I2NSF Working Group                                           S. Hares
Internet-Draft                                                  Huawei
Intended status: Standards Track                              J. Jeong
Expires: September 29, 2019                                     J. Kim
                                               Sungkyunkwan University
                                                          R. Moskowitz
                                                        HTT Consulting
                                                                Q. Lin
                                                                Huawei
                                                        March 28, 2019

                   I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-04

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to Network
   Security Functions (I2NSF) framework, so that the capabilities of
   those NSFs can be centrally managed.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 29, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Capabilities of Network Security Function
   6.  YANG Data Modules
     6.1.  I2NSF Capability YANG Data Module
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-capability-data-model-03
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices (e.g.,
   Internet of Things, self-driving vehicles, and VoIP/VoLTE
   smartphones) proliferate, service providers face the many problems
   described in [RFC8192].  To resolve these problems,
   [i2nsf-nsf-cap-im] specifies the information model of the
   capabilities of Network Security Functions (NSFs).

   This document provides a data model using YANG [RFC6020][RFC7950]
   that defines the capabilities of NSFs in order to centrally manage
   the capabilities of those security devices.
   The security devices can register their own capabilities with the
   Network Operator Management (Mgmt) System (i.e., Security Controller)
   using this YANG data model through the Registration Interface
   [RFC8329].  With the capabilities of those security devices
   registered centrally, the devices can be managed easily [RFC8329].
   This YANG data model is based on the information model for I2NSF NSF
   capabilities [i2nsf-nsf-cap-im].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that is the basis for the design of the I2NSF Policy Rules
   described in [RFC8329] and [i2nsf-nsf-cap-im].  The
   "ietf-i2nsf-capability" YANG module defined in this document provides
   the following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology][i2nsf-nsf-cap-im]
   [RFC8431][supa-policy-info-model].
   In particular, the following terms are taken from
   [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Overview

   This section gives an overview of how the YANG data model can be used
   in the I2NSF framework described in [RFC8329].  Figure 1 shows the
   capabilities of NSFs in the I2NSF Framework.  As shown in this
   figure, a Developer's Mgmt System can register NSFs together with the
   capabilities that each network security device supports.  To register
   NSFs in this way, the Developer's Mgmt System uses this standardized
   capabilities YANG data model through the Registration Interface.
   With the capabilities of those network security devices registered
   centrally, the devices can be managed easily, which resolves many of
   the problems described in [RFC8192].  The following use cases
   illustrate this.
   Note that [i2nsf-nsf-yang] is used to configure the security policy
   rules of generic network security functions and
   [i2nsf-advanced-nsf-dm] is used to configure the security policy
   rules of advanced network security functions, according to the
   capabilities of the network security devices registered in the I2NSF
   Framework.

   +-------------------------------------------------------+
   | I2NSF User (e.g., Overlay Network Mgmt, Enterprise    |
   | Network Mgmt, another network domain's mgmt, etc.)    |
   +--------------------+----------------------------------+
                        |
   Consumer-Facing Interface
                        |
                        |                       I2NSF
   +--------------------+---------+          Registration      +-------------+
   | Network Operator Mgmt System |           Interface        | Developer's |
   | (i.e., Security Controller)  |        < --------- >       | Mgmt System |
   +--------------------+---------+                            +-------------+
                        |                                      New NSF
                        |                                      E = {}
   NSF-Facing Interface |                                      C = {IPv4, IPv6}
                        |                                      A = {Allow, Deny}
                        |
       +----------------+----+------------+-----------------+
       |                     |            |                 |
   +---+---+           +---+---+      +---+---+         +---+---+
   | NSF-1 |   ...     | NSF-m |      | NSF-1 |   ...   | NSF-n |   ...
   +-------+           +-------+      +-------+         +-------+
    NSF-1               NSF-m          NSF-1             NSF-n
    E = {}              E = {user}     E = {dev}         E = {time}
    C = {IPv4}          C = {IPv6}     C = {IPv4, IPv6}  C = {IPv4}
    A = {Allow, Deny}   A = {Allow, Deny}  A = {Allow, Deny}  A = {Allow, Deny}

          Developer Mgmt System A            Developer Mgmt System B

           Figure 1: Capabilities of NSFs in I2NSF Framework

   o  If a network manager wants to apply security policy rules about
      blocking malicious users, it is a tremendous burden to apply all
      of these rules to NSFs one by one.  This problem can be resolved
      by managing the capabilities of NSFs.  If the network manager
      wants to block malicious users with IPv6, the network manager
      sends the security policy rules about blocking the users to the
      Network Operator Mgmt System using an I2NSF User (i.e., a web
      browser or a software application).
      When the Network Operator Mgmt System receives the security policy
      rules, it automatically sends those security policy rules to the
      appropriate NSFs (i.e., NSF-m in Developer Mgmt System A and NSF-1
      in Developer Mgmt System B) which support the required capability
      (i.e., IPv6).  Therefore, the I2NSF User need not consider which
      NSFs the rules should be applied to.

   o  If NSFs find malicious packets, it is a tremendous burden for the
      network manager to apply the rule about blocking the malicious
      packets to NSFs one by one.  This problem can be resolved by
      managing the capabilities of NSFs.  If NSFs find suspicious
      packets with IPv4, they can ask the Network Operator Mgmt System
      for information about the suspicious packets with IPv4 in order to
      alter specific rules and/or configurations.  When the Network
      Operator Mgmt System receives the information, it inspects the
      information about the suspicious packets with IPv4.  If the
      suspicious packets are determined to be malicious packets, the
      Network Operator Mgmt System creates and sends the security policy
      rule against the malicious packets to the appropriate NSFs (i.e.,
      NSF-1 in Developer Mgmt System A and NSF-1 and NSF-n in Developer
      Mgmt System B) which support the required capability (i.e., IPv4).
      Therefore, the new security policy rule against malicious packets
      can be applied to the appropriate NSFs without human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of the capabilities of network
   security functions, as defined in [i2nsf-nsf-cap-im].

5.1.  Capabilities of Network Security Function

   This section shows the YANG tree diagram for the capabilities of
   network security functions.
   module: ietf-i2nsf-capability
     +--rw nsf
        +--rw time-capabilities*                  enumeration
        +--rw event-capabilities
        |  +--rw system-event-capa*               identityref
        |  +--rw system-alarm-capa*               identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capa*                    identityref
        |  |  +--rw ipv6-capa*                    identityref
        |  |  +--rw tcp-capa*                     identityref
        |  |  +--rw udp-capa*                     identityref
        |  |  +--rw icmp-capa*                    identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw antivirus-capa*               identityref
        |  |  +--rw antiddos-capa*                identityref
        |  |  +--rw ips-capa*                     identityref
        |  |  +--rw url-capa*                     identityref
        |  |  +--rw voip-volte-capa*              identityref
        |  +--rw context-capabilities*            identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capa*             identityref
        |  +--rw egress-action-capa*              identityref
        |  +--rw log-action-capa*                 identityref
        +--rw resolution-strategy-capabilities*   identityref
        +--rw default-action-capabilities*        identityref
        +--rw ipsec-method*                       identityref

      Figure 2: YANG Tree Diagram for Capabilities of Network Security
                                Functions

   This YANG tree diagram shows the capabilities of network security
   functions.

   The NSF includes NSF capabilities.  The NSF capabilities include time
   capabilities, event capabilities, condition capabilities, action
   capabilities, resolution strategy capabilities, and default action
   capabilities.

   Time capabilities are used to specify when the I2NSF policy rule is
   to be executed.  The time capabilities are defined as absolute time
   and periodic time.

   Event capabilities are used to specify how to trigger the evaluation
   of the condition clause of the I2NSF Policy Rule.  The event
   capabilities are defined as system event and system alarm.  The event
   capability can be extended according to vendor-specific condition
   features.  The event capability is described in detail in
   [i2nsf-nsf-cap-im].
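   The following Python script is an added example, not part of this
   draft and not code from any I2NSF implementation.  It models the two
   use cases of Section 4 against the tree in Figure 2: each NSF of
   Figure 1 registers a constructed RFC 7951 style JSON instance of the
   "nsf" container (with Allow/Deny rendered as the module's "pass" and
   "drop" identities), the Security Controller checks that every
   identityref is derived from the base identity its leaf-list accepts,
   and a policy rule is dispatched only to the NSFs whose registered
   capabilities cover it.  The leaf-to-base table, the rule format and
   the helper names (registration, parse_registration, unsupported,
   select_nsfs) are this example's own assumptions; the page shows the
   identities but not the leaf typedefs of the module.

```python
"""Capability registration and NSF selection in the I2NSF framework.

Added example, not code from the draft or from an I2NSF project.  The
registration documents are constructed JSON instances of the
ietf-i2nsf-capability tree in Figure 2; LEAF_BASE, the rule format and
the helper functions are assumptions made for this example.
"""
import json

MODULE = "ietf-i2nsf-capability"

# Assumed: the base identity each identityref leaf-list accepts.  The
# module text on the page shows the identities, not the leaf typedefs.
LEAF_BASE = {
    "system-event-capa": "system-event-capa",
    "ipv4-capa": "ipv4-capa",
    "ipv6-capa": "ipv6-capa",
    "ingress-action-capa": "ingress-action-capa",
    "default-action-capabilities": "default-action-capa",
}

# Subset of the module's identity hierarchy: identity -> its base identities.
BASES = {
    "access-violation": {"system-event-capa"},
    "exact-ipv4-address": {"ipv4-capa"}, "range-ipv4-address": {"ipv4-capa"},
    "exact-ipv6-address": {"ipv6-capa"}, "range-ipv6-address": {"ipv6-capa"},
    "pass": {"ingress-action-capa", "egress-action-capa", "default-action-capa"},
    "drop": {"ingress-action-capa", "egress-action-capa", "default-action-capa"},
    "alert": {"ingress-action-capa", "egress-action-capa", "default-action-capa"},
}


def registration(ipv4=(), ipv6=(), events=(), ingress=(), default=()):
    """Build a constructed registration document for one NSF (JSON text)."""
    def q(names):  # identityrefs are module-qualified in the JSON encoding
        return [f"{MODULE}:{n}" for n in names]
    return json.dumps({f"{MODULE}:nsf": {
        "event-capabilities": {"system-event-capa": q(events)},
        "condition-capabilities": {"generic-nsf-capabilities": {
            "ipv4-capa": q(ipv4), "ipv6-capa": q(ipv6)}},
        "action-capabilities": {"ingress-action-capa": q(ingress)},
        "default-action-capabilities": q(default),
    }})


# The NSFs of Figure 1 (constructed data; Allow/Deny rendered as pass/drop).
REGISTRATIONS = {
    "A/NSF-1": registration(ipv4=["exact-ipv4-address"],
                            ingress=["pass", "drop"], default=["drop"]),
    "A/NSF-m": registration(ipv6=["exact-ipv6-address", "range-ipv6-address"],
                            events=["access-violation"], ingress=["pass", "drop"]),
    "B/NSF-1": registration(ipv4=["exact-ipv4-address"], ipv6=["exact-ipv6-address"],
                            ingress=["pass", "drop", "alert"]),
    "B/NSF-n": registration(ipv4=["exact-ipv4-address", "range-ipv4-address"],
                            ingress=["pass", "drop"]),
}


def parse_registration(doc):
    """Flatten a registration into a set of (leaf, identity) pairs, rejecting
    any identity that is not derived from the base the leaf accepts."""
    caps = set()

    def walk(node, leaf=None):
        if isinstance(node, dict):          # container: descend into children
            for key, child in node.items():
                walk(child, key)
        else:                               # leaf-list of qualified identityrefs
            for qualified in node:
                module, _, ident = qualified.rpartition(":")
                if module != MODULE:
                    raise ValueError(f"foreign identity {qualified!r} in {leaf}")
                if LEAF_BASE[leaf] not in BASES.get(ident, set()):
                    raise ValueError(f"{ident!r} is not derived from {LEAF_BASE[leaf]}")
                caps.add((leaf, ident))

    walk(json.loads(doc)[f"{MODULE}:nsf"])
    return caps


def unsupported(rule, doc):
    """Capabilities the rule needs that this NSF did not register."""
    needed = {(leaf, ident) for leaf, idents in rule.items() for ident in idents}
    return sorted(needed - parse_registration(doc))


def select_nsfs(rule, registrations=REGISTRATIONS):
    """NSFs able to enforce the rule: the Security Controller's dispatch step."""
    return sorted(n for n, doc in registrations.items() if not unsupported(rule, doc))


# Use case 1: block malicious IPv6 users -> A/NSF-m and B/NSF-1, as in Section 4.
BLOCK_IPV6_USERS = {"ipv6-capa": ["exact-ipv6-address"], "ingress-action-capa": ["drop"]}
# Use case 2: drop IPv4 packets judged malicious -> A/NSF-1, B/NSF-1 and B/NSF-n.
BLOCK_IPV4_PACKETS = {"ipv4-capa": ["exact-ipv4-address"], "ingress-action-capa": ["drop"]}

if __name__ == "__main__":
    for label, rule in [("IPv6 users", BLOCK_IPV6_USERS), ("IPv4 packets", BLOCK_IPV4_PACKETS)]:
        print(label, "->", select_nsfs(rule))
```

   The derivation check in parse_registration is what keeps a
   registration honest: an NSF that lists "drop" under ipv4-capa is
   rejected at registration time rather than being selected later for a
   rule it cannot enforce.  A full implementation would walk the
   module's identity tree transitively instead of the flat table used
   here.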
   Condition capabilities are used to specify a set of attributes,
   features, and/or values that are to be compared with a set of known
   attributes, features, and/or values in order to determine whether or
   not the set of actions in that (imperative) I2NSF policy rule can be
   executed.  The condition capabilities are classified into condition
   capabilities of generic network security functions and of advanced
   network security functions.  The condition capabilities of generic
   network security functions are defined as IPv4 capability, IPv6
   capability, TCP capability, UDP capability, and ICMP capability.  The
   condition capabilities of advanced network security functions are
   defined as antivirus capability, anti-DDoS capability, IPS
   capability, HTTP capability, and VoIP/VoLTE capability.  The
   condition capability can be extended according to vendor-specific
   condition features.  The condition capability is described in detail
   in [i2nsf-nsf-cap-im].

   Action capabilities are used to specify how to control and monitor
   aspects of flow-based NSFs when the event and condition clauses are
   satisfied.  The action capabilities are defined as ingress action
   capability, egress action capability, and log action capability.  The
   action capability can be extended according to vendor-specific action
   features.  The action capability is described in detail in
   [i2nsf-nsf-cap-im].

   Resolution strategy capabilities are used to specify how to resolve
   conflicts that occur between the actions of the same or different
   policy rules that are matched and contained in this particular NSF.
   The resolution strategy capabilities are defined as First Matching
   Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR)
   with Errors (PMRE), and Prioritized Matching Rule with No Errors
   (PMRN).  The resolution strategy capability can be extended according
   to vendor-specific action features.  The resolution strategy
   capability is described in detail in [i2nsf-nsf-cap-im].

   Default action capabilities are used to specify how to execute the
   I2NSF policy rule when no rule matches a packet.  The default action
   capabilities are defined as pass, drop, reject, alert, and mirror.
   The default action capability can be extended according to
   vendor-specific action features.  The default action capability is
   described in detail in [i2nsf-nsf-cap-im].

   IPsec method capabilities are used to specify how an Internet key
   exchange for secure communication is supported.  The IPsec method
   capabilities are defined as ike and ikeless.  The IPsec method
   capability can be extended according to vendor-specific features.
   The IPsec method capability is described in detail in
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection].

6.  YANG Data Modules

6.1.  I2NSF Capability YANG Data Module

   This section introduces a YANG data module for the capabilities of
   network security functions, as defined in [i2nsf-nsf-cap-im].

   file "ietf-i2nsf-capability@2019-03-28.yang"

   module ietf-i2nsf-capability {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
     prefix
       iicapa;

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Susan Hares

        Editor: Jaehoon Paul Jeong

        Editor: Jinyong Tim Kim
        ";

     description
       "This module describes a capability model
        for I2NSF devices.

        Copyright (c) 2018 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC 8341; see
        the RFC itself for full legal notices.";

     revision "2019-03-28"{
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Capability YANG Data Model";
     }

     /*
      * Identities
      */

     identity event {
       description
         "Base identity for event of policy.";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - Event";
     }

     identity system-event-capa {
       base event;
       description
         "Identity for system event";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity system-alarm-capa {
       base event;
       description
         "Identity for system alarm";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity access-violation {
       base system-event-capa;
       description
         "Identity for access violation
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity configuration-change {
       base system-event-capa;
       description
         "Identity for configuration change
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity memory-alarm {
       base system-alarm-capa;
       description
         "Identity for memory alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm-capa;
       description
         "Identity for cpu alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm-capa;
       description
         "Identity for disk alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm-capa;
       description
         "Identity for hardware alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm-capa;
       description
         "Identity for interface alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity condition {
       description
         "Base identity for conditions of policy";
     }

     identity context-capa {
       base condition;
       description
         "Identity for capabilities of context condition";
     }

     identity acl-number {
       base context-capa;
       description
         "Identity for acl number capability
          of context condition";
     }

     identity application {
       base context-capa;
       description
         "Identity for application capability
          of context condition";
     }

     identity target {
       base context-capa;
       description
         "Identity for target capability
          of context condition";
     }

     identity user {
       base context-capa;
       description
         "Identity for user capability
          of context condition";
     }

     identity group {
       base context-capa;
       description
         "Identity for group capability
          of context condition";
     }

     identity geography {
       base context-capa;
       description
         "Identity for geography capability
          of context condition";
     }

     identity ipv4-capa {
       base condition;
       description
         "Identity for capabilities of IPv4 condition";
       reference
         "RFC 791: Internet Protocol";
     }

     identity exact-ipv4-header-length {
       base ipv4-capa;
       description
         "Identity for exact header length capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity range-ipv4-header-length {
       base ipv4-capa;
       description
         "Identity for range header length capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity ipv4-tos {
       base ipv4-capa;
       description
         "Identity for type of service capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity exact-ipv4-total-length {
       base ipv4-capa;
       description
         "Identity for exact total length capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity range-ipv4-total-length {
       base ipv4-capa;
       description
         "Identity for range total length capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity ipv4-id {
       base ipv4-capa;
       description
         "Identity for identification capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Identification";
     }

     identity ipv4-fragment-flags {
       base ipv4-capa;
       description
         "Identity for fragment flags capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity exact-ipv4-fragment-offset {
       base ipv4-capa;
       description
         "Identity for exact fragment offset capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity range-ipv4-fragment-offset {
       base ipv4-capa;
       description
         "Identity for range fragment offset capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity exact-ipv4-ttl {
       base ipv4-capa;
       description
         "Identity for exact time to live capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity range-ipv4-ttl {
       base ipv4-capa;
       description
         "Identity for range time to live capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity ipv4-protocol {
       base ipv4-capa;
       description
         "Identity for protocol capability
          of IPv4 condition";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity exact-ipv4-address {
       base ipv4-capa;
       description
         "Identity for exact address capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity range-ipv4-address {
       base ipv4-capa;
       description
         "Identity for range-address capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity ipv4-ipopts {
       base ipv4-capa;
       description
         "Identity for option capability
          of IPv4 condition";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ipv4-sameip {
       base ipv4-capa;
       description
         "Identity for sameIP capability
          of IPv4 condition";
     }

     identity ipv4-geoip {
       base ipv4-capa;
       description
         "Identity for geography capability
          of IPv4 condition";
     }

     identity ipv6-capa {
       base condition;
       description
         "Identity for capabilities of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification";
     }

     identity ipv6-traffic-class {
       base ipv6-capa;
       description
         "Identity for traffic class capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity exact-ipv6-flow-label {
       base ipv6-capa;
       description
         "Identity for exact flow label capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity range-ipv6-flow-label {
       base ipv6-capa;
       description
         "Identity for range flow label capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity exact-ipv6-payload-length {
       base ipv6-capa;
       description
         "Identity for exact payload length capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity range-ipv6-payload-length {
       base ipv6-capa;
       description
         "Identity for range payload length capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity ipv6-next-header {
       base ipv6-capa;
       description
         "Identity for next header capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity exact-ipv6-hop-limit {
       base ipv6-capa;
       description
         "Identity for exact hop limit capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity range-ipv6-hop-limit {
       base ipv6-capa;
       description
         "Identity for range hop limit capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity exact-ipv6-address {
       base ipv6-capa;
       description
         "Identity for exact address capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity range-ipv6-address {
       base ipv6-capa;
       description
         "Identity for range address capability
          of IPv6 condition";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity tcp-capa {
       base condition;
       description
         "Identity for capabilities of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol";
     }

     identity exact-tcp-port-num {
       base tcp-capa;
       description
         "Identity for exact port number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity range-tcp-port-num {
       base tcp-capa;
       description
         "Identity for range port number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity exact-tcp-seq-num {
       base tcp-capa;
       description
         "Identity for exact sequence number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity range-tcp-seq-num {
       base tcp-capa;
       description
         "Identity for range sequence number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity exact-tcp-ack-num {
       base tcp-capa;
       description
         "Identity for exact acknowledgement number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity range-tcp-ack-num {
       base tcp-capa;
       description
         "Identity for range acknowledgement number capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity exact-tcp-window-size {
       base tcp-capa;
       description
         "Identity for exact window size capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity range-tcp-window-size {
       base tcp-capa;
       description
         "Identity for range window size capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity tcp-flags {
       base tcp-capa;
       description
         "Identity for flags capability
          of tcp condition";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity udp-capa {
       base condition;
       description
         "Identity for capabilities of udp condition";
       reference
         "RFC 768: User Datagram Protocol";
     }

     identity exact-udp-port-num {
       base udp-capa;
       description
         "Identity for exact port number capability
          of udp condition";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity range-udp-port-num {
       base udp-capa;
       description
         "Identity for range port number capability
          of udp condition";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity exact-udp-total-length {
       base udp-capa;
       description
         "Identity for exact total-length capability
          of udp condition";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity range-udp-total-length {
       base udp-capa;
       description
         "Identity for range total-length capability
          of udp condition";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity icmp-capa {
       base condition;
       description
         "Identity for capabilities of icmp condition";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmp-type {
       base icmp-capa;
       description
         "Identity for icmp type capability
          of icmp condition";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity url-capa {
       base condition;
       description
         "Identity for capabilities of url condition";
     }

     identity pre-defined {
       base url-capa;
       description
         "Identity for pre-defined capabilities of
          url condition";
     }

     identity user-defined {
       base url-capa;
       description
         "Identity for user-defined capabilities of
          url condition";
     }

     identity log-action-capa {
       description
         "Identity for capabilities of log action";
     }

     identity rule-log {
       base log-action-capa;
       description
         "Identity for rule log capability
          of log action";
     }

     identity session-log {
       base log-action-capa;
       description
         "Identity for session log capability
          of log action";
     }

     identity ingress-action-capa {
       description
         "Identity for capabilities of ingress action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Action";
     }

     identity egress-action-capa {
       description
         "Base identity for egress action";
     }

     identity default-action-capa {
       description
         "Identity for capabilities of default action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Default action";
     }

     identity pass {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description
         "Identity for pass";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity drop {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description
         "Identity for drop";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity reject {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description
         "Identity for reject";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity alert {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description
         "Identity for alert";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity mirror {
       base ingress-action-capa;
       base egress-action-capa;
       base default-action-capa;
       description
         "Identity for mirror";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity invoke-signaling {
       base egress-action-capa;
       description
         "Identity for invoke signaling";
     }

     identity tunnel-encapsulation {
       base egress-action-capa;
       description
         "Identity for tunnel encapsulation";
     }

     identity forwarding {
       base egress-action-capa;
       description
         "Identity for forwarding";
     }

     identity redirection {
       base egress-action-capa;
       description
         "Identity for redirection";
     }

     identity resolution-strategy-capa {
       description
         "Base identity for resolution strategy";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity fmr {
       base resolution-strategy-capa;
       description
         "Identity for First Matching Rule (FMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity lmr {
       base resolution-strategy-capa;
       description
         "Identity for Last Matching Rule (LMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity pmr {
       base resolution-strategy-capa;
       description
         "Identity for Prioritized Matching Rule (PMR)";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Resolution Strategy";
     }

     identity pmre {
base resolution-strategy-capa; 1170 description 1171 "Identity for Prioritized Matching Rule 1172 with Errors (PMRE)"; 1173 reference 1174 "draft-ietf-i2nsf-capability-04: Information Model 1175 of NSFs Capabilities - Resolution Strategy"; 1176 } 1178 identity pmrn { 1179 base resolution-strategy-capa; 1180 description 1181 "Identity for Prioritized Matching Rule 1182 with No Errors (PMRN)"; 1183 reference 1184 "draft-ietf-i2nsf-capability-04: Information Model 1185 of NSFs Capabilities - Resolution Strategy"; 1186 } 1188 identity advanced-nsf-capa { 1189 description 1190 "Base identity for advanced 1191 network security function capabilities"; 1192 reference 1193 "RFC 8329: Framework for Interface to Network Security 1194 Functions - Differences from ACL Data Models 1195 draft-dong-i2nsf-asf-config-01: Configuration of 1196 Advanced Security Functions with I2NSF Security 1197 Controller"; 1198 } 1200 identity antivirus-capa { 1201 base advanced-nsf-capa; 1202 description 1203 "Identity for antivirus capabilities"; 1204 reference 1205 "RFC 8329: Framework for Interface to Network Security 1206 Functions - Differences from ACL Data Models 1207 draft-dong-i2nsf-asf-config-01: Configuration of 1208 Advanced Security Functions with I2NSF Security 1209 Controller - Antivirus"; 1210 } 1212 identity antiddos-capa { 1213 base advanced-nsf-capa; 1214 description 1215 "Identity for antiddos capabilities"; 1216 reference 1217 "RFC 8329: Framework for Interface to Network Security 1218 Functions - Differences from ACL Data Models 1219 draft-dong-i2nsf-asf-config-01: Configuration of 1220 Advanced Security Functions with I2NSF Security 1221 Controller - Antiddos"; 1222 } 1224 identity ips-capa { 1225 base advanced-nsf-capa; 1226 description 1227 "Identity for IPS capabilities"; 1228 reference 1229 "RFC 8329: Framework for Interface to Network Security 1230 Functions - Differences from ACL Data Models 1231 draft-dong-i2nsf-asf-config-01: Configuration of 1232 Advanced Security 
Functions with I2NSF Security 1233 Controller - Intrusion Prevention System"; 1234 } 1236 identity voip-volte-capa { 1237 base advanced-nsf-capa; 1238 description 1239 "Identity for VoIP/VoLTE capabilities"; 1240 reference 1241 "RFC 3261: SIP: Session Initiation Protocol 1242 RFC 8329: Framework for Interface to Network Security 1243 Functions - Differences from ACL Data Models 1244 draft-dong-i2nsf-asf-config-01: Configuration of 1245 Advanced Security Functions with I2NSF Security 1246 Controller"; 1247 } 1249 identity detect { 1250 base antivirus-capa; 1251 description 1252 "Identity for detect capabilities 1253 of antivirus"; 1254 reference 1255 "draft-dong-i2nsf-asf-config-01: Configuration of 1256 Advanced Security Functions with I2NSF Security 1257 Controller - Antivirus"; 1258 } 1260 identity exception-application { 1261 base antivirus-capa; 1262 description 1263 "Identity for exception application capabilities 1264 of antivirus"; 1266 reference 1267 "draft-dong-i2nsf-asf-config-01: Configuration of 1268 Advanced Security Functions with I2NSF Security 1269 Controller - Antivirus"; 1270 } 1272 identity exception-signature { 1273 base antivirus-capa; 1274 description 1275 "Identity for exception signature capabilities 1276 of antivirus"; 1277 reference 1278 "draft-dong-i2nsf-asf-config-01: Configuration of 1279 Advanced Security Functions with I2NSF Security 1280 Controller - Antivirus"; 1281 } 1283 identity whitelists { 1284 base antivirus-capa; 1285 description 1286 "Identity for whitelists capabilities 1287 of antivirus"; 1288 reference 1289 "draft-dong-i2nsf-asf-config-01: Configuration of 1290 Advanced Security Functions with I2NSF Security 1291 Controller - Antivirus"; 1292 } 1294 identity syn-flood-action { 1295 base antiddos-capa; 1296 description 1297 "Identity for syn flood action capabilities 1298 of antiddos"; 1299 reference 1300 "draft-dong-i2nsf-asf-config-01: Configuration of 1301 Advanced Security Functions with I2NSF Security 1302 Controller 
- Antiddos"; 1303 } 1305 identity udp-flood-action { 1306 base antiddos-capa; 1307 description 1308 "Identity for udp flood action capabilities 1309 of antiddos"; 1310 reference 1311 "draft-dong-i2nsf-asf-config-01: Configuration of 1312 Advanced Security Functions with I2NSF Security 1313 Controller - Antiddos"; 1315 } 1317 identity http-flood-action { 1318 base antiddos-capa; 1319 description 1320 "Identity for http flood action capabilities 1321 of antiddos"; 1322 reference 1323 "draft-dong-i2nsf-asf-config-01: Configuration of 1324 Advanced Security Functions with I2NSF Security 1325 Controller - Antiddos"; 1326 } 1328 identity https-flood-action { 1329 base antiddos-capa; 1330 description 1331 "Identity for https flood action capabilities 1332 of antiddos"; 1333 reference 1334 "draft-dong-i2nsf-asf-config-01: Configuration of 1335 Advanced Security Functions with I2NSF Security 1336 Controller - Antiddos"; 1337 } 1339 identity dns-request-flood-action { 1340 base antiddos-capa; 1341 description 1342 "Identity for dns request flood action capabilities 1343 of antiddos"; 1344 reference 1345 "draft-dong-i2nsf-asf-config-01: Configuration of 1346 Advanced Security Functions with I2NSF Security 1347 Controller - Antiddos"; 1348 } 1350 identity dns-reply-flood-action { 1351 base antiddos-capa; 1352 description 1353 "Identity for dns reply flood action capabilities 1354 of antiddos"; 1355 reference 1356 "draft-dong-i2nsf-asf-config-01: Configuration of 1357 Advanced Security Functions with I2NSF Security 1358 Controller - Antiddos"; 1359 } 1361 identity icmp-flood-action { 1362 base antiddos-capa; 1363 description 1364 "Identity for icmp flood action capabilities 1365 of antiddos"; 1366 reference 1367 "draft-dong-i2nsf-asf-config-01: Configuration of 1368 Advanced Security Functions with I2NSF Security 1369 Controller - Antiddos"; 1370 } 1372 identity sip-flood-action { 1373 base antiddos-capa; 1374 description 1375 "Identity for sip flood action capabilities 1376 of 
antiddos"; 1377 reference 1378 "draft-dong-i2nsf-asf-config-01: Configuration of 1379 Advanced Security Functions with I2NSF Security 1380 Controller - Antiddos"; 1381 } 1383 identity detect-mode { 1384 base antiddos-capa; 1385 description 1386 "Identity for detect mode capabilities 1387 of antiddos"; 1388 reference 1389 "draft-dong-i2nsf-asf-config-01: Configuration of 1390 Advanced Security Functions with I2NSF Security 1391 Controller - Antiddos"; 1392 } 1394 identity baseline-learn { 1395 base antiddos-capa; 1396 description 1397 "Identity for baseline learn capabilities 1398 of antiddos"; 1399 reference 1400 "draft-dong-i2nsf-asf-config-01: Configuration of 1401 Advanced Security Functions with I2NSF Security 1402 Controller - Antiddos"; 1403 } 1405 identity signature-set { 1406 base ips-capa; 1407 description 1408 "Identity for signature set capabilities 1409 of IPS"; 1410 reference 1411 "draft-dong-i2nsf-asf-config-01: Configuration of 1412 Advanced Security Functions with I2NSF Security 1413 Controller - Intrusion Prevention System"; 1414 } 1416 identity ips-exception-signature { 1417 base ips-capa; 1418 description 1419 "Identity for ips exception signature capabilities 1420 of IPS"; 1421 reference 1422 "draft-dong-i2nsf-asf-config-01: Configuration of 1423 Advanced Security Functions with I2NSF Security 1424 Controller - Intrusion Prevention System"; 1425 } 1427 identity voice-id { 1428 base voip-volte-capa; 1429 description 1430 "Identity for voice-id capabilities 1431 of VoIP/VoLTE"; 1432 reference 1433 "RFC 3261: SIP: Session Initiation Protocol"; 1434 } 1436 identity user-agent { 1437 base voip-volte-capa; 1438 description 1439 "Identity for user agent capabilities 1440 of VoIP/VoLTE"; 1441 reference 1442 "RFC 3261: SIP: Session Initiation Protocol"; 1443 } 1445 identity ipsec-capa { 1446 description 1447 "Base identity for an IPsec"; 1448 } 1450 identity ike { 1451 base ipsec-capa; 1452 description 1453 "Identity for an IKE"; 1454 } 1456 identity 
ikeless { 1457 base ipsec-capa; 1458 description 1459 "Identity for an IKEless"; 1460 } 1462 /* 1463 * Grouping 1464 */ 1466 grouping nsf-capabilities { 1467 description 1468 "Capabilities of network security funtion"; 1469 reference 1470 "RFC 8329: Framework for Interface to Network Security 1471 Functions - I2NSF Flow Security Policy Structure 1472 draft-ietf-i2nsf-capability-04: Information Model 1473 of NSFs Capabilities - Capability Information Model Design"; 1475 leaf-list time-capabilities { 1476 type enumeration { 1477 enum absolute-time { 1478 description 1479 "Capabilities of absolute time. 1480 If network security function has the absolute time 1481 capability, the network security function 1482 supports rule execution according to absolute time."; 1483 } 1484 enum periodic-time { 1485 description 1486 "Capabilities of periodic time. 1487 If network security function has the periodic time 1488 capability, the network security function 1489 supports rule execution according to periodic time."; 1490 } 1491 } 1492 description 1493 "This is capabilities for time"; 1494 } 1496 container event-capabilities { 1497 description 1498 "Capabilities of events. 
1499 If network security function has 1500 the event capabilities, the network security functions 1501 supports rule execution according to system event 1502 and system alarm."; 1504 reference 1505 "RFC 8329: Framework for Interface to Network Security 1506 Functions - I2NSF Flow Security Policy Structure 1507 draft-ietf-i2nsf-capability-04: Information Model 1508 of NSFs Capabilities - Design Principles and ECA 1509 Policy Model Overview 1510 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 1511 Data Model for Monitoring I2NSF Network Security 1512 Functions - System Alarm and System Events"; 1514 leaf-list system-event-capa { 1515 type identityref { 1516 base system-event-capa; 1517 } 1518 description 1519 "Capabilities for a system event"; 1520 } 1522 leaf-list system-alarm-capa { 1523 type identityref { 1524 base system-alarm-capa; 1525 } 1526 description 1527 "Capabilities for a system alarm"; 1528 } 1529 } 1531 container condition-capabilities { 1532 description 1533 "Capabilities of conditions."; 1535 container generic-nsf-capabilities { 1536 description 1537 "Capabilities of conditions. 
1538 If a network security function has 1539 the condition capabilities, the network security function 1540 supports rule execution according to conditions of IPv4, 1541 IPv6, foruth layer, ICMP, and payload."; 1542 reference 1543 "RFC 791: Internet Protocol 1544 RFC 792: Internet Control Message Protocol 1545 RFC 793: Transmission Control Protocol 1546 RFC 2460: Internet Protocol, Version 6 (IPv6) 1547 Specification - Next Header 1548 RFC 8329: Framework for Interface to Network Security 1549 Functions - I2NSF Flow Security Policy Structure 1550 draft-ietf-i2nsf-capability-04: Information Model 1551 of NSFs Capabilities - Design Principles and ECA Policy 1552 Model Overview"; 1554 leaf-list ipv4-capa { 1555 type identityref { 1556 base ipv4-capa; 1557 } 1558 description 1559 "Capabilities for an IPv4 packet"; 1560 reference 1561 "RFC 791: Internet Protocol"; 1562 } 1564 leaf-list ipv6-capa { 1565 type identityref { 1566 base ipv6-capa; 1567 } 1568 description 1569 "Capabilities for an IPv6 packet"; 1570 reference 1571 "RFC 2460: Internet Protocol, Version 6 (IPv6) 1572 Specification - Next Header"; 1573 } 1575 leaf-list tcp-capa { 1576 type identityref { 1577 base tcp-capa; 1578 } 1579 description 1580 "Capabilities for a tcp packet"; 1581 reference 1582 "RFC 793: Transmission Control Protocol"; 1583 } 1585 leaf-list udp-capa { 1586 type identityref { 1587 base udp-capa; 1588 } 1589 description 1590 "Capabilities for an udp packet"; 1591 reference 1592 "RFC 768: User Datagram Protocol"; 1593 } 1595 leaf-list icmp-capa { 1596 type identityref { 1597 base icmp-capa; 1598 } 1599 description 1600 "Capabilities for an ICMP packet"; 1601 reference 1602 "RFC 2460: Internet Protocol, Version 6 (IPv6) "; 1603 } 1604 } 1606 container advanced-nsf-capabilities { 1607 description 1608 "Capabilities of advanced network security functions, 1609 such as anti virus, anti DDoS, IPS, and VoIP/VoLTE."; 1610 reference 1611 "RFC 8329: Framework for Interface to Network Security 1612 
Functions - Differences from ACL Data Models 1613 draft-dong-i2nsf-asf-config-01: Configuration of 1614 Advanced Security Functions with I2NSF Security 1615 Controller"; 1617 leaf-list antivirus-capa { 1618 type identityref { 1619 base antivirus-capa; 1620 } 1621 description 1622 "Capabilities for an antivirus"; 1623 reference 1624 "draft-dong-i2nsf-asf-config-01: Configuration of 1625 Advanced Security Functions with I2NSF Security 1626 Controller"; 1627 } 1629 leaf-list antiddos-capa { 1630 type identityref { 1631 base antiddos-capa; 1632 } 1633 description 1634 "Capabilities for an antiddos"; 1635 reference 1636 "draft-dong-i2nsf-asf-config-01: Configuration of 1637 Advanced Security Functions with I2NSF Security 1638 Controller"; 1639 } 1641 leaf-list ips-capa { 1642 type identityref { 1643 base ips-capa; 1644 } 1645 description 1646 "Capabilities for an ips"; 1647 reference 1648 "draft-dong-i2nsf-asf-config-01: Configuration of 1649 Advanced Security Functions with I2NSF Security 1650 Controller"; 1651 } 1653 leaf-list url-capa { 1654 type identityref { 1655 base url-capa; 1656 } 1657 description 1658 "Capabilities for a url category"; 1659 reference 1660 "draft-dong-i2nsf-asf-config-01: Configuration of 1661 Advanced Security Functions with I2NSF Security 1662 Controller"; 1663 } 1665 leaf-list voip-volte-capa { 1666 type identityref { 1667 base voip-volte-capa; 1668 } 1669 description 1670 "Capabilities for a voip and volte"; 1671 reference 1672 "draft-dong-i2nsf-asf-config-01: Configuration of 1673 Advanced Security Functions with I2NSF Security 1674 Controller"; 1675 } 1676 } 1678 leaf-list context-capabilities { 1679 type identityref { 1680 base context-capa; 1681 } 1682 description 1683 "Capabilities for a context security"; 1684 } 1686 } 1687 container action-capabilities { 1688 description 1689 "Capabilities of actions. 
1690 If network security function has 1691 the action capabilities, the network security function 1692 supports rule execution according to actions."; 1694 leaf-list ingress-action-capa { 1695 type identityref { 1696 base ingress-action-capa; 1697 } 1698 description 1699 "Capabilities for an action"; 1700 } 1702 leaf-list egress-action-capa { 1703 type identityref { 1704 base egress-action-capa; 1705 } 1706 description 1707 "Capabilities for an egress action"; 1708 } 1710 leaf-list log-action-capa { 1711 type identityref { 1712 base log-action-capa; 1713 } 1714 description 1715 "Capabilities for a log action"; 1716 } 1717 } 1719 leaf-list resolution-strategy-capabilities { 1720 type identityref { 1721 base resolution-strategy-capa; 1722 } 1723 description 1724 "Capabilities for a resolution strategy. 1725 The resolution strategies can be used to 1726 specify how to resolve conflicts that occur between 1727 the actions of the same or different policy rules that 1728 are matched and contained in this particular NSF"; 1729 reference 1730 "draft-ietf-i2nsf-capability-04: Information Model 1731 of NSFs Capabilities - Resolution strategy"; 1732 } 1734 leaf-list default-action-capabilities { 1735 type identityref { 1736 base default-action-capa; 1737 } 1738 description 1739 "Capabilities for a default action. 1740 A default action is used to execute I2NSF policy rule 1741 when no rule matches a packet. 
The default action is 1742 defined as pass, drop, reject, alert, and mirror."; 1743 reference 1744 "draft-ietf-i2nsf-capability-04: Information Model 1745 of NSFs Capabilities - Default action"; 1747 } 1749 leaf-list ipsec-method { 1750 type identityref { 1751 base ipsec-capa; 1752 } 1753 description 1754 "Capabilities for an IPsec method"; 1755 reference 1756 " draft-ietf-i2nsf-sdn-ipsec-flow-protection-04"; 1757 } 1758 } 1760 /* 1761 * Data nodes 1762 */ 1764 container nsf { 1765 description 1766 "The list of capabilities of 1767 network security function"; 1768 uses nsf-capabilities; 1769 } 1770 } 1772 1774 Figure 3: YANG Data Module of I2NSF Capability 1776 7. IANA Considerations 1778 This document requests IANA to register the following URI in the 1779 "IETF XML Registry" [RFC3688]: 1781 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1783 Registrant Contact: The IESG. 1785 XML: N/A; the requested URI is an XML namespace. 1787 This document requests IANA to register the following YANG module in 1788 the "YANG Module Names" registry [RFC7950]. 1790 name: ietf-i2nsf-capability 1792 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1793 prefix: iicapa 1795 reference: RFC XXXX 1797 8. Security Considerations 1799 The YANG module specified in this document defines a data schema 1800 designed to be accessed through network management protocols such as 1801 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 1802 the secure transport layer, and the required transport secure 1803 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 1804 is HTTPS, and the required transport secure transport is TLS 1805 [RFC8446]. 1807 The NETCONF access control model [RFC8341] provides a means of 1808 restricting access to specific NETCONF or RESTCONF users to a 1809 preconfigured subset of all available NETCONF or RESTCONF protocol 1810 operations and content. 1812 9. References 1814 9.1. 
Normative References 1816 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1817 Requirement Levels", BCP 14, RFC 2119, March 1997. 1819 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 1820 Network Configuration Protocol (NETCONF)", RFC 6020, 1821 October 2010. 1823 [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG 1824 Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, 1825 January 2011, . 1827 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 1828 and A. Bierman, Ed., "Network Configuration Protocol 1829 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 1830 . 1832 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 1833 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 1834 . 1836 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 1837 RFC 6991, DOI 10.17487/RFC6991, July 2013, 1838 . 1840 [RFC7950] Bjorklund, M., "The YANG 1.1 Data Modeling Language", 1841 RFC 7950, August 2016. 1843 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 1844 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 1845 . 1847 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1848 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1849 May 2017, . 1851 [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., 1852 and J. Jeong, "Interface to Network Security Functions 1853 (I2NSF): Problem Statement and Use Cases", RFC 8192, July 1854 2017. 1856 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1857 Kumar, "Framework for Interface to Network Security 1858 Functions", RFC 8329, February 2018. 1860 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 1861 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 1862 . 1864 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 1865 Access Control Model", STD 91, RFC 8341, 1866 DOI 10.17487/RFC8341, March 2018, 1867 . 
1869 [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, 1870 S., and N. Bahadur, "A YANG Data Model for Routing 1871 Information Base (RIB)", RFC RFC8431, September 2018. 1873 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1874 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1875 . 1877 9.2. Informative References 1879 [draft-ietf-i2nsf-sdn-ipsec-flow-protection] 1880 Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- 1881 Garcia, "Software-Defined Networking (SDN)-based IPsec 1882 Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- 1883 protection-04 (work in progress), March 2019. 1885 [i2nsf-advanced-nsf-dm] 1886 Pan, W. and L. Xia, "Configuration of Advanced Security 1887 Functions with I2NSF Security Controller", draft-dong- 1888 i2nsf-asf-config-01 (work in progress), October 2018. 1890 [i2nsf-nsf-cap-im] 1891 Xia, L., Strassner, J., Basile, C., and D. Lopez, 1892 "Information Model of NSFs Capabilities", draft-ietf- 1893 i2nsf-capability-04 (work in progress), October 2018. 1895 [i2nsf-nsf-yang] 1896 Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, 1897 "I2NSF Network Security Function-Facing Interface YANG 1898 Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-04 1899 (work in progress), March 2019. 1901 [i2nsf-terminology] 1902 Hares, S., Strassner, J., Lopez, D., Xia, L., and H. 1903 Birkholz, "Interface to Network Security Functions (I2NSF) 1904 Terminology", draft-ietf-i2nsf-terminology-07 (work in 1905 progress), January 2019. 1907 [supa-policy-info-model] 1908 Strassner, J., Halpern, J., and S. Meer, "Generic Policy 1909 Information Model for Simplified Use of Policy 1910 Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- 1911 model-03 (work in progress), May 2017. 1913 Appendix A. 
Changes from draft-ietf-i2nsf-capability-data-model-03 1915 The following changes are made from draft-ietf-i2nsf-capability-data- 1916 model-03: 1918 o We added a leaf-list for IPsec method capabilities (e.g., ike and 1919 ikeless). 1921 o We changed http capa fields to url category capa fields. 1923 o We added context capa fields (e.g., acl number, application, 1924 target, users, group, and geography). 1926 Appendix B. Acknowledgments 1928 This work was supported by Institute for Information & communications 1929 Technology Promotion (IITP) grant funded by the Korea government 1930 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 1931 Technology Development for the Customized Security Service 1932 Provisioning). 1934 Appendix C. Contributors 1936 This document is made by the group effort of I2NSF working group. 1937 Many people actively contributed to this document. The following are 1938 considered co-authors: 1940 o Hyoungshick Kim (Sungkyunkwan University) 1942 o Daeyoung Hyun (Sungkyunkwan University) 1944 o Dongjin Hong (Sungkyunkwan University) 1946 o Liang Xia (Huawei) 1948 o Jung-Soo Park (ETRI) 1950 o Tae-Jin Ahn (Korea Telecom) 1952 o Se-Hui Lee (Korea Telecom) 1954 Authors' Addresses 1955 Susan Hares 1956 Huawei 1957 7453 Hickory Hill 1958 Saline, MI 48176 1959 USA 1961 Phone: +1-734-604-0332 1962 EMail: shares@ndzh.com 1964 Jaehoon Paul Jeong 1965 Department of Software 1966 Sungkyunkwan University 1967 2066 Seobu-Ro, Jangan-Gu 1968 Suwon, Gyeonggi-Do 16419 1969 Republic of Korea 1971 Phone: +82 31 299 4957 1972 Fax: +82 31 290 7996 1973 EMail: pauljeong@skku.edu 1974 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 1976 Jinyong Tim Kim 1977 Department of Computer Engineering 1978 Sungkyunkwan University 1979 2066 Seobu-Ro, Jangan-Gu 1980 Suwon, Gyeonggi-Do 16419 1981 Republic of Korea 1983 Phone: +82 10 8273 0930 1984 EMail: timkim@skku.edu 1986 Robert Moskowitz 1987 HTT Consulting 1988 Oak Park, MI 1989 USA 1991 Phone: 
+1-248-968-9809 1992 EMail: rgm@htt-consult.com 1993 Qiushi Lin 1994 Huawei 1995 Huawei Industrial Base 1996 Shenzhen, Guangdong 518129 1997 China 1999 EMail: linqiushi@huawei.com
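The module in Figure 3 expresses most capabilities as identityref leaf-lists, so the real check an NSF controller performs on a capability registration is identity derivation: every value must be derived, through one or more "base" statements, from the base the leaf-list names, and multi-base identities such as "pass" are valid under all three action leaf-lists while egress-only identities such as "invoke-signaling" are not. The following Python script is an added example, not part of this draft or of any I2NSF implementation: it models only the subset of the module's identities needed for two constructed capability sets, re-implements the identityref derivation rule in plain Python rather than using a YANG toolchain, and renders an accepted instance as the /nsf container in the namespace registered in Section 7.

```python
"""Identityref check for an ietf-i2nsf-capability instance (added example,
not part of the draft; identity and leaf names are taken from Figure 3)."""
import xml.etree.ElementTree as ET

# Namespace registered for the module in the IANA Considerations section.
NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"

ACTION_BASES = ("ingress-action-capa", "egress-action-capa", "default-action-capa")

# identity -> tuple of its "base" statements (empty tuple = top-level base).
# Only the identities used by the constructed samples below are modelled.
IDENTITY_BASES = {
    "tcp-capa": ("condition",),
    "exact-tcp-port-num": ("tcp-capa",),
    "range-tcp-port-num": ("tcp-capa",),
    "tcp-flags": ("tcp-capa",),
    "log-action-capa": (),
    "rule-log": ("log-action-capa",),
    "session-log": ("log-action-capa",),
    "ipsec-capa": (),
    "ike": ("ipsec-capa",),
    "ikeless": ("ipsec-capa",),
}
IDENTITY_BASES.update(dict.fromkeys(ACTION_BASES, ()))
# pass/drop/reject/alert/mirror carry all three action bases in the module;
# the next four are egress-only actions.
IDENTITY_BASES.update(dict.fromkeys(("pass", "drop", "reject", "alert", "mirror"), ACTION_BASES))
IDENTITY_BASES.update(dict.fromkeys(("invoke-signaling", "tunnel-encapsulation",
                                     "forwarding", "redirection"), ("egress-action-capa",)))

# leaf-list -> (required base, container path under /nsf), from the grouping.
LEAF_INFO = {
    "tcp-capa": ("tcp-capa", ("condition-capabilities", "generic-nsf-capabilities")),
    "ingress-action-capa": ("ingress-action-capa", ("action-capabilities",)),
    "egress-action-capa": ("egress-action-capa", ("action-capabilities",)),
    "log-action-capa": ("log-action-capa", ("action-capabilities",)),
    "default-action-capabilities": ("default-action-capa", ()),
    "ipsec-method": ("ipsec-capa", ()),
}


def is_derived_from(identity, base):
    """YANG identityref rule: the value must be derived from the base through
    any chain of "base" statements; the base identity itself is not a value."""
    if identity not in IDENTITY_BASES:
        return False
    seen, stack = set(), list(IDENTITY_BASES[identity])
    while stack:
        cur = stack.pop()
        if cur == base:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(IDENTITY_BASES.get(cur, ()))
    return False


def validate_capabilities(caps):
    """Return the errors a schema-aware server would raise for the instance;
    an empty list means every advertised identity fits its leaf-list's base."""
    errors = []
    for leaf, values in caps.items():
        if leaf not in LEAF_INFO:
            errors.append(f"unknown leaf-list {leaf!r}")
            continue
        base = LEAF_INFO[leaf][0]
        errors += [f"{leaf}: {v!r} is not derived from {base!r}"
                   for v in values if not is_derived_from(v, base)]
    return errors


def to_xml(caps):
    """Render the instance as the module's /nsf container, nesting each
    leaf-list inside the containers the grouping places it under."""
    ET.register_namespace("iicapa", NS)
    root = ET.Element(f"{{{NS}}}nsf")
    containers = {(): root}
    for leaf, values in caps.items():
        path = LEAF_INFO[leaf][1]
        for depth in range(1, len(path) + 1):
            if path[:depth] not in containers:
                containers[path[:depth]] = ET.SubElement(
                    containers[path[:depth - 1]], f"{{{NS}}}{path[depth - 1]}")
        for v in values:
            ET.SubElement(containers[path], f"{{{NS}}}{leaf}").text = v
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a firewall-type NSF advertising a consistent capability set.
SAMPLE_OK = {
    "tcp-capa": ["exact-tcp-port-num", "range-tcp-port-num", "tcp-flags"],
    "ingress-action-capa": ["pass", "drop", "alert"],
    "egress-action-capa": ["pass", "drop", "forwarding"],
    "log-action-capa": ["rule-log"],
    "default-action-capabilities": ["drop"],
    "ipsec-method": ["ike"],
}
# Constructed sample with two mistakes the base check must reject: an
# egress-only action under ingress, and a log action offered as default action.
SAMPLE_BAD = {
    "ingress-action-capa": ["pass", "invoke-signaling"],
    "default-action-capabilities": ["session-log"],
}

if __name__ == "__main__":
    print(validate_capabilities(SAMPLE_BAD))
    print(to_xml(SAMPLE_OK))
```

Running the script prints the two errors for SAMPLE_BAD and the XML for SAMPLE_OK. The derivation walk deliberately starts from the identity's bases rather than from the identity itself, so a registration that lists a base identity (for example "ingress-action-capa" as a value of the ingress-action-capa leaf-list) is rejected, matching the identityref semantics of RFC 7950 that a server enforcing this module applies before the capabilities reach the policy layer.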