idnits 2.17.1 draft-ietf-i2nsf-capability-data-model-05.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text.
-- The document date (July 25, 2019) is 1735 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Missing Reference: 'RFC3688' is mentioned on line 1764, but not defined
== Unused Reference: 'RFC3261' is defined on line 1829, but no explicit reference was found in the text
== Unused Reference: 'RFC768' is defined on line 1849, but no explicit reference was found in the text
== Unused Reference: 'RFC790' is defined on line 1852, but no explicit reference was found in the text
== Unused Reference: 'RFC791' is defined on line 1854, but no explicit reference was found in the text
== Unused Reference: 'RFC792' is defined on line 1856, but no explicit reference was found in the text
== Unused Reference: 'RFC793' is defined on line 1859, but no explicit reference was found in the text
== Unused Reference: 'RFC8200' is defined on line 1880, but no explicit reference was found in the text
** Obsolete normative reference: RFC 790 (Obsoleted by RFC 820)
** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)
** Downref: Normative reference to an Informational RFC: RFC 8192
** Downref: Normative reference to an Informational RFC: RFC 8329

Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

I2NSF Working Group                                             S. Hares
Internet-Draft                                                    Huawei
Intended status: Standards Track                                J. Jeong
Expires: January 26, 2020                                         J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                                           July 25, 2019

                   I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-05

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to Network
   Security Functions (I2NSF) framework to centrally manage the
   capabilities of the various NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 26, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Network Security Function (NSF) Capabilities
   6.  YANG Data Modules
     6.1.  I2NSF Capability YANG Data Module
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Example 1: Registration for Capabilities of General Firewall
     A.2.  Example 2: Registration for Capabilities of Time based
           Firewall
     A.3.  Example 3: Registration for Capabilities of Web Filter
     A.4.  Example 4: Registration for Capabilities of VoIP/VoLTE Filter
     A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS
           Flood Mitigation
   Appendix B.  Changes from draft-ietf-i2nsf-capability-data-model-04
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices (e.g.,
   Internet of Things devices, self-driving vehicles, and VoIP/VoLTE
   smartphones) proliferate, service providers face many of the problems
   described in [RFC8192].  To resolve these problems,
   [draft-ietf-i2nsf-capability] specifies the information model of the
   capabilities of Network Security Functions (NSFs).

   This document provides a YANG data model [RFC6020][RFC7950] that
   defines the capabilities of NSFs so that the capabilities of those
   security devices can be managed centrally.  The security devices can
   register their own capabilities with a Network Operator Management
   (Mgmt) System (i.e., Security Controller) using this YANG data model
   through the registration interface [RFC8329].  With the capabilities
   of those security devices maintained centrally, those security
   devices can be easily managed [RFC8329].  This YANG data model is
   based on the information model for I2NSF NSF capabilities
   [draft-ietf-i2nsf-capability].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model, which is the basis for the design of I2NSF Policy as described
   in [RFC8329] and [draft-ietf-i2nsf-capability].  The
   "ietf-i2nsf-capability" YANG module defined in this document provides
   the following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-terminology][draft-ietf-i2nsf-capability]
   [RFC8431][draft-ietf-supa-generic-policy-info-model].  In particular,
   the following terms are from
   [draft-ietf-supa-generic-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   taken from [RFC8340].

4.  Overview

   This section provides an overview of how the YANG data model can be
   used in the I2NSF framework described in [RFC8329].  Figure 1 shows
   the capabilities of NSFs in the I2NSF Framework.  As shown in this
   figure, an NSF Developer's Mgmt System can register NSFs and the
   capabilities that each network security device can support.  To
   register NSFs in this way, the Developer's Mgmt System utilizes this
   standardized capabilities YANG data model through its registration
   interface.  With the capabilities of those network security devices
   maintained centrally, those security devices can be easily managed,
   which can resolve many of the problems described in [RFC8192].  The
   use cases are described below.
   Note that the NSF-Facing Interface is used to configure the security
   policy rules of the generic network security functions
   [draft-ietf-i2nsf-nsf-facing-interface-dm], and the NSF Monitoring
   Interface is used to configure the security policy rules of advanced
   network security functions [draft-dong-i2nsf-asf-config],
   respectively, according to the capabilities of NSFs registered with
   the I2NSF Framework.

   +-------------------------------------------------------+
   | I2NSF User (e.g., Overlay Network Mgmt, Enterprise    |
   | Network Mgmt, another network domain's mgmt, etc.)    |
   +--------------------+----------------------------------+
                        |
        Consumer-Facing Interface
                        |
                        |
       +----------------+-------------+  Registration  +-------------+
       | Network Operator Mgmt System |    Interface   | Developer's |
       | (i.e., Security Controller)  | < --------- >  | Mgmt System |
       +----------------+-------------+                +-------------+
                        |                                New NSF
                        |                                E = {}
   NSF-Facing Interface |                                C = {IPv4, IPv6}
                        |                                A = {Allow, Deny}
                        |
        +---------------+-----------------+-----------------+
        |               |                 |                 |
    +---+---+       +---+---+         +---+---+         +---+---+
    | NSF-1 |  ...  | NSF-m |         | NSF-1 |   ...   | NSF-n |  ...
    +-------+       +-------+         +-------+         +-------+
    NSF-1           NSF-m             NSF-1             NSF-n
    E = {}          E = {user}        E = {dev}         E = {time}
    C = {IPv4}      C = {IPv6}        C = {IPv4, IPv6}  C = {IPv4}
    A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny}

    Developer's Mgmt System A         Developer's Mgmt System B

          Figure 1: Capabilities of NSFs in I2NSF Framework

   o  If a network manager wants to apply security policy rules to block
      malicious users, it is a tremendous burden to apply all of the
      needed rules to NSFs one by one.  This problem can be resolved by
      managing the capabilities of NSFs.  If the network manager wants
      to block malicious users with IPv6, the network manager sends the
      security policy rules to block the users to the Network Operator
      Mgmt System via an I2NSF User (i.e., a web browser or a software
      application).  When the Network Operator Mgmt System receives the
      security policy rules, it automatically sends those security
      policy rules to the appropriate NSFs (i.e., NSF-m in Developer's
      Mgmt System A and NSF-1 in Developer's Mgmt System B), which can
      support the required capabilities (i.e., IPv6).  Therefore, an
      I2NSF User need not consider which NSFs the rules apply to.

   o  If NSFs encounter malicious packets, it is a tremendous burden
      for the network manager to apply the rule blocking the malicious
      packets to NSFs one by one.  This problem can be resolved by
      managing the capabilities of NSFs.  If NSFs encounter suspicious
      IPv4 packets, they can ask the Network Operator Mgmt System for
      information about the suspicious IPv4 packets in order to alter
      specific rules and/or configurations.  When the Network Operator
      Mgmt System receives the information, it inspects the information
      about the suspicious IPv4 packets.  If the suspicious packets are
      determined to be malicious, the Network Operator Mgmt System
      creates and sends security policy rules blocking the malicious
      packets to the appropriate NSFs (i.e., NSF-1 in Developer's Mgmt
      System A and NSF-1 and NSF-n in Developer's Mgmt System B), which
      can support the required capabilities (i.e., IPv4).  Therefore,
      new security policy rules blocking malicious packets can be
      applied to the appropriate NSFs without human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of capabilities for network
   security functions, as defined in [draft-ietf-i2nsf-capability].

5.1.  Network Security Function (NSF) Capabilities

   This section shows the YANG tree diagram for NSF capabilities.
   module: ietf-i2nsf-capability
     +--rw nsf* [nsf-name]
        +--rw nsf-name                              string
        +--rw time-capabilities*                    enumeration
        +--rw event-capabilities
        |  +--rw system-event-capability*           identityref
        |  +--rw system-alarm-capability*           identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capability*                identityref
        |  |  +--rw ipv6-capability*                identityref
        |  |  +--rw tcp-capability*                 identityref
        |  |  +--rw udp-capability*                 identityref
        |  |  +--rw icmp-capability*                identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw anti-virus-capability*          identityref
        |  |  +--rw anti-ddos-capability*           identityref
        |  |  +--rw ips-capability*                 identityref
        |  |  +--rw url-capability*                 identityref
        |  |  +--rw voip-volte-capability*          identityref
        |  +--rw context-capabilities*              identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capability*         identityref
        |  +--rw egress-action-capability*          identityref
        |  +--rw log-action-capability*             identityref
        +--rw resolution-strategy-capabilities*     identityref
        +--rw default-action-capabilities*          identityref
        +--rw ipsec-method*                         identityref

      Figure 2: YANG Tree Diagram for Capabilities of Network Security
                                 Functions

   This YANG tree diagram shows the NSF capabilities covered by the
   model: time capabilities, event capabilities, condition capabilities,
   action capabilities, resolution strategy capabilities, default action
   capabilities, and the IPsec method.

   Time capabilities specify when to execute the I2NSF policy rule.  The
   time capabilities are defined in terms of absolute time and periodic
   time.  Absolute time means the exact time to start or end.  Periodic
   time means a repeated time such as a day, week, or month.
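   The following Python script is an added example and is not part of
   this draft or of any I2NSF implementation.  It shows how a Security
   Controller can use registrations shaped like the tree in Figure 2:
   each identityref leaf-list is checked against the identity hierarchy
   that the "ietf-i2nsf-capability" module defines (the YANG derived-
   from() relation), and a policy rule is then dispatched only to the
   NSFs whose registered condition capabilities can support it, which is
   the use case of Section 4 and Figure 1.  The identity names are the
   module's own; the mapping from each leaf-list to the base identity
   its values must derive from, the NSF names, and the registrations
   themselves are assumptions constructed for the example.

```python
"""Added example (not from the draft): validate NSF capability registrations
shaped like the ietf-i2nsf-capability tree (Figure 2) against the module's
identity hierarchy, then select the NSFs able to enforce a rule (Section 4)."""

# child identity -> base identity, transcribed from the module's identity
# statements (a subset is enough for the example; names are the module's own).
IDENTITY_BASE = {
    "system-event-capability": "event",
    "system-alarm-capability": "event",
    "access-violation": "system-event-capability",
    "configuration-change": "system-event-capability",
    "memory-alarm": "system-alarm-capability",
    "cpu-alarm": "system-alarm-capability",
    "context-capability": "condition",
    "user": "context-capability",
    "geography": "context-capability",
    "ipv4-capability": "condition",
    "exact-ipv4-address": "ipv4-capability",
    "range-ipv4-address": "ipv4-capability",
    "ipv4-protocol": "ipv4-capability",
    "ipv6-capability": "condition",
    "exact-ipv6-address": "ipv6-capability",
    "ipv6-next-header": "ipv6-capability",
    "tcp-capability": "condition",
    "exact-tcp-port-num": "tcp-capability",
    "range-tcp-port-num": "tcp-capability",
}

# Path of each identityref leaf-list in the tree -> base identity its values
# must derive from.  ASSUMPTION: the module's leaf definitions use these bases.
LEAF_BASE = {
    ("event-capabilities", "system-event-capability"): "system-event-capability",
    ("event-capabilities", "system-alarm-capability"): "system-alarm-capability",
    ("condition-capabilities", "generic-nsf-capabilities", "ipv4-capability"): "ipv4-capability",
    ("condition-capabilities", "generic-nsf-capabilities", "ipv6-capability"): "ipv6-capability",
    ("condition-capabilities", "generic-nsf-capabilities", "tcp-capability"): "tcp-capability",
    ("condition-capabilities", "context-capabilities"): "context-capability",
}


def derived_from(identity, base):
    """YANG derived-from(): True if identity transitively derives from base
    (strictly: an identity is not considered derived from itself)."""
    cur = IDENTITY_BASE.get(identity)
    while cur is not None:
        if cur == base:
            return True
        cur = IDENTITY_BASE.get(cur)
    return False


def leaf_values(nsf, path):
    """Return the leaf-list found at `path` inside one /nsf entry, or []."""
    node = nsf
    for step in path:
        node = node.get(step, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, list) else []


def validate_registration(nsf):
    """List the problems in one /nsf list entry (key present, identityref
    values derived from the leaf's base), as a YANG validator would."""
    problems = []
    if not nsf.get("nsf-name"):
        problems.append("nsf-name (list key) is required")
    for path, base in LEAF_BASE.items():
        for value in leaf_values(nsf, path):
            if not derived_from(value, base):
                problems.append("%s: '%s' is not derived from '%s'"
                                % ("/".join(path), value, base))
    return problems


def supports(nsf, required_base):
    """True if some registered condition capability derives from required_base."""
    return any(derived_from(v, required_base)
               for path in LEAF_BASE if path[0] == "condition-capabilities"
               for v in leaf_values(nsf, path))


def select_nsfs(registry, required_bases):
    """Names of validly registered NSFs that support every required condition
    base; this is the Security Controller's choice of rule targets."""
    return [n["nsf-name"] for n in registry
            if not validate_registration(n)
            and all(supports(n, b) for b in required_bases)]


# Constructed registry mirroring Figure 1 (NSF names are made up).
REGISTRY = [
    {"nsf-name": "devA-nsf-1",
     "condition-capabilities": {"generic-nsf-capabilities": {
         "ipv4-capability": ["exact-ipv4-address"]}}},
    {"nsf-name": "devA-nsf-m",
     "condition-capabilities": {"generic-nsf-capabilities": {
         "ipv6-capability": ["exact-ipv6-address"]},
         "context-capabilities": ["user"]}},
    {"nsf-name": "devB-nsf-1",
     "condition-capabilities": {"generic-nsf-capabilities": {
         "ipv4-capability": ["range-ipv4-address"],
         "ipv6-capability": ["ipv6-next-header"]}}},
    {"nsf-name": "devB-nsf-n",
     "condition-capabilities": {"generic-nsf-capabilities": {
         "ipv4-capability": ["ipv4-protocol"]}}},
]

# Constructed registration that mislabels an alarm as a system event.
BAD_REGISTRATION = {"nsf-name": "devC-nsf-x",
                    "event-capabilities": {"system-event-capability": ["cpu-alarm"]}}

if __name__ == "__main__":
    print(select_nsfs(REGISTRY, ["ipv6-capability"]))  # ['devA-nsf-m', 'devB-nsf-1']
    print(select_nsfs(REGISTRY, ["ipv4-capability"]))  # ['devA-nsf-1', 'devB-nsf-1', 'devB-nsf-n']
    print(validate_registration(BAD_REGISTRATION))
```

   Running the script reproduces the dispatch described in Section 4: a
   rule that needs IPv6 matching goes to NSF-m of Developer's Mgmt
   System A and NSF-1 of Developer's Mgmt System B, and a rule that
   needs IPv4 matching goes to the other three.  The rejected
   registration shows why the identity bases matter: a value that does
   not derive from the leaf's base would otherwise let an NSF advertise
   a capability the controller cannot interpret.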
   Event capabilities specify how to trigger the evaluation of the
   condition clause of the I2NSF Policy Rule.  The defined event
   capabilities are system event and system alarm.  The event
   capability can be extended according to specific vendor event
   features.  The event capability is described in detail in
   [draft-ietf-i2nsf-capability].

   Condition capabilities specify a set of attributes, features, and/or
   values that are to be compared with a set of known attributes,
   features, and/or values in order to determine whether or not the set
   of actions in that (imperative) I2NSF policy rule can be executed.
   The condition capabilities are classified in terms of generic
   network security functions and advanced network security functions.
   The condition capabilities of generic network security functions are
   defined as IPv4 capability, IPv6 capability, TCP capability, UDP
   capability, and ICMP capability.  The condition capabilities of
   advanced network security functions are defined as anti-virus
   capability, anti-ddos capability, IPS capability, HTTP capability,
   and VoIP/VoLTE capability.  The condition capability can be extended
   according to specific vendor condition features.  The condition
   capability is described in detail in [draft-ietf-i2nsf-capability].

   Action capabilities specify how to control and monitor aspects of
   flow-based NSFs when the event and condition clauses are satisfied.
   The action capabilities are defined as ingress-action capability,
   egress-action capability, and log-action capability.  The action
   capability can be extended according to specific vendor action
   features.  The action capability is described in detail in
   [draft-ietf-i2nsf-capability].

   Resolution strategy capabilities specify how to resolve conflicts
   that occur between the actions of the same or different policy rules
   that are matched and contained in this particular NSF.  The
   resolution strategy capabilities are defined as First Matching Rule
   (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR),
   Prioritized Matching Rule with Errors (PMRE), and Prioritized
   Matching Rule with No Errors (PMRN).  The resolution strategy
   capabilities can be extended according to specific vendor features.
   The resolution strategy capability is described in detail in
   [draft-ietf-i2nsf-capability].

   Default action capabilities specify how to execute I2NSF policy rules
   when no rule matches a packet.  The default action capabilities are
   defined as pass, drop, reject, alert, and mirror.  The default action
   capability can be extended according to specific vendor action
   features.  The default action capability is described in detail in
   [draft-ietf-i2nsf-capability].

   IPsec method capabilities specify how an NSF supports Internet Key
   Exchange (IKE) for securing communication.  The IPsec method
   capabilities are defined as IKE and IKE-less.  The IPsec method
   capability can be extended according to specific vendor features.
   The IPsec method capability is described in detail in
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection].

6.  YANG Data Modules

6.1.  I2NSF Capability YANG Data Module

   This section introduces a YANG data module for network security
   function capabilities, as defined in [draft-ietf-i2nsf-capability].
<CODE BEGINS> file "ietf-i2nsf-capability@2019-07-24.yang"

module ietf-i2nsf-capability {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
  prefix
    nsfcap;

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Linda Dunbar

     WG Chair: Yoav Nir

     Editor: Susan Hares

     Editor: Jaehoon Paul Jeong

     Editor: Jinyong Tim Kim
    ";

  description
    "This module describes a capability model
     for I2NSF devices.

     Copyright (c) 2018 IETF Trust and the persons
     identified as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 8341; see
     the RFC itself for full legal notices.";

  revision "2019-07-24"{
    description "Initial revision.";
    reference
      "RFC XXXX: I2NSF Capability YANG Data Model";
  }

  /*
   * Identities
   */

  identity event {
    description
      "Base identity for I2NSF policy events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - Event";
  }

  identity system-event-capability {
    base event;
    description
      "Identity for system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity system-alarm-capability {
    base event;
    description
      "Identity for system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity access-violation {
    base system-event-capability;
    description
      "Identity for access violation events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System event";
  }

  identity configuration-change {
    base system-event-capability;
    description
      "Identity for configuration change events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System event";
  }

  identity memory-alarm {
    base system-alarm-capability;
    description
      "Identity for memory alarm events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity cpu-alarm {
    base system-alarm-capability;
    description
      "Identity for CPU alarm events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity disk-alarm {
    base system-alarm-capability;
    description
      "Identity for disk alarm events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity hardware-alarm {
    base system-alarm-capability;
    description
      "Identity for hardware alarm events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity interface-alarm {
    base system-alarm-capability;
    description
      "Identity for interface alarm events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity condition {
    description
      "Base identity for policy conditions";
  }

  identity context-capability {
    base condition;
    description
      "Identity for context condition capabilities";
  }

  identity acl-number {
    base context-capability;
    description
      "Identity for ACL number condition capability";
  }

  identity application {
    base context-capability;
    description
      "Identity for application condition capability";
  }

  identity target {
    base context-capability;
    description
      "Identity for target condition capability";
  }

  identity user {
    base context-capability;
    description
      "Identity for user condition capability";
  }

  identity group {
    base context-capability;
    description
      "Identity for group condition capability";
  }

  identity geography {
    base context-capability;
    description
      "Identity for geography condition capability";
  }

  identity ipv4-capability {
    base condition;
    description
      "Identity for IPv4 condition capabilities";
    reference
      "RFC 791: Internet Protocol";
  }

  identity exact-ipv4-header-length {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 header-length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Header Length";
  }

  identity range-ipv4-header-length {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 header-length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Header Length";
  }

  identity ipv4-tos {
    base ipv4-capability;
    description
      "Identity for IPv4 Type-Of-Service (TOS)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Type of Service";
  }

  identity exact-ipv4-total-length {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 total length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Total Length";
  }

  identity range-ipv4-total-length {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 total length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Total Length";
  }

  identity ipv4-id {
    base ipv4-capability;
    description
      "Identity for identification condition capability";
    reference
      "RFC 791: Internet Protocol - Identification";
  }

  identity ipv4-fragment-flags {
    base ipv4-capability;
    description
      "Identity for IPv4 fragment flags condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity exact-ipv4-fragment-offset {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 fragment offset
       condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Offset";
  }

  identity range-ipv4-fragment-offset {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 fragment offset
       condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Offset";
  }

  identity exact-ipv4-ttl {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 Time-To-Live (TTL)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Time To Live (TTL)";
  }

  identity range-ipv4-ttl {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 Time-To-Live (TTL)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Time To Live (TTL)";
  }

  identity ipv4-protocol {
    base ipv4-capability;
    description
      "Identity for IPv4 protocol condition capability";
    reference
      "RFC 790: Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol";
  }

  identity exact-ipv4-address {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 address
       condition capability";
    reference
      "RFC 791: Internet Protocol - Address";
  }

  identity range-ipv4-address {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 address
       condition capability";
    reference
      "RFC 791: Internet Protocol - Address";
  }

  identity ipv4-ip-opts {
    base ipv4-capability;
    description
      "Identity for IPv4 option condition capability";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ipv4-geo-ip {
    base ipv4-capability;
    description
      "Identity for geography condition capability";
    reference
      "draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Geo-IP";
  }

  identity ipv6-capability {
    base condition;
    description
      "Identity for IPv6 condition capabilities";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification";
  }

  identity ipv6-traffic-class {
    base ipv6-capability;
    description
      "Identity for IPv6 traffic class
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity exact-ipv6-flow-label {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 flow label
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Flow Label";
  }

  identity range-ipv6-flow-label {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 flow label
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Flow Label";
  }

  identity exact-ipv6-payload-length {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 payload length
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Payload Length";
  }

  identity range-ipv6-payload-length {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 payload length
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Payload Length";
  }

  identity ipv6-next-header {
    base ipv6-capability;
    description
      "Identity for IPv6 next header condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity exact-ipv6-hop-limit {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 hop limit
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Hop Limit";
  }

  identity range-ipv6-hop-limit {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 hop limit
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Hop Limit";
  }

  identity exact-ipv6-address {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 address
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity range-ipv6-address {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 address
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity tcp-capability {
    base condition;
    description
      "Identity for TCP condition capabilities";
    reference
      "RFC 793: Transmission Control Protocol";
  }

  identity exact-tcp-port-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP port number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity range-tcp-port-num {
    base tcp-capability;
    description
      "Identity for range-match TCP port number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity exact-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP sequence number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Sequence Number";
  }

  identity range-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for range-match TCP sequence number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Sequence Number";
  }

  identity exact-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP acknowledgement number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity range-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for range-match TCP acknowledgement number
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity exact-tcp-window-size {
    base tcp-capability;
    description
      "Identity for exact-match TCP window size
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity range-tcp-window-size {
    base tcp-capability;
    description
      "Identity for range-match TCP window size
       condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity tcp-flags {
    base tcp-capability;
    description
      "Identity for TCP flags condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity udp-capability {
    base condition;
    description
      "Identity for UDP condition capabilities";
    reference
      "RFC 768: User Datagram Protocol";
  }

  identity exact-udp-port-num {
    base udp-capability;
    description
      "Identity for exact-match UDP port number
       condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity range-udp-port-num {
    base udp-capability;
    description
      "Identity for range-match UDP port number
       condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity exact-udp-total-length {
    base udp-capability;
    description
      "Identity for exact-match UDP total-length
       condition capability";
    reference
      "RFC 768: User Datagram Protocol - Total Length";
  }

  identity range-udp-total-length {
    base udp-capability;
    description
      "Identity for range-match UDP total-length
       condition capability";
    reference
      "RFC 768: User Datagram Protocol - Total Length";
  }

  identity icmp-capability {
    base condition;
    description
      "Identity for ICMP condition capabilities";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity icmp-type {
    base icmp-capability;
    description
      "Identity for ICMP type condition capability";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity url-capability {
    base condition;
    description
      "Identity for URL condition capabilities";
  }

  identity pre-defined {
    base url-capability;
    description
      "Identity for URL pre-defined condition capabilities";
  }

  identity user-defined {
    base url-capability;
    description
      "Identity for URL user-defined condition capabilities";
  }

  identity log-action-capability {
    description
      "Identity for log-action capabilities";
  }

  identity rule-log
{ 994 base log-action-capability; 995 description 996 "Identity for rule log log-action capability"; 997 } 999 identity session-log { 1000 base log-action-capability; 1001 description 1002 "Identity for session log log-action capability"; 1003 } 1005 identity ingress-action-capability { 1006 description 1007 "Identity for ingress-action capabilities"; 1008 reference 1009 "draft-ietf-i2nsf-capability-04: Information Model 1010 of NSFs Capabilities - Action"; 1011 } 1013 identity egress-action-capability { 1014 description 1015 "Base identity for egress-action capabilities"; 1016 reference 1017 "draft-ietf-i2nsf-capability-04: Information Model 1018 of NSFs Capabilities - Egress action"; 1019 } 1021 identity default-action-capability { 1022 description 1023 "Identity for default-action capabilities"; 1024 reference 1025 "draft-ietf-i2nsf-capability-04: Information Model 1026 of NSFs Capabilities - Default action"; 1027 } 1029 identity pass { 1030 base ingress-action-capability; 1031 base egress-action-capability; 1032 base default-action-capability; 1033 description 1034 "Identity for pass action capability"; 1035 reference 1036 "draft-ietf-i2nsf-capability-04: Information Model 1037 of NSFs Capabilities - Actions and 1038 default action"; 1039 } 1041 identity drop { 1042 base ingress-action-capability; 1043 base egress-action-capability; 1044 base default-action-capability; 1045 description 1046 "Identity for drop action capability"; 1047 reference 1048 "draft-ietf-i2nsf-capability-04: Information Model 1049 of NSFs Capabilities - Actions and 1050 default action"; 1051 } 1053 identity reject { 1054 base ingress-action-capability; 1055 base egress-action-capability; 1056 base default-action-capability; 1057 description 1058 "Identity for reject action capability"; 1059 reference 1060 "draft-ietf-i2nsf-capability-04: Information Model 1061 of NSFs Capabilities - Actions and 1062 default action"; 1063 } 1065 identity alert { 1066 base ingress-action-capability; 1067 
base egress-action-capability; 1068 base default-action-capability; 1069 description 1070 "Identity for alert action capability"; 1071 reference 1072 "draft-ietf-i2nsf-capability-04: Information Model 1073 of NSFs Capabilities - Actions and 1074 default action"; 1075 } 1077 identity mirror { 1078 base ingress-action-capability; 1079 base egress-action-capability; 1080 base default-action-capability; 1081 description 1082 "Identity for mirror action capability"; 1083 reference 1084 "draft-ietf-i2nsf-capability-04: Information Model 1085 of NSFs Capabilities - Actions and 1086 default action"; 1087 } 1089 identity invoke-signaling { 1090 base egress-action-capability; 1091 description 1092 "Identity for invoke signaling action capability"; 1093 } 1095 identity tunnel-encapsulation { 1096 base egress-action-capability; 1097 description 1098 "Identity for tunnel encapsulation action capability"; 1099 } 1101 identity forwarding { 1102 base egress-action-capability; 1103 description 1104 "Identity for forwarding action capability"; 1105 } 1107 identity redirection { 1108 base egress-action-capability; 1109 description 1110 "Identity for redirection action capability"; 1111 } 1113 identity resolution-strategy-capability { 1114 description 1115 "Base identity for resolution strategy capability"; 1116 reference 1117 "draft-ietf-i2nsf-capability-04: Information Model 1118 of NSFs Capabilities - Resolution Strategy"; 1119 } 1121 identity fmr { 1122 base resolution-strategy-capability; 1123 description 1124 "Identity for First Matching Rule (FMR) 1125 resolution strategy capability"; 1126 reference 1127 "draft-ietf-i2nsf-capability-04: Information Model 1128 of NSFs Capabilities - Resolution Strategy"; 1129 } 1131 identity lmr { 1132 base resolution-strategy-capability; 1133 description 1134 "Identity for Last Matching Rule (LMR) 1135 resolution strategy capability"; 1136 reference 1137 "draft-ietf-i2nsf-capability-04: Information Model 1138 of NSFs Capabilities - Resolution 
Strategy"; 1139 } 1141 identity pmr { 1142 base resolution-strategy-capability; 1143 description 1144 "Identity for Prioritized Matching Rule (PMR) 1145 resolution strategy capability"; 1146 reference 1147 "draft-ietf-i2nsf-capability-04: Information Model 1148 of NSFs Capabilities - Resolution Strategy"; 1149 } 1151 identity pmre { 1152 base resolution-strategy-capability; 1153 description 1154 "Identity for Prioritized Matching Rule 1155 with Errors (PMRE) resolution strategy capability"; 1156 reference 1157 "draft-ietf-i2nsf-capability-04: Information Model 1158 of NSFs Capabilities - Resolution Strategy"; 1159 } 1161 identity pmrn { 1162 base resolution-strategy-capability; 1163 description 1164 "Identity for Prioritized Matching Rule 1165 with No Errors (PMRN) resolution strategy capability"; 1166 reference 1167 "draft-ietf-i2nsf-capability-04: Information Model 1168 of NSFs Capabilities - Resolution Strategy"; 1169 } 1170 identity advanced-nsf-capability { 1171 description 1172 "Base identity for advanced 1173 network security function (NSF) capabilities"; 1174 reference 1175 "RFC 8329: Framework for Interface to Network Security 1176 Functions - Differences from ACL Data Models 1177 draft-dong-i2nsf-asf-config-01: Configuration of 1178 Advanced Security Functions with I2NSF Security 1179 Controller"; 1180 } 1182 identity anti-virus-capability { 1183 base advanced-nsf-capability; 1184 description 1185 "Identity for advanced NSF anti-virus capabilities"; 1186 reference 1187 "RFC 8329: Framework for Interface to Network Security 1188 Functions - Differences from ACL Data Models 1189 draft-dong-i2nsf-asf-config-01: Configuration of 1190 Advanced Security Functions with I2NSF Security 1191 Controller - Anti-virus"; 1192 } 1194 identity anti-ddos-capability { 1195 base advanced-nsf-capability; 1196 description 1197 "Identity for advanced NSF anti-ddos capabilities"; 1198 reference 1199 "RFC 8329: Framework for Interface to Network Security 1200 Functions - 
Differences from ACL Data Models 1201 draft-dong-i2nsf-asf-config-01: Configuration of 1202 Advanced Security Functions with I2NSF Security 1203 Controller - Anti-ddos"; 1204 } 1206 identity ips-capability { 1207 base advanced-nsf-capability; 1208 description 1209 "Identity for advanced NSF Intrusion Prevention System 1210 (IPS) capabilities"; 1211 reference 1212 "RFC 8329: Framework for Interface to Network Security 1213 Functions - Differences from ACL Data Models 1214 draft-dong-i2nsf-asf-config-01: Configuration of 1215 Advanced Security Functions with I2NSF Security 1216 Controller - Intrusion Prevention System"; 1217 } 1218 identity voip-volte-capability { 1219 base advanced-nsf-capability; 1220 description 1221 "Identity for advanced NSF VoIP/VoLTE capabilities"; 1222 reference 1223 "RFC 3261: SIP: Session Initiation Protocol 1224 RFC 8329: Framework for Interface to Network Security 1225 Functions - Differences from ACL Data Models 1226 draft-dong-i2nsf-asf-config-01: Configuration of 1227 Advanced Security Functions with I2NSF Security 1228 Controller"; 1229 } 1231 identity detect { 1232 base anti-virus-capability; 1233 description 1234 "Identity for advanced NSF anti-virus detect capability"; 1235 reference 1236 "draft-dong-i2nsf-asf-config-01: Configuration of 1237 Advanced Security Functions with I2NSF Security 1238 Controller - Anti-virus"; 1239 } 1241 identity exception-application { 1242 base anti-virus-capability; 1243 description 1244 "Identity for advanced NSF anti-virus exception 1245 application capability"; 1246 reference 1247 "draft-dong-i2nsf-asf-config-01: Configuration of 1248 Advanced Security Functions with I2NSF Security 1249 Controller - Anti-virus"; 1250 } 1252 identity exception-signature { 1253 base anti-virus-capability; 1254 description 1255 "Identity for advanced NSF anti-virus exception 1256 signature capability"; 1257 reference 1258 "draft-dong-i2nsf-asf-config-01: Configuration of 1259 Advanced Security Functions with I2NSF 
Security 1260 Controller - Anti-virus"; 1261 } 1263 identity whitelists { 1264 base anti-virus-capability; 1265 description 1266 "Identity for advanced NSF anti-virus whitelists 1267 capability"; 1268 reference 1269 "draft-dong-i2nsf-asf-config-01: Configuration of 1270 Advanced Security Functions with I2NSF Security 1271 Controller - Anti-virus"; 1272 } 1274 identity syn-flood-action { 1275 base anti-ddos-capability; 1276 description 1277 "Identity for advanced NSF anti-DDoS syn flood 1278 action capability"; 1279 reference 1280 "draft-dong-i2nsf-asf-config-01: Configuration of 1281 Advanced Security Functions with I2NSF Security 1282 Controller - Anti-DDoS"; 1283 } 1285 identity udp-flood-action { 1286 base anti-ddos-capability; 1287 description 1288 "Identity for advanced NSF anti-DDoS UDP flood 1289 action capability"; 1290 reference 1291 "draft-dong-i2nsf-asf-config-01: Configuration of 1292 Advanced Security Functions with I2NSF Security 1293 Controller - Anti-DDoS"; 1294 } 1296 identity http-flood-action { 1297 base anti-ddos-capability; 1298 description 1299 "Identity for advanced NSF anti-DDoS http flood 1300 action capability"; 1301 reference 1302 "draft-dong-i2nsf-asf-config-01: Configuration of 1303 Advanced Security Functions with I2NSF Security 1304 Controller - Anti-DDoS"; 1305 } 1307 identity https-flood-action { 1308 base anti-ddos-capability; 1309 description 1310 "Identity for advanced NSF anti-DDoS https flood 1311 action capability"; 1312 reference 1313 "draft-dong-i2nsf-asf-config-01: Configuration of 1314 Advanced Security Functions with I2NSF Security 1315 Controller - Anti-DDoS"; 1316 } 1318 identity dns-request-flood-action { 1319 base anti-ddos-capability; 1320 description 1321 "Identity for advanced NSF anti-DDoS dns request 1322 flood action capability"; 1323 reference 1324 "draft-dong-i2nsf-asf-config-01: Configuration of 1325 Advanced Security Functions with I2NSF Security 1326 Controller - Anti-DDoS"; 1327 } 1329 identity 
dns-reply-flood-action { 1330 base anti-ddos-capability; 1331 description 1332 "Identity for advanced NSF anti-DDoS dns reply flood 1333 action capability"; 1334 reference 1335 "draft-dong-i2nsf-asf-config-01: Configuration of 1336 Advanced Security Functions with I2NSF Security 1337 Controller - Anti-DDoS"; 1338 } 1340 identity icmp-flood-action { 1341 base anti-ddos-capability; 1342 description 1343 "Identity for advanced NSF anti-DDoS icmp flood 1344 action capability"; 1345 reference 1346 "draft-dong-i2nsf-asf-config-01: Configuration of 1347 Advanced Security Functions with I2NSF Security 1348 Controller - Anti-DDoS"; 1349 } 1351 identity sip-flood-action { 1352 base anti-ddos-capability; 1353 description 1354 "Identity for advanced NSF anti-DDoS sip flood 1355 action capability"; 1356 reference 1357 "draft-dong-i2nsf-asf-config-01: Configuration of 1358 Advanced Security Functions with I2NSF Security 1359 Controller - Anti-DDoS"; 1360 } 1361 identity detect-mode { 1362 base anti-ddos-capability; 1363 description 1364 "Identity for advanced NSF anti-DDoS detect 1365 mode capability"; 1366 reference 1367 "draft-dong-i2nsf-asf-config-01: Configuration of 1368 Advanced Security Functions with I2NSF Security 1369 Controller - Anti-DDoS"; 1370 } 1372 identity baseline-learning { 1373 base anti-ddos-capability; 1374 description 1375 "Identity for advanced NSF anti-DDoS baseline 1376 learning capability"; 1377 reference 1378 "draft-dong-i2nsf-asf-config-01: Configuration of 1379 Advanced Security Functions with I2NSF Security 1380 Controller - Anti-DDoS"; 1381 } 1383 identity signature-set { 1384 base ips-capability; 1385 description 1386 "Identity for advanced NSF IPS signature set 1387 capability"; 1388 reference 1389 "draft-dong-i2nsf-asf-config-01: Configuration of 1390 Advanced Security Functions with I2NSF Security 1391 Controller - Intrusion Prevention System"; 1392 } 1394 identity ips-exception-signature { 1395 base ips-capability; 1396 description 1397 
"Identity for advanced NSF IPS exception signature 1398 capability"; 1399 reference 1400 "draft-dong-i2nsf-asf-config-01: Configuration of 1401 Advanced Security Functions with I2NSF Security 1402 Controller - Intrusion Prevention System"; 1403 } 1405 identity voice-id { 1406 base voip-volte-capability; 1407 description 1408 "Identity for advanced NSF VoIP/VoLTE voice-id 1409 capability"; 1410 reference 1411 "RFC 3261: SIP: Session Initiation Protocol"; 1412 } 1414 identity user-agent { 1415 base voip-volte-capability; 1416 description 1417 "Identity for advanced NSF VoIP/VoLTE user agent 1418 capability"; 1419 reference 1420 "RFC 3261: SIP: Session Initiation Protocol"; 1421 } 1423 identity ipsec-capability { 1424 description 1425 "Base identity for an IPsec capabilities"; 1426 } 1428 identity ike { 1429 base ipsec-capability; 1430 description 1431 "Identity for an IPSec Internet Key Exchange (IKE) 1432 capability"; 1433 } 1435 identity ikeless { 1436 base ipsec-capability; 1437 description 1438 "Identity for an IPSec without Internet Key Exchange (IKE) 1439 capability"; 1440 } 1442 /* 1443 * Grouping 1444 */ 1446 grouping nsf-capabilities { 1447 description 1448 "Network Security Funtion (NSF) Capabilities"; 1449 reference 1450 "RFC 8329: Framework for Interface to Network Security 1451 Functions - I2NSF Flow Security Policy Structure 1452 draft-ietf-i2nsf-capability-04: Information Model 1453 of NSFs Capabilities - Capability Information Model Design"; 1455 leaf-list time-capabilities { 1456 type enumeration { 1457 enum absolute-time { 1458 description 1459 "absolute time capabilities. 1460 If network security function has the absolute time 1461 capability, the network security function 1462 supports rule execution according to absolute time."; 1463 } 1464 enum periodic-time { 1465 description 1466 "periodic time capabilities. 
1467 If network security function has the periodic time 1468 capability, the network security function 1469 supports rule execution according to periodic time."; 1470 } 1471 } 1472 description 1473 "Time capabilities"; 1474 } 1476 container event-capabilities { 1477 description 1478 "Capabilities of events. 1479 If network security function has 1480 the event capabilities, the network security functions 1481 supports rule execution according to system event 1482 and system alarm."; 1484 reference 1485 "RFC 8329: Framework for Interface to Network Security 1486 Functions - I2NSF Flow Security Policy Structure 1487 draft-ietf-i2nsf-capability-04: Information Model 1488 of NSFs Capabilities - Design Principles and ECA 1489 Policy Model Overview 1490 draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG 1491 Data Model for Monitoring I2NSF Network Security 1492 Functions - System Alarm and System Events"; 1494 leaf-list system-event-capability { 1495 type identityref { 1496 base system-event-capability; 1497 } 1498 description 1499 "System event capabilities"; 1500 } 1502 leaf-list system-alarm-capability { 1503 type identityref { 1504 base system-alarm-capability; 1505 } 1506 description 1507 "System alarm Capabilities"; 1508 } 1509 } 1511 container condition-capabilities { 1512 description 1513 "Conditions capabilities."; 1515 container generic-nsf-capabilities { 1516 description 1517 "Conditions capabilities. 
1518 If a network security function has 1519 the condition capabilities, the network security function 1520 supports rule execution according to conditions of IPv4, 1521 IPv6, TCP, UDP, ICMP, and payload."; 1522 reference 1523 "RFC 791: Internet Protocol 1524 RFC 792: Internet Control Message Protocol 1525 RFC 793: Transmission Control Protocol 1526 RFC 8200: Internet Protocol, Version 6 (IPv6) 1527 Specification - Next Header 1528 RFC 8329: Framework for Interface to Network Security 1529 Functions - I2NSF Flow Security Policy Structure 1530 draft-ietf-i2nsf-capability-04: Information Model 1531 of NSFs Capabilities - Design Principles and ECA Policy 1532 Model Overview"; 1534 leaf-list ipv4-capability { 1535 type identityref { 1536 base ipv4-capability; 1537 } 1538 description 1539 "IPv4 packet capabilities"; 1540 reference 1541 "RFC 791: Internet Protocol"; 1542 } 1544 leaf-list ipv6-capability { 1545 type identityref { 1546 base ipv6-capability; 1547 } 1548 description 1549 "IPv6 packet capabilities"; 1550 reference 1551 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1552 Specification - Next Header"; 1553 } 1555 leaf-list tcp-capability { 1556 type identityref { 1557 base tcp-capability; 1558 } 1559 description 1560 "TCP packet capabilities"; 1561 reference 1562 "RFC 793: Transmission Control Protocol"; 1563 } 1565 leaf-list udp-capability { 1566 type identityref { 1567 base udp-capability; 1568 } 1569 description 1570 "UDP packet capabilities"; 1571 reference 1572 "RFC 768: User Datagram Protocol"; 1573 } 1575 leaf-list icmp-capability { 1576 type identityref { 1577 base icmp-capability; 1578 } 1579 description 1580 "ICMP packet capabilities"; 1581 reference 1582 "RFC 8200: Internet Protocol, Version 6 (IPv6)"; 1583 } 1584 } 1586 container advanced-nsf-capabilities { 1587 description 1588 "Advanced Network Security Function (NSF) capabilities, 1589 such as anti-virus, anti-DDoS, IPS, and VoIP/VoLTE."; 1590 reference 1591 "RFC 8329: Framework for Interface to 
Network Security 1592 Functions - Differences from ACL Data Models 1593 draft-dong-i2nsf-asf-config-01: Configuration of 1594 Advanced Security Functions with I2NSF Security 1595 Controller"; 1597 leaf-list anti-virus-capability { 1598 type identityref { 1599 base anti-virus-capability; 1600 } 1601 description 1602 "Anti-virus capabilities"; 1603 reference 1604 "draft-dong-i2nsf-asf-config-01: Configuration of 1605 Advanced Security Functions with I2NSF Security 1606 Controller"; 1607 } 1609 leaf-list anti-ddos-capability { 1610 type identityref { 1611 base anti-ddos-capability; 1612 } 1613 description 1614 "Anti-ddos capabilities"; 1615 reference 1616 "draft-dong-i2nsf-asf-config-01: Configuration of 1617 Advanced Security Functions with I2NSF Security 1618 Controller"; 1619 } 1621 leaf-list ips-capability { 1622 type identityref { 1623 base ips-capability; 1624 } 1625 description 1626 "Intrusion Prevention System (IPS) capabilities"; 1627 reference 1628 "draft-dong-i2nsf-asf-config-01: Configuration of 1629 Advanced Security Functions with I2NSF Security 1630 Controller"; 1631 } 1633 leaf-list url-capability { 1634 type identityref { 1635 base url-capability; 1636 } 1637 description 1638 "URL capabilities"; 1639 reference 1640 "draft-dong-i2nsf-asf-config-01: Configuration of 1641 Advanced Security Functions with I2NSF Security 1642 Controller"; 1643 } 1645 leaf-list voip-volte-capability { 1646 type identityref { 1647 base voip-volte-capability; 1648 } 1649 description 1650 "VoIP and VoLTE capabilities"; 1651 reference 1652 "draft-dong-i2nsf-asf-config-01: Configuration of 1653 Advanced Security Functions with I2NSF Security 1654 Controller"; 1655 } 1656 } 1658 leaf-list context-capabilities { 1659 type identityref { 1660 base context-capability; 1661 } 1662 description 1663 "Security context capabilities"; 1664 } 1666 } 1667 container action-capabilities { 1668 description 1669 "Action capabilities. 
1670 If network security function has 1671 the action capabilities, it supports 1672 the attendant actions for policy rules."; 1674 leaf-list ingress-action-capability { 1675 type identityref { 1676 base ingress-action-capability; 1677 } 1678 description 1679 "Ingress-action capabilities"; 1680 } 1682 leaf-list egress-action-capability { 1683 type identityref { 1684 base egress-action-capability; 1685 } 1686 description 1687 "Egress-action capabilities"; 1688 } 1690 leaf-list log-action-capability { 1691 type identityref { 1692 base log-action-capability; 1693 } 1694 description 1695 "Log-action capabilities"; 1696 } 1697 } 1699 leaf-list resolution-strategy-capabilities { 1700 type identityref { 1701 base resolution-strategy-capability; 1702 } 1703 description 1704 "Resolution strategy capabilities. 1705 The resolution strategies can be used to 1706 specify how to resolve conflicts that occur between 1707 the actions of the same or different policy rules that 1708 are matched for the smae packet and by particular NSF"; 1709 reference 1710 "draft-ietf-i2nsf-capability-04: Information Model 1711 of NSFs Capabilities - Resolution strategy"; 1712 } 1714 leaf-list default-action-capabilities { 1715 type identityref { 1716 base default-action-capability; 1717 } 1718 description 1719 "Default action capabilities. 1720 A default action is used to execute I2NSF policy rules 1721 when no rule matches a packet. 
The default action is 1722 defined as pass, drop, reject, alert, or mirror."; 1723 reference 1724 "draft-ietf-i2nsf-capability-04: Information Model 1725 of NSFs Capabilities - Default action"; 1726 } 1728 leaf-list ipsec-method { 1729 type identityref { 1730 base ipsec-capability; 1731 } 1732 description 1733 "IPsec method capabilities"; 1734 reference 1735 " draft-ietf-i2nsf-sdn-ipsec-flow-protection-04"; 1736 } 1737 } 1739 /* 1740 * Data nodes 1741 */ 1743 list nsf { 1744 key "nsf-name"; 1745 description 1746 "The list of Network security Function (NSF) 1747 capabilities"; 1748 leaf nsf-name { 1749 type string; 1750 mandatory true; 1751 description 1752 "The name of network security function"; 1753 } 1754 } 1755 } 1757 1759 Figure 3: YANG Data Module of I2NSF Capability 1761 7. IANA Considerations 1763 This document requests IANA to register the following URI in the 1764 "IETF XML Registry" [RFC3688]: 1766 Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1768 Registrant Contact: The IESG. 1770 XML: N/A; the requested URI is an XML namespace. 1772 This document requests IANA to register the following YANG module in 1773 the "YANG Module Names" registry [RFC7950]. 1775 name: ietf-i2nsf-capability 1777 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1779 prefix: nsfcap 1781 reference: RFC XXXX 1783 8. Security Considerations 1785 The YANG module specified in this document defines a data schema 1786 designed to be accessed through network management protocols such as 1787 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 1788 the secure transport layer, and the required transport secure 1789 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 1790 is HTTPS, and the required transport secure transport is TLS 1791 [RFC8446]. 
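   The access control this section relies on, shown as an added
   example that is not part of the draft: a NACM [RFC8341]
   configuration that denies everything by default, lets a
   security-controller group read and maintain the whole
   ietf-i2nsf-capability module, and lets an NSF-registrar group only
   create or update its own entry (the "general_firewall" entry of
   Figure 4).  Group, user and rule names are placeholders; the module
   name and the nsfcap prefix are the ones registered in Section 7.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Deny by default; the rules below re-open only what each role
       needs on the ietf-i2nsf-capability module. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <groups>
    <group>
      <!-- Placeholder group and user names (not from the draft). -->
      <name>security-controller</name>
      <user-name>sc-admin</user-name>
    </group>
    <group>
      <name>nsf-registrar</name>
      <user-name>general-firewall-agent</user-name>
    </group>
  </groups>
  <rule-list>
    <name>i2nsf-controller-rules</name>
    <group>security-controller</group>
    <rule>
      <name>capability-registry-full</name>
      <module-name>ietf-i2nsf-capability</module-name>
      <access-operations>read create update delete</access-operations>
      <action>permit</action>
      <comment>The Security Controller is the only reader of the
               capability registry and the only one that can delete
               entries.</comment>
    </rule>
  </rule-list>
  <rule-list>
    <name>i2nsf-registrar-rules</name>
    <group>nsf-registrar</group>
    <rule>
      <name>register-own-entry</name>
      <module-name>ietf-i2nsf-capability</module-name>
      <path>/nsfcap:nsf[nsfcap:nsf-name='general_firewall']</path>
      <access-operations>create update</access-operations>
      <action>permit</action>
      <comment>An NSF may announce or revise only its own entry; it
               cannot read or delete other NSFs' capabilities.</comment>
    </rule>
  </rule-list>
</nacm>
```

   With read-default set to deny, the read-access concern listed below
   is closed for every user outside the controller group without a
   per-node rule.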
   The NETCONF access control model [RFC8341] provides a means of
   restricting access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker who can illegitimately modify
      this subtree can advertise incorrect security capability
      information for any target NSF.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker may gather the security
      capability information of any target NSF and misuse the
      information for subsequent attacks.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC768]   Postel, J., "User Datagram Protocol", RFC 768, August
              1980.

   [RFC790]   Postel, J., "Assigned Numbers", RFC 790, September 1981.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

9.2.  Informative References

   [draft-dong-i2nsf-asf-config]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07
              (work in progress), July 2019.

   [draft-ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
              "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
              nsf-monitoring-data-model-01 (work in progress), July
              2019.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-05 (work in progress), July 2019.

   [draft-ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-08 (work in
              progress), July 2019.
1944 [draft-ietf-supa-generic-policy-info-model] 1945 Strassner, J., Halpern, J., and S. Meer, "Generic Policy 1946 Information Model for Simplified Use of Policy 1947 Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- 1948 model-03 (work in progress), May 2017. 1950 Appendix A. Configuration Examples 1952 This section shows configuration examples of "ietf-i2nsf-capability" 1953 module for capabilities registration of general firewall. 1955 A.1. Example 1: Registration for Capabilities of General Firewall 1957 This section shows a configuration example for capabilities 1958 registration of general firewall. 1960 1961 general_firewall 1962 1963 1964 ipv4-protocol 1965 exact-ipv4-address 1966 range-ipv4-address 1967 exact-fourth-layer-port-num 1968 range-fourth-layer-port-num 1969 1970 1971 1972 pass 1973 drop 1974 alert 1975 pass 1976 drop 1977 alert 1978 1979 1981 Figure 4: Configuration XML for Capabilities Registration of General 1982 Firewall 1984 Figure 4 shows the configuration XML for capabilities registration of 1985 general firewall and its capabilities are as follows. 1987 1. The name of the NSF is general_firewall. 1989 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 1990 address for IPv4 packets. 1992 3. The NSF can inspect exact port number and range port number for 1993 fourth layer packets. 1995 4. The NSF can control whether the packets are allowed to pass, 1996 drop, or alert. 1998 A.2. Example 2: Registration for Capabilities of Time based Firewall 2000 This section shows a configuration example for capabilities 2001 registration of time based firewall. 
2003 2004 time_based_firewall 2005 absolute-time 2006 periodic-time 2007 2008 2009 ipv4-protocol 2010 exact-ipv4-address 2011 range-ipv4-address 2012 2013 2014 2015 pass 2016 drop 2017 alert 2018 pass 2019 drop 2020 alert 2021 2022 2024 Figure 5: Configuration XML for Capabilities Registration of Time 2025 based Firewall 2027 Figure 5 shows the configuration XML for capabilities registration of 2028 time based firewall and its capabilities are as follows. 2030 1. The name of the NSF is time_based_firewall. 2032 2. The NSF can execute the security policy rule according to 2033 absolute time and periodic time. 2035 3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 2036 address for IPv4 packets. 2038 4. The NSF can control whether the packets are allowed to pass, 2039 drop, or alert. 2041 A.3. Example 3: Registration for Capabilities of Web Filter 2043 This section shows a configuration example for capabilities 2044 registration of web filter. 2046 2047 web_filter 2048 2049 2050 user-defined 2051 2052 2053 2054 pass 2055 drop 2056 alert 2057 pass 2058 drop 2059 alert 2060 2061 2063 Figure 6: Configuration XML for Capabilities Registration of Web 2064 Filter 2066 Figure 6 shows the configuration XML for capabilities registration of 2067 web filter and its capabilities are as follows. 2069 1. The name of the NSF is web_filter. 2071 2. The NSF can inspect url for http and https packets. 2073 3. The NSF can control whether the packets are allowed to pass, 2074 drop, or alert. 2076 A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter 2078 This section shows a configuration example for capabilities 2079 registration of VoIP/VoLTE filter. 
     voip_volte_filter

     voice-id

     pass
     drop
     alert
     pass
     drop
     alert

   Figure 7: Configuration XML for Capabilities Registration of VoIP/
                                VoLTE Filter

   Figure 7 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter.  Its capabilities are as
   follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect the voice ID of VoIP/VoLTE packets.

   3.  The NSF can control whether packets are passed, dropped, or
       alerted on.

A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS Flood
      Mitigation

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.

     http_and_https_flood_mitigation

     http-flood-action
     https-flood-action

     pass
     drop
     alert
     pass
     drop
     alert

   Figure 8: Configuration XML for Capabilities Registration of HTTP and
                            HTTPS Flood Mitigation

   Figure 8 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator.  Its capabilities
   are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The location of the NSF is 221.159.112.140.

   3.  The NSF can mitigate HTTP and HTTPS flood attacks (the http-
       flood-action and https-flood-action capabilities), i.e., it can
       control the volume of HTTP and HTTPS packets.

   4.  The NSF can control whether packets are passed, dropped, or
       alerted on.

Appendix B.  Changes from draft-ietf-i2nsf-capability-data-model-04

   The following changes are made from draft-ietf-i2nsf-capability-data-
   model-04:

   o  The document is revised according to the YANG Doctors review
      comments from Acee Lindem and Carl Moberg.

Appendix C.
Acknowledgments

   This work was supported by the Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

Appendix D.  Contributors

   This document is the group effort of the I2NSF working group.  Many
   people actively contributed to this document.  The following are
   considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Jung-Soo Park (ETRI)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com
