idnits 2.17.1

draft-hares-i2nsf-capability-data-model-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 199 has weird spacing: '...cn-name strin...'

  == Line 218 has weird spacing: '...cn-name strin...'

  == Line 223 has weird spacing: '...cn-name strin...'

  == Line 228 has weird spacing: '...cn-name strin...'

  == Line 233 has weird spacing: '...cn-name strin...'

  == (32 more instances...)

  -- The document date (July 3, 2017) is 2487 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '2015' on line 182

     Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                           S. Hares
3     Internet-Draft                                                    Huawei
4     Intended status: Standards Track                                J. Jeong
5     Expires: January 4, 2018                                          J. Kim
6                                                      Sungkyunkwan University
7                                                                 R. Moskowitz
8                                                               HTT Consulting
9                                                                       L. Xia
10                                                                      Huawei
11                                                                July 3, 2017

13                        I2NSF Capability YANG Data Model
14                   draft-hares-i2nsf-capability-data-model-02

16    Abstract

18       This document defines a YANG data model for capabilities that enables
19       an I2NSF user to control various network security functions in
20       network security devices via an I2NSF security controller.

22    Status of This Memo

24       This Internet-Draft is submitted to IETF in full conformance with the
25       provisions of BCP 78 and BCP 79.

27       Internet-Drafts are working documents of the Internet Engineering
28       Task Force (IETF), its areas, and its working groups.  Note that
29       other groups may also distribute working documents as Internet-
30       Drafts.

32       Internet-Drafts are draft documents valid for a maximum of six months
33       and may be updated, replaced, or obsoleted by other documents at any
34       time.  It is inappropriate to use Internet-Drafts as reference
35       material or to cite them other than as "work in progress."

37       The list of current Internet-Drafts can be accessed at
38       http://www.ietf.org/ietf/1id-abstracts.txt.

40       The list of Internet-Draft Shadow Directories can be accessed at
41       http://www.ietf.org/shadow.html.

43       This Internet-Draft will expire on January 4, 2018.

45    Copyright Notice

47       Copyright (c) 2017 IETF Trust and the persons identified as the
48       document authors.  All rights reserved.

50       This document is subject to BCP 78 and the IETF Trust's Legal
51       Provisions Relating to IETF Documents
52       (http://trustee.ietf.org/license-info) in effect on the date of
53       publication of this document.  Please review these documents
54       carefully, as they describe your rights and restrictions with respect
55       to this document.  Code Components extracted from this document must
56       include Simplified BSD License text as described in Section 4.e of
57       the Trust Legal Provisions and are provided without warranty as
58       described in the Simplified BSD License.

60    Table of Contents

62       1.  Introduction
63       2.  Requirements Language
64       3.  Terminology
65         3.1.  Tree Diagrams
66       4.  High-Level YANG
67         4.1.  Capabilities per NSF
68         4.2.  Network Security Control
69         4.3.  Content Security Control
70         4.4.  Attack Mitigation Control
71         4.5.  Information on Capabilities
72         4.6.  Location for Capabilities
73         4.7.  IT Resources linked to Capabilities
74         4.8.  Actions
75       5.  YANG Modules
76       6.  IANA Considerations
77       7.  Security Considerations
78       8.  Acknowledgements
79       9.  References
80         9.1.  Normative References
81         9.2.  Informative References
82       Appendix A.  Changes from
83                    draft-hares-i2nsf-capability-data-model-01

85    1.  Introduction

87       [i2nsf-problem-statement] proposes two different types of interfaces:

89       o  Interface between I2NSF user and I2NSF security controller called
90          I2NSF consumer-facing interface

92       o  Interface between I2NSF security controller and network security
93          functions (NSFs) called I2NSF NSF-facing interface

95       This document provides a YANG model that defines the capabilities for
96       security devices that can be utilized by I2NSF NSF-facing interface
97       between the I2NSF security controller and the NSF devices to express
98       the capabilities of NSF devices.  This YANG model can also be used by
99       the I2NSF user (or I2NSF client) to provide security controller with
100      a complete list of the I2NSF capabilities that can be controlled by
101      security controller.  This document defines a YANG [RFC6020] data
102      model based on [i2nsf-nsf-cap-im].  Terms used in this document are
103      defined in [i2nsf-terminology].  [i2nsf-nsf-cap-im] defines the
104      following types of functionality in NSFs:

106      o  Network Security Control

108      o  Content Security Control

110      o  Attack Mitigation Control

112      This document contains high-level YANG for each type of control.

114   2.  Requirements Language

116      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
117      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
118      document are to be interpreted as described in [RFC2119].

120   3.  Terminology

122      This document uses the terminology described in [i2nsf-nsf-cap-im]
123      [i2rs-rib-data-model][supa-policy-info-model].  In particular, the
124      following terms are from [supa-policy-info-model]:

126      o  Data Model: A data model is a representation of concepts of
127         interest to an environment in a form that is dependent on data
128         repository, data definition language, query language,
129         implementation language, and protocol.

131      o  Information Model: An information model is a representation of
132         concepts of interest to an environment in a form that is
133         independent of data repository, data definition language, query
134         language, implementation language, and protocol.

136   3.1.  Tree Diagrams

138      A simplified graphical representation of the data model is used in
139      this document.  The meaning of the symbols in these diagrams
140      [i2rs-rib-data-model] is as follows:

142      o  Brackets "[" and "]" enclose list keys.

144      o  Abbreviations before data node names: "rw" means configuration
145         (read-write) and "ro" state data (read-only).

147      o  Symbols after data node names: "?" means an optional node and "*"
148         denotes a "list" and "leaf-list".

150      o  Parentheses enclose choice and case nodes, and case nodes are also
151         marked with a colon (":").

153      o  Ellipsis ("...") stands for contents of subtrees that are not
154         shown.

