idnits 2.17.1 draft-ietf-i2nsf-capability-data-model-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 5 instances of too long lines in the document, the longest one
     being 1 character in excess of 72.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119
     boilerplate text.

  -- The document date (August 25, 2020) is 1339 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC3261' is defined on line 1936, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC768' is defined on line 1965, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC790' is defined on line 1968, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC791' is defined on line 1970, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC792' is defined on line 1972, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC793' is defined on line 1975, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC8200' is defined on line 1996, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 3444

  ** Obsolete normative reference: RFC 790 (Obsoleted by RFC 820)

  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)

  ** Downref: Normative reference to an Informational RFC: RFC 8192

  ** Downref: Normative reference to an Informational RFC: RFC 8329

     Summary: 6 errors (**), 0 flaws (~~), 10 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

I2NSF Working Group                                        S. Hares, Ed.
Internet-Draft                                                    Huawei
Intended status: Standards Track                           J. Jeong, Ed.
Expires: February 26, 2021                                        J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                                         August 25, 2020

                    I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-08

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to Network
   Security Functions (I2NSF) framework to centrally manage the
   capabilities of the various NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 26, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Network Security Function (NSF) Capabilities
   6.  YANG Data Modules
     6.1.  I2NSF Capability YANG Data Module
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Example 1: Registration for Capabilities of General Firewall
     A.2.  Example 2: Registration for Capabilities of Time based Firewall
     A.3.  Example 3: Registration for Capabilities of Web Filter
     A.4.  Example 4: Registration for Capabilities of VoIP/VoLTE Filter
     A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS
           Flood Mitigation
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices
   diversify (e.g., Internet of Things devices, self-driving vehicles,
   and VoIP/VoLTE smartphones), service providers face the many problems
   described in [RFC8192].
   To resolve these problems, [draft-ietf-i2nsf-capability] specifies
   the information model of the capabilities of Network Security
   Functions (NSFs).

   This document provides a YANG data model [RFC6020][RFC7950] that
   defines the capabilities of NSFs to centrally manage the capabilities
   of those security devices.  The security devices can register their
   own capabilities into a Network Operator Management (Mgmt) System
   (i.e., Security Controller) with this YANG data model through the
   registration interface [RFC8329].  With the capabilities of those
   security devices maintained centrally, those security devices can be
   more easily managed [RFC8329].  This YANG data model is based on the
   information model for I2NSF NSF capabilities
   [draft-ietf-i2nsf-capability].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy as
   described in [RFC8329] and [draft-ietf-i2nsf-capability].  The "ietf-
   i2nsf-capability" YANG module defined in this document provides the
   following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-capability][RFC8431].  In particular, the following
   terms are from [RFC3444]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   defined in [RFC8340].

4.  Overview

   This section provides an overview of how the YANG data model can be
   used in the I2NSF framework described in [RFC8329].  Figure 1 shows
   the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF
   Framework.  As shown in this figure, an NSF Developer's Management
   System can register NSFs and the capabilities that the network
   security device can support.  To register NSFs in this way, the
   Developer's Management System utilizes this standardized capability
   YANG data model through the I2NSF Registration Interface
   [draft-ietf-i2nsf-registration-interface-dm].  That is, this
   Registration Interface uses the YANG module described in this
   document to describe the capability of a network security function
   that is registered with the Security Controller.  With the
   capabilities of those network security devices maintained centrally,
   those security devices can be more easily managed, which can resolve
   many of the problems described in [RFC8192].
   In Figure 1, a new NSF at a Developer's Management System has
   capabilities of Firewall (FW) and Web Filter (WF), which are denoted
   as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy
   rules where 'E', 'C', and 'A' mean "Event", "Condition", and
   "Action", respectively.  The condition involves IPv4 or IPv6
   datagrams, and the action includes "Allow" and "Deny" for those
   datagrams.

   Note that the NSF-Facing Interface is used to configure the security
   policy rules of generic network security functions
   [draft-ietf-i2nsf-nsf-facing-interface-dm]; the security policy
   rules of advanced network security functions (e.g., anti-virus and
   anti-DDoS) are likewise configured over the NSF-Facing Interface
   according to the capabilities of the NSFs registered with the I2NSF
   Framework.

   +------------------------------------------------------+
   | I2NSF User (e.g., Overlay Network Mgmt, Enterprise   |
   | Network Mgmt, another network domain's mgmt, etc.)   |
   +------------------+-----------------------------------+
                I2NSF ^
      Consumer-Facing |
            Interface |
                      v                    I2NSF
   +------------------+-----------+  Registration  +-------------+
   | Network Operator Mgmt System |   Interface    | Developer's |
   | (i.e., Security Controller)  |<-------------->| Mgmt System |
   +------------------+-----------+                +-------------+
                      ^                              New NSF
                      |                              Cap = {FW, WF}
                I2NSF |                              E = {}
           NSF-Facing |                              C = {IPv4, IPv6}
            Interface |                              A = {Allow, Deny}
                      v
     +----------------+----------------+----------------+
     |                |                |                |
 +---+---+        +---+---+        +---+---+        +---+---+
 | NSF-1 |  ...   | NSF-m |        | NSF-1 |  ...   | NSF-n |  ...
 +-------+        +-------+        +-------+        +-------+
   NSF-1            NSF-m            NSF-1            NSF-n
 Cap = {FW, WF}   Cap = {FW, WF}   Cap = {FW, WF}   Cap = {FW, WF}
 E = {}           E = {user}       E = {dev}        E = {time}
 C = {IPv4}       C = {IPv6}       C = {IPv4, IPv6} C = {IPv4}
 A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny}

 Developer's Mgmt System A         Developer's Mgmt System B

           Figure 1: Capabilities of NSFs in I2NSF Framework

   A use case of an NSF with the capabilities of firewall and web filter
   is described as follows.

   o  If a network manager wants to apply security policy rules to block
      malicious users with a firewall and a web filter, it is a
      tremendous burden for a network administrator to apply all of the
      needed rules to NSFs one by one.  This problem is resolved by
      managing the capabilities of NSFs centrally with the data model in
      this document.

   o  If a network administrator wants to block malicious users for IPv6
      traffic, they send a security policy rule to block those users to
      the Network Operator Management System through the I2NSF User
      (e.g., a web application).

   o  When the Network Operator Management System receives the security
      policy rule, it automatically sends the rule to the appropriate
      NSFs, i.e., those whose registered capabilities include IPv6
      (NSF-m in Developer's Management System A and NSF-1 in Developer's
      Management System B).  The I2NSF User therefore does not need to
      know which NSFs the rule is applied to.

   o  If NSFs encounter the suspicious IPv6 packets of malicious users,
      they can filter the packets out according to the configured
      security policy rule.  Therefore, the security policy rule against
      the malicious users' packets can be automatically applied to
      appropriate NSFs without human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of the capabilities of network
   security functions, as defined in [draft-ietf-i2nsf-capability].

5.1.  Network Security Function (NSF) Capabilities

   This section explains a YANG tree diagram of NSF capabilities and its
   features.  Figure 2 shows a YANG tree diagram of NSF capabilities.
   The NSF capabilities in the tree include time capabilities, event
   capabilities, condition capabilities, action capabilities, resolution
   strategy capabilities, and default action capabilities.  Those
   capabilities can be tailored or extended according to a vendor's
   specific requirements.  Refer to the NSF capabilities information
   model for detailed discussion [draft-ietf-i2nsf-capability].

   module: ietf-i2nsf-capability
     +--rw nsf* [nsf-name]
        +--rw nsf-name                             string
        +--rw time-capabilities*                   enumeration
        +--rw event-capabilities
        |  +--rw system-event-capability*          identityref
        |  +--rw system-alarm-capability*          identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capability*               identityref
        |  |  +--rw icmp-capability*               identityref
        |  |  +--rw ipv6-capability*               identityref
        |  |  +--rw icmpv6-capability*             identityref
        |  |  +--rw tcp-capability*                identityref
        |  |  +--rw udp-capability*                identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw anti-virus-capability*         identityref
        |  |  +--rw anti-ddos-capability*          identityref
        |  |  +--rw ips-capability*                identityref
        |  |  +--rw url-capability*                identityref
        |  |  +--rw voip-volte-capability*         identityref
        |  +--rw context-capabilities*             identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capability*        identityref
        |  +--rw egress-action-capability*         identityref
        |  +--rw log-action-capability*            identityref
        +--rw resolution-strategy-capabilities*    identityref
        +--rw default-action-capabilities*         identityref
        +--rw ipsec-method*                        identityref

      Figure 2: YANG Tree Diagram of Capabilities of Network Security
                                 Functions

   Time capabilities are used to specify the capabilities which describe
   when to execute the I2NSF policy rule.  The time capabilities are
   defined in terms of absolute time and periodic time.  The absolute
   time means the exact time to start or end.  The periodic time means
   repeated time like day, week, or month.  See Section 3.4.6
   (Capability Algebra) in [draft-ietf-i2nsf-capability] for more
   information about the time-based condition (e.g., time period) in the
   capability algebra.

   Event capabilities are used to specify the capabilities that describe
   the event that would trigger the evaluation of the condition clause
   of the I2NSF Policy Rule.  The defined event capabilities are system
   event and system alarm.  See Section 3.1 (Design Principles and ECA
   Policy Model Overview) in [draft-ietf-i2nsf-capability] for more
   information about the event in the ECA policy model.

   Condition capabilities are used to specify capabilities of a set of
   attributes, features, and/or values that are to be compared with a
   set of known attributes, features, and/or values in order to
   determine whether or not the set of actions in that (imperative)
   I2NSF policy rule can be executed.  The condition capabilities are
   classified in terms of generic network security functions and
   advanced network security functions.  The condition capabilities of
   generic network security functions are defined as IPv4 capability,
   IPv6 capability, TCP capability, UDP capability, ICMP capability, and
   ICMPv6 capability.  The condition capabilities of advanced network
   security functions are defined as anti-virus capability, anti-DDoS
   capability, IPS capability, URL capability, and VoIP/VoLTE
   capability.  See Section 3.1 (Design Principles and ECA Policy Model
   Overview) in [draft-ietf-i2nsf-capability] for more information about
   the condition in the ECA policy model.  Also, see Section 3.4.3
   (I2NSF Condition Clause Operator Types) in
   [draft-ietf-i2nsf-capability] for more information about the operator
   types in an I2NSF condition clause.

   Action capabilities are used to specify the capabilities that
   describe the control and monitoring aspects of flow-based NSFs when
   the event and condition clauses are satisfied.  The action
   capabilities are defined as ingress-action capability, egress-action
   capability, and log-action capability.  See Section 3.1 (Design
   Principles and ECA Policy Model Overview) in
   [draft-ietf-i2nsf-capability] for more information about the action
   in the ECA policy model.  Also, see Section 7.2 (NSF-Facing Flow
   Security Policy Structure) in [RFC8329] for more information about
   the ingress and egress actions.  In addition, see Section 9.1 (Flow-
   Based NSF Capability Characterization) in [RFC8329] for more
   information about logging at NSFs.

   Resolution strategy capabilities are used to specify the capabilities
   that describe how to resolve conflicts that occur between the actions
   of the same or different policy rules that are matched and contained
   in this particular NSF.  The resolution strategy capabilities are
   defined as First Matching Rule (FMR), Last Matching Rule (LMR),
   Prioritized Matching Rule (PMR), Prioritized Matching Rule with
   Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN).
   See Section 3.4.2 (Conflict, Resolution Strategy and Default Action)
   in [draft-ietf-i2nsf-capability] for more information about the
   resolution strategy.

   Default action capabilities are used to specify the capabilities that
   describe what an NSF does with a packet when no I2NSF policy rule
   matches it.  The default action capabilities are defined as pass,
   drop, alert, and mirror.  See Section 3.4.2 (Conflict, Resolution
   Strategy and Default Action) in [draft-ietf-i2nsf-capability] for
   more information about the default action.
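   The following is an added example, not code from this draft or from
   the I2NSF working group.  It shows what a Security Controller does
   with registrations expressed in this module: it recovers the identity
   derivation graph from the module's "identity" statements (a small
   constructed excerpt of the ones defined in Section 6.1 is embedded),
   loads a constructed RFC 7951 JSON instance of the "nsf" list that
   mirrors the four NSFs of Figure 1, and then answers the Section 4
   use case by selecting the NSFs whose registered condition
   capabilities cover an IPv6 rule.  Identityref values are compared
   with YANG derived-from-or-self() semantics, so a requirement stated
   at the level of "ipv6-capability" is satisfied by a registration of
   "exact-ipv6-address".  The NSF names, the instance data, and the
   choice of derived-from-or-self() as the matching rule are
   assumptions of this example; the draft does not specify a matching
   algorithm.

```python
"""Controller-side capability matching over ietf-i2nsf-capability data.

Added example (not code from the draft).  It parses a constructed excerpt
of the module's identity statements to recover the identity derivation
graph, loads a constructed RFC 7951 JSON instance of the 'nsf' list, and
selects the NSFs whose registered condition capabilities satisfy a policy
rule using YANG derived-from-or-self() semantics for identityref values.
"""
import json
import re

MODULE_NAME = "ietf-i2nsf-capability"

# Constructed excerpt of identity statements from the module (the real
# module defines many more identities; the structure is the same).
IDENTITY_EXCERPT = """
identity condition { description "Base identity for policy conditions"; }
identity ipv4-capability { base condition; reference "RFC 791"; }
identity exact-ipv4-address { base ipv4-capability; }
identity range-ipv4-address { base ipv4-capability; }
identity ipv6-capability { base condition; reference "RFC 8200"; }
identity exact-ipv6-address { base ipv6-capability; }
identity range-ipv6-address { base ipv6-capability; }
identity tcp-capability { base condition; reference "RFC 793"; }
identity exact-tcp-port-num { base tcp-capability; }
identity range-tcp-port-num { base tcp-capability; }
"""

IDENTITY_RE = re.compile(r"identity\s+([\w-]+)\s*\{([^}]*)\}", re.S)
BASE_RE = re.compile(r"\bbase\s+([\w-]+)\s*;")


def parse_identities(text):
    """Return {identity: base or None} from YANG 'identity' statements.

    Raises ValueError when an identity names a base that is not defined,
    the first sanity check to run on a vendor-extended module.
    """
    graph = {}
    for name, body in IDENTITY_RE.findall(text):
        match = BASE_RE.search(body)
        graph[name] = match.group(1) if match else None
    for name, base in graph.items():
        if base is not None and base not in graph:
            raise ValueError(f"identity {name} has undefined base {base}")
    return graph


def derived_from_or_self(graph, identity, base):
    """YANG derived-from-or-self(): walk the base chain upward."""
    current = identity
    while current is not None:
        if current == base:
            return True
        current = graph.get(current)
    return False


def local_name(qname):
    """RFC 7951 identityref 'module-name:identity' -> 'identity'."""
    return qname.split(":", 1)[1] if ":" in qname else qname


def registered_condition_caps(nsf):
    """Flatten every identityref under condition-capabilities of one NSF."""
    caps = set()
    cond = nsf.get("condition-capabilities", {})
    for group in ("generic-nsf-capabilities", "advanced-nsf-capabilities"):
        for values in cond.get(group, {}).values():
            caps.update(local_name(v) for v in values)
    caps.update(local_name(v) for v in cond.get("context-capabilities", []))
    return caps


def select_nsfs(instance, graph, required):
    """Names of NSFs whose registered capabilities cover every required
    identity.  A requirement such as 'ipv6-capability' is met by any
    registered capability derived from it, e.g. 'exact-ipv6-address'."""
    chosen = []
    for nsf in instance[f"{MODULE_NAME}:nsf"]:
        have = registered_condition_caps(nsf)
        if all(any(derived_from_or_self(graph, h, r) for h in have)
               for r in required):
            chosen.append(nsf["nsf-name"])
    return chosen


# Constructed registration data mirroring the four NSFs of Figure 1
# (NSF names are assumed; the draft gives none).
CONSTRUCTED_INSTANCE = json.loads("""
{
  "ietf-i2nsf-capability:nsf": [
    {"nsf-name": "nsf-1-a",
     "condition-capabilities": {"generic-nsf-capabilities": {
       "ipv4-capability": ["ietf-i2nsf-capability:exact-ipv4-address"]}}},
    {"nsf-name": "nsf-m-a",
     "condition-capabilities": {"generic-nsf-capabilities": {
       "ipv6-capability": ["ietf-i2nsf-capability:exact-ipv6-address"]}}},
    {"nsf-name": "nsf-1-b",
     "condition-capabilities": {"generic-nsf-capabilities": {
       "ipv4-capability": ["ietf-i2nsf-capability:range-ipv4-address"],
       "ipv6-capability": ["ietf-i2nsf-capability:range-ipv6-address"],
       "tcp-capability": ["ietf-i2nsf-capability:exact-tcp-port-num"]}}},
    {"nsf-name": "nsf-n-b",
     "condition-capabilities": {"generic-nsf-capabilities": {
       "ipv4-capability": ["ietf-i2nsf-capability:exact-ipv4-address"]}}}
  ]
}
""")

IDENTITIES = parse_identities(IDENTITY_EXCERPT)


def ipv6_capable_nsfs():
    """The Section 4 use case: which NSFs can take an IPv6 blocking rule?"""
    return select_nsfs(CONSTRUCTED_INSTANCE, IDENTITIES, ["ipv6-capability"])


if __name__ == "__main__":
    print(ipv6_capable_nsfs())  # -> ['nsf-m-a', 'nsf-1-b']
```

   Matching on the identity hierarchy rather than on string equality is
   what lets a controller keep working when a vendor registers a
   more specific derived identity than the policy names; the undefined-
   base check in parse_identities() catches the opposite failure, a
   vendor extension whose "base" points at an identity the controller
   does not know.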
   IPsec method capabilities are used to specify how an NSF supports key
   management for IPsec-protected communication.  The IPsec method
   capabilities are defined as IKE (the NSF runs the Internet Key
   Exchange itself) or IKE-less (the Security Controller provisions the
   IPsec security associations directly).  See
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for more information
   about the SDN-based IPsec flow protection in I2NSF.

6.  YANG Data Modules

6.1.  I2NSF Capability YANG Data Module

   This section introduces a YANG data module for the capabilities of
   network security functions, as defined in
   [draft-ietf-i2nsf-capability].

   <CODE BEGINS> file "ietf-i2nsf-capability@2020-08-25.yang"

   module ietf-i2nsf-capability {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
     prefix
       nsfcap;

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        WG Chair: Yoav Nir

        Editor: Susan Hares

        Editor: Jaehoon Paul Jeong

        Editor: Jinyong Tim Kim
       ";

     description
       "This module describes a capability model for I2NSF devices.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2020-08-25"{
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Capability YANG Data Model";
     }

     /*
      * Identities
      */

     identity event {
       description
         "Base identity for I2NSF policy events.";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - Event";
     }

     identity system-event-capability {
       base event;
       description
         "Identity for system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity system-alarm-capability {
       base event;
       description
         "Identity for system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity access-violation {
       base system-event-capability;
       description
         "Identity for access violation events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity configuration-change {
       base system-event-capability;
       description
         "Identity for configuration change events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System event";
     }

     identity memory-alarm {
       base system-alarm-capability;
       description
         "Identity for memory alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm-capability;
       description
         "Identity for CPU alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm-capability;
       description
         "Identity for disk alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm-capability;
       description
         "Identity for hardware alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm-capability;
       description
         "Identity for interface alarm events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03
          - System alarm";
     }

     identity condition {
       description
         "Base identity for policy conditions";
     }

     identity context-capability {
       base condition;
       description
         "Identity for context condition capabilities";
     }

     identity acl-number {
       base context-capability;
       description
         "Identity for ACL number condition capability";
     }

     identity application {
       base context-capability;
       description
         "Identity for application condition capability";
     }

     identity target {
       base context-capability;
       description
         "Identity for target condition capability";
     }

     identity user {
       base context-capability;
       description
         "Identity for user condition capability";
     }

     identity group {
       base context-capability;
       description
         "Identity for group condition capability";
     }

     identity geography {
       base context-capability;
       description
         "Identity for geography condition capability";
     }

     identity ipv4-capability {
       base condition;
       description
         "Identity for IPv4 condition capability";
       reference
         "RFC 791: Internet Protocol";
     }

     identity exact-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity range-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity ipv4-tos {
       base ipv4-capability;
       description
         "Identity for IPv4 Type-Of-Service (TOS)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity exact-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity range-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity ipv4-id {
       base ipv4-capability;
       description
         "Identity for IPv4 identification condition capability";
       reference
         "RFC 791: Internet Protocol - Identification";
     }

     identity ipv4-fragment-flags {
       base ipv4-capability;
       description
         "Identity for IPv4 fragment flags condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity exact-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity range-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity exact-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity range-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity ipv4-protocol {
       base ipv4-capability;
       description
         "Identity for IPv4 protocol condition capability";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity exact-ipv4-address {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 address
          condition capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity range-ipv4-address {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 address condition
          capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity ipv4-ip-opts {
       base ipv4-capability;
       description
         "Identity for IPv4 option condition capability";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ipv4-geo-ip {
       base ipv4-capability;
       description
         "Identity for geography condition capability";
       reference
         "draft-ietf-i2nsf-capability-05: Information Model
          of NSFs Capabilities - Geo-IP";
     }

     identity ipv6-capability {
       base condition;
       description
         "Identity for IPv6 condition capabilities";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification";
     }

     identity ipv6-traffic-class {
       base ipv6-capability;
       description
         "Identity for IPv6 traffic class
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity exact-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity range-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity exact-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity range-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity ipv6-next-header {
       base ipv6-capability;
       description
         "Identity for IPv6 next header condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity exact-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity range-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity exact-ipv6-address {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity range-ipv6-address {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity tcp-capability {
       base condition;
       description
         "Identity for TCP condition capabilities";
       reference
         "RFC 793: Transmission Control Protocol";
     }

     identity exact-tcp-port-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity range-tcp-port-num {
       base tcp-capability;
       description
         "Identity for range-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity exact-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity range-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for range-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity exact-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP acknowledgement number
          condition capability";
       reference
         "RFC 793: Transmission Control Protocol
          - Acknowledgement Number";
     }

     identity range-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for range-match TCP acknowledgement number
          condition capability";
       reference
         "RFC 793: Transmission Control Protocol
          - Acknowledgement Number";
     }

     identity exact-tcp-window-size {
       base tcp-capability;
       description
         "Identity for exact-match TCP window size condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity range-tcp-window-size {
       base tcp-capability;
       description
         "Identity for range-match TCP window size condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity tcp-flags {
       base tcp-capability;
       description
         "Identity for TCP flags condition capability";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity udp-capability {
       base condition;
       description
         "Identity for UDP condition capabilities";
       reference
         "RFC 768: User Datagram Protocol";
     }

     identity exact-udp-port-num {
       base udp-capability;
       description
         "Identity for exact-match UDP port number condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity range-udp-port-num {
       base udp-capability;
       description
         "Identity for range-match UDP port number condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity exact-udp-total-length {
       base udp-capability;
       description
         "Identity for exact-match UDP total-length condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity range-udp-total-length {
       base udp-capability;
       description
         "Identity for range-match UDP total-length condition
          capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity icmp-capability {
       base condition;
       description
         "Identity for ICMP condition capability";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmp-type {
       base icmp-capability;
       description
         "Identity for ICMP type condition capability";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmpv6-capability {
       base condition;
       description
         "Identity for ICMPv6 condition capability";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          - ICMPv6";
     }

     identity icmpv6-type {
       base icmpv6-capability;
       description
         "Identity for ICMPv6 type condition capability";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          - ICMPv6";
995 } 997 identity url-capability { 998 base condition; 999 description 1000 "Identity for URL condition capability"; 1001 } 1003 identity pre-defined { 1004 base url-capability; 1005 description 1006 "Identity for URL pre-defined condition capability"; 1007 } 1009 identity user-defined { 1010 base url-capability; 1011 description 1012 "Identity for URL user-defined condition capability"; 1013 } 1015 identity log-action-capability { 1016 description 1017 "Identity for log-action capability"; 1018 } 1020 identity rule-log { 1021 base log-action-capability; 1022 description 1023 "Identity for rule log log-action capability"; 1024 } 1026 identity session-log { 1027 base log-action-capability; 1028 description 1029 "Identity for session log log-action capability"; 1030 } 1032 identity ingress-action-capability { 1033 description 1034 "Identity for ingress-action capability"; 1035 reference 1036 "RFC 8329: Framework for Interface to Network Security 1037 Functions - Ingress action"; 1038 } 1040 identity egress-action-capability { 1041 description 1042 "Base identity for egress-action capability"; 1043 reference 1044 "RFC 8329: Framework for Interface to Network Security 1045 Functions - Egress action"; 1046 } 1048 identity default-action-capability { 1049 description 1050 "Identity for default-action capability"; 1051 reference 1052 "draft-ietf-i2nsf-capability-05: Information Model of 1053 NSFs Capabilities - Default action"; 1054 } 1056 identity pass { 1057 base ingress-action-capability; 1058 base egress-action-capability; 1059 base default-action-capability; 1060 description 1061 "Identity for pass action capability"; 1062 reference 1063 "RFC 8329: Framework for Interface to Network Security 1064 Functions - Ingress, egress, and pass actions 1065 draft-ietf-i2nsf-capability-05: Information Model of 1066 NSFs Capabilities - Actions and default action"; 1067 } 1069 identity drop { 1070 base ingress-action-capability; 1071 base egress-action-capability; 1072 base 
default-action-capability; 1073 description 1074 "Identity for drop action capability"; 1075 reference 1076 "RFC 8329: Framework for Interface to Network Security 1077 Functions - Ingress, egress, and drop actions 1078 draft-ietf-i2nsf-capability-05: Information Model of 1079 NSFs Capabilities - Actions and default action"; 1080 } 1082 identity alert { 1083 base ingress-action-capability; 1084 base egress-action-capability; 1085 base default-action-capability; 1086 description 1087 "Identity for alert action capability"; 1088 reference 1089 "RFC 8329: Framework for Interface to Network Security 1090 Functions - Ingress, egress, and alert actions 1091 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1092 NSF Monitoring YANG Data Model - Alarm (i.e., alert) 1093 draft-ietf-i2nsf-capability-05: Information Model of 1094 NSFs Capabilities - Actions and default action"; 1095 } 1097 identity mirror { 1098 base ingress-action-capability; 1099 base egress-action-capability; 1100 base default-action-capability; 1101 description 1102 "Identity for mirror action capability"; 1103 reference 1104 "RFC 8329: Framework for Interface to Network Security 1105 Functions - Ingress, egress, and mirror actions 1106 draft-ietf-i2nsf-capability-05: Information Model of 1107 NSFs Capabilities - Actions and default action"; 1108 } 1110 identity invoke-signaling { 1111 base egress-action-capability; 1112 description 1113 "Identity for invoke signaling action capability"; 1114 reference 1115 "RFC 8329: Framework for Interface to Network Security 1116 Functions - Invoke-signaling action"; 1117 } 1119 identity tunnel-encapsulation { 1120 base egress-action-capability; 1121 description 1122 "Identity for tunnel encapsulation action capability"; 1123 reference 1124 "RFC 8329: Framework for Interface to Network Security 1125 Functions - Tunnel-encapsulation action"; 1126 } 1128 identity forwarding { 1129 base egress-action-capability; 1130 description 1131 "Identity for forwarding action 
capability"; 1132 reference 1133 "RFC 8329: Framework for Interface to Network Security 1134 Functions - Forwarding action"; 1135 } 1137 identity redirection { 1138 base egress-action-capability; 1139 description 1140 "Identity for redirection action capability"; 1141 reference 1142 "RFC 8329: Framework for Interface to Network Security 1143 Functions - Redirection action"; 1144 } 1146 identity resolution-strategy-capability { 1147 description 1148 "Base identity for resolution strategy capability"; 1149 reference 1150 "draft-ietf-i2nsf-capability-05: Information Model of 1151 NSFs Capabilities - Resolution Strategy"; 1152 } 1154 identity fmr { 1155 base resolution-strategy-capability; 1156 description 1157 "Identity for First Matching Rule (FMR) resolution 1158 strategy capability"; 1159 reference 1160 "draft-ietf-i2nsf-capability-05: Information Model of 1161 NSFs Capabilities - Resolution Strategy"; 1162 } 1164 identity lmr { 1165 base resolution-strategy-capability; 1166 description 1167 "Identity for Last Matching Rule (LMR) resolution 1168 strategy capability"; 1169 reference 1170 "draft-ietf-i2nsf-capability-05: Information Model of 1171 NSFs Capabilities - Resolution Strategy"; 1172 } 1174 identity pmr { 1175 base resolution-strategy-capability; 1176 description 1177 "Identity for Prioritized Matching Rule (PMR) resolution 1178 strategy capability"; 1179 reference 1180 "draft-ietf-i2nsf-capability-05: Information Model of 1181 NSFs Capabilities - Resolution Strategy"; 1182 } 1184 identity pmre { 1185 base resolution-strategy-capability; 1186 description 1187 "Identity for Prioritized Matching Rule with Errors (PMRE) 1188 resolution strategy capability"; 1189 reference 1190 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1191 Capabilities - Resolution Strategy"; 1192 } 1194 identity pmrn { 1195 base resolution-strategy-capability; 1196 description 1197 "Identity for Prioritized Matching Rule with No Errors (PMRN) 1198 resolution strategy 
capability"; 1199 reference 1200 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1201 Capabilities - Resolution Strategy"; 1202 } 1204 identity advanced-nsf-capability { 1205 description 1206 "Base identity for advanced Network Security Function (NSF) 1207 capability. This can be used for advanced NSFs such as 1208 Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security 1209 Service."; 1210 reference 1211 "RFC 8329: Framework for Interface to Network Security 1212 Functions - Advanced NSF capability"; 1213 } 1215 identity anti-virus-capability { 1216 base advanced-nsf-capability; 1217 description 1218 "Identity for advanced NSF Anti-Virus capability. 1219 This can be used for an extension point for Anti-Virus 1220 as an advanced NSF."; 1221 reference 1222 "RFC 8329: Framework for Interface to Network Security 1223 Functions - Advanced NSF Anti-Virus capability"; 1224 } 1226 identity anti-ddos-capability { 1227 base advanced-nsf-capability; 1228 description 1229 "Identity for advanced NSF Anti-DDoS Attack capability. 1230 This can be used for an extension point for Anti-DDoS 1231 Attack as an advanced NSF."; 1232 reference 1233 "RFC 8329: Framework for Interface to Network Security 1234 Functions - Advanced NSF Anti-DDoS Attack capability"; 1235 } 1237 identity ips-capability { 1238 base advanced-nsf-capability; 1239 description 1240 "Identity for advanced NSF Intrusion Prevention System 1241 (IPS) capabilities. This can be used for an extension 1242 point for IPS as an advanced NSF."; 1243 reference 1244 "RFC 8329: Framework for Interface to Network Security 1245 Functions - Advanced NSF IPS capability"; 1246 } 1248 identity voip-volte-capability { 1249 base advanced-nsf-capability; 1250 description 1251 "Identity for advanced NSF VoIP/VoLTE Security Service 1252 capability. 
This can be used for an extension point 1253 for VoIP/VoLTE Security Service as an advanced NSF."; 1254 reference 1255 "RFC 3261: SIP: Session Initiation Protocol 1256 RFC 8329: Framework for Interface to Network Security 1257 Functions - Advanced NSF VoIP/VoLTE security service 1258 capability"; 1259 } 1261 identity detect { 1262 base anti-virus-capability; 1263 description 1264 "Identity for advanced NSF Anti-Virus Detection capability. 1265 This can be used for an extension point for Anti-Virus 1266 Detection as an advanced NSF."; 1267 reference 1268 "RFC 8329: Framework for Interface to Network Security 1269 Functions - Advanced NSF Anti-Virus Detection capability"; 1270 } 1272 identity exception-application { 1273 base anti-virus-capability; 1274 description 1275 "Identity for advanced NSF Anti-Virus Exception Application 1276 capability. This can be used for an extension point for 1277 Anti-Virus Exception Application as an advanced NSF."; 1278 reference 1279 "RFC 8329: Framework for Interface to Network Security 1280 Functions - Advanced NSF Anti-Virus Exception Application 1281 capability"; 1282 } 1284 identity exception-signature { 1285 base anti-virus-capability; 1286 description 1287 "Identity for advanced NSF Anti-Virus Exception Signature 1288 capability. This can be used for an extension point for 1289 Anti-Virus Exception Signature as an advanced NSF."; 1290 reference 1291 "RFC 8329: Framework for Interface to Network Security 1292 Functions - Advanced NSF Anti-Virus Exception Signature 1293 capability"; 1294 } 1296 identity allow-list { 1297 base anti-virus-capability; 1298 description 1299 "Identity for advanced NSF Anti-Virus Allow List capability. 
1300 This can be used for an extension point for Anti-Virus 1301 Allow List as an advanced NSF."; 1302 reference 1303 "RFC 8329: Framework for Interface to Network Security 1304 Functions - Advanced NSF Anti-Virus Allow List capability"; 1305 } 1307 identity syn-flood-action { 1308 base anti-ddos-capability; 1309 description 1310 "Identity for advanced NSF Anti-DDoS SYN Flood Action 1311 capability. This can be used for an extension point for 1312 Anti-DDoS SYN Flood Action as an advanced NSF."; 1313 reference 1314 "RFC 8329: Framework for Interface to Network Security 1315 Functions - Advanced NSF Anti-DDoS SYN Flood Action 1316 capability"; 1317 } 1319 identity udp-flood-action { 1320 base anti-ddos-capability; 1321 description 1322 "Identity for advanced NSF Anti-DDoS UDP Flood Action 1323 capability. This can be used for an extension point for 1324 Anti-DDoS UDP Flood Action as an advanced NSF."; 1326 reference 1327 "RFC 8329: Framework for Interface to Network Security 1328 Functions - Advanced NSF Anti-DDoS UDP Flood Action 1329 capability"; 1330 } 1332 identity http-flood-action { 1333 base anti-ddos-capability; 1334 description 1335 "Identity for advanced NSF Anti-DDoS HTTP Flood Action 1336 capability. This can be used for an extension point for 1337 Anti-DDoS HTTP Flood Action as an advanced NSF."; 1338 reference 1339 "RFC 8329: Framework for Interface to Network Security 1340 Functions - Advanced NSF Anti-DDoS HTTP Flood Action 1341 capability"; 1342 } 1344 identity https-flood-action { 1345 base anti-ddos-capability; 1346 description 1347 "Identity for advanced NSF Anti-DDoS HTTPS Flood Action 1348 capability. 
This can be used for an extension point for 1349 Anti-DDoS HTTPS Flood Action as an advanced NSF."; 1350 reference 1351 "RFC 8329: Framework for Interface to Network Security 1352 Functions - Advanced NSF Anti-DDoS HTTPS Flood Action 1353 capability"; 1354 } 1356 identity dns-request-flood-action { 1357 base anti-ddos-capability; 1358 description 1359 "Identity for advanced NSF Anti-DDoS DNS Request Flood 1360 Action capability. This can be used for an extension 1361 point for Anti-DDoS DNS Request Flood Action as an 1362 advanced NSF."; 1363 reference 1364 "RFC 8329: Framework for Interface to Network Security 1365 Functions - Advanced NSF Anti-DDoS DNS Request Flood 1366 Action capability"; 1367 } 1369 identity dns-reply-flood-action { 1370 base anti-ddos-capability; 1371 description 1372 "Identity for advanced NSF Anti-DDoS DNS Reply Flood 1373 Action capability. This can be used for an extension 1374 point for Anti-DDoS DNS Reply Flood Action as an 1375 advanced NSF."; 1376 reference 1377 "RFC 8329: Framework for Interface to Network Security 1378 Functions - Advanced NSF Anti-DDoS DNS Reply Flood 1379 Action capability"; 1380 } 1382 identity icmp-flood-action { 1383 base anti-ddos-capability; 1384 description 1385 "Identity for advanced NSF Anti-DDoS ICMP Flood Action 1386 capability. This can be used for an extension point 1387 for Anti-DDoS ICMP Flood Action as an advanced NSF."; 1388 reference 1389 "RFC 8329: Framework for Interface to Network Security 1390 Functions - Advanced NSF Anti-DDoS ICMP Flood Action 1391 capability"; 1392 } 1394 identity icmpv6-flood-action { 1395 base anti-ddos-capability; 1396 description 1397 "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action 1398 capability. 
This can be used for an extension point 1399 for Anti-DDoS ICMPv6 Flood Action as an advanced NSF."; 1400 reference 1401 "RFC 8329: Framework for Interface to Network Security 1402 Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action 1403 capability"; 1404 } 1406 identity sip-flood-action { 1407 base anti-ddos-capability; 1408 description 1409 "Identity for advanced NSF Anti-DDoS SIP Flood Action 1410 capability. This can be used for an extension point 1411 for Anti-DDoS SIP Flood Action as an advanced NSF."; 1412 reference 1413 "RFC 8329: Framework for Interface to Network Security 1414 Functions - Advanced NSF Anti-DDoS SIP Flood Action 1415 capability"; 1416 } 1418 identity detect-mode { 1419 base anti-ddos-capability; 1420 description 1421 "Identity for advanced NSF Anti-DDoS Detection Mode 1422 capability. This can be used for an extension point 1423 for Anti-DDoS Detection Mode as an advanced NSF."; 1424 reference 1425 "RFC 8329: Framework for Interface to Network Security 1426 Functions - Advanced NSF Anti-DDoS Detection Mode 1427 capability"; 1428 } 1430 identity baseline-learning { 1431 base anti-ddos-capability; 1432 description 1433 "Identity for advanced NSF Anti-DDoS Baseline Learning 1434 capability. This can be used for an extension point 1435 for Anti-DDoS Baseline Learning as an advanced NSF."; 1436 reference 1437 "RFC 8329: Framework for Interface to Network Security 1438 Functions - Advanced NSF Anti-DDoS Baseline Learning 1439 capability"; 1440 } 1442 identity signature-set { 1443 base ips-capability; 1444 description 1445 "Identity for advanced NSF IPS Signature Set capability. 
1446 This can be used for an extension point for IPS Signature 1447 Set as an advanced NSF."; 1448 reference 1449 "RFC 8329: Framework for Interface to Network Security 1450 Functions - Advanced NSF IPS Signature Set capability"; 1451 } 1453 identity ips-exception-signature { 1454 base ips-capability; 1455 description 1456 "Identity for advanced NSF IPS Exception Signature 1457 capability. This can be used for an extension point for 1458 IPS Exception Signature as an advanced NSF."; 1459 reference 1460 "RFC 8329: Framework for Interface to Network Security 1461 Functions - Advanced NSF IPS Exception Signature Set 1462 capability"; 1463 } 1465 identity voice-id { 1466 base voip-volte-capability; 1467 description 1468 "Identity for advanced NSF VoIP/VoLTE Voice-ID capability. 1469 This can be used for an extension point for VoIP/VoLTE 1470 Voice-ID as an advanced NSF."; 1471 reference 1472 "RFC 3261: SIP: Session Initiation Protocol 1473 RFC 8329: Framework for Interface to Network Security 1474 Functions - Advanced NSF VoIP/VoLTE Security Service 1475 capability"; 1477 } 1479 identity user-agent { 1480 base voip-volte-capability; 1481 description 1482 "Identity for advanced NSF VoIP/VoLTE User Agent capability. 
1483 This can be used for an extension point for VoIP/VoLTE 1484 User Agent as an advanced NSF."; 1485 reference 1486 "RFC 3261: SIP: Session Initiation Protocol 1487 RFC 8329: Framework for Interface to Network Security 1488 Functions - Advanced NSF VoIP/VoLTE Security Service 1489 capability"; 1490 } 1492 identity ipsec-capability { 1493 description 1494 "Base identity for an IPsec capability"; 1495 reference 1496 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1497 Software-Defined Networking (SDN)-based IPsec Flow 1498 Protection - IPsec methods such as IKE and IKE-less"; 1499 } 1501 identity ike { 1502 base ipsec-capability; 1503 description 1504 "Identity for an IPSec Internet Key Exchange (IKE) 1505 capability"; 1506 reference 1507 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1508 Software-Defined Networking (SDN)-based IPsec Flow 1509 Protection - IPsec method with IKE"; 1510 } 1512 identity ikeless { 1513 base ipsec-capability; 1514 description 1515 "Identity for an IPSec without Internet Key Exchange (IKE) 1516 capability"; 1517 reference 1518 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1519 Software-Defined Networking (SDN)-based IPsec Flow 1520 Protection - IPsec method without IKE"; 1521 } 1523 /* 1524 * Grouping 1525 */ 1527 grouping nsf-capabilities { 1528 description 1529 "Network Security Function (NSF) Capabilities"; 1530 reference 1531 "RFC 8329: Framework for Interface to Network Security 1532 Functions - I2NSF Flow Security Policy Structure 1533 draft-ietf-i2nsf-capability-05: Information Model of 1534 NSFs Capabilities - Capability Information Model Design"; 1536 leaf-list time-capabilities { 1537 type enumeration { 1538 enum absolute-time { 1539 description 1540 "absolute time capabilities. 1541 If a network security function has the absolute time 1542 capability, the network security function supports 1543 rule execution according to absolute time."; 1544 } 1545 enum periodic-time { 1546 description 1547 "periodic time capabilities. 
1548 If a network security function has the periodic time 1549 capability, the network security function supports 1550 rule execution according to periodic time."; 1551 } 1552 } 1553 description 1554 "Time capabilities"; 1555 } 1557 container event-capabilities { 1558 description 1559 "Capabilities of events. 1560 If a network security function has the event capabilities, 1561 the network security function supports rule execution 1562 according to system event and system alarm."; 1564 reference 1565 "RFC 8329: Framework for Interface to Network Security 1566 Functions - I2NSF Flow Security Policy Structure 1567 draft-ietf-i2nsf-capability-05: Information Model of 1568 NSFs Capabilities - Design Principles and ECA Policy 1569 Model Overview 1570 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1571 NSF Monitoring YANG Data Model - System Alarm and 1572 System Events"; 1574 leaf-list system-event-capability { 1575 type identityref { 1576 base system-event-capability; 1577 } 1578 description 1579 "System event capabilities"; 1580 } 1582 leaf-list system-alarm-capability { 1583 type identityref { 1584 base system-alarm-capability; 1585 } 1586 description 1587 "System alarm capabilities"; 1588 } 1589 } 1591 container condition-capabilities { 1592 description 1593 "Conditions capabilities."; 1595 container generic-nsf-capabilities { 1596 description 1597 "Conditions capabilities. 
1598 If a network security function has the condition 1599 capabilities, the network security function 1600 supports rule execution according to conditions of 1601 IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; 1602 reference 1603 "RFC 791: Internet Protocol - IPv4 1604 RFC 792: Internet Control Message Protocol - ICMP 1605 RFC 793: Transmission Control Protocol - TCP 1606 RFC 768: User Datagram Protocol - UDP 1607 RFC 8200: Internet Protocol, Version 6 (IPv6) 1608 Specification - IPv6 1609 RFC 4443: Internet Control Message Protocol (ICMPv6) 1610 for the Internet Protocol Version 6 (IPv6) Specification 1611 - ICMPv6 1612 RFC 8329: Framework for Interface to Network Security 1613 Functions - I2NSF Flow Security Policy Structure 1614 draft-ietf-i2nsf-capability-05: Information Model of 1615 NSFs Capabilities - Design Principles and ECA Policy 1616 Model Overview"; 1618 leaf-list ipv4-capability { 1619 type identityref { 1620 base ipv4-capability; 1621 } 1622 description 1623 "IPv4 packet capabilities"; 1624 reference 1625 "RFC 791: Internet Protocol"; 1626 } 1628 leaf-list icmp-capability { 1629 type identityref { 1630 base icmp-capability; 1631 } 1632 description 1633 "ICMP packet capabilities"; 1634 reference 1635 "RFC 792: Internet Control Message Protocol - ICMP"; 1636 } 1638 leaf-list ipv6-capability { 1639 type identityref { 1640 base ipv6-capability; 1641 } 1642 description 1643 "IPv6 packet capabilities"; 1644 reference 1645 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1646 Specification - IPv6"; 1647 } 1649 leaf-list icmpv6-capability { 1650 type identityref { 1651 base icmpv6-capability; 1652 } 1653 description 1654 "ICMPv6 packet capabilities"; 1655 reference 1656 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1657 for the Internet Protocol Version 6 (IPv6) Specification 1658 - ICMPv6"; 1659 } 1661 leaf-list tcp-capability { 1662 type identityref { 1663 base tcp-capability; 1664 } 1665 description 1666 "TCP packet capabilities"; 1667 
reference 1668 "RFC 793: Transmission Control Protocol - TCP"; 1669 } 1671 leaf-list udp-capability { 1672 type identityref { 1673 base udp-capability; 1674 } 1675 description 1676 "UDP packet capabilities"; 1677 reference 1678 "RFC 768: User Datagram Protocol - UDP"; 1679 } 1680 } 1682 container advanced-nsf-capabilities { 1683 description 1684 "Advanced Network Security Function (NSF) capabilities, 1685 such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE. 1686 This container contains the leaf-lists of advanced 1687 NSF capabilities"; 1688 reference 1689 "RFC 8329: Framework for Interface to Network Security 1690 Functions - Advanced NSF capabilities"; 1692 leaf-list anti-virus-capability { 1693 type identityref { 1694 base anti-virus-capability; 1695 } 1696 description 1697 "Anti-Virus capabilities"; 1698 reference 1699 "RFC 8329: Framework for Interface to Network Security 1700 Functions - Advanced NSF Anti-Virus capabilities"; 1701 } 1703 leaf-list anti-ddos-capability { 1704 type identityref { 1705 base anti-ddos-capability; 1706 } 1707 description 1708 "Anti-DDoS Attack capabilities"; 1709 reference 1710 "RFC 8329: Framework for Interface to Network Security 1711 Functions - Advanced NSF Anti-DDoS Attack capabilities"; 1712 } 1714 leaf-list ips-capability { 1715 type identityref { 1716 base ips-capability; 1717 } 1718 description 1719 "Intrusion Prevention System (IPS) capabilities"; 1720 reference 1721 "RFC 8329: Framework for Interface to Network Security 1722 Functions - Advanced NSF IPS capabilities"; 1723 } 1725 leaf-list url-capability { 1726 type identityref { 1727 base url-capability; 1728 } 1729 description 1730 "URL capabilities"; 1731 reference 1732 "RFC 8329: Framework for Interface to Network Security 1733 Functions - Advanced NSF URL capabilities"; 1734 } 1736 leaf-list voip-volte-capability { 1737 type identityref { 1738 base voip-volte-capability; 1739 } 1740 description 1741 "VoIP/VoLTE capabilities"; 1742 reference 1743 "RFC 8329: Framework 
for Interface to Network Security 1744 Functions - Advanced NSF VoIP/VoLTE capabilities"; 1745 } 1746 } 1748 leaf-list context-capabilities { 1749 type identityref { 1750 base context-capability; 1751 } 1752 description 1753 "Security context capabilities"; 1754 } 1755 } 1757 container action-capabilities { 1758 description 1759 "Action capabilities. 1760 If a network security function has the action 1761 capabilities, the network security function supports 1762 the attendant actions for policy rules."; 1764 leaf-list ingress-action-capability { 1765 type identityref { 1766 base ingress-action-capability; 1767 } 1768 description 1769 "Ingress-action capabilities"; 1770 } 1772 leaf-list egress-action-capability { 1773 type identityref { 1774 base egress-action-capability; 1775 } 1776 description 1777 "Egress-action capabilities"; 1778 } 1780 leaf-list log-action-capability { 1781 type identityref { 1782 base log-action-capability; 1783 } 1784 description 1785 "Log-action capabilities"; 1786 } 1787 } 1789 leaf-list resolution-strategy-capabilities { 1790 type identityref { 1791 base resolution-strategy-capability; 1792 } 1793 description 1794 "Resolution strategy capabilities. 1795 The resolution strategies can be used to specify how 1796 to resolve conflicts that occur between the actions 1797 of the same or different policy rules that are matched 1798 for the same packet and by particular NSF"; 1799 reference 1800 "draft-ietf-i2nsf-capability-05: Information Model of 1801 NSFs Capabilities - Resolution strategy capabilities"; 1802 } 1804 leaf-list default-action-capabilities { 1805 type identityref { 1806 base default-action-capability; 1807 } 1808 description 1809 "Default action capabilities. 1810 A default action is used to execute I2NSF policy rules 1811 when no rule matches a packet. 
The default action is 1812 defined as pass, drop, alert, or mirror."; 1813 reference 1814 "RFC 8329: Framework for Interface to Network Security 1815 Functions - Ingress and egress actions 1816 draft-ietf-i2nsf-capability-05: Information Model of 1817 NSFs Capabilities - Default action capabilities"; 1818 } 1820 leaf-list ipsec-method { 1821 type identityref { 1822 base ipsec-capability; 1823 } 1824 description 1825 "IPsec method capabilities"; 1826 reference 1827 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1828 Software-Defined Networking (SDN)-based IPsec Flow 1829 Protection - IPsec methods such as IKE and IKE-less"; 1830 } 1831 } 1833 /* 1834 * Data nodes 1835 */ 1837 list nsf { 1838 key "nsf-name"; 1839 description 1840 "The list of Network Security Functions (NSFs)"; 1841 leaf nsf-name { 1842 type string; 1843 mandatory true; 1844 description 1845 "The name of Network Security Function (NSF)"; 1846 } 1847 } 1848 } 1850 1852 Figure 3: YANG Data Module of I2NSF Capability 1854 7. IANA Considerations 1856 This document requests IANA to register the following URI in the 1857 "IETF XML Registry" [RFC3688]: 1859 Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1861 Registrant Contact: The IESG. 1863 XML: N/A; the requested URI is an XML namespace. 1865 This document requests IANA to register the following YANG module in 1866 the "YANG Module Names" registry [RFC7950][RFC8525]. 1868 name: ietf-i2nsf-capability 1870 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1872 prefix: nsfcap 1874 reference: RFC XXXX 1876 8. Security Considerations 1878 The YANG module specified in this document defines a data schema 1879 designed to be accessed through network management protocols such as 1880 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 1881 the secure transport layer, and the required transport secure 1882 transport is Secure Shell (SSH) [RFC6242]. 
   The lowest RESTCONF layer is HTTPS, and the required secure transport
   is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable, creatable, and deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations to these data nodes
   could have a negative effect on network and security operations.

   o  ietf-i2nsf-capability: An attacker could alter the security
      capabilities associated with an NSF, thereby disabling security
      mitigations or enabling their evasion.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker could gather the security
      capability information of any NSF and use this information to
      evade detection or filtering.

9.  References

9.1.  Normative References

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
              "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
              nsf-monitoring-data-model-03 (work in progress), May 2020.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-08 (work in progress), June 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC768]   Postel, J., "User Datagram Protocol", RFC 768, August
              1980.

   [RFC790]   Postel, J., "Assigned Numbers", RFC 790, September 1981.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

9.2.  Informative References

   [draft-ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-09
              (work in progress), May 2020.
   [draft-ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
              Registration Interface YANG Data Model", draft-ietf-i2nsf-
              registration-interface-dm (work in progress), March 2020.

Appendix A.  Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-capability" module for the capabilities registration of
   NSFs such as a general firewall.

A.1.  Example 1: Registration for Capabilities of General Firewall

   This section shows a configuration example for the capabilities
   registration of a general firewall.

      general_firewall

        ipv4-protocol
        exact-ipv4-address
        range-ipv4-address
        exact-fourth-layer-port-num
        range-fourth-layer-port-num

        pass
        drop
        alert
        pass
        drop
        alert

     Figure 4: Configuration XML for Capabilities Registration of General
                                  Firewall

   Figure 4 shows the configuration XML for the capabilities
   registration of a general firewall, and its capabilities are as
   follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect the protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer packets.

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or raise an alert.

A.2.  Example 2: Registration for Capabilities of Time-based Firewall

   This section shows a configuration example for the capabilities
   registration of a time-based firewall.
      time_based_firewall
      absolute-time
      periodic-time

        ipv4-protocol
        exact-ipv4-address
        range-ipv4-address

        pass
        drop
        alert
        pass
        drop
        alert

      Figure 5: Configuration XML for Capabilities Registration of Time-
                                based Firewall

   Figure 5 shows the configuration XML for the capabilities
   registration of a time-based firewall, and its capabilities are as
   follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to an
       absolute time and a periodic time.

   3.  The NSF can inspect the protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or raise an alert.

A.3.  Example 3: Registration for Capabilities of Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

      web_filter

        user-defined

        pass
        drop
        alert
        pass
        drop
        alert

       Figure 6: Configuration XML for Capabilities Registration of Web
                                    Filter

   Figure 6 shows the configuration XML for the capabilities
   registration of a web filter, and its capabilities are as follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect the URL of HTTP and HTTPS packets.

   3.  The NSF can control whether the packets are allowed to pass, are
       dropped, or raise an alert.

A.4.  Example 4: Registration for Capabilities of VoIP/VoLTE Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.
      voip_volte_filter

        voice-id

        pass
        drop
        alert
        pass
        drop
        alert

     Figure 7: Configuration XML for Capabilities Registration of VoIP/
                                 VoLTE Filter

   Figure 7 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter, and its capabilities are as
   follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect the voice ID of VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass, are
       dropped, or raise an alert.

A.5.  Example 5: Registration for Capabilities of HTTP and HTTPS Flood
      Mitigation

   This section shows a configuration example for the capabilities
   registration of HTTP and HTTPS flood mitigation.

      http_and_https_flood_mitigation

        http-flood-action
        https-flood-action

        pass
        drop
        alert
        pass
        drop
        alert

     Figure 8: Configuration XML for Capabilities Registration of HTTP and
                              HTTPS Flood Mitigation

   Figure 8 shows the configuration XML for the capabilities
   registration of HTTP and HTTPS flood mitigation, and its capabilities
   are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The location of the NSF is 221.159.112.140.

   3.  The NSF can control the amount of HTTP and HTTPS packets (flood
       mitigation).

   4.  The NSF can control whether the packets are allowed to pass, are
       dropped, or raise an alert.

Appendix B.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud-based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

Appendix C.  Contributors

   This document is the result of a group effort of the I2NSF working
   group.
   Many people actively contributed to this document.  The following
   are considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Jung-Soo Park (ETRI)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com
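As an added worked example that is not part of this draft, the following Python script transcribes the capabilities registered in Appendix A (Figures 4 through 8) and shows how a Security Controller can check a security policy rule against them before dispatching it to an NSF, rejecting any rule the NSF did not register the capabilities for. The dictionary layout, category names and functions are this example's own, not the tree of the ietf-i2nsf-capability module.

```python
# Capability registrations transcribed from Appendix A (Figures 4-8).
# The dict layout, category names and functions below are this example's
# own (a hypothetical controller-side view), not the YANG module's tree.
ACTIONS = {"pass", "drop", "alert"}

NSF_CAPABILITIES = {
    "general_firewall": {
        "time": set(),
        "condition": {"ipv4-protocol", "exact-ipv4-address",
                      "range-ipv4-address", "exact-fourth-layer-port-num",
                      "range-fourth-layer-port-num"},
        "action": ACTIONS,
    },
    "time_based_firewall": {
        "time": {"absolute-time", "periodic-time"},
        "condition": {"ipv4-protocol", "exact-ipv4-address",
                      "range-ipv4-address"},
        "action": ACTIONS,
    },
    "web_filter": {"time": set(), "condition": {"user-defined"},
                   "action": ACTIONS},
    "voip_volte_filter": {"time": set(), "condition": {"voice-id"},
                          "action": ACTIONS},
    "http_and_https_flood_mitigation": {
        "time": set(),
        "condition": {"http-flood-action", "https-flood-action"},
        "action": ACTIONS,
    },
}


def missing_capabilities(nsf_caps, rule):
    """Capabilities the rule relies on that the NSF never registered.

    A non-empty result means part of the policy would go unenforced, so
    the controller must reject the rule or route it to another NSF.
    """
    missing = set()
    for category in ("time", "condition", "action"):
        missing |= rule.get(category, set()) - nsf_caps.get(category, set())
    return missing


def select_nsfs(registry, rule):
    """Names of the registered NSFs that can enforce the whole rule."""
    return sorted(name for name, caps in registry.items()
                  if not missing_capabilities(caps, rule))


if __name__ == "__main__":
    # Constructed rule: drop traffic from one IPv4 address on a schedule.
    rule = {"time": {"periodic-time"}, "condition": {"exact-ipv4-address"},
            "action": {"drop"}}
    print(select_nsfs(NSF_CAPABILITIES, rule))  # ['time_based_firewall']
```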