Network Working Group                                           S. Hares
Internet-Draft                                                    Huawei
Intended status: Standards Track                            R. Moskowitz
Expires: September 13, 2017                               HTT Consulting
                                                                  L. Xia
                                                                  Huawei
                                                                J. Jeong
                                                                  J. Kim
                                                 Sungkyunkwan University
                                                          March 12, 2017


                    I2NSF Capability YANG Data Model
               draft-hares-i2nsf-capability-data-model-01

Abstract

   This document defines a YANG data model for capabilities that enables
   an I2NSF user to control various network security functions in
   network security devices via an I2NSF security controller.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 13, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  High-Level YANG
     4.1.  Capabilities per NSF
     4.2.  Network Security Control
     4.3.  Content Security Control
     4.4.  Attack Mitigation Control
     4.5.  IT Resources linked to Capabilities
     4.6.  Actions
   5.  YANG Modules
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-hares-i2nsf-capability-data-model-00

1.  Introduction

   [i2nsf-problem-statement] proposes two different types of interfaces:

   o  Interface between the I2NSF user and the I2NSF security
      controller, called the I2NSF consumer-facing interface

   o  Interface between the I2NSF security controller and network
      security functions (NSFs), called the I2NSF NSF-facing interface

   This document provides a YANG model that defines the capabilities of
   security devices.  It can be used on the I2NSF NSF-facing interface,
   between the I2NSF security controller and the NSF devices, to express
   the capabilities of NSF devices.
   This YANG model can also be used by the I2NSF user (or I2NSF client)
   to provide the security controller with a complete list of the I2NSF
   capabilities that the security controller can control.  This document
   defines a YANG [RFC6020] data model based on [i2nsf-cap-im].  Terms
   used in this document are defined in [i2nsf-terminology].
   [i2nsf-cap-im] defines the following types of functionality in NSFs:

   o  Network Security Control

   o  Content Security Control

   o  Attack Mitigation Control

   This document contains high-level YANG for each type of control.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in [i2nsf-cap-im],
   [i2rs-rib-data-model], and [supa-policy-info-model].  In particular,
   the following terms are from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".
   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  High-Level YANG

   This section provides an overview of the high-level YANG.  In the
   figures below, each *-support leaf states whether the NSF implements
   the capability, and each *-fcn-name leaf carries a standard or vendor
   name for a function that realizes it.

4.1.  Capabilities per NSF

   The high-level YANG of capabilities per NSF device, controller, or
   application is the following:

   module: ietf-i2nsf-capability
      +--rw sec-ctl-capabilities
         +--rw nsf-capabilities
            +--rw nsf* [nsf-name]
               +--rw nsf-name                        string
               +--rw nsf-address
               |  +--rw (nsf-address-type)?
               |     +--:(ipv4-address)
               |     |  +--rw ipv4-address           inet:ipv4-address
               |     +--:(ipv6-address)
               |        +--rw ipv6-address           inet:ipv6-address
               +--rw net-sec-control-capabilities
               |  uses i2nsf-net-sec-control-caps
               +--rw con-sec-control-capabilities
               |  uses i2nsf-con-sec-control-caps
               +--rw attack-mitigation-capabilities
               |  uses i2nsf-attack-mitigation-control-caps
               +--rw it-resource
                  uses i2nsf-it-resources

          Figure 1: High-Level YANG of I2NSF Capability Interface

   Each of the following subsections mirrors a section of [i2nsf-cap-im]
   and gives the high-level YANG for net-sec-control-capabilities,
   con-sec-control-capabilities, and attack-mitigation-capabilities.
   This draft also uses concepts that originated in Basile, Lioy,
   Pitscheider, and Zhao [2015] concerning conflict resolution, use of
   external data, and IT resources.  The authors are grateful to Cataldo
   for pointing out this excellent work.

4.2.  Network Security Control

   This section expands the following node of the top-level model:

      +--rw net-sec-control-capabilities
      |  uses i2nsf-net-sec-control-caps

   Network Security Control:

      +--rw i2nsf-net-sec-control-caps
         +--rw network-security-control
            +--rw nsc-support          boolean
            +--rw nsc-fcn* [nsc-fcn-name]
               +--rw nsc-fcn-name      string   // std or vendor name

           Figure 2: High-Level YANG of Network Security Control

4.3.  Content Security Control

   This section expands the following node of the top-level model:

      +--rw con-sec-control-capabilities
      |  uses i2nsf-con-sec-control-caps

   Content Security Control:

      +--rw i2nsf-con-sec-control-caps
         +--rw content-security-control
            +--rw antivirus
            |  +--rw antivirus-support            boolean
            |  +--rw antivirus-fcn* [antivirus-fcn-name]
            |     +--rw antivirus-fcn-name        string
            +--rw ips
            |  +--rw ips-support                  boolean
            |  +--rw ips-fcn* [ips-fcn-name]
            |     +--rw ips-fcn-name              string
            +--rw ids
            |  +--rw ids-support                  boolean
            |  +--rw ids-fcn* [ids-fcn-name]
            |     +--rw ids-fcn-name              string
            +--rw url-filter
            |  +--rw url-filter-support           boolean
            |  +--rw url-filter-fcn* [url-filter-fcn-name]
            |     +--rw url-filter-fcn-name       string
            +--rw data-filter
            |  +--rw data-filter-support          boolean
            |  +--rw data-filter-fcn* [data-filter-fcn-name]
            |     +--rw data-filter-fcn-name      string
            +--rw mail-filter
            |  +--rw mail-filter-support          boolean
            |  +--rw mail-filter-fcn* [mail-filter-fcn-name]
            |     +--rw mail-filter-fcn-name      string
            +--rw dns-filter
            |  +--rw dns-filter-support           boolean
            |  +--rw dns-filter-fcn* [dns-filter-fcn-name]
            |     +--rw dns-filter-fcn-name       string
            +--rw ftp-filter
            |  +--rw ftp-filter-support           boolean
            |  +--rw ftp-filter-fcn* [ftp-filter-fcn-name]
            |     +--rw ftp-filter-fcn-name       string
            +--rw games-filter
            |  +--rw games-filter-support         boolean
            |  +--rw games-filter-fcn* [games-filter-fcn-name]
            |     +--rw games-filter-fcn-name     string
            +--rw p2p-filter
            |  +--rw p2p-filter-support           boolean
            |  +--rw p2p-filter-fcn* [p2p-filter-fcn-name]
            |     +--rw p2p-filter-fcn-name       string
            +--rw rpc-filter
            |  +--rw rpc-filter-support           boolean
            |  +--rw rpc-filter-fcn* [rpc-filter-fcn-name]
            |     +--rw rpc-filter-fcn-name       string
            +--rw sql-filter
            |  +--rw sql-filter-support           boolean
            |  +--rw sql-filter-fcn* [sql-filter-fcn-name]
            |     +--rw sql-filter-fcn-name       string
            +--rw telnet-filter
            |  +--rw telnet-filter-support        boolean
            |  +--rw telnet-filter-fcn* [telnet-filter-fcn-name]
            |     +--rw telnet-filter-fcn-name    string
            +--rw tftp-filter
            |  +--rw tftp-filter-support          boolean
            |  +--rw tftp-filter-fcn* [tftp-filter-fcn-name]
            |     +--rw tftp-filter-fcn-name      string
            +--rw file-blocking
            |  +--rw file-blocking-support        boolean
            |  +--rw file-blocking-fcn* [file-blocking-fcn-name]
            |     +--rw file-blocking-fcn-name    string
            +--rw file-isolate
            |  +--rw file-isolate-support         boolean
            |  +--rw file-isolate-fcn* [file-isolate-fcn-name]
            |     +--rw file-isolate-fcn-name     string
            +--rw pkt-capture
            |  +--rw pkt-capture-support          boolean
            |  +--rw pkt-capture-fcn* [pkt-capture-fcn-name]
            |     +--rw pkt-capture-fcn-name      string
            +--rw app-control
            |  +--rw app-control-support          boolean
            |  +--rw app-control-fcn* [app-control-fcn-name]
            |     +--rw app-control-fcn-name      string
            +--rw voip-volte
               +--rw voip-volte-support           boolean
               +--rw voip-volte-fcn* [voip-volte-fcn-name]
                  +--rw voip-volte-fcn-name       string

           Figure 3: High-Level YANG of Content Security Control

4.4.  Attack Mitigation Control

   The high-level YANG below expands the following node of the top-level
   model:

      +--rw attack-mitigation-capabilities
      |  uses i2nsf-attack-mitigation-control-caps

   Attack Mitigation Control:

      +--rw i2nsf-attack-mitigation-control-caps
         +--rw attack-mitigation-control
            +--rw (attack-mitigation-control-type)?
               +--:(ddos-attack)
               |  +--rw (ddos-attack-type)?
               |     +--:(network-layer-ddos-attack)
               |     |  +--rw network-layer-ddos-attack-types
               |     |     +--rw syn-flood-attack
               |     |     |  +--rw syn-flood-attack-support          boolean
               |     |     |  +--rw syn-flood-fcn* [syn-flood-fcn-name]
               |     |     |     +--rw syn-flood-fcn-name             string
               |     |     +--rw udp-flood-attack
               |     |     |  +--rw udp-flood-attack-support          boolean
               |     |     |  +--rw udp-flood-fcn* [udp-flood-fcn-name]
               |     |     |     +--rw udp-flood-fcn-name             string
               |     |     +--rw icmp-flood-attack
               |     |     |  +--rw icmp-flood-attack-support         boolean
               |     |     |  +--rw icmp-flood-fcn* [icmp-flood-fcn-name]
               |     |     |     +--rw icmp-flood-fcn-name            string
               |     |     +--rw ip-fragment-flood-attack
               |     |     |  +--rw ip-fragment-flood-attack-support  boolean
               |     |     |  +--rw ip-frag-flood-fcn* [ip-frag-flood-fcn-name]
               |     |     |     +--rw ip-frag-flood-fcn-name         string
               |     |     +--rw ipv6-related-attack
               |     |        +--rw ipv6-related-attack-support       boolean
               |     |        +--rw ipv6-related-fcn* [ipv6-related-fcn-name]
               |     |           +--rw ipv6-related-fcn-name          string
               |     +--:(app-layer-ddos-attack)
               |        +--rw app-layer-ddos-attack-types
               |           +--rw http-flood-attack
               |           |  +--rw http-flood-attack-support         boolean
               |           |  +--rw http-flood-fcn* [http-flood-fcn-name]
               |           |     +--rw http-flood-fcn-name            string
               |           +--rw https-flood-attack
               |           |  +--rw https-flood-attack-support        boolean
               |           |  +--rw https-flood-fcn* [https-flood-fcn-name]
               |           |     +--rw https-flood-fcn-name           string
               |           +--rw dns-flood-attack
               |           |  +--rw dns-flood-attack-support          boolean
               |           |  +--rw dns-flood-fcn* [dns-flood-fcn-name]
               |           |     +--rw dns-flood-fcn-name             string
               |           +--rw dns-amp-flood-attack
               |           |  +--rw dns-amp-flood-attack-support      boolean
               |           |  +--rw dns-amp-flood-fcn* [dns-amp-flood-fcn-name]
               |           |     +--rw dns-amp-flood-fcn-name         string
               |           +--rw ssl-ddos-attack
               |              +--rw ssl-ddos-attack-support           boolean
               |              +--rw ssl-ddos-fcn* [ssl-ddos-fcn-name]
               |                 +--rw ssl-ddos-fcn-name              string
               +--:(single-packet-attack)
                  +--rw (single-packet-attack-type)?
                     +--:(scan-and-sniff-attack)
                     |  +--rw ip-sweep-attack
                     |  |  +--rw ip-sweep-attack-support              boolean
                     |  |  +--rw ip-sweep-fcn* [ip-sweep-fcn-name]
                     |  |     +--rw ip-sweep-fcn-name                 string
                     |  +--rw port-scanning-attack
                     |     +--rw port-scanning-attack-support         boolean
                     |     +--rw port-scanning-fcn* [port-scanning-fcn-name]
                     |        +--rw port-scanning-fcn-name            string
                     +--:(malformed-packet-attack)
                     |  +--rw ping-of-death-attack
                     |  |  +--rw ping-of-death-attack-support         boolean
                     |  |  +--rw ping-of-death-fcn* [ping-of-death-fcn-name]
                     |  |     +--rw ping-of-death-fcn-name            string
                     |  +--rw teardrop-attack
                     |     +--rw teardrop-attack-support              boolean
                     |     +--rw tear-drop-fcn* [tear-drop-fcn-name]
                     |        +--rw tear-drop-fcn-name                string
                     +--:(special-packet-attack)
                        +--rw oversized-icmp-attack
                        |  +--rw oversized-icmp-attack-support        boolean
                        |  +--rw oversized-icmp-fcn* [oversized-icmp-fcn-name]
                        |     +--rw oversized-icmp-fcn-name           string
                        +--rw tracert-attack
                           +--rw tracert-attack-support               boolean
                           +--rw tracert-fcn* [tracert-fcn-name]
                              +--rw tracert-fcn-name                  string

          Figure 4: High-Level YANG of Attack Mitigation Control

   Because attack-mitigation-control-type, ddos-attack-type, and
   single-packet-attack-type are YANG choices, a single NSF entry can
   populate only one case at each level: for example, either the
   network-layer or the application-layer DDoS attack types, but not
   both.

4.5.  IT Resources linked to Capabilities

   This section provides a link between capabilities and IT resources.
   It holds a list of IT resources by name.  Additional input is needed.

      +--rw it-resource
      |  uses i2nsf-it-resources

   IT Resource:

      +--rw i2nsf-it-resources
         +--rw it-resources* [it-resource-id]
            +--rw it-resource-id      uint64
            +--rw it-resource-name    string

                Figure 5: High-Level YANG of IT Resources

4.6.  Actions

   Notifications indicate when rules are added or deleted.  These
   notifications will be defined later.
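   The following is an added example and is not part of this draft or of
   any I2NSF implementation.  It takes a capability advertisement for
   the nsf list of Figure 1, encoded as JSON, and checks the structural
   rules that Figures 1 through 5 express: the nsf-name list key, the
   nsf-address choice (exactly one case, and a value of the matching
   address family), the *-support leaf of every capability container, the
   uniqueness of *-fcn-name list keys, and the nested attack-mitigation
   choices of Figure 4.  It then derives a per-NSF table of supported
   capabilities, which is what a security controller needs before it can
   decide where a policy can be enforced.  Two things are assumptions of
   the example rather than statements of the draft: the JSON follows the
   RFC 7951 convention (the top-level container is prefixed with the
   module name, and choice/case nodes do not appear in the data), and
   the two NSF entries are constructed for illustration, the second one
   with deliberate defects.

```python
"""Added example (not from the draft): validate a JSON-encoded I2NSF
capability advertisement against the structural rules of the
ietf-i2nsf-capability tree and derive a per-NSF capability table.
Assumptions not stated by the draft: RFC 7951-style JSON (module-prefixed
top-level container, no choice/case nodes in the data); the sample
advertisement below is constructed for illustration."""
import ipaddress

MODULE = "ietf-i2nsf-capability"

# Every attack-mitigation data node belongs to one case of the nested
# choices in Figure 4; a valid entry populates nodes of at most one case.
ATTACK_CASE = {
    "network-layer-ddos-attack-types": "ddos/network-layer",
    "app-layer-ddos-attack-types": "ddos/app-layer",
    "ip-sweep-attack": "single-packet/scan-and-sniff",
    "port-scanning-attack": "single-packet/scan-and-sniff",
    "ping-of-death-attack": "single-packet/malformed",
    "teardrop-attack": "single-packet/malformed",
    "oversized-icmp-attack": "single-packet/special",
    "tracert-attack": "single-packet/special",
}

# Constructed sample: edge-fw-1 is well-formed; edge-fw-2 has two address
# cases, IPv6 text in the ipv4 leaf, a duplicate list key, and nodes from
# two attack-mitigation cases.
SAMPLE = {f"{MODULE}:sec-ctl-capabilities": {"nsf-capabilities": {"nsf": [
    {"nsf-name": "edge-fw-1",
     "nsf-address": {"ipv4-address": "192.0.2.10"},
     "net-sec-control-capabilities": {"network-security-control": {
         "nsc-support": True, "nsc-fcn": [{"nsc-fcn-name": "acl"}]}},
     "con-sec-control-capabilities": {"content-security-control": {
         "ips": {"ips-support": True, "ips-fcn": [{"ips-fcn-name": "snort"}]},
         "url-filter": {"url-filter-support": False}}},
     "attack-mitigation-capabilities": {"attack-mitigation-control": {
         "network-layer-ddos-attack-types": {"syn-flood-attack": {
             "syn-flood-attack-support": True,
             "syn-flood-fcn": [{"syn-flood-fcn-name": "syn-cookies"}]}}}}},
    {"nsf-name": "edge-fw-2",
     "nsf-address": {"ipv4-address": "2001:db8::2", "ipv6-address": "2001:db8::2"},
     "con-sec-control-capabilities": {"content-security-control": {
         "antivirus": {"antivirus-support": True, "antivirus-fcn": [
             {"antivirus-fcn-name": "clamav"}, {"antivirus-fcn-name": "clamav"}]}}},
     "attack-mitigation-capabilities": {"attack-mitigation-control": {
         "ip-sweep-attack": {"ip-sweep-attack-support": True},
         "ping-of-death-attack": {"ping-of-death-attack-support": True}}}},
]}}}


def _check_capability(path, node, findings):
    """A capability container holds exactly one boolean '<x>-support' leaf
    (mandatory true in the module) and at most one '<x>-fcn' list whose
    entries are keyed by the '<x>-fcn-name' leaf."""
    supports = [k for k in node if k.endswith("-support")]
    if len(supports) != 1 or not isinstance(node[supports[0]], bool):
        findings.append(f"{path}: exactly one boolean '*-support' leaf is mandatory")
        return
    supported = node[supports[0]]
    fcn_lists = [k for k in node if k.endswith("-fcn")]
    for fcn in fcn_lists:
        key = fcn + "-name"
        entries = node[fcn] if isinstance(node[fcn], list) else []
        names = [e.get(key) for e in entries]
        if any(not isinstance(n, str) or not n for n in names):
            findings.append(f"{path}/{fcn}: every entry needs the key leaf {key}")
        if len(names) != len(set(names)):
            findings.append(f"{path}/{fcn}: duplicate list key values")
        if names and not supported:
            findings.append(f"{path}: functions listed but {supports[0]} is false")
    if supported and not any(node[f] for f in fcn_lists):
        findings.append(f"warning: {path}: supported but no function names advertised")


def _walk(path, node, findings):
    """Containers carrying a '*-support' leaf are capability containers;
    everything above them is grouping structure to recurse through."""
    if any(k.endswith("-support") for k in node):
        _check_capability(path, node, findings)
        return
    for k, v in node.items():
        if isinstance(v, dict):
            _walk(f"{path}/{k}", v, findings)


def _check_address(path, addr, findings):
    """nsf-address is a choice: exactly one case, with a value of that family."""
    cases = [k for k in ("ipv4-address", "ipv6-address") if k in addr]
    if len(cases) != 1:
        findings.append(f"{path}: exactly one of ipv4-address/ipv6-address is required")
    for k in cases:
        want = 4 if k == "ipv4-address" else 6
        try:
            got = ipaddress.ip_address(addr[k]).version
        except ValueError:
            findings.append(f"{path}/{k}: {addr[k]!r} is not an IP address")
            continue
        if got != want:
            findings.append(f"{path}/{k}: {addr[k]} is not an IPv{want} address")


def check_nsf(nsf):
    """Return the findings for one entry of the nsf list (empty when clean)."""
    name = nsf.get("nsf-name")
    if not isinstance(name, str) or not name:
        return ["nsf entry without its key leaf nsf-name"]
    findings, path = [], f"nsf[{name}]"
    if "nsf-address" in nsf:
        _check_address(f"{path}/nsf-address", nsf["nsf-address"], findings)
    control = nsf.get("attack-mitigation-capabilities", {}).get("attack-mitigation-control", {})
    cases = {ATTACK_CASE[k] for k in control if k in ATTACK_CASE}
    if len(cases) > 1:
        findings.append(f"{path}/attack-mitigation-control: nodes from several choice cases: {sorted(cases)}")
    for grp in ("net-sec-control-capabilities", "con-sec-control-capabilities",
                "attack-mitigation-capabilities"):
        if grp in nsf:
            _walk(f"{path}/{grp}", nsf[grp], findings)
    return findings


def check_advertisement(doc):
    """Check the top-level container, nsf-name key uniqueness, then each NSF."""
    top = doc.get(f"{MODULE}:sec-ctl-capabilities")
    if top is None:
        return [f"missing top-level container {MODULE}:sec-ctl-capabilities"]
    nsfs = top.get("nsf-capabilities", {}).get("nsf", [])
    names = [n.get("nsf-name") for n in nsfs]
    findings = ["nsf: duplicate nsf-name keys"] if len(names) != len(set(names)) else []
    for nsf in nsfs:
        findings.extend(check_nsf(nsf))
    return findings


def capability_matrix(doc):
    """Map each NSF name to the capability containers whose *-support is true."""
    def supported_in(node):
        for k, v in node.items():
            if k.endswith("-support") and v is True:
                yield k[:-len("-support")]
            elif isinstance(v, dict):
                yield from supported_in(v)
    nsfs = doc[f"{MODULE}:sec-ctl-capabilities"]["nsf-capabilities"]["nsf"]
    return {nsf["nsf-name"]: set(supported_in(nsf)) for nsf in nsfs}


if __name__ == "__main__":
    for finding in check_advertisement(SAMPLE):
        print(finding)
    for name, caps in capability_matrix(SAMPLE).items():
        print(name, sorted(caps))
```

   The checker only inspects capability containers that are present in
   the advertisement.  Because none of the containers in the module are
   presence containers and every *-support leaf is mandatory, a strict
   YANG validator would additionally require every *-support leaf of
   every NSF entry; an advertisement that omits a group, as edge-fw-2
   omits net-sec-control-capabilities, passes here but would not pass
   such a validator.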
YANG Modules 411 This section introduces a YANG module for the information model of 412 I2NSF capability interface, as defined in the [i2nsf-cap-im]. 414 file "ietf-i2nsf-capability@2017-03-12.yang" 416 module ietf-i2nsf-capability { 417 namespace 418 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; 419 prefix 420 i2nsf-capability; 422 import ietf-inet-types{ 423 prefix inet; 424 } 426 organization 427 "IETF I2NSF (Interface to Network Security Functions) 428 Working Group"; 430 contact 431 "WG Web: 432 WG List: 434 WG Chair: Adrian Farrel 435 437 WG Chair: Linda Dunbar 438 440 Editor: Susan Hares 441 443 Editor: Jaehoon Paul Jeong 444 446 Editor: Jinyong Tim Kim 447 "; 449 description 450 "This module describes a capability model 451 for I2NSF devices."; 453 revision "2017-03-12"{ 454 description "The fourth revision"; 455 reference 456 "draft-xibassnez-i2nsf-capability-00 457 draft-hares-i2nsf-capability-data-model-01"; 458 } 460 container sec-ctl-capabilities { 461 description 462 "sec-ctl-capabilities"; 463 } 465 grouping i2nsf-net-sec-control-caps { 466 description 467 "i2nsf-net-sec-control-caps"; 468 container network-security-control { 469 description 470 "i2nsf-net-sec-control-caps"; 471 leaf nsc-support { 472 type boolean; 473 mandatory true; 474 description 475 "nsc-support"; 476 } 477 list nsc-fcn { 478 key "nsc-fcn-name"; 479 description 480 "nsc-fcn"; 481 leaf nsc-fcn-name { 482 type string; 483 mandatory true; 484 description 485 "nsc-fcn-name"; 486 } 487 } 488 } 489 } 491 grouping i2nsf-con-sec-control-caps { 492 description 493 "i2nsf-con-sec-control-caps"; 495 container content-security-control { 496 description 497 "content-security-control"; 499 container antivirus { 500 description 501 "antivirus"; 503 leaf antivirus-support { 504 type boolean; 505 mandatory true; 506 description 507 "antivirus-support"; 508 } 509 list antivirus-fcn-name { 510 key "antivirus-fcn-name"; 511 description 512 "antivirus-fcn-name"; 514 leaf antivirus-fcn-name { 
515 type string; 516 mandatory true; 517 description 518 "antivirus-fcn-name"; 519 } 520 } 521 } 523 container ips { 524 description 525 "ips"; 527 leaf ips-support { 528 type boolean; 529 mandatory true; 530 description 531 "ips-support"; 533 } 534 list ips-fcn { 535 key "ips-fcn-name"; 536 description 537 "ips-fcn"; 539 leaf ips-fcn-name { 540 type string; 541 mandatory true; 542 description 543 "ips-fcn-name"; 544 } 545 } 546 } 548 container ids { 549 description 550 "ids"; 552 leaf ids-support { 553 type boolean; 554 mandatory true; 555 description 556 "ids-support"; 557 } 558 list ids-fcn { 559 key "ids-fcn-name"; 560 description 561 "ids-fcn"; 563 leaf ids-fcn-name { 564 type string; 565 mandatory true; 566 description 567 "ids-fcn-name"; 568 } 569 } 570 } 572 container url-filter { 573 description 574 "url-filter"; 576 leaf url-filter-support { 577 type boolean; 578 mandatory true; 579 description 580 "url-filter-support"; 582 } 583 list url-filter-fcn { 584 key "url-filter-fcn-name"; 585 description 586 "url-filter-fcn"; 588 leaf url-filter-fcn-name { 589 type string; 590 mandatory true; 591 description 592 "url-filter-fcn-name"; 593 } 594 } 595 } 597 container data-filter { 598 description 599 "data-filter"; 601 leaf data-filter-support { 602 type boolean; 603 mandatory true; 604 description 605 "data-filter-support"; 606 } 607 list data-filter-fcn { 608 key "data-filter-fcn-name"; 609 description 610 "data-filter-fcn"; 612 leaf data-filter-fcn-name { 613 type string; 614 mandatory true; 615 description 616 "data-filter-fcn-name"; 617 } 618 } 619 } 621 container mail-filter { 622 description 623 "mail-filter"; 625 leaf mail-filter-support { 626 type boolean; 627 mandatory true; 628 description 629 "mail-filter-support"; 631 } 632 list mail-filter-fcn { 633 key "mail-filter-fcn-name"; 634 description 635 "mail-filter-fcn"; 637 leaf mail-filter-fcn-name { 638 type string; 639 mandatory true; 640 description 641 "mail-filter-fcn-name"; 642 } 643 } 644 } 646 
container dns-filter { 647 description 648 "dns-filter"; 650 leaf dns-filter-support { 651 type boolean; 652 mandatory true; 653 description 654 "dns-filter-support"; 655 } 656 list dns-filter-fcn { 657 key "dns-filter-fcn-name"; 658 description 659 "dns-filter-fcn"; 661 leaf dns-filter-fcn-name { 662 type string; 663 mandatory true; 664 description 665 "dns-filter-fcn-name"; 666 } 667 } 668 } 670 container ftp-filter { 671 description 672 "ftp-filter"; 674 leaf ftp-filter-support { 675 type boolean; 676 mandatory true; 677 description 678 "ftp-filter-support"; 680 } 681 list ftp-filter-fcn { 682 key "ftp-filter-fcn-name"; 683 description 684 "ftp-filter-fcn"; 686 leaf ftp-filter-fcn-name { 687 type string; 688 mandatory true; 689 description 690 "ftp-filter-fcn-name"; 691 } 692 } 693 } 695 container games-filter { 696 description 697 "games-filter"; 699 leaf games-filter-support { 700 type boolean; 701 mandatory true; 702 description 703 "games-filter-support"; 704 } 705 list games-filter-fcn { 706 key "games-filter-fcn-name"; 707 description 708 "games-filter-fcn"; 710 leaf games-filter-fcn-name { 711 type string; 712 mandatory true; 713 description 714 "games-filter-fcn-name"; 715 } 716 } 717 } 719 container p2p-filter { 720 description 721 "p2p-filter"; 723 leaf p2p-filter-support { 724 type boolean; 725 mandatory true; 726 description 727 "p2p-filter-support"; 729 } 730 list p2p-filter-fcn { 731 key "p2p-filter-fcn-name"; 732 description 733 "p2p-filter-fcn"; 735 leaf p2p-filter-fcn-name { 736 type string; 737 mandatory true; 738 description 739 "p2p-filter-fcn-name"; 740 } 741 } 742 } 744 container rpc-filter { 745 description 746 "rpc-filter"; 748 leaf rpc-filter-support { 749 type boolean; 750 mandatory true; 751 description 752 "rpc-filter-support"; 753 } 754 list rpc-filter-fcn { 755 key "rpc-filter-fcn-name"; 756 description 757 "rpc-filter-fcn"; 759 leaf rpc-filter-fcn-name { 760 type string; 761 mandatory true; 762 description 763 
"rpc-filter-fcn-name"; 764 } 765 } 766 } 768 container sql-filter { 769 description 770 "sql-filter"; 772 leaf sql-filter-support { 773 type boolean; 774 mandatory true; 775 description 776 "sql-filter-support"; 778 } 779 list sql-filter-fcn { 780 key "sql-filter-fcn-name"; 781 description 782 "sql-filter-fcn"; 784 leaf sql-filter-fcn-name { 785 type string; 786 mandatory true; 787 description 788 "sql-filter-fcn-name"; 789 } 790 } 791 } 793 container telent-filter { 794 description 795 "telent-filter"; 797 leaf telent-filter-support { 798 type boolean; 799 mandatory true; 800 description 801 "telent-filter-support"; 802 } 803 list telent-filter-fcn { 804 key "telent-filter-fcn-name"; 805 description 806 "telent-filter-fcn"; 808 leaf telent-filter-fcn-name { 809 type string; 810 mandatory true; 811 description 812 "telent-filter-fcn-name"; 813 } 814 } 815 } 817 container tftp-filter { 818 description 819 "tftp-filter"; 821 leaf tftp-filter-support { 822 type boolean; 823 mandatory true; 824 description 825 "tftp-filter-support"; 827 } 828 list tftp-filter-fcn { 829 key "tftp-filter-fcn-name"; 830 description 831 "tftp-filter-fcn"; 833 leaf tftp-filter-fcn-name { 834 type string; 835 mandatory true; 836 description 837 "tftp-filter-fcn-name"; 838 } 839 } 840 } 842 container file-blocking { 843 description 844 "file-blocking"; 846 leaf file-blocking-support { 847 type boolean; 848 mandatory true; 849 description 850 "file-blocking-support"; 851 } 852 list file-blocking-fcn { 853 key "file-blocking-fcn-name"; 854 description 855 "file-blocking-fcn"; 857 leaf file-blocking-fcn-name { 858 type string; 859 mandatory true; 860 description 861 "file-blocking-fcn-name"; 862 } 863 } 864 } 866 container file-isolate { 867 description 868 "file-isolate"; 870 leaf file-isolate-support { 871 type boolean; 872 mandatory true; 873 description 874 "file-isolate-support"; 876 } 877 list file-isolate-fcn { 878 key "file-isolate-fcn-name"; 879 description 880 "file-isolate-fcn"; 882 
leaf file-isolate-fcn-name { 883 type string; 884 mandatory true; 885 description 886 "file-isolate-fcn-name"; 887 } 888 } 889 } 891 container pkt-capture { 892 description 893 "pkt-capture"; 895 leaf pkt-capture-support { 896 type boolean; 897 mandatory true; 898 description 899 "pkt-capture-support"; 900 } 901 list pkt-capture-fcn { 902 key "pkt-capture-fcn-name"; 903 description 904 "pkt-capture-fcn"; 906 leaf pkt-capture-fcn-name { 907 type string; 908 mandatory true; 909 description 910 "pkt-capture-fcn-name"; 911 } 912 } 913 } 915 container app-control { 916 description 917 "app-control"; 919 leaf app-control-support { 920 type boolean; 921 mandatory true; 922 description 923 "app-control-support"; 925 } 926 list app-control-fcn { 927 key "app-control-fcn-name"; 928 description 929 "app-control-fcn"; 931 leaf app-control-fcn-name { 932 type string; 933 mandatory true; 934 description 935 "app-control-fcn-name"; 936 } 937 } 938 } 940 container voip-volte { 941 description 942 "voip-volte"; 944 leaf voip-volte-support { 945 type boolean; 946 mandatory true; 947 description 948 "voip-volte-support"; 949 } 950 list voip-volte-fcn { 951 key "voip-volte-fcn-name"; 952 description 953 "voip-volte-fcn"; 955 leaf voip-volte-fcn-name { 956 type string; 957 mandatory true; 958 description 959 "voip-volte-fcn-name"; 960 } 961 } 962 } 963 } 964 } 966 grouping i2nsf-attack-mitigation-control-caps { 967 description 968 "i2nsf-attack-mitigation-control-caps"; 970 container attack-mitigation-control { 971 description 972 "attack-mitigation-control"; 974 choice attack-mitigation-control-type { 975 description 976 "attack-mitigation-control-type"; 977 case ddos-attack { 978 description 979 "ddos-attack"; 980 choice ddos-attack-type { 981 description 982 "ddos-attack-type"; 983 case network-layer-ddos-attack { 984 description 985 "network-layer-ddos-attack"; 986 container network-layer-ddos-attack-types { 987 description 988 "network-layer-ddos-attack-type"; 989 container 
syn-flood-attack { 990 description 991 "syn-flood-attack"; 992 leaf syn-flood-attack-support { 993 type boolean; 994 mandatory true; 995 description 996 "syn-flood-attack-support"; 997 } 998 list syn-flood-fcn { 999 key "syn-flood-fcn-name"; 1000 description 1001 "syn-flood-fcn"; 1002 leaf syn-flood-fcn-name { 1003 type string; 1004 mandatory true; 1005 description 1006 "syn-flood-fcn-name"; 1007 } 1008 } 1009 } 1010 container udp-flood-attack { 1011 description 1012 "udp-flood-attack"; 1013 leaf udp-flood-attack-support { 1014 type boolean; 1015 mandatory true; 1016 description 1017 "udp-flood-attack-support"; 1018 } 1019 list udp-flood-fcn { 1020 key "udp-flood-fcn-name"; 1021 description 1022 "udp-flood-fcn"; 1023 leaf udp-flood-fcn-name { 1024 type string; 1025 mandatory true; 1026 description 1027 "udp-flood-fcn-name"; 1028 } 1029 } 1030 } 1031 container icmp-flood-attack { 1032 description 1033 "icmp-flood-attack"; 1034 leaf icmp-flood-attack-support { 1035 type boolean; 1036 mandatory true; 1037 description 1038 "icmp-flood-attack-support"; 1039 } 1040 list icmp-flood-fcn { 1041 key "icmp-flood-fcn-name"; 1042 description 1043 "icmp-flood-fcn"; 1044 leaf icmp-flood-fcn-name { 1045 type string; 1046 mandatory true; 1047 description 1048 "icmp-flood-fcn-name"; 1049 } 1050 } 1051 } 1052 container ip-fragment-flood-attack { 1053 description 1054 "ip-fragment-flood-attack"; 1055 leaf ip-fragment-flood-attack-support { 1056 type boolean; 1057 mandatory true; 1058 description 1059 "ip-fragment-flood-attack-support"; 1060 } 1061 list frag-flood-fcn { 1062 key "ip-frag-flood-fcn-name"; 1063 description 1064 "frag-flood-fcn"; 1065 leaf ip-frag-flood-fcn-name { 1066 type string; 1067 mandatory true; 1068 description 1069 "ip-frag-flood-fcn-name"; 1071 } 1072 } 1073 } 1074 container ipv6-related-attack { 1075 description 1076 "ipv6-related-attack"; 1077 leaf ipv6-related-attack-support { 1078 type boolean; 1079 mandatory true; 1080 description 1081 
                      "ipv6-related-attack-support";
                  }
                  list ipv6-related-fcn {
                    key "ipv6-related-fcn-name";
                    description
                      "ipv6-related-fcn";
                    leaf ipv6-related-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "ipv6-related-fcn-name";
                    }
                  }
                }
              }
            }
            case app-layer-ddos-attack {
              description
                "app-layer-ddos-attack";
              container app-layer-ddos-attack-types {
                description
                  "app-layer-ddos-attack-types";
                container http-flood-attack {
                  description
                    "http-flood-attack";
                  leaf http-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "http-flood-attack-support";
                  }
                  list http-flood-fcn {
                    key "http-flood-fcn-name";
                    description
                      "http-flood-fcn";
                    leaf http-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "http-flood-fcn-name";
                    }
                  }
                }
                container https-flood-attack {
                  description
                    "https-flood-attack";
                  leaf https-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "https-flood-attack-support";
                  }
                  list https-flood-fcn {
                    key "https-flood-fcn-name";
                    description
                      "https-flood-fcn";
                    leaf https-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "https-flood-fcn-name";
                    }
                  }
                }
                container dns-flood-attack {
                  description
                    "dns-flood-attack";
                  leaf dns-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "dns-flood-attack-support";
                  }
                  list dns-flood-fcn {
                    key "dns-flood-fcn-name";
                    description
                      "dns-flood-fcn";
                    leaf dns-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "dns-flood-fcn-name";
                    }
                  }
                }
                container dns-amp-flood-attack {
                  description
                    "dns-amp-flood-attack";
                  leaf dns-amp-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "dns-amp-flood-attack-support";
                  }
                  list dns-amp-flood-fcn {
                    key "dns-amp-flood-fcn-name";
                    description
                      "dns-amp-flood-fcn";
                    leaf dns-amp-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "dns-amp-flood-fcn-name";
                    }
                  }
                }
                container ssl-ddos-attack {
                  description
                    "ssl-ddos-attack";
                  leaf ssl-ddos-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "ssl-ddos-attack-support";
                  }
                  list ssl-ddos-fcn {
                    key "ssl-ddos-fcn-name";
                    description
                      "ssl-ddos-fcn";
                    leaf ssl-ddos-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "ssl-ddos-fcn-name";
                    }
                  }
                }
              }
            }
          }
        }

        case single-packet-attack {
          description
            "single-packet-attack";
          choice single-packet-attack-type {
            description
              "single-packet-attack-type";
            case scan-and-sniff-attack {
              description
                "scan-and-sniff-attack";
              container ip-sweep-attack {
                description
                  "ip-sweep-attack";
                leaf ip-sweep-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "ip-sweep-attack-support";
                }
                list ip-sweep-fcn {
                  key "ip-sweep-fcn-name";
                  description
                    "ip-sweep-fcn";
                  leaf ip-sweep-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "ip-sweep-fcn-name";
                  }
                }
              }
              container port-scanning-attack {
                description
                  "port-scanning-attack";
                leaf port-scanning-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "port-scanning-attack-support";
                }
                list port-scanning-fcn {
                  key "port-scanning-fcn-name";
                  description
                    "port-scanning-fcn";
                  leaf port-scanning-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "port-scanning-fcn-name";
                  }
                }
              }
            }
            case malformed-packet-attack {
              description
                "malformed-packet-attack";
              container ping-of-death-attack {
                description
                  "ping-of-death-attack";
                leaf ping-of-death-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "ping-of-death-attack-support";
                }
                list ping-of-death-fcn {
                  key "ping-of-death-fcn-name";
                  description
                    "ping-of-death-fcn";
                  leaf ping-of-death-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "ping-of-death-fcn-name";
                  }
                }
              }
              container teardrop-attack {
                description
                  "teardrop-attack";
                leaf teardrop-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "teardrop-attack-support";
                }
                list tear-drop-fcn {
                  key "tear-drop-fcn-name";
                  description
                    "tear-drop-fcn";
                  leaf tear-drop-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "tear-drop-fcn-name";
                  }
                }
              }
            }
            case special-packet-attack {
              description
                "special-packet-attack";
              container oversized-icmp-attack {
                description
                  "oversized-icmp-attack";
                leaf oversized-icmp-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "oversized-icmp-attack-support";
                }
                list oversized-icmp-fcn {
                  key "oversized-icmp-fcn-name";
                  description
                    "oversized-icmp-fcn";
                  leaf oversized-icmp-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "oversized-icmp-fcn-name";
                  }
                }
              }
              container tracert-attack {
                description
                  "tracert-attack";
                leaf tracert-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "tracert-attack-support";
                }
                list tracert-fcn {
                  key "tracert-fcn-name";
                  description
                    "tracert-fcn";
                  leaf tracert-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "tracert-fcn-name";
                  }
                }
              }
            }
          }
        }
      }
    }
  }

  grouping i2nsf-it-resources {
    description
      "i2nsf-it-resource";
    list it-resources {
      key "it-resource-id";
      description
        "it-resource";
      leaf it-resource-id {
        type uint64;
        mandatory true;
        description
          "it-resource-id";
      }
      leaf it-resource-name {
        type string;
        mandatory true;
        description
          "it-resource-name";
      }
    }
  }

  container nsf-capabilities {
    description
      "nsf-capabilities";

    list nsf {
      key "nsf-name";
      description
        "nsf";
      leaf nsf-name {
        type string;
        mandatory true;
        description
          "nsf-name";
      }
      container nsf-address {
        description
          "nsf-address";
        choice nsf-address-type {
          description
            "nsf address type: ipv4 and ipv6";
          case ipv4-address {
            description
              "ipv4 case";
            leaf ipv4-address {
              type inet:ipv4-address;
              mandatory true;
              description
                "nsf address type is ipv4";
            }
          }
          case ipv6-address {
            description
              "ipv6 case";
            leaf ipv6-address {
              type inet:ipv6-address;
              mandatory true;
              description
                "nsf address type is ipv6";
            }
          }
        }
      }

      container net-sec-control-capabilities {
        uses i2nsf-net-sec-control-caps;
        description
          "net-sec-control-capabilities";
      }
      container con-sec-control-capabilities {
        uses i2nsf-con-sec-control-caps;
        description
          "con-sec-control-capabilities";
      }
      container attack-mitigation-capabilities {
        uses i2nsf-attack-mitigation-control-caps;
        description
          "attack-mitigation-capabilities";
      }
      container it-resource {
        uses i2nsf-it-resources;
        description
          "it-resource";
      }
    }
  }
}

           Figure 6: Data Model of I2NSF Capability Interface

6.  IANA Considerations

   No IANA considerations exist for this document at this time.  The
   URL will be added.
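   The following is an added illustration and not code from the draft:
   it builds one entry of the "nsf" list from the nsf-capabilities
   container in Figure 6 as a JSON instance and checks it against the
   constraints the model states in this excerpt (mandatory leaves, the
   ipv4/ipv6 address choice, the "<x>-attack-support" boolean in each
   "<x>-attack" container, the "<x>-fcn" lists keyed by "<x>-fcn-name",
   and the uint64 "it-resource-id" key).  The JSON layout follows the
   style RFC 7951 defines for YANG data, but, as an assumption, the
   module-name prefix and the containers that sit above
   "app-layer-ddos-attack-types" in the grouping are omitted because
   they lie outside this excerpt; the NSF names, addresses and function
   names are constructed sample values.  A security controller should
   apply checks of this kind to every capability advertisement it
   receives before it schedules work on the advertised functions.

```python
"""Added example (not part of the draft): build and validate one entry of the
'nsf' list defined by the nsf-capabilities container in Figure 6.  Module
prefix and the containers above app-layer-ddos-attack-types are omitted
(assumption); all sample values below are constructed."""
import ipaddress

UINT64_MAX = 2 ** 64 - 1


def _check_attack_containers(node, path=""):
    """Walk the attack-mitigation subtree: each '<x>-attack' container needs a
    mandatory boolean '<x>-attack-support', and each '<y>-fcn' node must be a
    list whose entries carry a unique string key '<y>-fcn-name'."""
    errors = []
    for key, value in node.items():
        here = f"{path}/{key}"
        if key.endswith("-attack") and isinstance(value, dict):
            if not isinstance(value.get(f"{key}-support"), bool):
                errors.append(f"{here}: mandatory boolean {key}-support missing")
        if key.endswith("-fcn"):
            if not isinstance(value, list):
                errors.append(f"{here}: must be a list")
                continue
            names = [e.get(f"{key}-name") if isinstance(e, dict) else None
                     for e in value]
            if not all(isinstance(n, str) for n in names):
                errors.append(f"{here}: every entry needs a string {key}-name key")
            elif len(set(names)) != len(names):
                errors.append(f"{here}: duplicate list key {key}-name")
        if isinstance(value, dict):
            errors.extend(_check_attack_containers(value, here))
    return errors


def validate_nsf_entry(nsf):
    """Return the constraint violations for one 'nsf' entry ([] means valid)."""
    errors = []
    # leaf nsf-name: type string, mandatory true (also the list key)
    if not isinstance(nsf.get("nsf-name"), str):
        errors.append("nsf-name: mandatory string missing")
    # choice nsf-address-type: exactly one case, value must parse in that family
    addr = nsf.get("nsf-address", {})
    present = [c for c in ("ipv4-address", "ipv6-address") if c in addr]
    if len(present) != 1:
        errors.append("nsf-address: exactly one of ipv4-address/ipv6-address required")
    else:
        case = present[0]
        family = ipaddress.IPv4Address if case == "ipv4-address" else ipaddress.IPv6Address
        try:
            family(addr[case])
        except (ValueError, TypeError):
            errors.append(f"nsf-address: {addr[case]!r} is not a valid {case}")
    errors.extend(_check_attack_containers(nsf.get("attack-mitigation-capabilities", {})))
    # list it-resources: key it-resource-id is a uint64; it-resource-name mandatory
    seen = set()
    for res in nsf.get("it-resource", {}).get("it-resources", []):
        rid = res.get("it-resource-id")
        if isinstance(rid, bool) or not isinstance(rid, int) or not 0 <= rid <= UINT64_MAX:
            errors.append(f"it-resources: it-resource-id {rid!r} is not a uint64")
        elif rid in seen:
            errors.append(f"it-resources: duplicate key it-resource-id {rid}")
        seen.add(rid)
        if not isinstance(res.get("it-resource-name"), str):
            errors.append(f"it-resources[{rid!r}]: mandatory it-resource-name missing")
    return errors


# Constructed sample: an NSF advertising two app-layer DDoS capabilities.
SAMPLE_NSF = {
    "nsf-name": "edge-scrubber-1",
    "nsf-address": {"ipv6-address": "2001:db8::10"},
    "attack-mitigation-capabilities": {
        "app-layer-ddos-attack-types": {
            "http-flood-attack": {
                "http-flood-attack-support": True,
                "http-flood-fcn": [{"http-flood-fcn-name": "per-source-rate-limit"},
                                   {"http-flood-fcn-name": "http-challenge"}],
            },
            "dns-flood-attack": {"dns-flood-attack-support": False, "dns-flood-fcn": []},
        }
    },
    "it-resource": {"it-resources": [{"it-resource-id": 1, "it-resource-name": "web-farm"}]},
}

# Constructed sample with four violations: both address cases present, a
# missing support leaf, a duplicate fcn key and an out-of-range resource id.
BAD_NSF = {
    "nsf-name": "misconfigured",
    "nsf-address": {"ipv4-address": "192.0.2.1", "ipv6-address": "2001:db8::1"},
    "attack-mitigation-capabilities": {
        "app-layer-ddos-attack-types": {
            "https-flood-attack": {
                "https-flood-fcn": [{"https-flood-fcn-name": "a"}, {"https-flood-fcn-name": "a"}],
            }
        }
    },
    "it-resource": {"it-resources": [{"it-resource-id": -1, "it-resource-name": "x"}]},
}

if __name__ == "__main__":
    print("valid sample:", validate_nsf_entry(SAMPLE_NSF))
    print("invalid sample:", validate_nsf_entry(BAD_NSF))
```

   The walker keys on the naming convention the model uses throughout
   ("<x>-attack" containers with a "<x>-attack-support" leaf and a
   "-fcn" list), so it also covers the single-packet-attack containers
   without listing them by name; it does not enforce the mutual
   exclusion between the top-level attack cases, because the choice that
   encloses them is defined above this excerpt.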
7.  Security Considerations

   This document introduces no additional security threats and SHOULD
   follow the security requirements as stated in [i2nsf-framework].

8.  Acknowledgements

   This work was supported by Institute for Information & communications
   Technology Promotion (IITP) grant funded by the Korea government
   (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
   Technology Development for the Customized Security Service
   Provisioning).

   This document has greatly benefited from inputs by Daeyoung Hyun,
   Hyoungshick Kim, Jung-Soo Park, Tae-Jin Ahn, and Se-Hui Lee.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

9.2.  Informative References

   [i2nsf-cap-im]
              Xia, L., Strassner, J., Zhang, D., Li, K., Basile, C.,
              Lioy, A., Lopez, D., Lopez, E., BOUTHORS, N., and L. Fang,
              "Information Model of NSFs Capabilities",
              draft-xibassnez-i2nsf-capability-00 (work in progress),
              November 2016.

   [i2nsf-problem-statement]
              Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "I2NSF Problem Statement and Use cases",
              (work in progress), March 2017.

   [i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-03 (work in
              progress), March 2017.

   [i2rs-rib-data-model]
              Wang, L., Ananthakrishnan, H., Chen, M., Dass, A., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", draft-ietf-i2rs-rib-data-model-07
              (work in progress), January 2017.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)",
              draft-ietf-supa-generic-policy-info-model-02 (work in
              progress), January 2017.

   [i2nsf-framework]
              Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", draft-ietf-i2nsf-framework-04 (work in
              progress), October 2016.

Appendix A.  Changes from draft-hares-i2nsf-capability-data-model-00

   The following changes are made from
   draft-hares-i2nsf-capability-data-model-00:

   o  IPv6 is supported for the addresses of NSF devices.

   o  Content Security Control is supported for various content-based
      security services, such as dns-filter, ftp-filter, games-filter,
      p2p-filter, rpc-filter, sql-filter, telnet-filter, and
      tftp-filter.

Authors' Addresses

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com


   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com


   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   Phone:
   EMail: Frank.xialiang@huawei.com


   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php


   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: wlsdyd0930@nate.com