.17487/RFC3849, July 2004,
               <https://www.rfc-editor.org/info/rfc3849>.
 
    [RFC5737]  Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
               Reserved for Documentation", RFC 5737,
@@ -909,36 +920,36 @@
 
    [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
               Kumar, "Framework for Interface to Network Security
               Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
               <https://www.rfc-editor.org/info/rfc8329>.
 
    [I-D.ietf-i2nsf-nsf-monitoring-data-model]
               Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
               Birkholz, "I2NSF NSF Monitoring Interface YANG Data
               Model", Work in Progress, Internet-Draft, draft-ietf-
-              i2nsf-nsf-monitoring-data-model-09, 24 August 2021,
+              i2nsf-nsf-monitoring-data-model-10, 15 September 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
-              monitoring-data-model-09.txt>.
+              monitoring-data-model-10.txt>.
 
    [RFC9061]  Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
               Garcia, "A YANG Data Model for IPsec Flow Protection Based
               on Software-Defined Networking (SDN)", RFC 9061,
               DOI 10.17487/RFC9061, July 2021,
               <https://www.rfc-editor.org/info/rfc9061>.
 
    [I-D.ietf-nvo3-vxlan-gpe]
               (Editor), F. M., (editor), L. K., and U. E. (editor),
               "Generic Protocol Extension for VXLAN (VXLAN-GPE)", Work
-              in Progress, Internet-Draft, draft-ietf-nvo3-vxlan-gpe-11,
-              6 March 2021, <https://www.ietf.org/archive/id/draft-ietf-
-              nvo3-vxlan-gpe-11.txt>.
+              in Progress, Internet-Draft, draft-ietf-nvo3-vxlan-gpe-12,
+              22 September 2021, <https://www.ietf.org/archive/id/draft-
+              ietf-nvo3-vxlan-gpe-12.txt>.
 
    [nfv-framework]
               "Network Functions Virtualisation (NFV); Architectureal
               Framework", ETSI GS NFV 002 ETSI GS NFV 002 V1.1.1,
               October 2013.
 
 Appendix A.  XML Examples of I2NSF Registration Interface Data Model
 
    This section describes XML examples of the I2NSF Registration
    Interface data model under the assumption of registering several
@@ -947,53 +958,52 @@
 A.1.  Example 1: Registration for the Capabilities of a General Firewall
 
    This section shows an XML example for registering the capabilities of
    a general firewall in either IPv4 networks [RFC5737] or IPv6 networks
    [RFC3849].
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>general_firewall_capability</capability-name>
+     <nsf-name>general_firewall</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <generic-nsf-capabilities>
-         <ipv4-capability>cap:next-header</ipv4-capability>
-         <ipv4-capability>cap:source-address</ipv4-capability>
-         <ipv4-capability>cap:destination-address</ipv4-capability>
-         <tcp-capability>cap:source-port-number</tcp-capability>
-         <tcp-capability>cap:destination-port-number</tcp-capability>
+         <ipv4-capability>nsfcap:next-header</ipv4-capability>
+         <ipv4-capability>nsfcap:source-address</ipv4-capability>
+         <ipv4-capability>nsfcap:destination-address</ipv4-capability>
+         <tcp-capability>nsfcap:source-port-number</tcp-capability>
+         <tcp-capability>nsfcap:destination-port-number</tcp-capability>
         </generic-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
-
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
          <outbound-average>1000</outbound-average>
          <outbound-peak>5000</outbound-peak>
@@ -999,23 +1009,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>general_firewall</capability-name>
       <ip>192.0.2.11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
          Figure 12: Configuration XML for Registration of a General
                         Firewall in an IPv4 Network
 
    Figure 12 shows the configuration XML for registering a general
    firewall in an IPv4 network [RFC5737] and its capabilities as
    follows.
@@ -1031,56 +1040,56 @@
    4.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    5.  The NSF can support IPsec not through IKEv2, but through a
        Security Controller [RFC9061].
 