156   4.  High-Level YANG

158      This section provides an overview of the high-level YANG.

160   4.1.  Capabilities per NSF

162      The high-level YANG for the capabilities of each NSF device,
163      controller, or application is the following:

165      module : ietf-i2nsf-capability
166        +--rw sec-ctl-capabilities
167           +--rw nsf-capabilities* [nsf-capabilities-id]
168              +--rw nsf-capabilities-id  uint8
169              +--rw net-sec-control-capabilities
170              |  uses i2nsf-net-sec-control-caps
171              +--rw con-sec-control-capabilities
172              |  uses i2nsf-con-sec-control-caps
173              +--rw attack-mitigation-capabilities
174              |  uses i2nsf-attack-mitigation-control-caps

176           Figure 1: High-Level YANG of I2NSF Capability Interface

178      Each of these sections mirrors a section in [i2nsf-nsf-cap-im].  The
179      subsections below give the high-level YANG for net-sec-control-
180      capabilities, con-sec-control-capabilities, and attack-mitigation-
181      capabilities.  This draft also utilizes the concepts originated in
182      Basile, Lioy, Pitscheider, and Zhao[2015] concerning conflict
183      resolution, use of external data, and IT-Resources.  The authors are
184      grateful to Cataldo for pointing out this excellent work.

186   4.2.  Network Security Control

188      This section expands the following section of the top-level model:

190      +--rw net-sec-control-capabilities
191      |  uses i2nsf-net-sec-control-caps

193      Network Security Control

195      +--rw i2nsf-net-sec-control-caps
196         +--rw network-security-control
197            +--rw nsc-support?  boolean
198            +--rw nsc-fcn* [nsc-fcn-name]
199               +--rw nsc-fcn-name  string  //std or vendor name
200               |  uses capabilities-information

202           Figure 2: High-Level YANG of Network Security Control

204   4.3.  Content Security Control

206      This section expands the following section of the top-level model:

208      +--rw con-sec-control-capabilities
209      |  uses i2nsf-con-sec-control-caps

211      Content Security Control

213      +--rw i2nsf-con-sec-control-caps
214         +--rw content-security-control
215            +--rw antivirus
216            |  +--rw antivirus-support?  boolean
217            |  +--rw antivirus-fcn* [antivirus-fcn-name]
218            |     +--rw antivirus-fcn-name  string  //std or vendor name
219            |     uses capabilities-information
220            +--rw ips
221            |  +--rw ips-support?  boolean
222            |  +--rw ips-fcn* [ips-fcn-name]
223            |     +--rw ips-fcn-name  string  //std or vendor name
224            |     uses capabilities-information
225            +--rw ids
226            |  +--rw ids-support?  boolean
227            |  +--rw ids-fcn* [ids-fcn-name]
228            |     +--rw ids-fcn-name  string  //std or vendor name
229            |     uses capabilities-information
230            +--rw url-filter
231            |  +--rw url-filter-support?  boolean
232            |  +--rw url-filter-fcn* [url-filter-fcn-name]
233            |     +--rw url-filter-fcn-name  string  //std or vendor name
234            |     uses capabilities-information
235            +--rw data-filter
236            |  +--rw data-filter-support?  boolean
237            |  +--rw data-filter-fcn* [data-filter-fcn-name]
238            |     +--rw data-filter-fcn-name  string  //std or vendor name
239            |     uses capabilities-information
240            +--rw mail-filter
241            |  +--rw mail-filter-support?  boolean
242            |  +--rw mail-filter-fcn* [mail-filter-fcn-name]
243            |     +--rw mail-filter-fcn-name  string  //std or vendor name
244            |     uses capabilities-information
245            +--rw dns-filter
246            |  +--rw dns-filter-support?  boolean
247            |  +--rw dns-filter-fcn* [dns-filter-fcn-name]
248            |     +--rw dns-filter-fcn-name  string  //std or vendor name
249            |     uses capabilities-information
250            +--rw ftp-filter
251            |  +--rw ftp-filter-support?  boolean
252            |  +--rw ftp-filter-fcn* [ftp-filter-fcn-name]
253            |     +--rw ftp-filter-fcn-name  string  //std or vendor name
254            |     uses capabilities-information
255            +--rw games-filter
256            |  +--rw games-filter-support?  boolean
257            |  +--rw games-filter-fcn* [games-filter-fcn-name]
258            |     +--rw games-filter-fcn-name  string  //std or vendor name
259            |     uses capabilities-information
260            +--rw p2p-filter
261            |  +--rw p2p-filter-support?  boolean
262            |  +--rw p2p-filter-fcn* [p2p-filter-fcn-name]
263            |     +--rw p2p-filter-fcn-name  string  //std or vendor name
264            |     uses capabilities-information
265            +--rw rpc-filter
266            |  +--rw rpc-filter-support?  boolean
267            |  +--rw rpc-filter-fcn* [rpc-filter-fcn-name]
268            |     +--rw rpc-filter-fcn-name  string  //std or vendor name
269            |     uses capabilities-information
270            +--rw sql-filter
271            |  +--rw sql-filter-support?  boolean
272            |  +--rw sql-filter-fcn* [sql-filter-fcn-name]
273            |     +--rw sql-filter-fcn-name  string  //std or vendor name
274            |     uses capabilities-information
275            +--rw telnet-filter
276            |  +--rw telnet-filter-support?  boolean
277            |  +--rw telnet-filter-fcn* [telnet-filter-fcn-name]
278            |     +--rw telnet-filter-fcn-name  string  //std or vendor name
279            |     uses capabilities-information
280            +--rw tftp-filter
281            |  +--rw tftp-filter-support?  boolean
282            |  +--rw tftp-filter-fcn* [tftp-filter-fcn-name]
283            |     +--rw tftp-filter-fcn-name  string  //std or vendor name
284            |     uses capabilities-information
285            +--rw file-blocking
286            |  +--rw file-blocking-support?  boolean
287            |  +--rw file-blocking-fcn* [file-blocking-fcn-name]
288            |     +--rw file-blocking-fcn-name  string  //std or vendor name
289            |     uses capabilities-information
290            +--rw pkt-capture
291            |  +--rw pkt-capture-support?  boolean
292            |  +--rw pkt-capture-fcn* [pkt-capture-fcn-name]
293            |     +--rw pkt-capture-fcn-name  string  //std or vendor name
294            |     uses capabilities-information
295            +--rw app-control
296            |  +--rw app-control-support?  boolean
297            |  +--rw app-control-fcn* [app-control-fcn-name]
298            |     +--rw app-control-fcn-name  string  //std or vendor name
299            |     uses capabilities-information
300            +--rw voip-volte
301               +--rw voip-volte-support?  boolean
302               +--rw voip-volte-fcn* [voip-volte-fcn-name]
303                  +--rw voip-volte-fcn-name  string  //std or vendor name
304                  uses capabilities-information

