I2NSF Working Group                                             S. Hares
Internet-Draft                                                    Huawei
Intended status: Standards Track                                J. Jeong
Expires: September 12, 2019                                       J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                                          March 11, 2019

                  I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-03

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to
   Network Security Functions (I2NSF) framework, so that the
   capabilities of various NSFs can be managed centrally.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Capabilities of Network Security Function
   6.  YANG Data Modules
     6.1.  I2NSF Capability YANG Data Module
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-capability-data-model-02
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices (e.g.,
   Internet of Things devices, self-driving vehicles, and VoIP/VoLTE
   smartphones) proliferate, service providers face the problems
   described in [RFC8192].  To resolve these problems, [i2nsf-nsf-cap-im]
   specifies the information model of the capabilities of Network
   Security Functions (NSFs).

   This document provides a data model using YANG [RFC6020][RFC7950]
   that defines the capabilities of NSFs so that the capabilities of
   those security devices can be managed centrally.  The security
   devices can register their own capabilities with the Network Operator
   Management (Mgmt) System (i.e., the Security Controller) using this
   YANG data model through the registration interface [RFC8329].
   With the capabilities of those security devices registered centrally,
   those security devices can be easily managed [RFC8329].  This YANG
   data model is based on the information model for I2NSF NSF
   capabilities [i2nsf-nsf-cap-im].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of the I2NSF Policy
   Rules described in [RFC8329] and [i2nsf-nsf-cap-im].  The "ietf-
   i2nsf-capability" YANG module defined in this document provides the
   following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology][i2nsf-nsf-cap-im]
   [RFC8431][supa-policy-info-model].  In particular, the following
   terms are from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.
   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      data (read-write) and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Overview

   This section gives an overview of how the YANG data model can be used
   in the I2NSF framework described in [RFC8329].  Figure 1 shows the
   capabilities of NSFs in the I2NSF Framework.  As shown in this
   figure, a Developer's Mgmt System can register NSFs together with the
   capabilities that each network security device supports.  To register
   NSFs in this way, the Developer's Mgmt System uses this standardized
   capabilities YANG data model through the registration interface.
   With the capabilities of those network security devices registered
   centrally, those security devices can be easily managed, which can
   resolve many of the problems described in [RFC8192].  Use cases are
   given after the figure.

   Note that [i2nsf-nsf-yang] is used to configure the security policy
   rules of generic network security functions and
   [i2nsf-advanced-nsf-dm] is used to configure the security policy
   rules of advanced network security functions, according to the
   capabilities of the network security devices registered in the I2NSF
   Framework.
     +-------------------------------------------------------+
     | I2NSF User (e.g., Overlay Network Mgmt, Enterprise    |
     | Network Mgmt, another network domain's mgmt, etc.)    |
     +--------------------+----------------------------------+
                          |
Consumer-Facing Interface |
                          |
                          |                   I2NSF
        +-----------------+------------+   Registration   +-------------+
        | Network Operator Mgmt System |    Interface     | Developer's |
        | (i.e., Security Controller)  |  < --------- >   | Mgmt System |
        +-----------------+------------+                  +-------------+
                          |                               New NSF
                          |                               E = {}
     NSF-Facing Interface |                               C = {IPv4, IPv6}
                          |                               A = {Allow, Deny}
                          |
      +-------------------+-------------------+-------------------+
      |                   |                   |                   |
  +---+---+           +---+---+           +---+---+           +---+---+
  | NSF-1 |    ...    | NSF-m |           | NSF-1 |    ...    | NSF-n |  ...
  +-------+           +-------+           +-------+           +-------+
  NSF-1               NSF-m               NSF-1               NSF-n
  E = {}              E = {user}          E = {dev}           E = {time}
  C = {IPv4}          C = {IPv6}          C = {IPv4, IPv6}    C = {IPv4}
  A = {Allow, Deny}   A = {Allow, Deny}   A = {Allow, Deny}   A = {Allow, Deny}

     Developer Mgmt System A                 Developer Mgmt System B

            Figure 1: Capabilities of NSFs in I2NSF Framework

   o  If a network manager wants to apply security policy rules for
      blocking malicious users, it is a tremendous burden to apply all
      of these rules to NSFs one by one.  This problem can be resolved
      by managing the capabilities of NSFs.  If the network manager
      wants to block malicious users with IPv6, the network manager
      sends the security policy rules for blocking those users to the
      Network Operator Mgmt System through an I2NSF User (i.e., a web
      browser or other software).  When the Network Operator Mgmt System
      receives the security policy rules, it automatically sends them to
      the appropriate NSFs (i.e., NSF-m in Developer Mgmt System A and
      NSF-1 in Developer Mgmt System B), which support the required
      capability (i.e., IPv6).
      Therefore, the I2NSF User need not consider which NSFs the rules
      should be applied to.

   o  If NSFs find malicious packets, it is a tremendous burden for the
      network manager to apply the rule for blocking those packets to
      NSFs one by one.  This problem can also be resolved by managing
      the capabilities of NSFs.  If NSFs find suspicious IPv4 packets,
      they can ask the Network Operator Mgmt System to inspect the
      information about those packets and to alter specific rules
      and/or configurations.  When the Network Operator Mgmt System
      receives the information, it inspects the information about the
      suspicious IPv4 packets.  If the suspicious packets are determined
      to be malicious, the Network Operator Mgmt System creates a
      security policy rule against them and sends it to the appropriate
      NSFs (i.e., NSF-1 in Developer Mgmt System A and NSF-1 and NSF-n
      in Developer Mgmt System B), which support the required capability
      (i.e., IPv4).  Therefore, the new security policy rule against
      malicious packets can be applied to the appropriate NSFs without
      human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of the capabilities of network
   security functions, as defined in [i2nsf-nsf-cap-im].

5.1.  Capabilities of Network Security Function

   This section shows the YANG tree diagram for the capabilities of
   network security functions.
   module: ietf-i2nsf-capability
     +--rw nsf
        +--rw time-capabilities*                  enumeration
        +--rw event-capabilities
        |  +--rw system-event-capa*               identityref
        |  +--rw system-alarm-capa*               identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capa*                    identityref
        |  |  +--rw ipv6-capa*                    identityref
        |  |  +--rw tcp-capa*                     identityref
        |  |  +--rw udp-capa*                     identityref
        |  |  +--rw icmp-capa*                    identityref
        |  +--rw advanced-nsf-capabilities
        |     +--rw antivirus-capa*               identityref
        |     +--rw antiddos-capa*                identityref
        |     +--rw ips-capa*                     identityref
        |     +--rw http-capa*                    identityref
        |     +--rw voip-volte-capa*              identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capa*             identityref
        |  +--rw egress-action-capa*              identityref
        |  +--rw log-action-capa*                 identityref
        +--rw resolution-strategy-capabilities*   identityref
        +--rw default-action-capabilities*        identityref

     Figure 2: YANG Tree Diagram for Capabilities of Network Security
                                Functions

   This YANG tree diagram shows the capabilities of network security
   functions.

   The NSF includes NSF capabilities.  The NSF capabilities include time
   capabilities, event capabilities, condition capabilities, action
   capabilities, resolution strategy capabilities, and default action
   capabilities.

   Time capabilities are used to specify when an I2NSF policy rule is to
   be executed.  The time capabilities are defined as absolute time and
   periodic time.

   Event capabilities are used to specify how to trigger the evaluation
   of the condition clause of an I2NSF Policy Rule.  The event
   capabilities are defined as system event and system alarm.  The event
   capability can be extended according to vendor-specific event
   features.  The event capability is described in detail in
   [i2nsf-nsf-cap-im].
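   The controller-side selection described in the two use cases of
   Section 4, carried out over registrations shaped like the tree in
   Figure 2, as an added example in Python (not code from the draft or
   from the I2NSF working group).  The identity table is a hand-copied
   subset of the identities in the module below; the mapping of each
   identityref leaf-list to a base identity, and the four constructed
   registrations, are assumptions, since this excerpt of the draft does
   not show the leaf definitions.

```python
"""Capability registration check and controller-side NSF selection.

Added example (not part of the draft): IDENTITIES is a hand-copied subset of
ietf-i2nsf-capability; LEAF_BASES, which ties each identityref leaf-list of
the Figure 2 tree to an assumed base identity, and REGISTRY are constructed."""

# identity -> base identities, mirroring the module's 'base' statements
IDENTITIES = {
    "event": (), "system-event-capa": ("event",), "system-alarm-capa": ("event",),
    "access-violation": ("system-event-capa",), "cpu-alarm": ("system-alarm-capa",),
    "condition": (), "ipv4-capa": ("condition",), "ipv6-capa": ("condition",),
    "tcp-capa": ("condition",),
    "exact-ipv4-address": ("ipv4-capa",), "range-ipv4-address": ("ipv4-capa",),
    "ipv4-protocol": ("ipv4-capa",),
    "exact-ipv6-address": ("ipv6-capa",), "range-ipv6-address": ("ipv6-capa",),
    "exact-tcp-port-num": ("tcp-capa",),
    "log-action-capa": (), "rule-log": ("log-action-capa",),
    "ingress-action-capa": (), "egress-action-capa": (), "default-action-capa": (),
    # pass/drop/reject/alert/mirror each carry three 'base' statements in the module
    **{a: ("ingress-action-capa", "egress-action-capa", "default-action-capa")
       for a in ("pass", "drop", "reject", "alert", "mirror")},
    "invoke-signaling": ("egress-action-capa",), "redirection": ("egress-action-capa",),
    "resolution-strategy-capa": (),
    **{s: ("resolution-strategy-capa",) for s in ("fmr", "lmr", "pmr", "pmre", "pmrn")},
}


def derived_from(identity, base):
    """YANG derived-from-or-self(): walk every base chain (an identity may have several)."""
    if identity == base:
        return True
    return any(derived_from(b, base) for b in IDENTITIES.get(identity, ()))


# tree path of each identityref leaf-list -> base identity assumed for its type
LEAF_BASES = {
    ("event-capabilities", "system-event-capa"): "system-event-capa",
    ("event-capabilities", "system-alarm-capa"): "system-alarm-capa",
    ("condition-capabilities", "generic-nsf-capabilities", "ipv4-capa"): "ipv4-capa",
    ("condition-capabilities", "generic-nsf-capabilities", "ipv6-capa"): "ipv6-capa",
    ("condition-capabilities", "generic-nsf-capabilities", "tcp-capa"): "tcp-capa",
    ("action-capabilities", "ingress-action-capa"): "ingress-action-capa",
    ("action-capabilities", "egress-action-capa"): "egress-action-capa",
    ("action-capabilities", "log-action-capa"): "log-action-capa",
    ("resolution-strategy-capabilities",): "resolution-strategy-capa",
    ("default-action-capabilities",): "default-action-capa",
}


def validate(record):
    """Problems in a registration: unknown identities or ones outside the leaf's base."""
    problems = []
    for path, base in LEAF_BASES.items():
        node = record
        for key in path:
            node = node.get(key, {})
        for ident in (node if isinstance(node, list) else []):
            if ident not in IDENTITIES:
                problems.append(f"{'/'.join(path)}: unknown identity {ident}")
            elif not derived_from(ident, base):
                problems.append(f"{'/'.join(path)}: {ident} is not derived from {base}")
    return problems


def _generic(record):
    return record["condition-capabilities"]["generic-nsf-capabilities"]


def select_nsfs(registry, required):
    """NSFs whose generic condition capabilities cover every required identity.

    'required' maps a generic condition leaf (ipv4-capa, ipv6-capa, ...) to the
    identities a policy rule needs; this is the controller step in Section 4."""
    return [name for name, rec in registry.items()
            if all(set(idents) <= set(_generic(rec).get(leaf, []))
                   for leaf, idents in required.items())]


def _nsf(ipv4=(), ipv6=(), events=()):
    """One constructed registration shaped like the Figure 2 tree."""
    return {
        "time-capabilities": ["absolute-time", "periodic-time"],
        "event-capabilities": {"system-event-capa": list(events),
                               "system-alarm-capa": ["cpu-alarm"]},
        "condition-capabilities": {
            "generic-nsf-capabilities": {"ipv4-capa": list(ipv4), "ipv6-capa": list(ipv6),
                                         "tcp-capa": ["exact-tcp-port-num"]},
            "advanced-nsf-capabilities": {}},
        "action-capabilities": {"ingress-action-capa": ["pass", "drop"],
                                "egress-action-capa": ["pass", "drop", "redirection"],
                                "log-action-capa": ["rule-log"]},
        "resolution-strategy-capabilities": ["fmr"],
        "default-action-capabilities": ["drop"],
    }


# constructed to match Figure 1: C = {IPv4}, {IPv6}, {IPv4, IPv6}, {IPv4}
REGISTRY = {
    "A/NSF-1": _nsf(ipv4=["exact-ipv4-address", "range-ipv4-address"]),
    "A/NSF-m": _nsf(ipv6=["exact-ipv6-address", "range-ipv6-address"],
                    events=["access-violation"]),
    "B/NSF-1": _nsf(ipv4=["exact-ipv4-address"], ipv6=["exact-ipv6-address"]),
    "B/NSF-n": _nsf(ipv4=["exact-ipv4-address", "ipv4-protocol"]),
}

if __name__ == "__main__":
    for name, rec in REGISTRY.items():
        assert validate(rec) == [], (name, validate(rec))
    # first use case: block malicious IPv6 users
    print(select_nsfs(REGISTRY, {"ipv6-capa": ["exact-ipv6-address"]}))
    # second use case: block malicious IPv4 packets
    print(select_nsfs(REGISTRY, {"ipv4-capa": ["exact-ipv4-address"]}))
```

   derived_from is the check an identityref leaf performs: a value is
   accepted when it is the leaf's base identity or transitively derives
   from it.  An identity with several base statements (pass, drop,
   reject, alert, mirror) is therefore accepted in the ingress, egress
   and default-action leaf-lists alike, while invoke-signaling, which
   carries only "base egress-action-capa", is rejected by validate()
   when a registration lists it as an ingress action.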
   Condition capabilities are used to specify a set of attributes,
   features, and/or values that are to be compared with a set of known
   attributes, features, and/or values in order to determine whether or
   not the set of actions in that (imperative) I2NSF policy rule can be
   executed.  The condition capabilities are classified into condition
   capabilities of generic network security functions and of advanced
   network security functions.  The condition capabilities of generic
   network security functions are defined as IPv4 capability, IPv6
   capability, TCP capability, UDP capability, and ICMP capability.  The
   condition capabilities of advanced network security functions are
   defined as antivirus capability, anti-DDoS capability, IPS
   capability, HTTP capability, and VoIP/VoLTE capability.  The
   condition capability can be extended according to vendor-specific
   condition features.  The condition capability is described in detail
   in [i2nsf-nsf-cap-im].

   Action capabilities are used to specify how to control and monitor
   aspects of flow-based NSFs when the event and condition clauses are
   satisfied.  The action capabilities are defined as ingress action
   capability, egress action capability, and log action capability.
   The action capability can be extended according to vendor-specific
   action features.  The action capability is described in detail in
   [i2nsf-nsf-cap-im].

   Resolution strategy capabilities are used to specify how to resolve
   conflicts that occur between the actions of the same or different
   policy rules that are matched and contained in this particular NSF.
   The resolution strategy capabilities are defined as First Matching
   Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule
   (PMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized
   Matching Rule with No Errors (PMRN).  The resolution strategy
   capability can be extended according to vendor-specific features.
   The resolution strategy capability is described in detail in
   [i2nsf-nsf-cap-im].

   Default action capabilities are used to specify how to execute the
   I2NSF policy rule when no rule matches a packet.  The default action
   capabilities are defined as pass, drop, reject, alert, and mirror.
   The default action capability can be extended according to
   vendor-specific action features.  The default action capability is
   described in detail in [i2nsf-nsf-cap-im].

6.  YANG Data Modules

6.1.  I2NSF Capability YANG Data Module

   This section introduces a YANG data module for the capabilities of
   network security functions, as defined in [i2nsf-nsf-cap-im].

   <CODE BEGINS> file "ietf-i2nsf-capability@2019-03-11.yang"

   module ietf-i2nsf-capability {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
     prefix
       iicapa;

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Susan Hares

        Editor: Jaehoon Paul Jeong

        Editor: Jinyong Tim Kim
       ";

     description
       "This module describes a capability model
        for I2NSF devices.

        Copyright (c) 2019 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2019-03-11" {
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Capability YANG Data Model";
     }

     /*
      * Identities
      */

     identity event {
       description "Base identity for event of policy.";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - Event";
     }

     identity system-event-capa {
       base event;
       description "Identity for system event";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event";
     }

     identity system-alarm-capa {
       base event;
       description "Identity for system alarm";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity access-violation {
       base system-event-capa;
       description "Identity for access violation among system events";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event";
     }

     identity configuration-change {
       base system-event-capa;
       description "Identity for configuration change among system events";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System event";
     }

     identity memory-alarm {
       base system-alarm-capa;
       description "Identity for memory alarm among system alarms";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity cpu-alarm {
       base system-alarm-capa;
       description "Identity for cpu alarm among system alarms";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity disk-alarm {
       base system-alarm-capa;
       description "Identity for disk alarm among system alarms";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity hardware-alarm {
       base system-alarm-capa;
       description "Identity for hardware alarm among system alarms";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity interface-alarm {
       base system-alarm-capa;
       description "Identity for interface alarm among system alarms";
       reference "draft-hong-i2nsf-nsf-monitoring-data-model-06 - System alarm";
     }

     identity condition {
       description "Base identity for conditions of policy";
     }

     identity ipv4-capa {
       base condition;
       description "Identity for capabilities of IPv4 condition";
       reference "RFC 791: Internet Protocol";
     }

     identity exact-ipv4-header-length {
       base ipv4-capa;
       description "Identity for exact header length capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Header Length";
     }

     identity range-ipv4-header-length {
       base ipv4-capa;
       description "Identity for range header length capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Header Length";
     }

     identity ipv4-tos {
       base ipv4-capa;
       description "Identity for type of service capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Type of Service";
     }

     identity exact-ipv4-total-length {
       base ipv4-capa;
       description "Identity for exact total length capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Total Length";
     }

     identity range-ipv4-total-length {
       base ipv4-capa;
       description "Identity for range total length capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Total Length";
     }

     identity ipv4-id {
       base ipv4-capa;
       description "Identity for identification capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Identification";
     }

     identity ipv4-fragment-flags {
       base ipv4-capa;
       description "Identity for fragment flags capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity exact-ipv4-fragment-offset {
       base ipv4-capa;
       description "Identity for exact fragment offset capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity range-ipv4-fragment-offset {
       base ipv4-capa;
       description "Identity for range fragment offset capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity exact-ipv4-ttl {
       base ipv4-capa;
       description "Identity for exact time to live capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity range-ipv4-ttl {
       base ipv4-capa;
       description "Identity for range time to live capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity ipv4-protocol {
       base ipv4-capa;
       description "Identity for protocol capability of IPv4 condition";
       reference
         "RFC 790: Assigned numbers - Assigned Internet Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity exact-ipv4-address {
       base ipv4-capa;
       description "Identity for exact address capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Address";
     }

     identity range-ipv4-address {
       base ipv4-capa;
       description "Identity for range address capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Address";
     }

     identity ipv4-ipopts {
       base ipv4-capa;
       description "Identity for option capability of IPv4 condition";
       reference "RFC 791: Internet Protocol - Options";
     }

     identity ipv4-sameip {
       base ipv4-capa;
       description "Identity for sameIP capability of IPv4 condition";
     }

     identity ipv4-geoip {
       base ipv4-capa;
       description "Identity for geography capability of IPv4 condition";
     }

     identity ipv6-capa {
       base condition;
       description "Identity for capabilities of IPv6 condition";
       reference "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification";
     }

     identity ipv6-traffic-class {
       base ipv6-capa;
       description "Identity for traffic class capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Traffic Class";
     }

     identity exact-ipv6-flow-label {
       base ipv6-capa;
       description "Identity for exact flow label capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Flow Label";
     }

     identity range-ipv6-flow-label {
       base ipv6-capa;
       description "Identity for range flow label capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Flow Label";
     }

     identity exact-ipv6-payload-length {
       base ipv6-capa;
       description "Identity for exact payload length capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Payload Length";
     }

     identity range-ipv6-payload-length {
       base ipv6-capa;
       description "Identity for range payload length capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Payload Length";
     }

     identity ipv6-next-header {
       base ipv6-capa;
       description "Identity for next header capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Next Header";
     }

     identity exact-ipv6-hop-limit {
       base ipv6-capa;
       description "Identity for exact hop limit capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Hop Limit";
     }

     identity range-ipv6-hop-limit {
       base ipv6-capa;
       description "Identity for range hop limit capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Hop Limit";
     }

     identity exact-ipv6-address {
       base ipv6-capa;
       description "Identity for exact address capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Address";
     }

     identity range-ipv6-address {
       base ipv6-capa;
       description "Identity for range address capability of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
          - Address";
     }

     identity tcp-capa {
       base condition;
       description "Identity for capabilities of tcp condition";
       reference "RFC 793: Transmission Control Protocol";
     }

     identity exact-tcp-port-num {
       base tcp-capa;
       description "Identity for exact port number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity range-tcp-port-num {
       base tcp-capa;
       description "Identity for range port number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity exact-tcp-seq-num {
       base tcp-capa;
       description "Identity for exact sequence number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity range-tcp-seq-num {
       base tcp-capa;
       description "Identity for range sequence number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity exact-tcp-ack-num {
       base tcp-capa;
       description "Identity for exact acknowledgement number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity range-tcp-ack-num {
       base tcp-capa;
       description "Identity for range acknowledgement number capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity exact-tcp-window-size {
       base tcp-capa;
       description "Identity for exact window size capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity range-tcp-window-size {
       base tcp-capa;
       description "Identity for range window size capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity tcp-flags {
       base tcp-capa;
       description "Identity for flags capability of tcp condition";
       reference "RFC 793: Transmission Control Protocol - Flags";
     }

     identity udp-capa {
       base condition;
       description "Identity for capabilities of udp condition";
       reference "RFC 768: User Datagram Protocol";
     }

     identity exact-udp-port-num {
       base udp-capa;
       description "Identity for exact port number capability of udp condition";
       reference "RFC 768: User Datagram Protocol - Port Number";
     }

     identity range-udp-port-num {
       base udp-capa;
       description "Identity for range port number capability of udp condition";
       reference "RFC 768: User Datagram Protocol - Port Number";
     }

     identity exact-udp-total-length {
       base udp-capa;
       description "Identity for exact total-length capability of udp condition";
       reference "RFC 768: User Datagram Protocol - Total Length";
     }

     identity range-udp-total-length {
       base udp-capa;
       description "Identity for range total-length capability of udp condition";
       reference "RFC 768: User Datagram Protocol - Total Length";
     }

     identity icmp-capa {
       base condition;
       description "Identity for capabilities of icmp condition";
       reference "RFC 792: Internet Control Message Protocol";
     }

     identity icmp-type {
       base icmp-capa;
       description "Identity for icmp type capability of icmp condition";
       reference "RFC 792: Internet Control Message Protocol";
     }

     identity http-capa {
       base condition;
       description "Identity for capabilities of http condition";
     }

     identity uri {
       base http-capa;
       description "Identity for uri capabilities of http condition";
     }

     identity url {
       base http-capa;
       description "Identity for url capabilities of http condition";
     }

     identity log-action-capa {
       description "Identity for capabilities of log action";
     }

     identity rule-log {
       base log-action-capa;
       description "Identity for rule log capability of log action";
     }

     identity session-log {
       base log-action-capa;
       description "Identity for session log capability of log action";
     }

     identity ingress-action-capa {
       description "Identity for capabilities of ingress action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Action";
     }

     identity egress-action-capa {
       description "Base identity for egress action";
     }

     identity default-action-capa {
       description "Identity for capabilities of default action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Default action";
     }

     identity pass {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description "Identity for pass";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and default action";
     }

     identity drop {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description "Identity for drop";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and default action";
     }

     identity reject {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description "Identity for reject";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and default action";
     }

     identity alert {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description "Identity for alert";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and default action";
     }

     identity mirror {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description "Identity for mirror";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and default action";
     }

     identity invoke-signaling {
       base egress-action-capa;
       description "Identity for invoke signaling";
     }

     identity tunnel-encapsulation {
       base egress-action-capa;
       description "Identity for tunnel encapsulation";
     }

     identity forwarding {
       base egress-action-capa;
       description "Identity for forwarding";
     }

     identity redirection {
       base egress-action-capa;
       description "Identity for redirection";
     }

     identity resolution-strategy-capa {
       description "Base identity for resolution strategy";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity fmr {
       base resolution-strategy-capa;
       description "Identity for First Matching Rule (FMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity lmr {
       base resolution-strategy-capa;
       description "Identity for Last Matching Rule (LMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity pmr {
       base resolution-strategy-capa;
       description "Identity for Prioritized Matching Rule (PMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity pmre {
       base resolution-strategy-capa;
       description "Identity for Prioritized Matching Rule with Errors (PMRE)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity pmrn {
       base resolution-strategy-capa;
       description "Identity for Prioritized Matching Rule with No Errors (PMRN)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity advanced-nsf-capa {
       description
         "Base identity for advanced network security function
          capabilities";
       reference
         "RFC 8329: Framework for Interface to Network Security
          Functions - Differences from ACL Data Models
          draft-dong-i2nsf-asf-config-01: Configuration of
          Advanced Security Functions with I2NSF Security
          Controller";
     }

     identity antivirus-capa {
       base advanced-nsf-capa;
       description "Identity for antivirus capabilities";
       reference
         "RFC 8329: Framework for Interface to Network Security
          Functions - Differences from ACL Data Models
          draft-dong-i2nsf-asf-config-01: Configuration of
          Advanced Security Functions with I2NSF Security
          Controller - Antivirus";
     }

     identity antiddos-capa {
       base advanced-nsf-capa;
description 1159 "Identity for antiddos capabilities"; 1160 reference 1161 "RFC 8329: Framework for Interface to Network Security 1162 Functions - Differences from ACL Data Models 1163 draft-dong-i2nsf-asf-config-01: Configuration of 1164 Advanced Security Functions with I2NSF Security 1165 Controller - Antiddos"; 1166 } 1168 identity ips-capa { 1169 base advanced-nsf-capa; 1170 description 1171 "Identity for IPS capabilities"; 1172 reference 1173 "RFC 8329: Framework for Interface to Network Security 1174 Functions - Differences from ACL Data Models 1175 draft-dong-i2nsf-asf-config-01: Configuration of 1176 Advanced Security Functions with I2NSF Security 1177 Controller - Intrusion Prevention System"; 1178 } 1180 identity voip-volte-capa { 1181 base advanced-nsf-capa; 1182 description 1183 "Identity for VoIP/VoLTE capabilities"; 1184 reference 1185 "RFC 3261: SIP: Session Initiation Protocol 1186 RFC 8329: Framework for Interface to Network Security 1187 Functions - Differences from ACL Data Models 1188 draft-dong-i2nsf-asf-config-01: Configuration of 1189 Advanced Security Functions with I2NSF Security 1190 Controller"; 1191 } 1193 identity detect { 1194 base antivirus-capa; 1195 description 1196 "Identity for detect capabilities 1197 of antivirus"; 1198 reference 1199 "draft-dong-i2nsf-asf-config-01: Configuration of 1200 Advanced Security Functions with I2NSF Security 1201 Controller - Antivirus"; 1202 } 1204 identity exception-application { 1205 base antivirus-capa; 1206 description 1207 "Identity for exception application capabilities 1208 of antivirus"; 1209 reference 1210 "draft-dong-i2nsf-asf-config-01: Configuration of 1211 Advanced Security Functions with I2NSF Security 1212 Controller - Antivirus"; 1214 } 1216 identity exception-signature { 1217 base antivirus-capa; 1218 description 1219 "Identity for exception signature capabilities 1220 of antivirus"; 1221 reference 1222 "draft-dong-i2nsf-asf-config-01: Configuration of 1223 Advanced Security 
Functions with I2NSF Security 1224 Controller - Antivirus"; 1225 } 1227 identity whitelists { 1228 base antivirus-capa; 1229 description 1230 "Identity for whitelists capabilities 1231 of antivirus"; 1232 reference 1233 "draft-dong-i2nsf-asf-config-01: Configuration of 1234 Advanced Security Functions with I2NSF Security 1235 Controller - Antivirus"; 1236 } 1238 identity syn-flood-action { 1239 base antiddos-capa; 1240 description 1241 "Identity for syn flood action capabilities 1242 of antiddos"; 1243 reference 1244 "draft-dong-i2nsf-asf-config-01: Configuration of 1245 Advanced Security Functions with I2NSF Security 1246 Controller - Antiddos"; 1247 } 1249 identity udp-flood-action { 1250 base antiddos-capa; 1251 description 1252 "Identity for udp flood action capabilities 1253 of antiddos"; 1254 reference 1255 "draft-dong-i2nsf-asf-config-01: Configuration of 1256 Advanced Security Functions with I2NSF Security 1257 Controller - Antiddos"; 1258 } 1260 identity http-flood-action { 1261 base antiddos-capa; 1262 description 1263 "Identity for http flood action capabilities 1264 of antiddos"; 1265 reference 1266 "draft-dong-i2nsf-asf-config-01: Configuration of 1267 Advanced Security Functions with I2NSF Security 1268 Controller - Antiddos"; 1269 } 1271 identity https-flood-action { 1272 base antiddos-capa; 1273 description 1274 "Identity for https flood action capabilities 1275 of antiddos"; 1276 reference 1277 "draft-dong-i2nsf-asf-config-01: Configuration of 1278 Advanced Security Functions with I2NSF Security 1279 Controller - Antiddos"; 1280 } 1282 identity dns-request-flood-action { 1283 base antiddos-capa; 1284 description 1285 "Identity for dns request flood action capabilities 1286 of antiddos"; 1287 reference 1288 "draft-dong-i2nsf-asf-config-01: Configuration of 1289 Advanced Security Functions with I2NSF Security 1290 Controller - Antiddos"; 1291 } 1293 identity dns-reply-flood-action { 1294 base antiddos-capa; 1295 description 1296 "Identity for dns 
reply flood action capabilities 1297 of antiddos"; 1298 reference 1299 "draft-dong-i2nsf-asf-config-01: Configuration of 1300 Advanced Security Functions with I2NSF Security 1301 Controller - Antiddos"; 1302 } 1304 identity icmp-flood-action { 1305 base antiddos-capa; 1306 description 1307 "Identity for icmp flood action capabilities 1308 of antiddos"; 1309 reference 1310 "draft-dong-i2nsf-asf-config-01: Configuration of 1311 Advanced Security Functions with I2NSF Security 1312 Controller - Antiddos"; 1313 } 1315 identity sip-flood-action { 1316 base antiddos-capa; 1317 description 1318 "Identity for sip flood action capabilities 1319 of antiddos"; 1320 reference 1321 "draft-dong-i2nsf-asf-config-01: Configuration of 1322 Advanced Security Functions with I2NSF Security 1323 Controller - Antiddos"; 1324 } 1326 identity detect-mode { 1327 base antiddos-capa; 1328 description 1329 "Identity for detect mode capabilities 1330 of antiddos"; 1331 reference 1332 "draft-dong-i2nsf-asf-config-01: Configuration of 1333 Advanced Security Functions with I2NSF Security 1334 Controller - Antiddos"; 1335 } 1337 identity baseline-learn { 1338 base antiddos-capa; 1339 description 1340 "Identity for baseline learn capabilities 1341 of antiddos"; 1342 reference 1343 "draft-dong-i2nsf-asf-config-01: Configuration of 1344 Advanced Security Functions with I2NSF Security 1345 Controller - Antiddos"; 1346 } 1348 identity signature-set { 1349 base ips-capa; 1350 description 1351 "Identity for signature set capabilities 1352 of IPS"; 1353 reference 1354 "draft-dong-i2nsf-asf-config-01: Configuration of 1355 Advanced Security Functions with I2NSF Security 1356 Controller - Intrusion Prevention System"; 1357 } 1358 identity ips-exception-signature { 1359 base ips-capa; 1360 description 1361 "Identity for ips exception signature capabilities 1362 of IPS"; 1363 reference 1364 "draft-dong-i2nsf-asf-config-01: Configuration of 1365 Advanced Security Functions with I2NSF Security 1366 Controller - 
Intrusion Prevention System"; 1367 } 1369 identity voice-id { 1370 base voip-volte-capa; 1371 description 1372 "Identity for voice-id capabilities 1373 of VoIP/VoLTE"; 1374 reference 1375 "RFC 3261: SIP: Session Initiation Protocol"; 1376 } 1378 identity user-agent { 1379 base voip-volte-capa; 1380 description 1381 "Identity for user agent capabilities 1382 of VoIP/VoLTE"; 1383 reference 1384 "RFC 3261: SIP: Session Initiation Protocol"; 1385 } 1387 /* 1388 * Grouping 1389 */ 1391 grouping nsf-capabilities { 1392 description 1393 "Capabilities of network security funtion"; 1394 reference 1395 "RFC 8329: Framework for Interface to Network Security 1396 Functions - I2NSF Flow Security Policy Structure 1397 draft-ietf-i2nsf-capability-04: Information Model 1398 of NSFs Capabilities - Capability Information Model Design"; 1400 leaf-list time-capabilities { 1401 type enumeration { 1402 enum absolute-time { 1403 description 1404 "Capabilities of absolute time. 1405 If network security function has the absolute time 1406 capability, the network security function 1407 supports rule execution according to absolute time."; 1408 } 1409 enum periodic-time { 1410 description 1411 "Capabilities of periodic time. 1412 If network security function has the periodic time 1413 capability, the network security function 1414 supports rule execution according to periodic time."; 1415 } 1416 } 1417 description 1418 "This is capabilities for time"; 1419 } 1421 container event-capabilities { 1422 description 1423 "Capabilities of events. 
1424 If network security function has 1425 the event capabilities, the network security functions 1426 supports rule execution according to system event 1427 and system alarm."; 1429 reference 1430 "RFC 8329: Framework for Interface to Network Security 1431 Functions - I2NSF Flow Security Policy Structure 1432 draft-ietf-i2nsf-capability-04: Information Model 1433 of NSFs Capabilities - Design Principles and ECA 1434 Policy Model Overview 1435 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 1436 Data Model for Monitoring I2NSF Network Security 1437 Functions - System Alarm and System Events"; 1439 leaf-list system-event-capa { 1440 type identityref { 1441 base system-event-capa; 1442 } 1443 description 1444 "Capabilities for a system event"; 1445 } 1447 leaf-list system-alarm-capa { 1448 type identityref { 1449 base system-alarm-capa; 1450 } 1451 description 1452 "Capabilities for a system alarm"; 1453 } 1455 } 1457 container condition-capabilities { 1458 description 1459 "Capabilities of conditions."; 1461 container generic-nsf-capabilities { 1462 description 1463 "Capabilities of conditions. 
1464 If a network security function has 1465 the condition capabilities, the network security function 1466 supports rule execution according to conditions of IPv4, 1467 IPv6, foruth layer, ICMP, and payload."; 1468 reference 1469 "RFC 791: Internet Protocol 1470 RFC 792: Internet Control Message Protocol 1471 RFC 793: Transmission Control Protocol 1472 RFC 2460: Internet Protocol, Version 6 (IPv6) 1473 Specification - Next Header 1474 RFC 8329: Framework for Interface to Network Security 1475 Functions - I2NSF Flow Security Policy Structure 1476 draft-ietf-i2nsf-capability-04: Information Model 1477 of NSFs Capabilities - Design Principles and ECA Policy 1478 Model Overview"; 1480 leaf-list ipv4-capa { 1481 type identityref { 1482 base ipv4-capa; 1483 } 1484 description 1485 "Capabilities for an IPv4 packet"; 1486 reference 1487 "RFC 791: Internet Protocol"; 1488 } 1490 leaf-list ipv6-capa { 1491 type identityref { 1492 base ipv6-capa; 1493 } 1494 description 1495 "Capabilities for an IPv6 packet"; 1496 reference 1497 "RFC 2460: Internet Protocol, Version 6 (IPv6) 1498 Specification - Next Header"; 1499 } 1501 leaf-list tcp-capa { 1502 type identityref { 1503 base tcp-capa; 1504 } 1505 description 1506 "Capabilities for a tcp packet"; 1507 reference 1508 "RFC 793: Transmission Control Protocol"; 1509 } 1511 leaf-list udp-capa { 1512 type identityref { 1513 base udp-capa; 1514 } 1515 description 1516 "Capabilities for an udp packet"; 1517 reference 1518 "RFC 768: User Datagram Protocol"; 1519 } 1521 leaf-list icmp-capa { 1522 type identityref { 1523 base icmp-capa; 1524 } 1525 description 1526 "Capabilities for an ICMP packet"; 1527 reference 1528 "RFC 2460: Internet Protocol, Version 6 (IPv6) "; 1529 } 1530 } 1532 container advanced-nsf-capabilities { 1533 description 1534 "Capabilities of advanced network security functions, 1535 such as anti virus, anti DDoS, IPS, and VoIP/VoLTE."; 1536 reference 1537 "RFC 8329: Framework for Interface to Network Security 1538 
Functions - Differences from ACL Data Models 1539 draft-dong-i2nsf-asf-config-01: Configuration of 1540 Advanced Security Functions with I2NSF Security 1541 Controller"; 1543 leaf-list antivirus-capa { 1544 type identityref { 1545 base antivirus-capa; 1546 } 1547 description 1548 "Capabilities for an antivirus"; 1549 reference 1550 "draft-dong-i2nsf-asf-config-01: Configuration of 1551 Advanced Security Functions with I2NSF Security 1552 Controller"; 1553 } 1555 leaf-list antiddos-capa { 1556 type identityref { 1557 base antiddos-capa; 1558 } 1559 description 1560 "Capabilities for an antiddos"; 1561 reference 1562 "draft-dong-i2nsf-asf-config-01: Configuration of 1563 Advanced Security Functions with I2NSF Security 1564 Controller"; 1565 } 1567 leaf-list ips-capa { 1568 type identityref { 1569 base ips-capa; 1570 } 1571 description 1572 "Capabilities for an ips"; 1573 reference 1574 "draft-dong-i2nsf-asf-config-01: Configuration of 1575 Advanced Security Functions with I2NSF Security 1576 Controller"; 1577 } 1579 leaf-list http-capa { 1580 type identityref { 1581 base http-capa; 1582 } 1583 description 1584 "Capabilities for a http"; 1585 reference 1586 "draft-dong-i2nsf-asf-config-01: Configuration of 1587 Advanced Security Functions with I2NSF Security 1588 Controller"; 1589 } 1591 leaf-list voip-volte-capa { 1592 type identityref { 1593 base voip-volte-capa; 1594 } 1595 description 1596 "Capabilities for a voip and volte"; 1597 reference 1598 "draft-dong-i2nsf-asf-config-01: Configuration of 1599 Advanced Security Functions with I2NSF Security 1600 Controller"; 1601 } 1602 } 1603 } 1604 container action-capabilities { 1605 description 1606 "Capabilities of actions. 
1607 If network security function has 1608 the action capabilities, the network security function 1609 supports rule execution according to actions."; 1611 leaf-list ingress-action-capa { 1612 type identityref { 1613 base ingress-action-capa; 1614 } 1615 description 1616 "Capabilities for an action"; 1617 } 1619 leaf-list egress-action-capa { 1620 type identityref { 1621 base egress-action-capa; 1622 } 1623 description 1624 "Capabilities for an egress action"; 1625 } 1627 leaf-list log-action-capa { 1628 type identityref { 1629 base log-action-capa; 1630 } 1631 description 1632 "Capabilities for a log action"; 1633 } 1634 } 1636 leaf-list resolution-strategy-capabilities { 1637 type identityref { 1638 base resolution-strategy-capa; 1639 } 1640 description 1641 "Capabilities for a resolution strategy. 1642 The resolution strategies can be used to 1643 specify how to resolve conflicts that occur between 1644 the actions of the same or different policy rules that 1645 are matched and contained in this particular NSF"; 1646 reference 1647 "draft-ietf-i2nsf-capability-04: Information Model 1648 of NSFs Capabilities - Resolution strategy"; 1649 } 1651 leaf-list default-action-capabilities { 1652 type identityref { 1653 base default-action-capa; 1654 } 1655 description 1656 "Capabilities for a default action. 1657 A default action is used to execute I2NSF policy rule 1658 when no rule matches a packet. The default action is 1659 defined as pass, drop, reject, alert, and mirror."; 1660 reference 1661 "draft-ietf-i2nsf-capability-04: Information Model 1662 of NSFs Capabilities - Default action"; 1663 } 1664 } 1666 /* 1667 * Data nodes 1668 */ 1670 container nsf { 1671 description 1672 "The list of capabilities of 1673 network security function"; 1674 uses nsf-capabilities; 1675 } 1676 } 1678 1680 Figure 3: YANG Data Module of I2NSF Capability 1682 7. 
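As an added example that is not part of this draft or of any I2NSF implementation, the following Python transcribes the identity hierarchy of the module above, checks a constructed instance of the `nsf` container against the `identityref` bases of the `nsf-capabilities` grouping in the way YANG's `derived-from()` would (so a multi-base identity such as `pass` is accepted on ingress, egress and default leaf-lists, while `redirection` is accepted only on the egress list), and then decides whether the advertising NSF can execute a policy rule's requirements. The slash-separated path layout, the unprefixed identity names and the firewall instance are assumptions of this example.

```python
"""Constructed example, not part of the draft: check an instance of the 'nsf'
container against the identityref bases declared in ietf-i2nsf-capability,
then decide whether the advertising NSF can execute a given policy rule."""

COMMON = ("pass", "drop", "reject", "alert", "mirror")
# identity -> set of bases, transcribed from the module text (IPv4/IPv6
# identities are defined earlier in the module and are omitted here).
# An identity with several 'base' statements (e.g. pass) derives from all.
BASES = {
    **{a: {"ingress-action-capa", "egress-action-capa", "default-action-capa"}
       for a in COMMON},
    **{a: {"egress-action-capa"} for a in ("invoke-signaling",
       "tunnel-encapsulation", "forwarding", "redirection")},
    "rule-log": {"log-action-capa"}, "session-log": {"log-action-capa"},
    **{s: {"resolution-strategy-capa"} for s in ("fmr", "lmr", "pmr", "pmre", "pmrn")},
    **{c: {"condition"} for c in ("tcp-capa", "udp-capa", "icmp-capa", "http-capa")},
    **{c: {"tcp-capa"} for c in ("exact-tcp-ack-num", "range-tcp-ack-num",
       "exact-tcp-window-size", "range-tcp-window-size", "tcp-flags")},
    **{c: {"udp-capa"} for c in ("exact-udp-port-num", "range-udp-port-num",
       "exact-udp-total-length", "range-udp-total-length")},
    "icmp-type": {"icmp-capa"}, "uri": {"http-capa"}, "url": {"http-capa"},
    **{c: {"advanced-nsf-capa"} for c in ("antivirus-capa", "antiddos-capa",
       "ips-capa", "voip-volte-capa")},
    **{c: {"antivirus-capa"} for c in ("detect", "exception-application",
       "exception-signature", "whitelists")},
    **{c: {"antiddos-capa"} for c in ("syn-flood-action", "udp-flood-action",
       "http-flood-action", "https-flood-action", "dns-request-flood-action",
       "dns-reply-flood-action", "icmp-flood-action", "sip-flood-action",
       "detect-mode", "baseline-learn")},
    "signature-set": {"ips-capa"}, "ips-exception-signature": {"ips-capa"},
    "voice-id": {"voip-volte-capa"}, "user-agent": {"voip-volte-capa"},
}

def derived_from(identity, base):
    """YANG derived-from(): True if identity transitively has 'base' as a base."""
    todo, seen = [identity], set()
    while todo:
        for b in BASES.get(todo.pop(), ()):
            if b == base:
                return True
            if b not in seen:
                seen.add(b)
                todo.append(b)
    return False

# leaf-list path inside 'nsf' -> base its identityrefs must derive from,
# following the grouping nsf-capabilities (path layout assumed here).
GEN = "condition-capabilities/generic-nsf-capabilities/"
ADV = "condition-capabilities/advanced-nsf-capabilities/"
LEAF_BASE = {
    **{GEN + l: l for l in ("tcp-capa", "udp-capa", "icmp-capa")},
    **{ADV + l: l for l in ("antivirus-capa", "antiddos-capa", "ips-capa",
                            "http-capa", "voip-volte-capa")},
    **{"action-capabilities/" + l: l for l in
       ("ingress-action-capa", "egress-action-capa", "log-action-capa")},
    "resolution-strategy-capabilities": "resolution-strategy-capa",
    "default-action-capabilities": "default-action-capa",
}

def leaf_list(nsf, path):
    """Walk a slash-separated path into the nested instance; missing -> []."""
    node = nsf
    for part in path.split("/"):
        node = node.get(part, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, list) else []

def validate_nsf(nsf):
    """Return (path, value) pairs whose value does not derive from the leaf's base."""
    return [(p, v) for p, base in LEAF_BASE.items()
            for v in leaf_list(nsf, p) if not derived_from(v, base)]

def can_execute(nsf, rule_needs):
    """True if every (path, identity) pair the rule needs is advertised by the NSF."""
    return all(v in leaf_list(nsf, p) for p, v in rule_needs)

# Constructed capability advertisement of one firewall-type NSF (JSON-style,
# identities shown without the module prefix).
FIREWALL = {
    "condition-capabilities": {
        "generic-nsf-capabilities": {"tcp-capa": ["exact-tcp-ack-num", "tcp-flags"],
                                     "udp-capa": ["range-udp-port-num"],
                                     "icmp-capa": ["icmp-type"]},
        "advanced-nsf-capabilities": {"antiddos-capa": ["syn-flood-action", "detect-mode"],
                                      "http-capa": ["url"]}},
    "action-capabilities": {"ingress-action-capa": ["pass", "drop", "alert"],
                            "egress-action-capa": ["pass", "drop", "redirection"],
                            "log-action-capa": ["rule-log"]},
    "resolution-strategy-capabilities": ["fmr", "pmr"],
    "default-action-capabilities": ["drop"],
}
```

A security controller can run `validate_nsf` on each registered NSF before trusting its advertisement, and `can_execute` when choosing which NSF receives a rule.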
7.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability

   Registrant Contact: The IESG.

   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

   name: ietf-i2nsf-capability

   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability

   prefix: iicapa

   reference: RFC XXXX

8.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., "The YANG 1.1 Data Modeling Language",
              RFC 7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192, July
              2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", RFC 8431, September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

9.2.  Informative References

   [i2nsf-advanced-nsf-dm]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [i2nsf-nsf-cap-im]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [i2nsf-nsf-yang]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-01
              (work in progress), July 2018.

   [i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-07 (work in
              progress), January 2019.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.

Appendix A.  Changes from draft-ietf-i2nsf-capability-data-model-02

   The following changes are made from draft-ietf-i2nsf-capability-data-
   model-03:

   o  We revised this YANG data module according to guidelines for
      authors and reviewers of YANG data model documents [RFC6087].

   o  We changed the structure of the overall YANG data module.

   o  We changed enumeration type to identity type for scalable
      components.

   o  We added a description for the YANG tree diagram of the YANG data
      module.

   o  We revised overall sentences of this YANG data model document.

   o  We added configuration examples to make it easier for reviewers to
      understand.

Appendix B.  Acknowledgments

   This work was supported by Institute for Information & communications
   Technology Promotion (IITP) grant funded by the Korea government
   (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
   Technology Development for the Customized Security Service
   Provisioning).

Appendix C.  Contributors

   This document is made by the group effort of I2NSF working group.
   Many people actively contributed to this document.  The following are
   considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Jung-Soo Park (ETRI)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com