    6.  The NSF can have processing power and bandwidth.
 
    7.  The IPv4 address of the NSF is 192.0.2.11.
 
-   8.  The port of the NSF is 3000.
+   8.  The port of the NSF is 49152.
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>general_firewall_capability</capability-name>
+     <nsf-name>general_firewall</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <generic-nsf-capabilities>
-         <ipv6-capability>cap:next-header</ipv6-capability>
-         <ipv6-capability>cap:source-address</ipv6-capability>
-         <ipv6-capability>cap:destination-address</ipv6-capability>
-         <tcp-capability>cap:source-port-number</tcp-capability>
-         <tcp-capability>cap:destination-port-number</tcp-capability>
+         <ipv6-capability>nsfcap:next-header</ipv6-capability>
+         <ipv6-capability>nsfcap:source-address</ipv6-capability>
+         <ipv6-capability>nsfcap:destination-address</ipv6-capability>
+         <tcp-capability>nsfcap:source-port-number</tcp-capability>
+         <tcp-capability>nsfcap:destination-port-number</tcp-capability>
         </generic-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1088,23 +1097,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>general_firewall</capability-name>
       <ip>2001:DB8:0:1::11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
          Figure 13: Configuration XML for Registration of a General
                         Firewall in an IPv6 Network
 
    In addition, Figure 13 shows the configuration XML for registering a
    general firewall in an IPv6 network [RFC3849] and its capabilities as
    follows.
@@ -1117,67 +1125,68 @@
    3.  The NSF can inspect the port number(s) and flow direction for the
        transport layer protocol, i.e., TCP and UDP.
 
    4.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    5.  The NSF can have processing power and bandwidth.
 
    6.  The IPv6 address of the NSF is 2001:DB8:0:1::11.
 
-   7.  The port of the NSF is 3000.
+   7.  The port of the NSF is 49152.
 
 A.2.  Example 2: Registration for the Capabilities of a Time-based
       Firewall
 
    This section shows an XML example for registering the capabilities of
    a time-based firewall in either IPv4 networks [RFC5737] or IPv6
    networks [RFC3849].
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>time_based_firewall_capability</capability-name>
+     <nsf-name>time_based_firewall</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <event-capabilities>
-        <time-capabilities>cap:absolute-time</time-capabilities>
-        <time-capabilities>cap:periodic-time</time-capabilities>
+        <time-capabilities>nsfcap:absolute-time</time-capabilities>
+        <time-capabilities>nsfcap:periodic-time</time-capabilities>
        </event-capabilities>
        <condition-capabilities>
         <generic-nsf-capabilities>
-         <ipv4-capability>cap:next-header</ipv4-capability>
-         <ipv4-capability>cap:source-address</ipv4-capability>
-         <ipv4-capability>cap:destination-address</ipv4-capability>
-         <tcp-capability>cap:source-port-number</tcp-capability>
-         <tcp-capability>cap:destination-port-number</tcp-capability>
+         <ipv4-capability>nsfcap:next-header</ipv4-capability>
+         <ipv4-capability>nsfcap:source-address</ipv4-capability>
+         <ipv4-capability>nsfcap:destination-address</ipv4-capability>
+         <tcp-capability>nsfcap:source-port-number</tcp-capability>
+         <tcp-capability>nsfcap:destination-port-number</tcp-capability>
         </generic-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
+
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1185,23 +1194,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>time_based_firewall</capability-name>
       <ip>192.0.2.11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
        Figure 14: Configuration XML for Registration of a Time-based
                         Firewall in an IPv4 Network
 
    Figure 14 shows the configuration XML for registering a time-based
    firewall in an IPv4 network [RFC5737] and its capabilities as
    follows.
@@ -1215,60 +1223,61 @@
        address(es), IPv4 destination address(es), TCP source port
        number(s), and TCP destination port number(s).
 
    4.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    5.  The NSF can have processing power and bandwidth.
 