306           Figure 3: High-Level YANG of Content Security Control

308   4.4.  Attack Mitigation Control

310      This high-level YANG below expands the following section of the top-
311      level model:

313      +--rw attack-mitigation-capabilities
314      |  uses i2nsf-attack-mitigation-control-caps

316      Attack Mitigation Control

318      +--rw i2nsf-attack-mitigation-control-caps
319         +--rw attack-mitigation-control
320            +--rw (attack-mitigation-control-type)?
321               +--:(ddos-attack)
322               |  +--rw (ddos-attack-type)?
323               |     +--:(network-layer-ddos-attack)
324               |     |  +--rw network-layer-ddos-attack-types
325               |     |     +--rw syn-flood-attack
326               |     |     |  +--rw syn-flood-attack-support?  boolean
327               |     |     |  +--rw syn-flood-fcn* [syn-flood-fcn-name]
328               |     |     |     +--rw syn-flood-fcn-name  string
329               |     |     |     uses capabilities-information
330               |     |     +--rw udp-flood-attack
331               |     |     |  +--rw udp-flood-attack-support?  boolean
332               |     |     |  +--rw udp-flood-fcn* [udp-flood-fcn-name]
333               |     |     |     +--rw udp-flood-fcn-name  string
334               |     |     |     uses capabilities-information
335               |     |     +--rw icmp-flood-attack
336               |     |     |  +--rw icmp-flood-attack-support?  boolean
337               |     |     |  +--rw icmp-flood-fcn* [icmp-flood-fcn-name]
338               |     |     |     +--rw icmp-flood-fcn-name  string
339               |     |     |     uses capabilities-information
340               |     |     +--rw ip-fragment-flood-attack
341               |     |     |  +--rw ip-fragment-flood-attack-support?  boolean
342               |     |     |  +--rw ip-frag-flood-fcn* [ip-frag-flood-fcn-name]
343               |     |     |     +--rw ip-frag-flood-fcn-name  string
344               |     |     |     uses capabilities-information
345               |     |     +--rw ipv6-related-attack
346               |     |        +--rw ipv6-related-attack-support?  boolean
347               |     |        +--rw ipv6-related-fcn* [ipv6-related-fcn-name]
348               |     |           +--rw ipv6-related-fcn-name  string
349               |     |           uses capabilities-information
350               |     +--:(app-layer-ddos-attack)
351               |        +--rw app-layer-ddos-attack-types
352               |           +--rw http-flood-attack
353               |           |  +--rw http-flood-attack-support?  boolean
354               |           |  +--rw http-flood-fcn* [http-flood-fcn-name]
355               |           |     +--rw http-flood-fcn-name  string
356               |           |     uses capabilities-information
357               |           +--rw https-flood-attack
358               |           |  +--rw https-flood-attack-support?  boolean
359               |           |  +--rw https-flood-fcn* [https-flood-fcn-name]
360               |           |     +--rw https-flood-fcn-name  string
361               |           |     uses capabilities-information
362               |           +--rw dns-flood-attack
363               |           |  +--rw dns-flood-attack-support?  boolean
364               |           |  +--rw dns-flood-fcn* [dns-flood-fcn-name]
365               |           |     +--rw dns-flood-fcn-name  string
366               |           |     uses capabilities-information
367               |           +--rw dns-amp-flood-attack
368               |           |  +--rw dns-amp-flood-attack-support?  boolean
369               |           |  +--rw dns-amp-flood-fcn* [dns-amp-flood-fcn-name]
370               |           |     +--rw dns-amp-flood-fcn-name  string
371               |           |     uses capabilities-information
372               |           +--rw ssl-ddos-attack
373               |              +--rw ssl-ddos-attack-support?  boolean
374               |              +--rw ssl-ddos-fcn* [ssl-ddos-fcn-name]
375               |                 +--rw ssl-ddos-fcn-name  string
376               |                 uses capabilities-information
377               +--:(single-packet-attack)
378                  +--rw (single-packet-attack-type)?
379                     +--:(scan-and-sniff-attack)
380                     |  +--rw ip-sweep-attack
381                     |  |  +--rw ip-sweep-attack-support?  boolean
382                     |  |  +--rw ip-sweep-fcn* [ip-sweep-fcn-name]
383                     |  |     +--rw ip-sweep-fcn-name  string
384                     |  |     uses capabilities-information
385                     |  +--rw port-scanning-attack
386                     |     +--rw port-scanning-attack-support?  boolean
387                     |     +--rw port-scanning-fcn* [port-scanning-fcn-name]
388                     |        +--rw port-scanning-fcn-name  string
389                     |        uses capabilities-information
390                     +--:(malformed-packet-attack)
391                     |  +--rw ping-of-death-attack
392                     |  |  +--rw ping-of-death-attack-support?  boolean
393                     |  |  +--rw ping-of-death-fcn* [ping-of-death-fcn-name]
394                     |  |     +--rw ping-of-death-fcn-name  string
395                     |  |     uses capabilities-information
396                     |  +--rw teardrop-attack
397                     |     +--rw teardrop-attack-support?  boolean
398                     |     +--rw tear-drop-fcn* [tear-drop-fcn-name]
399                     |        +--rw tear-drop-fcn-name  string
400                     |        uses capabilities-information
401                     +--:(special-packet-attack)
402                        +--rw oversized-icmp-attack
403                        |  +--rw oversized-icmp-attack-support?  boolean
404                        |  +--rw oversized-icmp-fcn* [oversized-icmp-fcn-name]
405                        |     +--rw oversized-icmp-fcn-name  string
406                        |     uses capabilities-information
407                        +--rw tracert-attack
408                           +--rw tracert-attack-support?  boolean
409                           +--rw tracert-fcn* [tracert-fcn-name]
410                              +--rw tracert-fcn-name  string
411                              uses capabilities-information

413           Figure 4: High-Level YANG of Attack Mitigation Control

415   4.5.  Information on Capabilities

417      This section provides information on capabilities: the location of
418      the capabilities and the IT resources linked to them.  Additional
419      input is needed.

