I2NSF Working Group                                       S. Hares, Ed.
Internet-Draft                                                   Huawei
Intended status: Standards Track                          J. Jeong, Ed.
Expires: January 14, 2021                                        J. Kim
                                                 Sungkyunkwan University
                                                           R. Moskowitz
                                                         HTT Consulting
                                                                 Q. Lin
                                                                 Huawei
                                                          July 13, 2020

                   I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-06

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to Network
   Security Functions (I2NSF) framework, so that the capabilities of the
   various NSFs can be managed centrally.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Network Security Function (NSF) Capabilities
   6.  YANG Data Modules
     6.1.  I2NSF Capability YANG Data Module
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Example 1: Registration for Capabilities of General Firewall
     A.2.  Example 2: Registration for Capabilities of Time-based
           Firewall
     A.3.  Example 3: Registration for Capabilities of Web Filter
     A.4.  Example 4: Registration for Capabilities of VoIP/VoLTE Filter
     A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS
           Flood Mitigation
   Appendix B.  Changes from draft-ietf-i2nsf-capability-data-model-05
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices more
   diverse (e.g., Internet of Things devices, self-driving vehicles, and
   VoIP/VoLTE smartphones), service providers face the problems
   described in [RFC8192].
   To resolve these problems, [draft-ietf-i2nsf-capability] specifies
   the information model of the capabilities of Network Security
   Functions (NSFs).

   This document provides a YANG data model [RFC6020][RFC7950] that
   defines the capabilities of NSFs so that the capabilities of those
   security devices can be managed centrally.  The security devices can
   register their own capabilities with a Network Operator Management
   (Mgmt) System (i.e., Security Controller) using this YANG data model
   through the Registration Interface [RFC8329].  With the capabilities
   of those security devices maintained centrally, the devices can be
   managed more easily [RFC8329].  This YANG data model is based on the
   information model for I2NSF NSF capabilities
   [draft-ietf-i2nsf-capability].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that is the basis for the design of I2NSF Policy, as described
   in [RFC8329] and [draft-ietf-i2nsf-capability].  The "ietf-i2nsf-
   capability" YANG module defined in this document provides the
   following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-capability] and [RFC8431].  In particular, the
   following terms are from [RFC3444]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   defined in [RFC8340].

4.  Overview

   This section provides an overview of how the YANG data model can be
   used in the I2NSF framework described in [RFC8329].  Figure 1 shows
   the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF
   Framework.  As shown in this figure, an NSF Developer's Management
   System can register NSFs and the capabilities that each network
   security device supports.  To register NSFs in this way, the
   Developer's Management System uses this standardized capability YANG
   data model over the I2NSF Registration Interface
   [draft-ietf-i2nsf-registration-interface-dm].  That is, the
   Registration Interface uses the YANG module described in this
   document to describe the capabilities of a network security function
   that is registered with the Security Controller.  With the
   capabilities of those network security devices maintained centrally,
   the devices can be managed more easily, which resolves many of the
   problems described in [RFC8192].
   In Figure 1, a new NSF at a Developer's Management System has the
   capabilities of Firewall (FW) and Web Filter (WF), denoted as
   (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy
   rules, where 'E', 'C', and 'A' mean "Event", "Condition", and
   "Action", respectively.  The condition covers IPv4 or IPv6
   datagrams, and the action includes "Allow" and "Deny" for those
   datagrams.

   Note that the NSF-Facing Interface is used to configure the security
   policy rules of generic network security functions
   [draft-ietf-i2nsf-nsf-facing-interface-dm], and that the
   configuration of advanced security functions over the NSF-Facing
   Interface is used to configure the security policy rules of advanced
   network security functions (e.g., anti-virus and anti-DDoS)
   [draft-dong-i2nsf-asf-config], in each case according to the
   capabilities of the NSFs registered with the I2NSF Framework.

   +------------------------------------------------------+
   | I2NSF User (e.g., Overlay Network Mgmt, Enterprise   |
   | Network Mgmt, another network domain's mgmt, etc.)   |
   +--------------------+---------------------------------+
            I2NSF       ^
     Consumer-Facing    |
        Interface       |
                        v                I2NSF
   +--------------------+---------+   Registration   +-------------+
   | Network Operator Mgmt System |    Interface     | Developer's |
   | (i.e., Security Controller)  |<---------------->| Mgmt System |
   +-----------------+------------+                  +-------------+
                     ^                                 New NSF
                     |                                 Cap = {FW, WF}
          I2NSF      |                                 E = {}
   NSF-Facing Interface                                C = {IPv4, IPv6}
                     |                                 A = {Allow, Deny}
                     v
   +---------------+----+------------+-----------------+
   |               |                 |                 |
+--+----+     +----+--+          +---+---+         +---+---+
| NSF-1 | ... | NSF-m |          | NSF-1 | ...     | NSF-n | ...
+-------+     +-------+          +-------+         +-------+
  NSF-1          NSF-m             NSF-1             NSF-n
Cap = {FW, WF}  Cap = {FW, WF}  Cap = {FW, WF}    Cap = {FW, WF}
E = {}          E = {user}      E = {dev}         E = {time}
C = {IPv4}      C = {IPv6}      C = {IPv4, IPv6}  C = {IPv4}
A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny}

   Developer's Mgmt System A         Developer's Mgmt System B

            Figure 1: Capabilities of NSFs in I2NSF Framework

   A use case of an NSF with the capabilities of firewall and web filter
   is described as follows.

   o  If a network manager wants to apply security policy rules to block
      malicious users with a firewall and a web filter, it is a
      tremendous burden for the network administrator to apply all of
      the needed rules to the NSFs one by one.  This problem is resolved
      by managing the capabilities of NSFs as described in this
      document.

   o  If a network administrator wants to block malicious users for IPv6
      traffic, the administrator sends a security policy rule that
      blocks those users to the Network Operator Management System
      through the I2NSF User (i.e., a web application).

   o  When the Network Operator Management System receives the security
      policy rule, it automatically sends that rule to the appropriate
      NSFs (i.e., NSF-m in Developer's Management System A and NSF-1 in
      Developer's Management System B), which are the NSFs whose
      registered capabilities cover the rule (i.e., IPv6).  The I2NSF
      User therefore does not need to consider which NSFs the rule is
      applied to.

   o  If the NSFs encounter suspicious IPv6 packets from the malicious
      users, they filter the packets out according to the configured
      security policy rule.  The security policy rule against the
      malicious users' packets is thus applied automatically to the
      appropriate NSFs without human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of the capabilities of network
   security functions, as defined in [draft-ietf-i2nsf-capability].

5.1.  Network Security Function (NSF) Capabilities

   This section explains a YANG tree diagram of NSF capabilities and its
   features.  Figure 2 shows a YANG tree diagram of NSF capabilities.
   The NSF capabilities in the tree include time capabilities, event
   capabilities, condition capabilities, action capabilities, resolution
   strategy capabilities, default action capabilities, and IPsec method
   capabilities.  Those capabilities can be tailored or extended
   according to a vendor's specific requirements.  Refer to the NSF
   capabilities information model [draft-ietf-i2nsf-capability] for a
   detailed discussion.

   module: ietf-i2nsf-capability
     +--rw nsf* [nsf-name]
        +--rw nsf-name                             string
        +--rw time-capabilities*                   enumeration
        +--rw event-capabilities
        |  +--rw system-event-capability*          identityref
        |  +--rw system-alarm-capability*          identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capability*               identityref
        |  |  +--rw icmp-capability*               identityref
        |  |  +--rw ipv6-capability*               identityref
        |  |  +--rw icmpv6-capability*             identityref
        |  |  +--rw tcp-capability*                identityref
        |  |  +--rw udp-capability*                identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw anti-virus-capability*         identityref
        |  |  +--rw anti-ddos-capability*          identityref
        |  |  +--rw ips-capability*                identityref
        |  |  +--rw url-capability*                identityref
        |  |  +--rw voip-volte-capability*         identityref
        |  +--rw context-capabilities*             identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capability*        identityref
        |  +--rw egress-action-capability*         identityref
        |  +--rw log-action-capability*            identityref
        +--rw resolution-strategy-capabilities*    identityref
        +--rw default-action-capabilities*         identityref
        +--rw ipsec-method*                        identityref

       Figure 2: YANG Tree Diagram of Capabilities of Network Security
                                  Functions

   Time capabilities specify when an I2NSF policy rule is to be
   executed.  They are defined in terms of absolute time and periodic
   time.  Absolute time is an exact time to start or end; periodic time
   is a repeating interval such as a day, week, or month.  See
   Section 3.4.6 (Capability Algebra) in [draft-ietf-i2nsf-capability]
   for more information about the time-based condition (e.g., time
   period) in the capability algebra.

   Event capabilities describe the events that trigger the evaluation of
   the condition clause of an I2NSF Policy Rule.  The defined event
   capabilities are system event and system alarm.  See Section 3.1
   (Design Principles and ECA Policy Model Overview) in
   [draft-ietf-i2nsf-capability] for more information about the event in
   the ECA policy model.

   Condition capabilities describe the set of attributes, features,
   and/or values that are compared against a set of known attributes,
   features, and/or values in order to determine whether the set of
   actions in that (imperative) I2NSF policy rule can be executed.  The
   condition capabilities are classified by generic network security
   functions and advanced network security functions.  The condition
   capabilities of generic network security functions are the IPv4,
   IPv6, TCP, UDP, ICMP, and ICMPv6 capabilities.  The condition
   capabilities of advanced network security functions are the
   anti-virus, anti-DDoS, IPS, URL (web filtering), and VoIP/VoLTE
   capabilities; context capabilities (e.g., user, group, application,
   or geography) can also be advertised.  See Section 3.1 (Design
   Principles and ECA Policy Model Overview) in
   [draft-ietf-i2nsf-capability] for more information about the
   condition in the ECA policy model.
   Also, see Section 3.4.3 (I2NSF Condition Clause Operator Types) in
   [draft-ietf-i2nsf-capability] for more information about the operator
   types in an I2NSF condition clause.

   Action capabilities describe the control and monitoring actions that
   flow-based NSFs can take when the event and condition clauses are
   satisfied.  The action capabilities are defined as ingress-action
   capability, egress-action capability, and log-action capability.  See
   Section 3.1 (Design Principles and ECA Policy Model Overview) in
   [draft-ietf-i2nsf-capability] for more information about the action
   in the ECA policy model.  Also, see Section 7.2 (NSF-Facing Flow
   Security Policy Structure) in [RFC8329] for more information about
   the ingress and egress actions, and Section 9.1 (Flow-Based NSF
   Capability Characterization) in [RFC8329] for more information about
   logging at NSFs.

   Resolution strategy capabilities describe how an NSF resolves
   conflicts between the actions of rules (of the same or different
   policies) that match the same packet.  The resolution strategy
   capabilities are defined as First Matching Rule (FMR), Last Matching
   Rule (LMR), Prioritized Matching Rule (PMR), Prioritized Matching
   Rule with Errors (PMRE), and Prioritized Matching Rule with No Errors
   (PMRN).  See Section 3.4.2 (Conflict, Resolution Strategy and Default
   Action) in [draft-ietf-i2nsf-capability] for more information about
   the resolution strategy.

   Default action capabilities describe what an NSF does with a packet
   when no rule matches it.  The default action capabilities are defined
   as pass, drop, alert, and mirror.  See Section 3.4.2 (Conflict,
   Resolution Strategy and Default Action) in
   [draft-ietf-i2nsf-capability] for more information about the default
   action.
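   The following Python program is an added example, not part of this
   draft or of any I2NSF implementation.  It shows what a Security
   Controller does with the condition capabilities above in the use
   case of Section 4: pick the NSFs whose registered capabilities cover
   a policy rule.  It assumes (these are the example's assumptions, not
   the draft's) that registrations arrive as RFC 7951-style JSON
   instance data following the tree in Figure 2, with identityrefs
   carrying the "ietf-i2nsf-capability:" prefix; that a rule's
   requirement is a set of condition-capability identities; and that an
   NSF satisfies a required identity when it advertises that identity
   or one derived from it (YANG derived-from-or-self() semantics).  The
   YANG excerpt and the NSF records are constructed for the example.

```python
import json
import re

# Constructed excerpt of identity statements, same names and "base"
# relationships as the draft's module (other substatements omitted).
YANG_EXCERPT = """
identity condition { description "Base identity for policy conditions"; }
identity ipv4-capability { base condition; reference "RFC 791"; }
identity exact-ipv4-address { base ipv4-capability; }
identity range-ipv4-address { base ipv4-capability; }
identity ipv6-capability { base condition; reference "RFC 8200"; }
identity exact-ipv6-address { base ipv6-capability; }
identity range-ipv6-address { base ipv6-capability; }
identity tcp-capability { base condition; reference "RFC 793"; }
identity exact-tcp-port-num { base tcp-capability; }
identity range-tcp-port-num { base tcp-capability; }
"""

# Constructed registrations (RFC 7951-style JSON is an assumption);
# "odd_nsf" advertises an identity the module does not define.
REGISTRATIONS = json.loads("""
{"ietf-i2nsf-capability:nsf": [
 {"nsf-name": "general_firewall",
  "condition-capabilities": {"generic-nsf-capabilities": {
   "ipv4-capability": ["ietf-i2nsf-capability:exact-ipv4-address",
                       "ietf-i2nsf-capability:range-ipv4-address"],
   "tcp-capability": ["ietf-i2nsf-capability:exact-tcp-port-num"]}}},
 {"nsf-name": "ipv6_firewall",
  "condition-capabilities": {"generic-nsf-capabilities": {
   "ipv6-capability": ["ietf-i2nsf-capability:exact-ipv6-address"],
   "tcp-capability": ["ietf-i2nsf-capability:exact-tcp-port-num"]}}},
 {"nsf-name": "dual_stack_firewall",
  "condition-capabilities": {"generic-nsf-capabilities": {
   "ipv4-capability": ["ietf-i2nsf-capability:exact-ipv4-address"],
   "ipv6-capability": ["ietf-i2nsf-capability:range-ipv6-address"],
   "tcp-capability": ["ietf-i2nsf-capability:range-tcp-port-num"]}}},
 {"nsf-name": "odd_nsf",
  "condition-capabilities": {"generic-nsf-capabilities": {
   "ipv6-capability": ["ietf-i2nsf-capability:bogus-capability"]}}}
]}
""")


def parse_identities(yang_text):
    """Map each 'identity' name to its 'base' (None for base identities)."""
    bases = {}
    for name, body in re.findall(r"identity\s+([\w-]+)\s*\{([^}]*)\}",
                                 yang_text):
        body = re.sub(r'"[^"]*"', '""', body)   # ignore quoted strings
        m = re.search(r"\bbase\s+([\w-]+)\s*;", body)
        bases[name] = m.group(1) if m else None
    return bases


def derived_from_or_self(bases, ident, base):
    """YANG derived-from-or-self(): ident is base or derives from it."""
    seen = set()
    while ident is not None and ident not in seen:
        if ident == base:
            return True
        seen.add(ident)
        ident = bases.get(ident)
    return False


def advertised_identities(nsf):
    """Every identityref under condition-capabilities, prefix stripped."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                found.add(child.split(":", 1)[-1]) if isinstance(child, str) else walk(child)

    walk(nsf.get("condition-capabilities", {}))
    return found


def unknown_identities(registrations, bases):
    """Identities advertised by NSFs that the module does not define.
    A controller should reject such registrations rather than guess."""
    bad = {}
    for nsf in registrations["ietf-i2nsf-capability:nsf"]:
        unknown = sorted(i for i in advertised_identities(nsf) if i not in bases)
        if unknown:
            bad[nsf["nsf-name"]] = unknown
    return bad


def select_nsfs(registrations, bases, required):
    """NSFs whose advertised identities cover every required identity
    (by derivation); NSFs with unknown identities are never selected."""
    rejected = unknown_identities(registrations, bases)
    chosen = []
    for nsf in registrations["ietf-i2nsf-capability:nsf"]:
        if nsf["nsf-name"] in rejected:
            continue
        have = advertised_identities(nsf)
        if all(any(derived_from_or_self(bases, h, req) for h in have)
               for req in required):
            chosen.append(nsf["nsf-name"])
    return chosen


BASES = parse_identities(YANG_EXCERPT)

if __name__ == "__main__":
    # Section 4's use case: a rule against malicious IPv6 users.
    print(select_nsfs(REGISTRATIONS, BASES, {"ipv6-capability"}))
    print(unknown_identities(REGISTRATIONS, BASES))
```

   Requiring the base identity ipv6-capability is satisfied by any NSF
   that advertises a more specific IPv6 identity, while requiring
   range-tcp-port-num is not satisfied by an NSF that only advertises
   exact-tcp-port-num; the two are siblings, not ancestor and
   descendant.  Rejecting registrations that name identities the
   controller's copy of the module does not define keeps a malformed or
   malicious registration from silently becoming "matches nothing" or,
   worse, "matches everything" in a less careful implementation.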
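   The next Python program is also an added example, not part of this
   draft, and it covers the resolution strategy and default action
   capabilities just described.  It shows that the same rule set gives
   different verdicts for the same packet under FMR, LMR and PMR, and
   what a controller can do when an NSF advertises only FMR.  The rule
   and packet representation, the priorities, the tie-breaking rule for
   PMR and the IPv4 prefixes (RFC 5737 documentation ranges) are all
   this example's assumptions; the draft only names the strategies and
   the default actions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A constructed flow rule: condition = source prefix and optional
    TCP destination port; action = one of the draft's action names."""
    name: str
    action: str                 # "pass", "drop", "alert" or "mirror"
    priority: int = 0           # used by PMR; higher wins (assumption)
    src: str = "0.0.0.0/0"      # IPv4 prefix the condition matches
    dport: Optional[int] = None # TCP destination port; None = any

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and (self.dport is None or pkt["dport"] == self.dport))


def resolve(rules, pkt, strategy, default_action):
    """Action for pkt under one resolution strategy.

    FMR: first rule in configured order that matches.
    LMR: last rule in configured order that matches.
    PMR: matching rule with the highest priority; ties go to the
         earlier rule (an assumption, the draft leaves this open).
    No rule matches: the NSF's default action."""
    matched = [r for r in rules if r.matches(pkt)]
    if not matched:
        return default_action
    if strategy == "FMR":
        return matched[0].action
    if strategy == "LMR":
        return matched[-1].action
    if strategy == "PMR":
        return max(matched, key=lambda r: r.priority).action
    raise ValueError(f"unknown resolution strategy {strategy!r}")


def verdicts(rules, pkt, default_action):
    """The verdict under every strategy, to compare them side by side."""
    return {s: resolve(rules, pkt, s, default_action)
            for s in ("FMR", "LMR", "PMR")}


def order_for_fmr(rules):
    """For an NSF that advertises only FMR: push the rules in descending
    priority so its first-match verdict equals the PMR verdict.  The
    sort is stable, so equal priorities keep their configured order."""
    return sorted(rules, key=lambda r: -r.priority)


# Constructed rule set: a broad allow rule was configured before a
# higher-priority block rule for a known-bad prefix.
RULES = [
    Rule("allow-web", "pass", priority=10, dport=443),
    Rule("block-bad-net", "drop", priority=50, src="203.0.113.0/24"),
]
PKT_FROM_BAD_NET = {"src": "203.0.113.7", "dport": 443}   # matches both
PKT_UNMATCHED = {"src": "198.51.100.9", "dport": 22}      # matches none

if __name__ == "__main__":
    print(verdicts(RULES, PKT_FROM_BAD_NET, "drop"))
    print(resolve(RULES, PKT_UNMATCHED, "PMR", "alert"))
    print(resolve(order_for_fmr(RULES), PKT_FROM_BAD_NET, "FMR", "drop"))
```

   Under FMR the packet from the blocked prefix is passed, because the
   allow rule comes first; under LMR and PMR it is dropped.  A
   controller that translates a prioritized policy for an NSF whose
   registered resolution-strategy-capabilities contain only FMR must
   therefore order the rules itself, as order_for_fmr() does, or the
   verdict flips from deny to allow.  The default action matters in the
   same way: a packet that matches no rule is handled by the NSF's
   registered default action, so an NSF whose default is "pass" needs
   an explicit catch-all drop rule if the policy intends default deny.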
   IPsec method capabilities specify how an NSF supports Internet Key
   Exchange (IKE) for securing its communication.  The IPsec method
   capabilities are defined as IKE and IKE-less.  See
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for more information
   about SDN-based IPsec flow protection in I2NSF.

6.  YANG Data Modules

6.1.  I2NSF Capability YANG Data Module

   This section introduces a YANG data module for the capabilities of
   network security functions, as defined in
   [draft-ietf-i2nsf-capability].

   file "ietf-i2nsf-capability@2020-07-13.yang"

   module ietf-i2nsf-capability {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
     prefix
       nsfcap;

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        WG Chair: Yoav Nir

        Editor: Susan Hares

        Editor: Jaehoon Paul Jeong

        Editor: Jinyong Tim Kim
        ";

     description
       "This module describes a capability model for I2NSF devices.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2020-07-13"{
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Capability YANG Data Model";
     }

     /*
      * Identities
      */

     identity event {
       description
         "Base identity for I2NSF policy events.";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - Event";
     }

     identity system-event-capability {
       base event;
       description
         "Identity for system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity system-alarm-capability {
       base event;
       description
         "Identity for system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity access-violation {
       base system-event-capability;
       description
         "Identity for access violation events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity configuration-change {
       base system-event-capability;
       description
         "Identity for configuration change events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity memory-alarm {
       base system-alarm-capability;
       description
         "Identity for memory alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm-capability;
       description
         "Identity for CPU alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm-capability;
       description
         "Identity for disk alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm-capability;
       description
         "Identity for hardware alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm-capability;
       description
         "Identity for interface alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity condition {
       description
         "Base identity for policy conditions";
     }

     identity context-capability {
       base condition;
       description
         "Identity for context condition capabilities";
     }

     identity acl-number {
       base context-capability;
       description
         "Identity for ACL number condition capability";
     }

     identity application {
       base context-capability;
       description
         "Identity for application condition capability";
     }

     identity target {
       base context-capability;
       description
         "Identity for target condition capability";
     }

     identity user {
       base context-capability;
       description
         "Identity for user condition capability";
     }

     identity group {
       base context-capability;
       description
         "Identity for group condition capability";
     }

     identity geography {
       base context-capability;
       description
         "Identity for geography condition capability";
     }

     identity ipv4-capability {
       base condition;
       description
         "Identity for IPv4 condition capabilities";
       reference
         "RFC 791: Internet Protocol";
     }

     identity exact-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity range-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity ipv4-tos {
       base ipv4-capability;
       description
         "Identity for IPv4 Type-Of-Service (TOS)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity exact-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity range-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity ipv4-id {
       base ipv4-capability;
       description
         "Identity for IPv4 identification condition capability";
       reference
         "RFC 791: Internet Protocol - Identification";
     }

     identity ipv4-fragment-flags {
       base ipv4-capability;
       description
         "Identity for IPv4 fragment flags condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity exact-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity range-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity exact-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity range-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity ipv4-protocol {
       base ipv4-capability;
       description
         "Identity for IPv4 protocol condition capability";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity exact-ipv4-address {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 address
          condition capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity range-ipv4-address {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 address condition
          capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity ipv4-ip-opts {
       base ipv4-capability;
       description
         "Identity for IPv4 option condition capability";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ipv4-geo-ip {
       base ipv4-capability;
       description
         "Identity for IPv4 Geo-IP condition capability";
       reference
         "draft-ietf-i2nsf-capability-05: Information Model
          of NSFs Capabilities - Geo-IP";
     }

     identity ipv6-capability {
       base condition;
       description
         "Identity for IPv6 condition capabilities";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification";
     }

     identity ipv6-traffic-class {
       base ipv6-capability;
       description
         "Identity for IPv6 traffic class
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity exact-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity range-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }
     identity exact-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity range-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity ipv6-next-header {
       base ipv6-capability;
       description
         "Identity for IPv6 next header condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity exact-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity range-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity exact-ipv6-address {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity range-ipv6-address {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity tcp-capability {
       base condition;
       description
         "Identity for TCP condition capabilities";
       reference
         "RFC 793: Transmission Control Protocol";
     }

     identity exact-tcp-port-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity range-tcp-port-num {
       base tcp-capability;
       description
         "Identity for range-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity exact-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity range-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for range-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity exact-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP acknowledgement number
          condition capability";
       reference
         "RFC 793: Transmission Control Protocol
          - Acknowledgement Number";
     }

     identity range-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for range-match TCP acknowledgement number
          condition capability";
       reference
         "RFC 793: Transmission Control Protocol
          - Acknowledgement Number";
     }

     identity exact-tcp-window-size {
       base tcp-capability;
       description
         "Identity for exact-match TCP window size condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity range-tcp-window-size {
       base tcp-capability;
       description
         "Identity for range-match TCP window size condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity tcp-flags {
       base tcp-capability;
       description
         "Identity for TCP flags condition capability";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity udp-capability {
       base condition;
       description
         "Identity for UDP condition capabilities";
       reference
         "RFC 768: User Datagram Protocol";
     }

     identity exact-udp-port-num {
       base udp-capability;
       description
         "Identity for exact-match UDP port number condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity range-udp-port-num {
       base udp-capability;
       description
         "Identity for range-match UDP port number condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity exact-udp-total-length {
       base udp-capability;
       description
         "Identity for exact-match UDP total-length condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity range-udp-total-length {
       base udp-capability;
       description
         "Identity for range-match UDP total-length condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity icmp-capability {
       base condition;
       description
         "Identity for ICMP condition capabilities";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmp-type {
       base icmp-capability;
       description
         "Identity for ICMP type condition capability";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmpv6-capability {
       base condition;
       description
         "Identity for ICMPv6 condition capabilities";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          - ICMPv6";
     }

     identity icmpv6-type {
       base icmpv6-capability;
       description
         "Identity for ICMPv6 type condition capability";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          -
ICMPv6"; 998 } 1000 identity url-capability { 1001 base condition; 1002 description 1003 "Identity for URL condition capabilities"; 1004 } 1006 identity pre-defined { 1007 base url-capability; 1008 description 1009 "Identity for URL pre-defined condition capabilities"; 1010 } 1012 identity user-defined { 1013 base url-capability; 1014 description 1015 "Identity for URL user-defined condition capabilities"; 1016 } 1018 identity log-action-capability { 1019 description 1020 "Identity for log-action capabilities"; 1021 } 1023 identity rule-log { 1024 base log-action-capability; 1025 description 1026 "Identity for rule log log-action capability"; 1027 } 1029 identity session-log { 1030 base log-action-capability; 1031 description 1032 "Identity for session log log-action capability"; 1033 } 1035 identity ingress-action-capability { 1036 description 1037 "Identity for ingress-action capabilities"; 1038 reference 1039 "RFC 8329: Framework for Interface to Network Security 1040 Functions - Ingress action"; 1041 } 1043 identity egress-action-capability { 1044 description 1045 "Base identity for egress-action capabilities"; 1046 reference 1047 "RFC 8329: Framework for Interface to Network Security 1048 Functions - Egress action"; 1049 } 1051 identity default-action-capability { 1052 description 1053 "Identity for default-action capabilities"; 1054 reference 1055 "draft-ietf-i2nsf-capability-05: Information Model of 1056 NSFs Capabilities - Default action"; 1057 } 1059 identity pass { 1060 base ingress-action-capability; 1061 base egress-action-capability; 1062 base default-action-capability; 1063 description 1064 "Identity for pass action capability"; 1065 reference 1066 "RFC 8329: Framework for Interface to Network Security 1067 Functions - Ingress, egress, and pass actions 1068 draft-ietf-i2nsf-capability-05: Information Model of 1069 NSFs Capabilities - Actions and default action"; 1070 } 1072 identity drop { 1073 base ingress-action-capability; 1074 base 
egress-action-capability; 1075 base default-action-capability; 1076 description 1077 "Identity for drop action capability"; 1078 reference 1079 "RFC 8329: Framework for Interface to Network Security 1080 Functions - Ingress, egress, and drop actions 1081 draft-ietf-i2nsf-capability-05: Information Model of 1082 NSFs Capabilities - Actions and default action"; 1083 } 1085 identity alert { 1086 base ingress-action-capability; 1087 base egress-action-capability; 1088 base default-action-capability; 1089 description 1090 "Identity for alert action capability"; 1091 reference 1092 "RFC 8329: Framework for Interface to Network Security 1093 Functions - Ingress, egress, and alert actions 1094 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1095 NSF Monitoring YANG Data Model - Alarm (i.e., alert) 1096 draft-ietf-i2nsf-capability-05: Information Model of 1097 NSFs Capabilities - Actions and default action"; 1098 } 1100 identity mirror { 1101 base ingress-action-capability; 1102 base egress-action-capability; 1103 base default-action-capability; 1104 description 1105 "Identity for mirror action capability"; 1106 reference 1107 "RFC 8329: Framework for Interface to Network Security 1108 Functions - Ingress, egress, and mirror actions 1109 draft-ietf-i2nsf-capability-05: Information Model of 1110 NSFs Capabilities - Actions and default action"; 1111 } 1113 identity invoke-signaling { 1114 base egress-action-capability; 1115 description 1116 "Identity for invoke signaling action capability"; 1117 reference 1118 "RFC 8329: Framework for Interface to Network Security 1119 Functions - Invoke-signaling action"; 1120 } 1122 identity tunnel-encapsulation { 1123 base egress-action-capability; 1124 description 1125 "Identity for tunnel encapsulation action capability"; 1126 reference 1127 "RFC 8329: Framework for Interface to Network Security 1128 Functions - Tunnel-encapsulation action"; 1129 } 1131 identity forwarding { 1132 base egress-action-capability; 1133 description 1134 
"Identity for forwarding action capability"; 1135 reference 1136 "RFC 8329: Framework for Interface to Network Security 1137 Functions - Forwarding action"; 1138 } 1140 identity redirection { 1141 base egress-action-capability; 1142 description 1143 "Identity for redirection action capability"; 1144 reference 1145 "RFC 8329: Framework for Interface to Network Security 1146 Functions - Redirection action"; 1147 } 1149 identity resolution-strategy-capability { 1150 description 1151 "Base identity for resolution strategy capability"; 1152 reference 1153 "draft-ietf-i2nsf-capability-05: Information Model of 1154 NSFs Capabilities - Resolution Strategy"; 1155 } 1157 identity fmr { 1158 base resolution-strategy-capability; 1159 description 1160 "Identity for First Matching Rule (FMR) resolution 1161 strategy capability"; 1162 reference 1163 "draft-ietf-i2nsf-capability-05: Information Model of 1164 NSFs Capabilities - Resolution Strategy"; 1165 } 1167 identity lmr { 1168 base resolution-strategy-capability; 1169 description 1170 "Identity for Last Matching Rule (LMR) resolution 1171 strategy capability"; 1172 reference 1173 "draft-ietf-i2nsf-capability-05: Information Model of 1174 NSFs Capabilities - Resolution Strategy"; 1175 } 1177 identity pmr { 1178 base resolution-strategy-capability; 1179 description 1180 "Identity for Prioritized Matching Rule (PMR) resolution 1181 strategy capability"; 1182 reference 1183 "draft-ietf-i2nsf-capability-05: Information Model of 1184 NSFs Capabilities - Resolution Strategy"; 1185 } 1187 identity pmre { 1188 base resolution-strategy-capability; 1189 description 1190 "Identity for Prioritized Matching Rule with Errors (PMRE) 1191 resolution strategy capability"; 1192 reference 1193 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1194 Capabilities - Resolution Strategy"; 1195 } 1197 identity pmrn { 1198 base resolution-strategy-capability; 1199 description 1200 "Identity for Prioritized Matching Rule with No Errors (PMRN) 
1201 resolution strategy capability"; 1202 reference 1203 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1204 Capabilities - Resolution Strategy"; 1205 } 1207 identity advanced-nsf-capability { 1208 description 1209 "Base identity for advanced network security function (NSF) 1210 capabilities"; 1211 reference 1212 "RFC 8329: Framework for Interface to Network Security 1213 Functions - Differences from ACL Data Models 1214 draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1215 Security Functions with I2NSF Security Controller - 1216 Advanced NSF Capability"; 1217 } 1219 identity anti-virus-capability { 1220 base advanced-nsf-capability; 1221 description 1222 "Identity for advanced NSF anti-virus capabilities"; 1223 reference 1224 "RFC 8329: Framework for Interface to Network Security 1225 Functions - Differences from ACL Data Models 1226 draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1227 Security Functions with I2NSF Security Controller - 1228 Anti-Virus"; 1229 } 1231 identity anti-ddos-capability { 1232 base advanced-nsf-capability; 1233 description 1234 "Identity for advanced NSF anti-ddos capabilities"; 1235 reference 1236 "RFC 8329: Framework for Interface to Network Security 1237 Functions - Differences from ACL Data Models 1238 draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1239 Security Functions with I2NSF Security Controller - 1240 Anti-DDoS"; 1241 } 1243 identity ips-capability { 1244 base advanced-nsf-capability; 1245 description 1246 "Identity for advanced NSF Intrusion Prevention System 1247 (IPS) capabilities"; 1248 reference 1249 "RFC 8329: Framework for Interface to Network Security 1250 Functions - Differences from ACL Data Models 1251 draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1252 Security Functions with I2NSF Security Controller - 1253 Intrusion Prevention System"; 1254 } 1256 identity voip-volte-capability { 1257 base advanced-nsf-capability; 1258 description 1259 "Identity for advanced 
NSF VoIP/VoLTE capabilities"; 1260 reference 1261 "RFC 3261: SIP: Session Initiation Protocol 1262 RFC 8329: Framework for Interface to Network Security 1263 Functions - Differences from ACL Data Models 1264 draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1265 Security Functions with I2NSF Security Controller"; 1266 } 1268 identity detect { 1269 base anti-virus-capability; 1270 description 1271 "Identity for advanced NSF Anti-Virus detection capability"; 1272 reference 1273 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1274 Security Functions with I2NSF Security Controller - 1275 Anti-Virus"; 1276 } 1278 identity exception-application { 1279 base anti-virus-capability; 1280 description 1281 "Identity for advanced NSF Anti-Virus exception application 1282 capability"; 1283 reference 1284 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1285 Security Functions with I2NSF Security Controller - 1286 Anti-Virus"; 1287 } 1289 identity exception-signature { 1290 base anti-virus-capability; 1291 description 1292 "Identity for advanced NSF Anti-Virus exception signature 1293 capability"; 1294 reference 1295 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1296 Security Functions with I2NSF Security Controller - 1297 Anti-Virus"; 1298 } 1300 identity whitelists { 1301 base anti-virus-capability; 1302 description 1303 "Identity for advanced NSF Anti-Virus whitelists capability"; 1304 reference 1305 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1306 Security Functions with I2NSF Security Controller - 1307 Anti-virus"; 1308 } 1310 identity syn-flood-action { 1311 base anti-ddos-capability; 1312 description 1313 "Identity for advanced NSF Anti-DDoS syn flood action 1314 capability"; 1315 reference 1316 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1317 Security Functions with I2NSF Security Controller - 1318 Anti-DDoS"; 1319 } 1321 identity udp-flood-action { 1322 base anti-ddos-capability; 1323 description 
1324 "Identity for advanced NSF anti-DDoS UDP flood action 1325 capability"; 1326 reference 1327 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1328 Security Functions with I2NSF Security Controller - 1329 Anti-DDoS"; 1330 } 1332 identity http-flood-action { 1333 base anti-ddos-capability; 1334 description 1335 "Identity for advanced NSF anti-DDoS http flood action 1336 capability"; 1337 reference 1338 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1339 Security Functions with I2NSF Security Controller - 1340 Anti-DDoS"; 1341 } 1343 identity https-flood-action { 1344 base anti-ddos-capability; 1345 description 1346 "Identity for advanced NSF Anti-DDoS https flood action 1347 capability"; 1348 reference 1349 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1350 Security Functions with I2NSF Security Controller - 1351 Anti-DDoS"; 1352 } 1354 identity dns-request-flood-action { 1355 base anti-ddos-capability; 1356 description 1357 "Identity for advanced NSF anti-DDoS dns request 1358 flood action capability"; 1359 reference 1360 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1361 Security Functions with I2NSF Security Controller - 1362 Anti-DDoS"; 1363 } 1365 identity dns-reply-flood-action { 1366 base anti-ddos-capability; 1367 description 1368 "Identity for advanced NSF Anti-DDoS DNS reply flood action 1369 capability"; 1370 reference 1371 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1372 Security Functions with I2NSF Security Controller - 1373 Anti-DDoS"; 1374 } 1375 identity icmp-flood-action { 1376 base anti-ddos-capability; 1377 description 1378 "Identity for advanced NSF Anti-DDoS ICMP flood action 1379 capability"; 1380 reference 1381 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1382 Security Functions with I2NSF Security Controller - 1383 Anti-DDoS"; 1384 } 1386 identity icmpv6-flood-action { 1387 base anti-ddos-capability; 1388 description 1389 "Identity for advanced NSF Anti-DDoS 
ICMPv6 flood action 1390 capability"; 1391 reference 1392 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1393 Security Functions with I2NSF Security Controller - 1394 Anti-DDoS"; 1395 } 1397 identity sip-flood-action { 1398 base anti-ddos-capability; 1399 description 1400 "Identity for advanced NSF Anti-DDoS SIP flood action 1401 capability"; 1402 reference 1403 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1404 Security Functions with I2NSF Security Controller - 1405 Anti-DDoS"; 1406 } 1408 identity detect-mode { 1409 base anti-ddos-capability; 1410 description 1411 "Identity for advanced NSF Anti-DDoS detection mode 1412 capability"; 1413 reference 1414 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1415 Security Functions with I2NSF Security Controller - 1416 Anti-DDoS"; 1417 } 1419 identity baseline-learning { 1420 base anti-ddos-capability; 1421 description 1422 "Identity for advanced NSF Anti-DDoS baseline learning 1423 capability"; 1424 reference 1425 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1426 Security Functions with I2NSF Security Controller - 1427 Anti-DDoS"; 1428 } 1430 identity signature-set { 1431 base ips-capability; 1432 description 1433 "Identity for advanced NSF IPS signature set capability"; 1434 reference 1435 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1436 Security Functions with I2NSF Security Controller - 1437 Intrusion Prevention System"; 1438 } 1440 identity ips-exception-signature { 1441 base ips-capability; 1442 description 1443 "Identity for advanced NSF IPS exception signature 1444 capability"; 1445 reference 1446 "draft-dong-i2nsf-asf-config-01: Configuration of Advanced 1447 Security Functions with I2NSF Security Controller - 1448 Intrusion Prevention System"; 1449 } 1451 identity voice-id { 1452 base voip-volte-capability; 1453 description 1454 "Identity for advanced NSF VoIP/VoLTE voice-id capability"; 1455 reference 1456 "RFC 3261: SIP: Session Initiation 
Protocol"; 1457 } 1459 identity user-agent { 1460 base voip-volte-capability; 1461 description 1462 "Identity for advanced NSF VoIP/VoLTE user agent capability"; 1463 reference 1464 "RFC 3261: SIP: Session Initiation Protocol"; 1465 } 1467 identity ipsec-capability { 1468 description 1469 "Base identity for an IPsec capabilities"; 1470 } 1471 identity ike { 1472 base ipsec-capability; 1473 description 1474 "Identity for an IPSec Internet Key Exchange (IKE) 1475 capability"; 1476 } 1478 identity ikeless { 1479 base ipsec-capability; 1480 description 1481 "Identity for an IPSec without Internet Key Exchange (IKE) 1482 capability"; 1483 } 1485 /* 1486 * Grouping 1487 */ 1489 grouping nsf-capabilities { 1490 description 1491 "Network Security Function (NSF) Capabilities"; 1492 reference 1493 "RFC 8329: Framework for Interface to Network Security 1494 Functions - I2NSF Flow Security Policy Structure 1495 draft-ietf-i2nsf-capability-05: Information Model of 1496 NSFs Capabilities - Capability Information Model Design"; 1498 leaf-list time-capabilities { 1499 type enumeration { 1500 enum absolute-time { 1501 description 1502 "absolute time capabilities. 1503 If a network security function has the absolute time 1504 capability, the network security function supports 1505 rule execution according to absolute time."; 1506 } 1507 enum periodic-time { 1508 description 1509 "periodic time capabilities. 1510 If a network security function has the periodic time 1511 capability, the network security function supports 1512 rule execution according to periodic time."; 1513 } 1514 } 1515 description 1516 "Time capabilities"; 1517 } 1518 container event-capabilities { 1519 description 1520 "Capabilities of events. 
1521 If a network security function has the event capabilities, 1522 the network security function supports rule execution 1523 according to system event and system alarm."; 1525 reference 1526 "RFC 8329: Framework for Interface to Network Security 1527 Functions - I2NSF Flow Security Policy Structure 1528 draft-ietf-i2nsf-capability-05: Information Model of 1529 NSFs Capabilities - Design Principles and ECA Policy 1530 Model Overview 1531 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1532 NSF Monitoring YANG Data Model - System Alarm and 1533 System Events"; 1535 leaf-list system-event-capability { 1536 type identityref { 1537 base system-event-capability; 1538 } 1539 description 1540 "System event capabilities"; 1541 } 1543 leaf-list system-alarm-capability { 1544 type identityref { 1545 base system-alarm-capability; 1546 } 1547 description 1548 "System alarm Capabilities"; 1549 } 1550 } 1552 container condition-capabilities { 1553 description 1554 "Conditions capabilities."; 1556 container generic-nsf-capabilities { 1557 description 1558 "Conditions capabilities. 
1559 If a network security function has the condition 1560 capabilities, the network security function 1561 supports rule execution according to conditions of 1562 IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; 1563 reference 1564 "RFC 791: Internet Protocol - IPv4 1565 RFC 792: Internet Control Message Protocol - ICMP 1566 RFC 793: Transmission Control Protocol - TCP 1567 RFC 768: User Datagram Protocol - UDP 1568 RFC 8200: Internet Protocol, Version 6 (IPv6) 1569 Specification - IPv6 1570 RFC 4443: Internet Control Message Protocol (ICMPv6) 1571 for the Internet Protocol Version 6 (IPv6) Specification 1572 - ICMPv6 1573 RFC 8329: Framework for Interface to Network Security 1574 Functions - I2NSF Flow Security Policy Structure 1575 draft-ietf-i2nsf-capability-05: Information Model of 1576 NSFs Capabilities - Design Principles and ECA Policy 1577 Model Overview"; 1579 leaf-list ipv4-capability { 1580 type identityref { 1581 base ipv4-capability; 1582 } 1583 description 1584 "IPv4 packet capabilities"; 1585 reference 1586 "RFC 791: Internet Protocol"; 1587 } 1589 leaf-list icmp-capability { 1590 type identityref { 1591 base icmp-capability; 1592 } 1593 description 1594 "ICMP packet capabilities"; 1595 reference 1596 "RFC 792: Internet Control Message Protocol - ICMP"; 1597 } 1599 leaf-list ipv6-capability { 1600 type identityref { 1601 base ipv6-capability; 1602 } 1603 description 1604 "IPv6 packet capabilities"; 1605 reference 1606 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1607 Specification - IPv6"; 1608 } 1610 leaf-list icmpv6-capability { 1611 type identityref { 1612 base icmpv6-capability; 1613 } 1614 description 1615 "ICMPv6 packet capabilities"; 1616 reference 1617 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1618 for the Internet Protocol Version 6 (IPv6) Specification 1619 - ICMPv6"; 1620 } 1622 leaf-list tcp-capability { 1623 type identityref { 1624 base tcp-capability; 1625 } 1626 description 1627 "TCP packet capabilities"; 1628 
reference 1629 "RFC 793: Transmission Control Protocol - TCP"; 1630 } 1632 leaf-list udp-capability { 1633 type identityref { 1634 base udp-capability; 1635 } 1636 description 1637 "UDP packet capabilities"; 1638 reference 1639 "RFC 768: User Datagram Protocol - UDP"; 1640 } 1641 } 1643 container advanced-nsf-capabilities { 1644 description 1645 "Advanced Network Security Function (NSF) capabilities, 1646 such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE."; 1647 reference 1648 "RFC 8329: Framework for Interface to Network Security 1649 Functions - Differences from ACL Data Models 1650 draft-dong-i2nsf-asf-config-01: Configuration of 1651 Advanced Security Functions with I2NSF Security 1652 Controller"; 1654 leaf-list anti-virus-capability { 1655 type identityref { 1656 base anti-virus-capability; 1657 } 1658 description 1659 "Anti-virus capabilities"; 1660 reference 1661 "draft-dong-i2nsf-asf-config-01: Configuration of 1662 Advanced Security Functions with I2NSF Security 1663 Controller"; 1664 } 1666 leaf-list anti-ddos-capability { 1667 type identityref { 1668 base anti-ddos-capability; 1669 } 1670 description 1671 "Anti-ddos capabilities"; 1672 reference 1673 "draft-dong-i2nsf-asf-config-01: Configuration of 1674 Advanced Security Functions with I2NSF Security 1675 Controller"; 1676 } 1678 leaf-list ips-capability { 1679 type identityref { 1680 base ips-capability; 1681 } 1682 description 1683 "Intrusion Prevention System (IPS) capabilities"; 1684 reference 1685 "draft-dong-i2nsf-asf-config-01: Configuration of 1686 Advanced Security Functions with I2NSF Security 1687 Controller"; 1688 } 1690 leaf-list url-capability { 1691 type identityref { 1692 base url-capability; 1693 } 1694 description 1695 "URL capabilities"; 1696 reference 1697 "draft-dong-i2nsf-asf-config-01: Configuration of 1698 Advanced Security Functions with I2NSF Security 1699 Controller"; 1700 } 1702 leaf-list voip-volte-capability { 1703 type identityref { 1704 base voip-volte-capability; 1705 
} 1706 description 1707 "VoIP and VoLTE capabilities"; 1708 reference 1709 "draft-dong-i2nsf-asf-config-01: Configuration of 1710 Advanced Security Functions with I2NSF Security 1711 Controller"; 1712 } 1713 } 1715 leaf-list context-capabilities { 1716 type identityref { 1717 base context-capability; 1718 } 1719 description 1720 "Security context capabilities"; 1721 } 1722 } 1724 container action-capabilities { 1725 description 1726 "Action capabilities. 1727 If a network security function has the action 1728 capabilities, the network security function supports 1729 the attendant actions for policy rules."; 1731 leaf-list ingress-action-capability { 1732 type identityref { 1733 base ingress-action-capability; 1734 } 1735 description 1736 "Ingress-action capabilities"; 1737 } 1739 leaf-list egress-action-capability { 1740 type identityref { 1741 base egress-action-capability; 1742 } 1743 description 1744 "Egress-action capabilities"; 1745 } 1747 leaf-list log-action-capability { 1748 type identityref { 1749 base log-action-capability; 1750 } 1751 description 1752 "Log-action capabilities"; 1753 } 1754 } 1756 leaf-list resolution-strategy-capabilities { 1757 type identityref { 1758 base resolution-strategy-capability; 1759 } 1760 description 1761 "Resolution strategy capabilities. 1762 The resolution strategies can be used to specify how 1763 to resolve conflicts that occur between the actions 1764 of the same or different policy rules that are matched 1765 for the same packet and by particular NSF"; 1766 reference 1767 "draft-ietf-i2nsf-capability-05: Information Model of 1768 NSFs Capabilities - Resolution strategy"; 1769 } 1771 leaf-list default-action-capabilities { 1772 type identityref { 1773 base default-action-capability; 1774 } 1775 description 1776 "Default action capabilities. 1777 A default action is used to execute I2NSF policy rules 1778 when no rule matches a packet. 
            The default action is
            defined as pass, drop, alert, or mirror.";
         reference
           "RFC 8329: Framework for Interface to Network Security
            Functions - Ingress and egress actions
            draft-ietf-i2nsf-capability-05: Information Model of
            NSFs Capabilities - Default action";
       }

       leaf-list ipsec-method {
         type identityref {
           base ipsec-capability;
         }
         description
           "IPsec method capabilities";
         reference
           "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
            Software-Defined Networking (SDN)-based IPsec Flow
            Protection - IPsec methods such as IKE and IKE-less";
       }
     }

     /*
      * Data nodes
      */

     list nsf {
       key "nsf-name";
       description
         "The list of Network Security Function (NSF) capabilities";
       leaf nsf-name {
         type string;
         mandatory true;
         description
           "The name of the network security function";
       }
     }
   }

            Figure 3: YANG Data Module of I2NSF Capability

7.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability

      Registrant Contact: The IESG.

      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-i2nsf-capability

      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability

      prefix: nsfcap

      reference: RFC XXXX

8.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242].
   The lowest RESTCONF layer is HTTPS, and the required secure
   transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable, creatable, and deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations to these data nodes
   could have a negative effect on network and security operations.

   o  ietf-i2nsf-capability: An attacker could alter the security
      capabilities associated with an NSF, thereby disabling security
      mitigations or enabling their evasion.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker could gather the security
      capability information of any NSF and use this information to
      evade detection or filtering.

9.  References

9.1.  Normative References

   [draft-dong-i2nsf-asf-config]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H.
              Birkholz, "I2NSF NSF Monitoring YANG Data Model",
              draft-ietf-i2nsf-nsf-monitoring-data-model-03 (work in
              progress), May 2020.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-08 (work in progress), June 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC768]   Postel, J., "User Datagram Protocol", RFC 768, August
              1980.

   [RFC790]   Postel, J., "Assigned Numbers", RFC 790, September 1981.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

9.2.  Informative References

   [draft-ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09
              (work in progress), May 2020.
   [draft-ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
              Registration Interface YANG Data Model",
              draft-ietf-i2nsf-registration-interface-dm (work in
              progress), March 2020.

Appendix A.  Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-capability" module for the capabilities registration of
   a general firewall.

A.1.  Example 1: Registration for Capabilities of General Firewall

   This section shows a configuration example for the capabilities
   registration of a general firewall.

       general_firewall
       ipv4-protocol
       exact-ipv4-address
       range-ipv4-address
       exact-fourth-layer-port-num
       range-fourth-layer-port-num
       pass
       drop
       alert
       pass
       drop
       alert

   Figure 4: Configuration XML for Capabilities Registration of General
             Firewall

   Figure 4 shows the configuration XML for the capabilities
   registration of a general firewall; its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect the protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer (transport-layer) packets.

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or trigger an alert.

A.2.  Example 2: Registration for Capabilities of Time-based Firewall

   This section shows a configuration example for the capabilities
   registration of a time-based firewall.

       time_based_firewall
       absolute-time
       periodic-time
       ipv4-protocol
       exact-ipv4-address
       range-ipv4-address
       pass
       drop
       alert
       pass
       drop
       alert

   Figure 5: Configuration XML for Capabilities Registration of
             Time-based Firewall

   Figure 5 shows the configuration XML for the capabilities
   registration of a time-based firewall; its capabilities are as
   follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute a security policy rule according to an
       absolute time or a periodic time.

   3.  The NSF can inspect the protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or trigger an alert.

A.3.  Example 3: Registration for Capabilities of Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

       web_filter
       user-defined
       pass
       drop
       alert
       pass
       drop
       alert

   Figure 6: Configuration XML for Capabilities Registration of Web
             Filter

   Figure 6 shows the configuration XML for the capabilities
   registration of a web filter; its capabilities are as follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect the URL of HTTP and HTTPS packets.

   3.  The NSF can control whether the packets are allowed to pass, are
       dropped, or trigger an alert.

A.4.  Example 4: Registration for Capabilities of VoIP/VoLTE Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

       voip_volte_filter
       voice-id
       pass
       drop
       alert
       pass
       drop
       alert

   Figure 7: Configuration XML for Capabilities Registration of
             VoIP/VoLTE Filter

   Figure 7 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter; its capabilities are as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect the voice ID of VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass, are
       dropped, or trigger an alert.

A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS Flood
      Mitigation

   This section shows a configuration example for the capabilities
   registration of HTTP and HTTPS flood mitigation.

       http_and_https_flood_mitigation
       http-flood-action
       https-flood-action
       pass
       drop
       alert
       pass
       drop
       alert

   Figure 8: Configuration XML for Capabilities Registration of HTTP
             and HTTPS Flood Mitigation

   Figure 8 shows the configuration XML for the capabilities
   registration of HTTP and HTTPS flood mitigation; its capabilities
   are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The location of the NSF is 221.159.112.140.

   3.  The NSF can control the amount of HTTP and HTTPS packets.

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or trigger an alert.

Appendix B.  Changes from draft-ietf-i2nsf-capability-data-model-05

   The following changes are made from
   draft-ietf-i2nsf-capability-data-model-05:

   o  The version is revised according to the comments from Roman
      Danyliw in his AD review.

Appendix C.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

Appendix D.  Contributors

   This document is the product of the group effort of the I2NSF
   working group.  Many people actively contributed to this document.
   The following are considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Jung-Soo Park (ETRI)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com