    6.  The IPv4 address of the NSF is 192.0.2.11.
 
-   7.  The port of the NSF is 3000.
+   7.  The port of the NSF is 49152.
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>time_based_firewall_capability</capability-name>
+     <nsf-name>time_based_firewall</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <event-capabilities>
-        <time-capabilities>cap:absolute-time</time-capabilities>
-        <time-capabilities>cap:periodic-time</time-capabilities>
+        <time-capabilities>nsfcap:absolute-time</time-capabilities>
+        <time-capabilities>nsfcap:periodic-time</time-capabilities>
        </event-capabilities>
        <condition-capabilities>
         <generic-nsf-capabilities>
-         <ipv6-capability>cap:next-header</ipv6-capability>
-         <ipv6-capability>cap:source-address</ipv6-capability>
-         <ipv6-capability>cap:destination-address</ipv6-capability>
-         <tcp-capability>cap:source-port-number</tcp-capability>
-         <tcp-capability>cap:destination-port-number</tcp-capability>
+         <ipv6-capability>nsfcap:next-header</ipv6-capability>
+         <ipv6-capability>nsfcap:source-address</ipv6-capability>
+         <ipv6-capability>nsfcap:destination-address</ipv6-capability>
+         <tcp-capability>nsfcap:source-port-number</tcp-capability>
+         <tcp-capability>nsfcap:destination-port-number</tcp-capability>
         </generic-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
+
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1276,23 +1285,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>time_based_firewall</capability-name>
       <ip>2001:DB8:0:1::11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
        Figure 15: Configuration XML for Registration of a Time-based
                         Firewall in an IPv6 Network
 
    In addition, Figure 15 shows the configuration XML for registering a
    time-based firewall in an IPv6 network [RFC3849] and its capabilities
    as follows.
@@ -1306,58 +1314,58 @@
        address(es), IPv6 destination address(es), TCP source port
        number(s), and TCP destination port number(s).
 
    4.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    5.  The NSF can have processing power and bandwidth.
 
    6.  The IPv6 address of the NSF is 2001:DB8:0:1::11.
 
-   7.  The port of the NSF is 3000.
+   7.  The port of the NSF is 49152.
 
 A.3.  Example 3: Registration for the Capabilities of a Web Filter
 
    This section shows an XML example for registering the capabilities of
    a web filter in either IPv4 networks [RFC5737] or IPv6 networks
    [RFC3849].
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>web_filter</capability-name>
+     <nsf-name>web_filter</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
-         <url-capability>cap:user-defined</url-capability>
+         <url-capability>nsfcap:user-defined</url-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1362,27 +1370,25 @@
        <bandwidth>
         <outbound>
          <outbound-average>1000</outbound-average>
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
-
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>web_filter</capability-name>
       <ip>192.0.2.11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
       Figure 16: Configuration XML for Registration of a Web Filter in
                               an IPv4 Network
 
    Figure 16 shows the configuration XML for registering a web filter in
    an IPv4 network [RFC5737] and its capabilities are as follows.
 
@@ -1391,53 +1397,53 @@
    2.  The NSF can inspect URL from a pre-defined database or a added
        new URL by user (user-defined).
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv4 address of the NSF is 192.0.2.11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>web_filter</capability-name>
+     <nsf-name>web_filter</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
-         <url-capability>cap:user-defined</url-capability>
-         <url-capability>cap:pre-defined</url-capability>
+         <url-capability>nsfcap:user-defined</url-capability>
+         <url-capability>nsfcap:pre-defined</url-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1445,24 +1451,24 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>web_filter</capability-name>
       <ip>2001:DB8:0:1::11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
+
     </nsf-information>
    </nsf-registrations>
 
       Figure 17: Configuration XML for Registration of a Web Filter in
                               an IPv6 Network
 
    In addition, Figure 17 shows the configuration XML for registering a
    web filter in an IPv6 network [RFC3849] and its capabilities are as
    follows.
 