421      Capabilities Information

423      +--rw capabilities-information
424         +--rw nsf-location
425         |  uses i2nsf-nsf-location
426         +--rw it-resources
427            uses i2nsf-it-resources

429           Figure 5: High-Level YANG of Information on Capabilities

431   4.6.  Location for Capabilities

433      This section provides the location for capabilities.  Additional
434      input is needed.

436      +--rw nsf-location
437      |  uses i2nsf-nsf-location

439      NSF Location

441      +--rw i2nsf-nsf-location
442         +--rw nsf-address
443            +--rw (nsf-address-type)?
444               +--:(ipv4-address)
445               |  +--rw ipv4-address  inet:ipv4-address
446               +--:(ipv6-address)
447                  +--rw ipv6-address  inet:ipv6-address

449           Figure 6: High-Level YANG of Capabilities Location

451   4.7.  IT Resources linked to Capabilities

453      This section provides a link between capabilities and IT resources,
454      given as a list of IT resources by name.  Additional input is
455      needed.

457      +--rw it-resources
458      |  uses i2nsf-it-resources

460      IT Resource

462      +--rw i2nsf-it-resources
463         +--rw it-resources* [it-resource-id]
464            +--rw it-resource-id  uint64
465            +--rw it-resource-name  string

467           Figure 7: High-Level YANG of IT Resources

469   4.8.  Actions

471      Notifications indicate when rules are added or deleted.  These
472      notifications will be defined later.

474   5.  YANG Modules

476      This section introduces a YANG module for the information model of
477      the I2NSF capability interface, as defined in [i2nsf-nsf-cap-im].

479   file "ietf-i2nsf-capability@2017-07-03.yang"

481   module ietf-i2nsf-capability {
482     namespace
483       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
484     prefix
485       i2nsf-capability;

487     import ietf-inet-types{
488       prefix inet;
489     }

491     organization
492       "IETF I2NSF (Interface to Network Security Functions)
493        Working Group";

495     contact
496       "WG Web:
497        WG List:

499        WG Chair: Adrian Farrel
500

502        WG Chair: Linda Dunbar
503

505        Editor: Susan Hares
506

508        Editor: Jaehoon Paul Jeong
509

511        Editor: Jinyong Tim Kim
512        ";

514     description
515       "This module describes a capability model
516        for I2NSF devices.";

518     revision "2017-07-03"{
519       description "The second revision";
520       reference
521         "draft-xibassnez-i2nsf-capability-01
522          draft-hares-i2nsf-capability-data-model-02";
523     }

525     container sec-ctl-capabilities {
526       description
527         "sec-ctl-capabilities";
528     }

530     grouping i2nsf-nsf-location {
531       description
532         "This provides a location for capabilities.";
533       container nsf-address {
534         description
535           "This is location information for capabilities.";
536         choice nsf-address-type {
537           description
538             "nsf address type: ipv4 and ipv6";
539           case ipv4-address {
540             description
541               "ipv4 case";
542             leaf ipv4-address {
543               type inet:ipv4-address;
544               mandatory true;
545               description
546                 "nsf address type is ipv4";
547             }
548           }
549           case ipv6-address {
550             description
551               "ipv6 case";
552             leaf ipv6-address {
553               type inet:ipv6-address;
554               mandatory true;
555               description
556                 "nsf address type is ipv6";
557             }
558           }
559         }
560       }
561     }

563     grouping i2nsf-it-resources {
564       description
565         "This provides a link between capabilities
566          and IT resources. This has a list of IT resources
567          by name.";
568       list it-resources {
569         key "it-resource-id";
570         description
571           "it-resource";
572         leaf it-resource-id {
573           type uint64;
574           mandatory true;
575           description
576             "it-resource-id";
577         }
578         leaf it-resource-name {
579           type string;
580           mandatory true;
581           description
582             "it-resource-name";
583         }
584       }
585     }

587     grouping capabilities-information {
588       description
589         "This includes information of capabilities.";
590       uses i2nsf-nsf-location;
591       uses i2nsf-it-resources;
592     }

594     grouping i2nsf-net-sec-control-caps {
595       description
596         "i2nsf-net-sec-control-caps";
597       container network-security-control {
598         description
599           "i2nsf-net-sec-control-caps";
600         leaf nsc-support {
601           type boolean;
602           mandatory true;
603           description
604             "nsc-support";
605         }
606         list nsc-fcn {
607           key "nsc-fcn-name";
608           description
609             "nsc-fcn";
610           leaf nsc-fcn-name {
611             type string;
612             mandatory true;
613             description
614               "nsc-fcn-name";
615           }
616           uses capabilities-information;
617         }
618       }
619     }

621     grouping i2nsf-con-sec-control-caps {
622       description
623         "i2nsf-con-sec-control-caps";

625       container content-security-control {
626         description
627           "content-security-control";

629         container antivirus {
630           description
631             "antivirus";

633           leaf antivirus-support {
634             type boolean;
635             mandatory true;
636             description
637               "antivirus-support";
638           }
639           list antivirus-fcn {
640             key "antivirus-fcn-name";
641             description
642               "antivirus-fcn";

644             leaf antivirus-fcn-name {
645               type string;
646               mandatory true;
647               description
648                 "antivirus-fcn-name";
649             }
650             uses capabilities-information;
651           }
652         }

654         container ips {
655           description
656             "ips";

658           leaf ips-support {
659             type boolean;
660             mandatory true;
661             description
662               "ips-support";
663           }
664           list ips-fcn {
665             key "ips-fcn-name";
666             description
667               "ips-fcn";

669             leaf ips-fcn-name {
670               type string;
671               mandatory true;
672               description
673                 "ips-fcn-name";
674             }
675             uses capabilities-information;
676           }
677         }

679         container ids {
680           description
681             "ids";

683           leaf ids-support {
684             type boolean;
685             mandatory true;
686             description
687               "ids-support";
688           }
689           list ids-fcn {
690             key "ids-fcn-name";
691             description
692               "ids-fcn";

694             leaf ids-fcn-name {
695               type string;
696               mandatory true;
697               description
698                 "ids-fcn-name";
699             }
700             uses capabilities-information;
701           }
702         }

704         container url-filter {
705           description
706             "url-filter";

708           leaf url-filter-support {
709             type boolean;
710             mandatory true;
711             description
712               "url-filter-support";
713           }
714           list url-filter-fcn {
715             key "url-filter-fcn-name";
716             description
717               "url-filter-fcn";

719             leaf url-filter-fcn-name {
720               type string;
721               mandatory true;
722               description
723                 "url-filter-fcn-name";
724             }
725             uses capabilities-information;
726           }
727         }

729         container data-filter {
730           description
731             "data-filter";

733           leaf data-filter-support {
734             type boolean;
735             mandatory true;
736             description
737               "data-filter-support";
738           }
739           list data-filter-fcn {
740             key "data-filter-fcn-name";
741             description
742               "data-filter-fcn";

744             leaf data-filter-fcn-name {
745               type string;
746               mandatory true;
747               description
748                 "data-filter-fcn-name";
749             }
750             uses capabilities-information;
751           }
752         }

754         container mail-filter {
755           description
756             "mail-filter";

758           leaf mail-filter-support {
759             type boolean;
760             mandatory true;
761             description
762               "mail-filter-support";
763           }
764           list mail-filter-fcn {
765             key "mail-filter-fcn-name";
766             description
767               "mail-filter-fcn";

769             leaf mail-filter-fcn-name {
770               type string;
771               mandatory true;
772               description
773                 "mail-filter-fcn-name";
774             }
775             uses capabilities-information;
776           }
777         }

779         container dns-filter {
780           description
781             "dns-filter";

783           leaf dns-filter-support {
784             type boolean;
785             mandatory true;
786             description
787               "dns-filter-support";
788           }
789           list dns-filter-fcn {
790             key "dns-filter-fcn-name";
791             description
792               "dns-filter-fcn";

794             leaf dns-filter-fcn-name {
795               type string;
796               mandatory true;
797               description
798                 "dns-filter-fcn-name";
799             }
800             uses capabilities-information;
801           }
802         }

804         container ftp-filter {
805           description
806             "ftp-filter";

808           leaf ftp-filter-support {
809             type boolean;
810             mandatory true;
811             description
812               "ftp-filter-support";
813           }
814           list ftp-filter-fcn {
815             key "ftp-filter-fcn-name";
816             description
817               "ftp-filter-fcn";

819             leaf ftp-filter-fcn-name {
820               type string;
821               mandatory true;
822               description
823                 "ftp-filter-fcn-name";
824             }
825             uses capabilities-information;
826           }
827         }

829         container games-filter {
830           description
831             "games-filter";

833           leaf games-filter-support {
834             type boolean;
835             mandatory true;
836             description
837               "games-filter-support";

839           }
840           list games-filter-fcn {
841             key "games-filter-fcn-name";
842             description
843               "games-filter-fcn";

845             leaf games-filter-fcn-name {
846               type string;
847               mandatory true;
848               description
849                 "games-filter-fcn-name";
850             }
851             uses capabilities-information;
852           }
853         }

855         container p2p-filter {
856           description
857             "p2p-filter";

859           leaf p2p-filter-support {
860             type boolean;
861             mandatory true;
862             description
863               "p2p-filter-support";
864           }
865           list p2p-filter-fcn {
866             key "p2p-filter-fcn-name";
867             description
868               "p2p-filter-fcn";

870             leaf p2p-filter-fcn-name {
871               type string;
872               mandatory true;
873               description
874                 "p2p-filter-fcn-name";
875             }
876             uses capabilities-information;
877           }
878         }

880         container rpc-filter {
881           description
882             "rpc-filter";

884           leaf rpc-filter-support {
885             type boolean;
886             mandatory true;
887             description
888               "rpc-filter-support";
889           }
890           list rpc-filter-fcn {
891             key "rpc-filter-fcn-name";
892             description
893               "rpc-filter-fcn";

895             leaf rpc-filter-fcn-name {
896               type string;
897               mandatory true;
898               description
899                 "rpc-filter-fcn-name";
900             }
901             uses capabilities-information;
902           }
903         }

905         container sql-filter {
906           description
907             "sql-filter";

909           leaf sql-filter-support {
910             type boolean;
911             mandatory true;
912             description
913               "sql-filter-support";
914           }
915           list sql-filter-fcn {
916             key "sql-filter-fcn-name";
917             description
918               "sql-filter-fcn";

920             leaf sql-filter-fcn-name {
921               type string;
922               mandatory true;
923               description
924                 "sql-filter-fcn-name";
925             }
926             uses capabilities-information;
927           }
928         }

930         container telnet-filter {
931           description
932             "telnet-filter";

934           leaf telnet-filter-support {
935             type boolean;
936             mandatory true;
937             description
938               "telnet-filter-support";
939           }
940           list telnet-filter-fcn {
941             key "telnet-filter-fcn-name";
942             description
943               "telnet-filter-fcn";

945             leaf telnet-filter-fcn-name {
946               type string;
947               mandatory true;
948               description
949                 "telnet-filter-fcn-name";
950             }
951             uses capabilities-information;
952           }
953         }

955         container tftp-filter {
956           description
957             "tftp-filter";

959           leaf tftp-filter-support {
960             type boolean;
961             mandatory true;
962             description
963               "tftp-filter-support";
964           }
965           list tftp-filter-fcn {
966             key "tftp-filter-fcn-name";
967             description
968               "tftp-filter-fcn";

970             leaf tftp-filter-fcn-name {
971               type string;
972               mandatory true;
973               description
974                 "tftp-filter-fcn-name";
975             }
976             uses capabilities-information;
977           }
978         }

980         container file-blocking {
981           description
982             "file-blocking";

984           leaf file-blocking-support {
985             type boolean;
986             mandatory true;
987             description
988               "file-blocking-support";
989           }
990           list file-blocking-fcn {
991             key "file-blocking-fcn-name";
992             description
993               "file-blocking-fcn";

995             leaf file-blocking-fcn-name {
996               type string;
997               mandatory true;
998               description
999                 "file-blocking-fcn-name";
1000            }
1001            uses capabilities-information;
1002          }
1003        }

1005        container file-isolate {
1006          description
1007            "file-isolate";

1009          leaf file-isolate-support {
1010            type boolean;
1011            mandatory true;
1012            description
1013              "file-isolate-support";
1014          }
1015          list file-isolate-fcn {
1016            key "file-isolate-fcn-name";
1017            description
1018              "file-isolate-fcn";

1020            leaf file-isolate-fcn-name {
1021              type string;
1022              mandatory true;
1023              description
1024                "file-isolate-fcn-name";
1025            }
1026            uses capabilities-information;
1027          }
1028        }