@@ -1471,60 +1477,59 @@
    2.  The NSF can inspect URL from a pre-defined database or a added
        new URL by user (user-defined).
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv6 address of the NSF is 2001:DB8:0:1::11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
 A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE
       Filter
 
    This section shows an XML example for registering the capabilities of
    a VoIP/VoLTE filter in either IPv4 networks [RFC5737] or IPv6
    networks [RFC3849].
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>voip_volte_filter</capability-name>
+     <nsf-name>voip_volte_filter</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
-         <voip-volte-capability>cap:call-id</voip-volte-capability>
+         <voip-volte-capability>nsfcap:call-id</voip-volte-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
-
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1532,23 +1537,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>voip_volte_filter</capability-name>
       <ip>192.0.2.11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
        Figure 18: Configuration XML for Registration of a VoIP/VoLTE
                          Filter in an IPv4 Network
 
    Figure 18 shows the configuration XML for registering a VoIP/VoLTE
    filter in an IPv4 network [RFC5737] and its capabilities are as
    follows.
@@ -1557,77 +1561,76 @@
 
    2.  The NSF can inspect a call id for VoIP/VoLTE packets.
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv4 address of the NSF is 192.0.2.11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>voip_volte_filter</capability-name>
+     <nsf-name>voip_volte_filter</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
-         <voip-volte-capability>cap:call-id</voip-volte-capability>
+         <voip-volte-capability>nsfcap:call-id</voip-volte-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
+
        </processing>
        <bandwidth>
         <outbound>
          <outbound-average>1000</outbound-average>
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
-
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>voip_volte_filter</capability-name>
       <ip>2001:DB8:0:1::11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
        Figure 19: Configuration XML for Registration of a VoIP/VoLTE
                          Filter in an IPv6 Network
 
    Figure 19 shows the configuration XML for registering a VoIP/VoLTE
    filter in an IPv6 network [RFC3849] and its capabilities are as
    follows.
@@ -1636,72 +1639,72 @@
 
    2.  The NSF can inspect a call id for VoIP/VoLTE packets.
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv6 address of the NSF is 2001:DB8:0:1::11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
 A.5.  Example 5: Registration for the Capabilities of a DDoS Mitigator
 
    This section shows an XML example for registering the capabilities of
    a DDoS mitigator in either IPv4 networks [RFC5737] or IPv6 networks
    [RFC3849].
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>anti_DDoS</capability-name>
+     <nsf-name>anti_DDoS</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
          <anti-ddos-capability>
-          cap:packet-rate
+          nsfcap:packet-rate
          </anti-ddos-capability>
          <anti-ddos-capability>
-          cap:flow-rate
+          nsfcap:flow-rate
          </anti-ddos-capability>
          <anti-ddos-capability>
-          cap:byte-rate
+          nsfcap:byte-rate
          </anti-ddos-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:rate-limit
+         nsfcap:rate-limit
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
         <egress-action-capability>
-         cap:rate-limit
+         nsfcap:rate-limit
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1709,25 +1712,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>
-       http_and_https_flood_mitigation
-      </capability-name>
       <ip>192.0.2.11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
      Figure 20: Configuration XML for Registration of a DDoS Mitigator
                              in an IPv4 Network
 