1030        container pkt-capture {
1031          description
1032            "pkt-capture";

1034          leaf pkt-capture-support {
1035            type boolean;
1036            mandatory true;
1037            description
1038              "pkt-capture-support";
1039          }
1040          list pkt-capture-fcn {
1041            key "pkt-capture-fcn-name";
1042            description
1043              "pkt-capture-fcn";

1045            leaf pkt-capture-fcn-name {
1046              type string;
1047              mandatory true;
1048              description
1049                "pkt-capture-fcn-name";
1050            }
1051            uses capabilities-information;
1052          }
1053        }

1055        container app-control {
1056          description
1057            "app-control";

1059          leaf app-control-support {
1060            type boolean;
1061            mandatory true;
1062            description
1063              "app-control-support";
1064          }
1065          list app-control-fcn {
1066            key "app-control-fcn-name";
1067            description
1068              "app-control-fcn";

1070            leaf app-control-fcn-name {
1071              type string;
1072              mandatory true;
1073              description
1074                "app-control-fcn-name";
1075            }
1076            uses capabilities-information;
1077          }
1078        }
1079        container voip-volte {
1080          description
1081            "voip-volte";

1083          leaf voip-volte-support {
1084            type boolean;
1085            mandatory true;
1086            description
1087              "voip-volte-support";
1088          }
1089          list voip-volte-fcn {
1090            key "voip-volte-fcn-name";
1091            description
1092              "voip-volte-fcn";

1094            leaf voip-volte-fcn-name {
1095              type string;
1096              mandatory true;
1097              description
1098                "voip-volte-fcn-name";
1099            }
1100            uses capabilities-information;
1101          }
1102        }
1103      }
1104    }

1106    grouping i2nsf-attack-mitigation-control-caps {
1107      description
1108        "i2nsf-attack-mitigation-control-caps";

1110      container attack-mitigation-control {
1111        description
1112          "attack-mitigation-control";
1113        choice attack-mitigation-control-type {
1114          description
1115            "attack-mitigation-control-type";
1116          case ddos-attack {
1117            description
1118              "ddos-attack";
1119            choice ddos-attack-type {
1120              description
1121                "ddos-attack-type";
1122              case network-layer-ddos-attack {
1123                description
1124                  "network-layer-ddos-attack";
1125                container network-layer-ddos-attack-types {
1126                  description
1127                    "network-layer-ddos-attack-type";
1128                  container syn-flood-attack {
1129                    description
1130                      "syn-flood-attack";
1131                    leaf syn-flood-attack-support {
1132                      type boolean;
1133                      mandatory true;
1134                      description
1135                        "syn-flood-attack-support";
1136                    }
1137                    list syn-flood-fcn {
1138                      key "syn-flood-fcn-name";
1139                      description
1140                        "syn-flood-fcn";
1141                      leaf syn-flood-fcn-name {
1142                        type string;
1143                        mandatory true;
1144                        description
1145                          "syn-flood-fcn-name";
1146                      }
1147                      uses capabilities-information;
1148                    }
1149                  }
1150                  container udp-flood-attack {
1151                    description
1152                      "udp-flood-attack";
1153                    leaf udp-flood-attack-support {
1154                      type boolean;
1155                      mandatory true;
1156                      description
1157                        "udp-flood-attack-support";
1158                    }
1159                    list udp-flood-fcn {
1160                      key "udp-flood-fcn-name";
1161                      description
1162                        "udp-flood-fcn";
1163                      leaf udp-flood-fcn-name {
1164                        type string;
1165                        mandatory true;
1166                        description
1167                          "udp-flood-fcn-name";
1168                      }
1169                      uses capabilities-information;
1170                    }
1171                  }
1172                  container icmp-flood-attack {
1173                    description
1174                      "icmp-flood-attack";

1176                    leaf icmp-flood-attack-support {
1177                      type boolean;
1178                      mandatory true;
1179                      description
1180                        "icmp-flood-attack-support";
1181                    }
1182                    list icmp-flood-fcn {
1183                      key "icmp-flood-fcn-name";
1184                      description
1185                        "icmp-flood-fcn";
1186                      leaf icmp-flood-fcn-name {
1187                        type string;
1188                        mandatory true;
1189                        description
1190                          "icmp-flood-fcn-name";
1191                      }
1192                      uses capabilities-information;
1193                    }
1194                  }
1195                  container ip-fragment-flood-attack {
1196                    description
1197                      "ip-fragment-flood-attack";
1198                    leaf ip-fragment-flood-attack-support {
1199                      type boolean;
1200                      mandatory true;
1201                      description
1202                        "ip-fragment-flood-attack-support";
1203                    }
1204                    list ip-frag-flood-fcn {
1205                      key "ip-frag-flood-fcn-name";
1206                      description
1207                        "ip-frag-flood-fcn";
1208                      leaf ip-frag-flood-fcn-name {
1209                        type string;
1210                        mandatory true;
1211                        description
1212                          "ip-frag-flood-fcn-name";
1213                      }
1214                      uses capabilities-information;
1215                    }
1216                  }
1217                  container ipv6-related-attack {
1218                    description
1219                      "ipv6-related-attack";
1220                    leaf ipv6-related-attack-support {
1221                      type boolean;
1222                      mandatory true;
1223                      description
1224                        "ipv6-related-attack-support";
1225                    }
1226                    list ipv6-related-fcn {
1227                      key "ipv6-related-fcn-name";
1228                      description
1229                        "ipv6-related-fcn";
1230                      leaf ipv6-related-fcn-name {
1231                        type string;
1232                        mandatory true;
1233                        description
1234                          "ipv6-related-fcn-name";
1235                      }
1236                      uses capabilities-information;
1237                    }
1238                  }
1239                }
1240              }
1241              case app-layer-ddos-attack {
1242                description
1243                  "app-layer-ddos-attack";
1244                container app-layer-ddos-attack-types {
1245                  description
1246                    "app-layer-ddos-attack-types";
1247                  container http-flood-attack {
1248                    description
1249                      "http-flood-attack";
1250                    leaf http-flood-attack-support {
1251                      type boolean;
1252                      mandatory true;
1253                      description
1254                        "http-flood-attack-support";
1255                    }
1256                    list http-flood-fcn {
1257                      key "http-flood-fcn-name";
1258                      description
1259                        "http-flood-fcn";
1260                      leaf http-flood-fcn-name {
1261                        type string;
1262                        mandatory true;
1263                        description
1264                          "http-flood-fcn-name";
1265                      }
1266                      uses capabilities-information;
1267                    }
1268                  }
1269                  container https-flood-attack {
1270                    description
1271                      "https-flood-attack";

1273                    leaf https-flood-attack-support {
1274                      type boolean;
1275                      mandatory true;
1276                      description
1277                        "https-flood-attack-support";
1278                    }
1279                    list https-flood-fcn {
1280                      key "https-flood-fcn-name";
1281                      description
1282                        "https-flood-fcn";
1283                      leaf https-flood-fcn-name {
1284                        type string;
1285                        mandatory true;
1286                        description
1287                          "https-flood-fcn-name";
1288                      }
1289                      uses capabilities-information;
1290                    }
1291                  }
1292                  container dns-flood-attack {
1293                    description
1294                      "dns-flood-attack";
1295                    leaf dns-flood-attack-support {
1296                      type boolean;
1297                      mandatory true;
1298                      description
1299                        "dns-flood-attack-support";
1300                    }
1301                    list dns-flood-fcn {
1302                      key "dns-flood-fcn-name";
1303                      description
1304                        "dns-flood-fcn";
1305                      leaf dns-flood-fcn-name {
1306                        type string;
1307                        mandatory true;
1308                        description
1309                          "dns-flood-fcn-name";
1310                      }
1311                      uses capabilities-information;
1312                    }
1313                  }
1314                  container dns-amp-flood-attack {
1315                    description
1316                      "dns-amp-flood-attack";
1317                    leaf dns-amp-flood-attack-support {
1318                      type boolean;
1319                      mandatory true;
1320                      description
1321                        "dns-amp-flood-attack-support";
1322                    }
1323                    list dns-amp-flood-fcn {
1324                      key "dns-amp-flood-fcn-name";
1325                      description
1326                        "dns-amp-flood-fcn";
1327                      leaf dns-amp-flood-fcn-name {
1328                        type string;
1329                        mandatory true;
1330                        description
1331                          "dns-amp-flood-fcn-name";
1332                      }
1333                      uses capabilities-information;
1334                    }
1335                  }
1336                  container ssl-ddos-attack {
1337                    description
1338                      "ssl-ddos-attack";
1339                    leaf ssl-ddos-attack-support {
1340                      type boolean;
1341                      mandatory true;
1342                      description
1343                        "ssl-ddos-attack-support";
1344                    }
1345                    list ssl-ddos-fcn {
1346                      key "ssl-ddos-fcn-name";
1347                      description
1348                        "ssl-ddos-fcn";
1349                      leaf ssl-ddos-fcn-name {
1350                        type string;
1351                        mandatory true;
1352                        description
1353                          "ssl-ddos-fcn-name";
1354                      }
1355                      uses capabilities-information;
1356                    }
1357                  }
1358                }
1359              }
1360            }
1361          }

1363          case single-packet-attack {
1364            description
1365              "single-packet-attack";
1366            choice single-packet-attack-type {
1367              description
1368                "single-packet-attack-type";