    Figure 20 shows the configuration XML for registering a DDoS
    mitigator in an IPv4 network [RFC5737] and its capabilities are as
    follows.
@@ -1737,68 +1737,66 @@
    2.  The NSF can detect the amount of packet, flow, and byte rate in
        the network for potential DDoS Attack.
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, or mirror.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv4 address of the NSF is 192.0.2.11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
    <nsf-registrations
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
     xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
     <nsf-information>
-     <capability-name>
-      anti_DDoS
-     </capability-name>
+     <nsf-name>anti_DDoS</nsf-name>
      <nsf-capability-info>
       <security-capability>
        <condition-capabilities>
         <advanced-nsf-capabilities>
          <anti-ddos-capability>
-          cap:packet-rate
+          nsfcap:packet-rate
          </anti-ddos-capability>
          <anti-ddos-capability>
-          cap:flow-rate
+          nsfcap:flow-rate
          </anti-ddos-capability>
          <anti-ddos-capability>
-          cap:byte-rate
+          nsfcap:byte-rate
          </anti-ddos-capability>
         </advanced-nsf-capabilities>
        </condition-capabilities>
        <action-capabilities>
         <ingress-action-capability>
-         cap:pass
+         nsfcap:pass
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:drop
+         nsfcap:drop
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </ingress-action-capability>
         <ingress-action-capability>
-         cap:rate-limit
+         nsfcap:rate-limit
         </ingress-action-capability>
         <egress-action-capability>
-         cap:pass
+         nsfcap:pass
         </egress-action-capability>
         <egress-action-capability>
-         cap:drop
+         nsfcap:drop
         </egress-action-capability>
         <egress-action-capability>
-         cap:mirror
+         nsfcap:mirror
         </egress-action-capability>
         <egress-action-capability>
-         cap:rate-limit
+         nsfcap:rate-limit
         </egress-action-capability>
        </action-capabilities>
       </security-capability>
       <performance-capability>
        <processing>
         <processing-average>1000</processing-average>
         <processing-peak>5000</processing-peak>
        </processing>
        <bandwidth>
         <outbound>
@@ -1806,23 +1804,22 @@
          <outbound-peak>5000</outbound-peak>
         </outbound>
         <inbound>
          <inbound-average>1000</inbound-average>
          <inbound-peak>5000</inbound-peak>
         </inbound>
        </bandwidth>
       </performance-capability>
      </nsf-capability-info>
      <nsf-access-info>
-      <capability-name>anti_DDoS</capability-name>
       <ip>2001:DB8:0:1::11</ip>
-      <port>3000</port>
+      <port>49152</port>
      </nsf-access-info>
     </nsf-information>
    </nsf-registrations>
 
      Figure 21: Configuration XML for Registration of a DDoS Mitigator
                              in an IPv6 Network
 
    In addition, Figure 21 shows the configuration XML for registering a
    DDoS mitigator in an IPv6 network [RFC3849] and its capabilities are
    as follows.
@@ -1832,141 +1829,142 @@
    2.  The NSF can detect the amount of packet, flow, and byte rate in
        the network for potential DDoS Attack.
 
    3.  The NSF can determine whether the packets are allowed to pass,
        drop, mirror, or rate-limit.
 
    4.  The NSF can have processing power and bandwidth.
 
    5.  The IPv6 address of the NSF is 2001:DB8:0:1::11.
 
-   6.  The port of the NSF is 3000.
+   6.  The port of the NSF is 49152.
 
 A.6.  Example 6: Query for the Capabilities of a Time-based Firewall
 
    This section shows an XML example for querying the capabilities of a
    time-based firewall in either IPv4 networks [RFC5737] or IPv6
    networks [RFC3849].
 
    <rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <nsf-capability-query
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
      xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
      <query-i2nsf-capability-info>
       <time-capabilities>absolute-time</time-capabilities>
       <time-capabilities>periodic-time</time-capabilities>
       <condition-capabilities>
        <generic-nsf-capabilities>
-        <ipv4-capability>cap:next-header</ipv4-capability>
-        <ipv4-capability>cap:source-address</ipv4-capability>
-        <ipv4-capability>cap:destination-address</ipv4-capability>
+        <ipv4-capability>nsfcap:next-header</ipv4-capability>
+        <ipv4-capability>nsfcap:source-address</ipv4-capability>
+        <ipv4-capability>nsfcap:destination-address</ipv4-capability>
        </generic-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
        <ingress-action-capability>
-        cap:pass
+        nsfcap:pass
        </ingress-action-capability>
        <ingress-action-capability>
-        cap:drop
+        nsfcap:drop
        </ingress-action-capability>
        <ingress-action-capability>
-        cap:mirror
+        nsfcap:mirror
        </ingress-action-capability>
        <egress-action-capability>
-        cap:pass
+        nsfcap:pass
        </egress-action-capability>
        <egress-action-capability>
-        cap:drop
+        nsfcap:drop
        </egress-action-capability>
        <egress-action-capability>
-        cap:mirror
+        nsfcap:mirror
        </egress-action-capability>
       </action-capabilities>
      </query-i2nsf-capability-info>
     </nsf-capability-query>
    </rpc>
 