1370              case scan-and-sniff-attack {
1371                description
1372                  "scan-and-sniff-attack";
1373                container ip-sweep-attack {
1374                  description
1375                    "ip-sweep-attack";
1376                  leaf
ip-sweep-attack-suppor { 1377 type boolean; 1378 mandatory true; 1379 description 1380 "ip-sweep-attack-suppor"; 1381 } 1382 list ip-sweep-fcn { 1383 key "ip-sweep-fcn-name"; 1384 description 1385 "ip-sweep-fcn"; 1386 leaf ip-sweep-fcn-name { 1387 type string; 1388 mandatory true; 1389 description 1390 "ip-sweep-fcn-name"; 1391 } 1392 uses capabilities-information; 1393 } 1394 } 1395 container port-scanning-attack { 1396 description 1397 "port-scanning-attack"; 1398 leaf port-scanning-attack-support { 1399 type boolean; 1400 mandatory true; 1401 description 1402 "port-scanning-attack-support"; 1403 } 1404 list port-scanning-fcn { 1405 key "port-scanning-fcn-name"; 1406 description 1407 "port-scanning-fcn"; 1408 leaf port-scanning-fcn-name { 1409 type string; 1410 mandatory true; 1411 description 1412 "port-scanning-fcn-name"; 1413 } 1414 uses capabilities-information; 1415 } 1416 } 1417 } 1418 case malformed-packet-attack { 1419 description 1420 "malformed-packet-attack"; 1421 container ping-of-death-attack { 1422 description 1423 "ping-of-death-attack"; 1424 leaf ping-of-death-attack-support { 1425 type boolean; 1426 mandatory true; 1427 description 1428 "ping-of-death-attack-support"; 1429 } 1430 list ping-of-death-fcn { 1431 key "ping-of-death-fcn-name"; 1432 description 1433 "ping-of-death-fcn"; 1434 leaf ping-of-death-fcn-name { 1435 type string; 1436 mandatory true; 1437 description 1438 "ping-of-death-fcn-name"; 1439 } 1440 uses capabilities-information; 1441 } 1442 } 1443 container teardrop-attack { 1444 description 1445 "teardrop-attack"; 1446 leaf teardrop-attack-support { 1447 type boolean; 1448 mandatory true; 1449 description 1450 "teardrop-attack-support"; 1451 } 1452 list tear-drop-fcn { 1453 key "tear-drop-fcn-name"; 1454 description 1455 "tear-drop-fcn"; 1456 leaf tear-drop-fcn-name { 1457 type string; 1458 mandatory true; 1459 description 1460 "tear-drop-fcn-name"; 1461 } 1462 uses capabilities-information; 1463 } 1464 } 1465 } 1466 case 
special-packet-attack { 1467 description 1468 "special-packet-attack"; 1469 container oversized-icmp-attack { 1470 description 1471 "oversized-icmp-attack"; 1472 leaf oversized-icmp-attack-support { 1473 type boolean; 1474 mandatory true; 1475 description 1476 "oversized-icmp-attack-support"; 1477 } 1478 list oversized-icmp-fcn { 1479 key "oversized-icmp-fcn-name"; 1480 description 1481 "oversized-icmp-fcn"; 1482 leaf oversized-icmp-fcn-name { 1483 type string; 1484 mandatory true; 1485 description 1486 "oversized-icmp-fcn-name"; 1487 } 1488 uses capabilities-information; 1489 } 1490 } 1491 container tracert-attack { 1492 description 1493 "tracert-attack"; 1494 leaf tracert-attack-support { 1495 type boolean; 1496 mandatory true; 1497 description 1498 "tracert-attack-support"; 1499 } 1500 list tracert-fcn { 1501 key "tracert-fcn-name"; 1502 description 1503 "tracert-fcn"; 1504 leaf tracert-fcn-name { 1505 type string; 1506 mandatory true; 1507 description 1508 "tracert-fcn-name"; 1509 } 1510 uses capabilities-information; 1511 } 1512 } 1513 } 1515 } 1516 } 1517 } 1518 } 1519 } 1521 list nsf-capabilities { 1522 key "nsf-capabilities-id"; 1523 description 1524 "nsf-capabilities"; 1525 leaf nsf-capabilities-id { 1526 type uint8; 1527 mandatory true; 1528 description 1529 "nsf-capabilities-id"; 1530 } 1532 container net-sec-control-capabilities { 1533 uses i2nsf-net-sec-control-caps; 1534 description 1535 "net-sec-control-capabilities"; 1536 } 1537 container con-sec-control-capabilities { 1538 uses i2nsf-con-sec-control-caps; 1539 description 1540 "con-sec-control-capabilities"; 1541 } 1542 container attack-mitigation-capabilities { 1543 uses i2nsf-attack-mitigation-control-caps; 1544 description 1545 "attack-mitigation-capabilities"; 1546 } 1547 } 1548 } 1550 1552 Figure 8: Data Model of I2NSF Capability Interface 1554 6. IANA Considerations 1556 No IANA considerations exist for this document at this time. URL 1557 will be added. 1559 7. 
Security Considerations 1561 This document introduces no additional security threats and SHOULD 1562 follow the security requirements as stated in [i2nsf-framework]. 1564 8. Acknowledgements 1566 This work was supported by Institute for Information & communications 1567 Technology Promotion (IITP) grant funded by the Korea government 1568 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 1569 Technology Development for the Customized Security Service 1570 Provisioning). 1572 This document has greatly benefited from inputs by Daeyoung Hyun, 1573 Dongjin Hong, Hyoungshick Kim, Jung-Soo Park, Tae-Jin Ahn, and Se-Hui 1574 Lee. 1576 9. References 1578 9.1. Normative References 1580 [RFC2119] Bradner, S., "Key words for use in RFCs to 1581 Indicate Requirement Levels", BCP 14, 1582 RFC 2119, March 1997. 1584 [RFC6020] Bjorklund, M., "YANG - A Data Modeling 1585 Language for the Network Configuration 1586 Protocol (NETCONF)", RFC 6020, 1587 October 2010. 1589 9.2. Informative References 1591 [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. 1592 Lopez, "Information Model of NSFs 1593 Capabilities", 1594 draft-xibassnez-i2nsf-capability-01 (work 1595 in progress), March 2017. 1597 [i2nsf-problem-statement] Hares, S., Lopez, D., Zarny, M., 1598 Jacquenet, C., Kumar, R., and J. Jeong, 1599 "I2NSF Problem Statement and Use cases", 1600 draft-ietf-i2nsf-problem-and-use-cases-16 1601 (work in progress), May 2017. 1603 [i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, 1604 L., and H. Birkholz, "Interface to Network 1605 Security Functions (I2NSF) Terminology", 1606 draft-ietf-i2nsf-terminology-03 (work in 1607 progress), March 2017. 1609 [i2rs-rib-data-model] Wang, L., Ananthakrishnan, H., Chen, M., 1610 Dass, A., Kini, S., and N. Bahadur, "A 1611 YANG Data Model for Routing Information 1612 Base (RIB)", 1613 draft-ietf-i2rs-rib-data-model-07 (work in 1614 progress), January 2017. 
1616 [supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, 1617 "Generic Policy Information Model for 1618 Simplified Use of Policy Abstractions 1619 (SUPA)", draft-ietf-supa-generic-policy- 1620 info-model-03 (work in progress), 1621 May 2017. 1623 [i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., 1624 Strassner, J., and R. Kumar, "Framework 1625 for Interface to Network Security 1626 Functions", draft-ietf-i2nsf-framework-05 1627 (work in progress), May 2017. 1629 Appendix A. Changes from draft-hares-i2nsf-capability-data-model-01 1631 The following changes are made from 1632 draft-hares-i2nsf-capability-data-model-01: 1634 o This draft is revised to support the acquision of the information 1635 of NSFs such as an NSF's IP address and resources related to 1636 capabilities. 1638 o To support the capability information, location, and resources of 1639 an NSF, container component is replaced with grouping component. 1641 Authors' Addresses 1643 Susan Hares 1644 Huawei 1645 7453 Hickory Hill 1646 Saline, MI 48176 1647 USA 1649 Phone: +1-734-604-0332 1650 EMail: shares@ndzh.com 1651 Jaehoon Paul Jeong 1652 Department of Software 1653 Sungkyunkwan University 1654 2066 Seobu-Ro, Jangan-Gu 1655 Suwon, Gyeonggi-Do 16419 1656 Republic of Korea 1658 Phone: +82 31 299 4957 1659 Fax: +82 31 290 7996 1660 EMail: pauljeong@skku.edu 1661 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 1663 Jinyong Tim Kim 1664 Department of Computer Engineering 1665 Sungkyunkwan University 1666 2066 Seobu-Ro, Jangan-Gu 1667 Suwon, Gyeonggi-Do 16419 1668 Republic of Korea 1670 Phone: +82 10 8273 0930 1671 EMail: timkim@skku.edu 1673 Robert Moskowitz 1674 HTT Consulting 1675 Oak Park, MI 1676 USA 1678 Phone: +1-248-968-9809 1679 EMail: rgm@htt-consult.com 1681 Liang Xia (Frank) 1682 Huawei 1683 101 Software Avenue, Yuhuatai District 1684 Nanjing, Jiangsu 1685 China 1687 Phone: 1688 EMail: Frank.xialiang@huawei.com