    <rpc-reply message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <nsf-access-info
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
-     <capability-name>time-based-firewall</capability-name>
+     <nsf-name>time_based_firewall</nsf-name>
      <ip>192.0.2.11</ip>
-     <port>3000</port>
+     <port>49152</port>
     </nsf-access-info>
    </rpc-reply>
 
       Figure 22: Configuration XML for Query of a Time-based Firewall
                              in an IPv4 Network
 
    Figure 22 shows the XML configuration for querying the capabilities
    of a time-based firewall in an IPv4 network [RFC5737].  The access
    information of the announced time-based firewall has the IPv4 address
-   of 192.0.2.11 and the port number of 3000.
+   of 192.0.2.11 and the port number of 49152.
 
    <rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <nsf-capability-query
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
      xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
      <query-i2nsf-capability-info>
       <time-capabilities>absolute-time</time-capabilities>
       <time-capabilities>periodic-time</time-capabilities>
       <condition-capabilities>
        <generic-nsf-capabilities>
-        <ipv6-capability>cap:next-header</ipv6-capability>
-        <ipv6-capability>cap:source-address</ipv6-capability>
-        <ipv6-capability>cap:destination-address</ipv6-capability>
+        <ipv6-capability>nsfcap:next-header</ipv6-capability>
+        <ipv6-capability>nsfcap:source-address</ipv6-capability>
+        <ipv6-capability>nsfcap:destination-address</ipv6-capability>
        </generic-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
        <ingress-action-capability>
-        cap:pass
+        nsfcap:pass
        </ingress-action-capability>
        <ingress-action-capability>
-        cap:drop
+        nsfcap:drop
        </ingress-action-capability>
        <ingress-action-capability>
-        cap:mirror
+        nsfcap:mirror
        </ingress-action-capability>
        <egress-action-capability>
-        cap:pass
+        nsfcap:pass
        </egress-action-capability>
        <egress-action-capability>
-        cap:drop
+        nsfcap:drop
        </egress-action-capability>
        <egress-action-capability>
-        cap:mirror
+        nsfcap:mirror
+
        </egress-action-capability>
       </action-capabilities>
      </query-i2nsf-capability-info>
     </nsf-capability-query>
    </rpc>
 
    <rpc-reply message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <nsf-access-info
      xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
-     <capability-name>time-based-firewall</capability-name>
+     <nsf-name>time_based_firewall</nsf-name>
      <ip>2001:DB8:0:1::11</ip>
-     <port>3000</port>
+     <port>49152</port>
     </nsf-access-info>
    </rpc-reply>
 
       Figure 23: Configuration XML for Query of a Time-based Firewall
                              in an IPv6 Network
 
    In addition, Figure 23 shows the XML configuration for querying the
    capabilities of a time-based firewall in an IPv6 network [RFC3849].
    The access information of the announced time-based firewall has the
-   IPv6 address of 2001:DB8:0:1::11 and the port number of 3000.
+   IPv6 address of 2001:DB8:0:1::11 and the port number of 49152.
 
 Appendix B.  NSF Lifecycle Management in NFV Environments
 
    Network Functions Virtualization (NFV) can be used to implement I2NSF
    framework.  In NFV environments, NSFs are deployed as virtual network
    functions (VNFs).  Security Controller can be implemented as an
    Element Management (EM) of the NFV architecture, and is connected
    with the VNF Manager (VNFM) via the Ve-Vnfm interface
    [nfv-framework].  Security Controller can use this interface for the
    purpose of the lifecycle management of NSFs.  If some NSFs need to be