idnits 2.17.1 draft-ietf-i2nsf-capability-data-model-09.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 5 instances of too long lines in the document, the longest one being 1 character in excess of 72.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text.
-- The document date (August 28, 2020) is 1330 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Unused Reference: 'RFC0768' is defined on line 1896, but no explicit reference was found in the text
== Unused Reference: 'RFC3444' is defined on line 1927, but no explicit reference was found in the text
== Unused Reference: 'RFC8431' is defined on line 2008, but no explicit reference was found in the text
== Unused Reference: 'I-D.ietf-i2nsf-nsf-monitoring-data-model' is defined on line 2029, but no explicit reference was found in the text
** Obsolete normative reference: RFC 790 (Obsoleted by RFC 820)
** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)
** Downref: Normative reference to an Informational RFC: RFC 3444
** Downref: Normative reference to an Informational RFC: RFC 3849
** Downref: Normative reference to an Informational RFC: RFC 5737
** Downref: Normative reference to an Informational RFC: RFC 8192
** Downref: Normative reference to an Informational RFC: RFC 8329
== Outdated reference: A later version (-20) exists of draft-ietf-i2nsf-nsf-monitoring-data-model-03
== Outdated reference: A later version (-14) exists of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

Summary: 8 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

I2NSF Working Group                                          S. Hares, Ed.
Internet-Draft                                                      Huawei
Intended status: Standards Track                             J. Jeong, Ed.
Expires: March 1, 2021                                              J. Kim
                                                   Sungkyunkwan University
                                                              R. Moskowitz
                                                            HTT Consulting
                                                                    Q. Lin
                                                                    Huawei
                                                           August 28, 2020

                    I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-09

Abstract

   This document defines a YANG data model for the capabilities of various Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework to centrally manage the capabilities of the various NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 1, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Overview
   5.  YANG Tree Diagram
     5.1.  Network Security Function (NSF) Capabilities
   6.  YANG Data Model of I2NSF NSF Capability
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Example 1: Registration for the Capabilities of a General Firewall
     A.2.  Example 2: Registration for the Capabilities of a Time-based Firewall
     A.3.  Example 3: Registration for the Capabilities of a Web Filter
     A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE Filter
     A.5.  Example 5: Registration for the Capabilities of a HTTP and HTTPS Flood Mitigator
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices (e.g., Internet of Things devices, self-driving vehicles, and VoIP/VoLTE smartphones) proliferate, service providers face many of the problems described in [RFC8192].
   To resolve these problems, [I-D.ietf-i2nsf-capability] specifies the information model of the capabilities of Network Security Functions (NSFs) in the framework of the Interface to Network Security Functions (I2NSF) [RFC8329].

   This document provides a YANG data model [RFC6020][RFC7950] that defines the capabilities of NSFs so that the capabilities of those security devices can be managed centrally.  The security devices can register their own capabilities with a Network Operator Management (Mgmt) System (i.e., Security Controller) using this YANG data model through the Registration Interface [RFC8329].  With the capabilities of those security devices maintained centrally, the devices can be managed more easily [RFC8329].  This YANG data model is based on the information model for I2NSF NSF capabilities [I-D.ietf-i2nsf-capability].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy model that is the basis for the design of I2NSF Policy as described in [RFC8329] and [I-D.ietf-i2nsf-capability].  The "ietf-i2nsf-capability" YANG module defined in this document provides the following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security functions.

   o  Definition for condition capabilities of generic network security functions.

   o  Definition for condition capabilities of advanced network security functions.

   o  Definition for action capabilities of generic network security functions.

   o  Definition for resolution strategy capabilities of generic network security functions.

   o  Definition for default action capabilities of generic network security functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA).  The meaning of the symbols in tree diagrams is defined in [RFC8340].

4.  Overview

   This section provides an overview of how the YANG data model can be used in the I2NSF framework described in [RFC8329].  Figure 1 shows the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF Framework.  As shown in this figure, an NSF Developer's Management System can register NSFs and the capabilities that each network security device supports.  To register NSFs in this way, the Developer's Management System uses this standardized capability YANG data model over the I2NSF Registration Interface [RFC8329].  That is, the Registration Interface uses the YANG module described in this document to describe the capabilities of a network security function that is registered with the Security Controller.  With the capabilities of those network security devices maintained centrally, the devices can be managed more easily, which resolves many of the problems described in [RFC8192].

   In Figure 1, a new NSF at a Developer's Management System has the capabilities of Firewall (FW) and Web Filter (WF), denoted as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy rules, where 'E', 'C', and 'A' mean "Event", "Condition", and "Action", respectively.  The condition involves IPv4 or IPv6 datagrams, and the action includes "Allow" and "Deny" for those datagrams.
   Note that the NSF-Facing Interface [RFC8329] is used to configure the security policy rules of generic network security functions, and the configuration of advanced security functions over the same NSF-Facing Interface is used to configure the security policy rules of advanced network security functions (e.g., anti-virus and anti-DDoS), according to the capabilities of the NSFs registered with the I2NSF Framework.

   +------------------------------------------------------+
   | I2NSF User (e.g., Overlay Network Mgmt, Enterprise   |
   | Network Mgmt, another network domain's mgmt, etc.)   |
   +--------------------------+---------------------------+
                        I2NSF ^
    Consumer-Facing Interface |
                              |
                              v           I2NSF
   +-----------------+------------+    Registration    +-------------+
   | Network Operator Mgmt System |     Interface      | Developer's |
   | (i.e., Security Controller)  |<------------------>| Mgmt System |
   +-----------------+------------+                    +-------------+
                     ^                                  New NSF
                     |                                  Cap = {FW, WF}
               I2NSF |                                  E = {}
 NSF-Facing Interface|                                  C = {IPv4, IPv6}
                     |                                  A = {Allow, Deny}
                     v
   +---------------+----+------------+-----------------+
   |               |                 |                 |
 +---+---+     +---+---+         +---+---+         +---+---+
 | NSF-1 | ... | NSF-m |         | NSF-1 | ...     | NSF-n | ...
 +-------+     +-------+         +-------+         +-------+
 NSF-1             NSF-m             NSF-1              NSF-n
 Cap = {FW, WF}    Cap = {FW, WF}    Cap = {FW, WF}     Cap = {FW, WF}
 E = {}            E = {user}        E = {dev}          E = {time}
 C = {IPv4}        C = {IPv6}        C = {IPv4, IPv6}   C = {IPv4}
 A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny}  A = {Allow, Deny}

      Developer's Mgmt System A           Developer's Mgmt System B

              Figure 1: Capabilities of NSFs in I2NSF Framework

   A use case of an NSF with the capabilities of firewall and web filter is described as follows.
   o  If a network manager wants to apply security policy rules to block malicious users with a firewall and a web filter, it is a tremendous burden for the network administrator to apply all of the needed rules to the NSFs one by one.  This problem can be resolved by managing the capabilities of NSFs as described in this document.

   o  If a network administrator wants to block malicious users for IPv6 traffic, the administrator sends a security policy rule that blocks those users to the Network Operator Management System using the I2NSF User (i.e., a web application).

   o  When the Network Operator Management System receives the security policy rule, it automatically sends that rule to the appropriate NSFs (i.e., NSF-m in Developer's Management System A and NSF-1 in Developer's Management System B) that support the required capabilities (i.e., IPv6).  This means an I2NSF User does not need to consider which NSFs the rule is applied to.

   o  If the NSFs encounter the suspicious IPv6 packets of the malicious users, they filter the packets out according to the configured security policy rule.  Therefore, the security policy rule against the malicious users' packets can be automatically applied to the appropriate NSFs without human intervention.

5.  YANG Tree Diagram

   This section shows a YANG tree diagram of the capabilities of network security functions, as defined in [I-D.ietf-i2nsf-capability].

5.1.  Network Security Function (NSF) Capabilities

   This section explains a YANG tree diagram of NSF capabilities and its features.  Figure 2 shows a YANG tree diagram of NSF capabilities.  The NSF capabilities in the tree include time capabilities, event capabilities, condition capabilities, action capabilities, resolution strategy capabilities, and default action capabilities.  Those capabilities can be tailored or extended according to a vendor's specific requirements.
   Refer to the NSF capabilities information model for a detailed discussion [I-D.ietf-i2nsf-capability].

   module: ietf-i2nsf-capability
     +--rw nsf* [nsf-name]
        +--rw nsf-name                             string
        +--rw time-capabilities*                   enumeration
        +--rw event-capabilities
        |  +--rw system-event-capability*          identityref
        |  +--rw system-alarm-capability*          identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capability*               identityref
        |  |  +--rw icmp-capability*               identityref
        |  |  +--rw ipv6-capability*               identityref
        |  |  +--rw icmpv6-capability*             identityref
        |  |  +--rw tcp-capability*                identityref
        |  |  +--rw udp-capability*                identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw anti-virus-capability*         identityref
        |  |  +--rw anti-ddos-capability*          identityref
        |  |  +--rw ips-capability*                identityref
        |  |  +--rw url-capability*                identityref
        |  |  +--rw voip-volte-capability*         identityref
        |  +--rw context-capabilities*             identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capability*        identityref
        |  +--rw egress-action-capability*         identityref
        |  +--rw log-action-capability*            identityref
        +--rw resolution-strategy-capabilities*    identityref
        +--rw default-action-capabilities*         identityref
        +--rw ipsec-method*                        identityref

       Figure 2: YANG Tree Diagram of Capabilities of Network Security Functions

   Time capabilities are used to specify the capabilities which describe when to execute the I2NSF policy rule.  The time capabilities are defined in terms of absolute time and periodic time.  The absolute time means the exact time to start or end.  The periodic time means repeated time like day, week, or month.  See Section 3.4.6 (Capability Algebra) in [I-D.ietf-i2nsf-capability] for more information about the time-based condition (e.g., time period) in the capability algebra.
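   The use case in Section 4 relies on the Security Controller matching a rule's requirements against the capabilities each NSF registered with the Figure 2 structure. The following Python is an added example (not code from the draft or any I2NSF implementation) of that capability-based dispatch: the four NSFs of Figure 1 are modelled as constructed registrations, condition capabilities use the module's identity names, and `select_nsfs`/`dispatch` are this example's own names. The event and action labels ("user", "Allow", "Deny") are taken from Figure 1 rather than from the module's identities.

```python
"""Capability-based dispatch of an I2NSF policy rule to registered NSFs.

Added example; not code from the draft or the I2NSF project.  The registry
mirrors the four NSFs of Figure 1, laid out like the Figure 2 tree:
nsf-name, event capabilities, condition capabilities, action capabilities.
"""
from typing import Dict, List, Set

# Constructed registry, as the Security Controller would hold it after the
# Developer's Mgmt Systems registered their NSFs over the Registration
# Interface.  Condition capabilities use the module's identity names.
REGISTRY: List[Dict] = [
    {"nsf-name": "A/NSF-1", "event": set(),
     "condition": {"ipv4-capability"}, "action": {"Allow", "Deny"}},
    {"nsf-name": "A/NSF-m", "event": {"user"},
     "condition": {"ipv6-capability"}, "action": {"Allow", "Deny"}},
    {"nsf-name": "B/NSF-1", "event": {"dev"},
     "condition": {"ipv4-capability", "ipv6-capability"},
     "action": {"Allow", "Deny"}},
    {"nsf-name": "B/NSF-n", "event": {"time"},
     "condition": {"ipv4-capability"}, "action": {"Allow", "Deny"}},
]

CLAUSES = ("event", "condition", "action")


class NoCapableNsf(Exception):
    """No registered NSF can enforce the rule; the controller must not
    silently apply it to a subset of the network."""


def required_capabilities(rule: Dict) -> Dict[str, Set[str]]:
    """Reduce a (simplified, constructed) ECA rule to the capability sets
    an NSF must have registered for each clause.  Missing clauses need
    nothing, so an empty event clause matches every NSF."""
    return {clause: set(rule.get(clause, ())) for clause in CLAUSES}


def can_enforce(nsf: Dict, needs: Dict[str, Set[str]]) -> bool:
    """True when every required capability is a subset of what the NSF
    registered, clause by clause."""
    return all(needs[clause] <= nsf[clause] for clause in CLAUSES)


def select_nsfs(registry: List[Dict], rule: Dict) -> List[str]:
    """Names of all NSFs whose registration covers the rule, in registry
    order.  Returns [] when nothing qualifies."""
    needs = required_capabilities(rule)
    return [nsf["nsf-name"] for nsf in registry if can_enforce(nsf, needs)]


def dispatch(registry: List[Dict], rule: Dict) -> List[str]:
    """Controller-side entry point: fail closed instead of returning an
    empty target list that a caller might mistake for success."""
    targets = select_nsfs(registry, rule)
    if not targets:
        raise NoCapableNsf(f"no NSF registered for {required_capabilities(rule)}")
    return targets


if __name__ == "__main__":
    # The Section 4 use case: block malicious users on IPv6 traffic.
    block_ipv6 = {"condition": {"ipv6-capability"}, "action": {"Deny"}}
    print(dispatch(REGISTRY, block_ipv6))        # ['A/NSF-m', 'B/NSF-1']
    # A rule that also needs a time event cannot be placed anywhere.
    try:
        dispatch(REGISTRY, {"event": {"time"}, "condition": {"ipv6-capability"}})
    except NoCapableNsf as err:
        print("rejected:", err)
```

   The split between `select_nsfs` and `dispatch` is deliberate: the selection is a pure set-inclusion check that is easy to test, while the entry point the controller calls refuses a rule that no NSF can enforce, so a policy that quietly protects nothing is reported rather than accepted.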
   Event capabilities are used to specify the capabilities that describe the event that would trigger the evaluation of the condition clause of the I2NSF Policy Rule.  The defined event capabilities are system event and system alarm.  See Section 3.1 (Design Principles and ECA Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more information about the event in the ECA policy model.

   Condition capabilities are used to specify capabilities of a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed.  The condition capabilities are classified in terms of generic network security functions and advanced network security functions.  The condition capabilities of generic network security functions are defined as IPv4 capability, IPv6 capability, TCP capability, UDP capability, and ICMP capability.  The condition capabilities of advanced network security functions are defined as anti-virus capability, anti-DDoS capability, IPS capability, HTTP capability, and VoIP/VoLTE capability.  See Section 3.1 (Design Principles and ECA Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more information about the condition in the ECA policy model.  Also, see Section 3.4.3 (I2NSF Condition Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more information about the operator types in an I2NSF condition clause.

   Action capabilities are used to specify the capabilities that describe the control and monitoring aspects of flow-based NSFs when the event and condition clauses are satisfied.  The action capabilities are defined as ingress-action capability, egress-action capability, and log-action capability.
   See Section 3.1 (Design Principles and ECA Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more information about the action in the ECA policy model.  Also, see Section 7.2 (NSF-Facing Flow Security Policy Structure) in [RFC8329] for more information about the ingress and egress actions.  In addition, see Section 9.1 (Flow-Based NSF Capability Characterization) for more information about logging at NSFs.

   Resolution strategy capabilities are used to specify the capabilities that describe how conflicts are resolved between the actions of the same or different policy rules that are matched and contained in this particular NSF.  The resolution strategy capabilities are defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN).  See Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in [I-D.ietf-i2nsf-capability] for more information about the resolution strategy.

   Default action capabilities are used to specify the capabilities that describe how to execute I2NSF policy rules when no rule matches a packet.  The default action capabilities are defined as pass, drop, alert, and mirror.  See Section 3.4.2 (Conflict, Resolution Strategy and Default Action) in [I-D.ietf-i2nsf-capability] for more information about the default action.

   IPsec method capabilities are used to specify the capabilities of how an NSF supports the Internet Key Exchange (IKE) for secure communication.  The IPsec method capabilities are defined as IKE or IKE-less.  See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more information about the SDN-based IPsec flow protection in I2NSF.

6.  YANG Data Model of I2NSF NSF Capability

   This section introduces a YANG module for NSFs' capabilities, as defined in [I-D.ietf-i2nsf-capability].
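   The resolution strategy and default action capabilities above decide which action an NSF takes when several rules match one packet, or none does, and the answer differs by strategy. The following Python is an added example (not code from the draft or the information model it cites) that evaluates a constructed rule table under FMR, LMR, PMR and PMRE and falls back to the default action on no match. Two choices are this example's assumptions, not the draft's: a larger priority number wins, and a tie between equally prioritized matches is resolved by rule order under PMR and reported as an error under PMRE. PMRN is not modelled. The function and field names are the example's own; the action names pass, drop, alert and mirror are the draft's.

```python
"""Resolution strategies and default action over a matched rule set.

Added example; not code from the draft.  Assumptions (labelled here and in
the lead-in): higher priority number wins; PMR breaks priority ties by rule
order; PMRE treats a priority tie as an error.  PMRN is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str
    priority: int           # larger = higher priority (assumption)
    match: Dict[str, str]   # condition clause: every field must equal
    action: str             # pass, drop, alert or mirror


class ResolutionError(Exception):
    """PMRE: two matched rules carry the same highest priority."""


STRATEGIES = ("FMR", "LMR", "PMR", "PMRE")

# Constructed rule table.  Rule order matters for FMR/LMR; priority
# matters for PMR/PMRE.  Addresses use the RFC 3849 documentation prefix.
RULES: List[Rule] = [
    Rule("allow-dns", 10, {"proto": "udp", "dport": "53"}, "pass"),
    Rule("drop-bad-host", 20, {"ipv6-src": "2001:db8::bad"}, "drop"),
    Rule("alert-udp", 10, {"proto": "udp"}, "alert"),
]

# Constructed packets: one hits all three rules, one hits the two
# equal-priority rules only, one hits nothing.
PKT_BAD_HOST = {"ipv6-src": "2001:db8::bad", "proto": "udp", "dport": "53"}
PKT_DNS = {"ipv6-src": "2001:db8::1", "proto": "udp", "dport": "53"}
PKT_TCP = {"ipv6-src": "2001:db8::1", "proto": "tcp", "dport": "443"}


def matches(rule: Rule, packet: Dict[str, str]) -> bool:
    """Exact-match condition clause: all fields present and equal."""
    return all(packet.get(k) == v for k, v in rule.match.items())


def resolve(strategy: str, rules: List[Rule], packet: Dict[str, str],
            default_action: str) -> str:
    """Action the NSF takes for `packet` under `strategy`.  With no
    matching rule the registered default action applies."""
    hits = [r for r in rules if matches(r, packet)]
    if not hits:
        return default_action
    if strategy == "FMR":
        return hits[0].action
    if strategy == "LMR":
        return hits[-1].action
    if strategy in ("PMR", "PMRE"):
        top = max(r.priority for r in hits)
        best = [r for r in hits if r.priority == top]
        if len(best) > 1 and strategy == "PMRE":
            raise ResolutionError(
                f"priority {top} shared by {[r.name for r in best]}")
        return best[0].action   # PMR: first of the tied rules (assumption)
    raise ValueError(f"unknown strategy {strategy}")


def resolution_matrix(rules: List[Rule], packet: Dict[str, str],
                      default_action: str) -> Dict[str, str]:
    """Outcome per strategy for one packet; 'ERROR' marks a PMRE tie."""
    out = {}
    for strategy in STRATEGIES:
        try:
            out[strategy] = resolve(strategy, rules, packet, default_action)
        except ResolutionError:
            out[strategy] = "ERROR"
    return out


if __name__ == "__main__":
    for label, pkt in (("bad host", PKT_BAD_HOST), ("dns", PKT_DNS), ("tcp", PKT_TCP)):
        print(f"{label:8s} {resolution_matrix(RULES, pkt, 'drop')}")
```

   The bad-host packet shows why the registered strategy matters: under FMR the broad DNS allow rule shadows the higher-priority drop rule, while PMR honours it. The DNS packet shows the tie case that PMRE exists to surface, and the TCP packet shows that the default action alone decides the fate of traffic no rule covers, so a registration with default action "pass" behaves very differently from one with "drop".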
   This YANG module imports from [RFC6991].  It makes references to [RFC0768][RFC0790][RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf-monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection].

   file "ietf-i2nsf-capability@2020-08-28.yang"

   module ietf-i2nsf-capability {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
     prefix
       nsfcap;

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        Editor: Jaehoon Paul Jeong

        Editor: Jinyong Tim Kim

        Editor: Susan Hares
        ";

     description
       "This module is a YANG module for I2NSF Network Security
        Functions (NSFs)'s Capabilities.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2020-08-28" {
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Capability YANG Data Model";
     }

     /*
      * Identities
      */

     identity event {
       description
         "Base identity for I2NSF policy events.";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - Event";
     }

     identity system-event-capability {
       base event;
       description
         "Identity for system event";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System event";
     }

     identity system-alarm-capability {
       base event;
       description
         "Identity for system alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm";
     }

     identity access-violation {
       base system-event-capability;
       description
         "Identity for access violation event";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System event for access
          violation";
     }

     identity configuration-change {
       base system-event-capability;
       description
         "Identity for configuration change event";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System event for configuration
          change";
     }

     identity memory-alarm {
       base system-alarm-capability;
       description
         "Identity for memory alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm for memory";
     }

     identity cpu-alarm {
       base system-alarm-capability;
       description
         "Identity for CPU alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm for CPU";
     }

     identity disk-alarm {
       base system-alarm-capability;
       description
         "Identity for disk alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm for disk";
     }

     identity hardware-alarm {
       base system-alarm-capability;
       description
         "Identity for hardware alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm for hardware";
     }

     identity interface-alarm {
       base system-alarm-capability;
       description
         "Identity for interface alarm";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF NSF
          Monitoring YANG Data Model - System alarm for interface";
     }

     identity condition {
       description
         "Base identity for policy conditions";
     }

     identity context-capability {
       base condition;
       description
         "Identity for context condition capabilities";
     }

     identity acl-number {
       base context-capability;
       description
         "Identity for ACL number condition capability";
     }

     identity application {
       base context-capability;
       description
         "Identity for application condition capability";
     }

     identity target {
       base context-capability;
       description
         "Identity for target condition capability";
     }

     identity user {
       base context-capability;
       description
         "Identity for user condition capability";
     }

     identity group {
       base context-capability;
       description
         "Identity for group condition capability";
     }

     identity geography {
       base context-capability;
       description
         "Identity for geography condition capability";
     }

     identity ipv4-capability {
       base condition;
       description
         "Identity for IPv4 condition capability";
       reference
         "RFC 791: Internet Protocol";
     }

     identity exact-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity range-ipv4-header-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 header-length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Header Length";
     }

     identity ipv4-tos {
       base ipv4-capability;
       description
         "Identity for IPv4 Type-Of-Service (TOS)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity exact-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity range-ipv4-total-length {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 total length
          condition capability";
       reference
         "RFC 791: Internet Protocol - Total Length";
     }

     identity ipv4-id {
       base ipv4-capability;
       description
         "Identity for identification condition capability";
       reference
         "RFC 791: Internet Protocol - Identification";
     }

     identity ipv4-fragment-flags {
       base ipv4-capability;
       description
         "Identity for IPv4 fragment flags condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity exact-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity range-ipv4-fragment-offset {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 fragment offset
          condition capability";
       reference
         "RFC 791: Internet Protocol - Fragmentation Offset";
     }

     identity exact-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity range-ipv4-ttl {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 Time-To-Live (TTL)
          condition capability";
       reference
         "RFC 791: Internet Protocol - Time To Live (TTL)";
     }

     identity ipv4-protocol {
       base ipv4-capability;
       description
         "Identity for IPv4 protocol condition capability";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity exact-ipv4-address {
       base ipv4-capability;
       description
         "Identity for exact-match IPv4 address
          condition capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity range-ipv4-address {
       base ipv4-capability;
       description
         "Identity for range-match IPv4 address condition
          capability";
       reference
         "RFC 791: Internet Protocol - Address";
     }

     identity ipv4-ip-opts {
       base ipv4-capability;
       description
         "Identity for IPv4 option condition capability";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ipv4-geo-ip {
       base ipv4-capability;
       description
         "Identity for geography condition capability";
       reference
         "draft-ietf-i2nsf-capability-05: Information Model
          of NSFs Capabilities - Geo-IP";
     }

     identity ipv6-capability {
       base condition;
       description
         "Identity for IPv6 condition capabilities";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification";
     }

     identity ipv6-traffic-class {
       base ipv6-capability;
       description
         "Identity for IPv6 traffic class
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity exact-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity range-ipv6-flow-label {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 flow label
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Flow Label";
     }

     identity exact-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity range-ipv6-payload-length {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 payload length
          condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Payload Length";
     }

     identity ipv6-next-header {
       base ipv6-capability;
       description
         "Identity for IPv6 next header condition capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity exact-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity range-ipv6-hop-limit {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 hop limit condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Hop Limit";
     }

     identity exact-ipv6-address {
       base ipv6-capability;
       description
         "Identity for exact-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity range-ipv6-address {
       base ipv6-capability;
       description
         "Identity for range-match IPv6 address condition
          capability";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Address";
     }

     identity tcp-capability {
       base condition;
       description
         "Identity for TCP condition capabilities";
       reference
         "RFC 793: Transmission Control Protocol";
     }

     identity exact-tcp-port-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity range-tcp-port-num {
       base tcp-capability;
       description
         "Identity for range-match TCP port number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Port Number";
     }

     identity exact-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity range-tcp-seq-num {
       base tcp-capability;
       description
         "Identity for range-match TCP sequence number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Sequence Number";
     }

     identity exact-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for exact-match TCP acknowledgement number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity range-tcp-ack-num {
       base tcp-capability;
       description
         "Identity for range-match TCP acknowledgement number condition
          capability";
       reference
         "RFC 793: Transmission Control Protocol - Acknowledgement Number";
     }

     identity exact-tcp-window-size {
       base tcp-capability;
       description
         "Identity for exact-match TCP window size condition capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity range-tcp-window-size {
       base tcp-capability;
       description
         "Identity for range-match TCP window size condition capability";
       reference
         "RFC 793: Transmission Control Protocol - Window Size";
     }

     identity tcp-flags {
       base tcp-capability;
       description
         "Identity for TCP flags condition capability";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity udp-capability {
       base condition;
       description
         "Identity for UDP condition capabilities";
       reference
         "RFC 768: User Datagram Protocol";
     }

     identity exact-udp-port-num {
       base udp-capability;
       description
         "Identity for exact-match UDP port number condition capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity range-udp-port-num {
       base udp-capability;
       description
         "Identity for range-match UDP port number condition capability";
       reference
         "RFC 768: User Datagram Protocol - Port Number";
     }

     identity exact-udp-total-length {
       base udp-capability;
       description
         "Identity for exact-match UDP total-length condition capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity range-udp-total-length {
       base udp-capability;
       description
         "Identity for range-match UDP total-length condition capability";
       reference
         "RFC 768: User Datagram Protocol - Total Length";
     }

     identity icmp-capability {
       base condition;
       description
         "Identity for ICMP condition capability";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmp-type {
       base icmp-capability;
       description
         "Identity for ICMP type condition capability";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity icmpv6-capability {
       base condition;
       description
         "Identity for ICMPv6 condition capability";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          - ICMPv6";
     }

     identity icmpv6-type {
       base icmpv6-capability;
       description
         "Identity for ICMPv6 type condition capability";
       reference
         "RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6) Specification
          - ICMPv6";
     }

     identity url-capability {
       base condition;
       description
         "Identity for URL condition capability";
     }

     identity pre-defined {
       base url-capability;
       description
         "Identity for URL pre-defined condition capability";
     }

     identity user-defined {
       base url-capability;
       description
         "Identity for URL user-defined condition capability";
     }

     identity log-action-capability {
       description
         "Identity for log-action capability";
     }

     identity rule-log {
       base log-action-capability;
       description
         "Identity for rule log log-action capability";
     }

     identity session-log {
       base log-action-capability;
       description
         "Identity for session log log-action capability";
     }

     identity ingress-action-capability {
       description
         "Identity for ingress-action capability";
       reference
         "RFC 8329: Framework for Interface to Network Security
          Functions - Ingress action";
     }

     identity egress-action-capability {
       description
         "Base identity for egress-action capability";
       reference
         "RFC 8329: Framework for Interface to Network Security
          Functions - Egress action";
     }

     identity default-action-capability {
       description
         "Identity for default-action capability";
       reference
         "draft-ietf-i2nsf-capability-05: Information Model of
          NSFs Capabilities - Default action";
     }

     identity pass {
       base ingress-action-capability;
       base egress-action-capability;
base default-action-capability; 1046 description 1047 "Identity for pass action capability"; 1048 reference 1049 "RFC 8329: Framework for Interface to Network Security 1050 Functions - Ingress, egress, and pass actions 1051 draft-ietf-i2nsf-capability-05: Information Model of 1052 NSFs Capabilities - Actions and default action"; 1053 } 1055 identity drop { 1056 base ingress-action-capability; 1057 base egress-action-capability; 1058 base default-action-capability; 1059 description 1060 "Identity for drop action capability"; 1061 reference 1062 "RFC 8329: Framework for Interface to Network Security 1063 Functions - Ingress, egress, and drop actions 1064 draft-ietf-i2nsf-capability-05: Information Model of 1065 NSFs Capabilities - Actions and default action"; 1066 } 1068 identity alert { 1069 base ingress-action-capability; 1070 base egress-action-capability; 1071 base default-action-capability; 1072 description 1073 "Identity for alert action capability"; 1074 reference 1075 "RFC 8329: Framework for Interface to Network Security 1076 Functions - Ingress, egress, and alert actions 1077 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1078 NSF Monitoring YANG Data Model - Alarm (i.e., alert) 1079 draft-ietf-i2nsf-capability-05: Information Model of 1080 NSFs Capabilities - Actions and default action"; 1081 } 1083 identity mirror { 1084 base ingress-action-capability; 1085 base egress-action-capability; 1086 base default-action-capability; 1087 description 1088 "Identity for mirror action capability"; 1089 reference 1090 "RFC 8329: Framework for Interface to Network Security 1091 Functions - Ingress, egress, and mirror actions 1092 draft-ietf-i2nsf-capability-05: Information Model of 1093 NSFs Capabilities - Actions and default action"; 1094 } 1096 identity invoke-signaling { 1097 base egress-action-capability; 1098 description 1099 "Identity for invoke signaling action capability"; 1100 reference 1101 "RFC 8329: Framework for Interface to Network Security 1102 
Functions - Invoke-signaling action"; 1103 } 1105 identity tunnel-encapsulation { 1106 base egress-action-capability; 1107 description 1108 "Identity for tunnel encapsulation action capability"; 1109 reference 1110 "RFC 8329: Framework for Interface to Network Security 1111 Functions - Tunnel-encapsulation action"; 1112 } 1114 identity forwarding { 1115 base egress-action-capability; 1116 description 1117 "Identity for forwarding action capability"; 1118 reference 1119 "RFC 8329: Framework for Interface to Network Security 1120 Functions - Forwarding action"; 1121 } 1123 identity redirection { 1124 base egress-action-capability; 1125 description 1126 "Identity for redirection action capability"; 1127 reference 1128 "RFC 8329: Framework for Interface to Network Security 1129 Functions - Redirection action"; 1130 } 1132 identity resolution-strategy-capability { 1133 description 1134 "Base identity for resolution strategy capability"; 1135 reference 1136 "draft-ietf-i2nsf-capability-05: Information Model of 1137 NSFs Capabilities - Resolution Strategy"; 1138 } 1140 identity fmr { 1141 base resolution-strategy-capability; 1142 description 1143 "Identity for First Matching Rule (FMR) resolution 1144 strategy capability"; 1145 reference 1146 "draft-ietf-i2nsf-capability-05: Information Model of 1147 NSFs Capabilities - Resolution Strategy"; 1148 } 1150 identity lmr { 1151 base resolution-strategy-capability; 1152 description 1153 "Identity for Last Matching Rule (LMR) resolution 1154 strategy capability"; 1155 reference 1156 "draft-ietf-i2nsf-capability-05: Information Model of 1157 NSFs Capabilities - Resolution Strategy"; 1158 } 1160 identity pmr { 1161 base resolution-strategy-capability; 1162 description 1163 "Identity for Prioritized Matching Rule (PMR) resolution 1164 strategy capability"; 1165 reference 1166 "draft-ietf-i2nsf-capability-05: Information Model of 1167 NSFs Capabilities - Resolution Strategy"; 1168 } 1170 identity pmre { 1171 base 
resolution-strategy-capability; 1172 description 1173 "Identity for Prioritized Matching Rule with Errors (PMRE) 1174 resolution strategy capability"; 1175 reference 1176 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1177 Capabilities - Resolution Strategy"; 1178 } 1180 identity pmrn { 1181 base resolution-strategy-capability; 1182 description 1183 "Identity for Prioritized Matching Rule with No Errors (PMRN) 1184 resolution strategy capability"; 1185 reference 1186 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1187 Capabilities - Resolution Strategy"; 1188 } 1190 identity advanced-nsf-capability { 1191 description 1192 "Base identity for advanced Network Security Function (NSF) 1193 capability. This can be used for advanced NSFs such as 1194 Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security 1195 Service."; 1196 reference 1197 "RFC 8329: Framework for Interface to Network Security 1198 Functions - Advanced NSF capability"; 1199 } 1201 identity anti-virus-capability { 1202 base advanced-nsf-capability; 1203 description 1204 "Identity for advanced NSF Anti-Virus capability. 1205 This can be used for an extension point for Anti-Virus 1206 as an advanced NSF."; 1207 reference 1208 "RFC 8329: Framework for Interface to Network Security 1209 Functions - Advanced NSF Anti-Virus capability"; 1210 } 1212 identity anti-ddos-capability { 1213 base advanced-nsf-capability; 1214 description 1215 "Identity for advanced NSF Anti-DDoS Attack capability. 1216 This can be used for an extension point for Anti-DDoS 1217 Attack as an advanced NSF."; 1218 reference 1219 "RFC 8329: Framework for Interface to Network Security 1220 Functions - Advanced NSF Anti-DDoS Attack capability"; 1221 } 1223 identity ips-capability { 1224 base advanced-nsf-capability; 1225 description 1226 "Identity for advanced NSF Intrusion Prevention System 1227 (IPS) capabilities. 
This can be used for an extension 1228 point for IPS as an advanced NSF."; 1229 reference 1230 "RFC 8329: Framework for Interface to Network Security 1231 Functions - Advanced NSF IPS capability"; 1232 } 1234 identity voip-volte-capability { 1235 base advanced-nsf-capability; 1236 description 1237 "Identity for advanced NSF VoIP/VoLTE Security Service 1238 capability. This can be used for an extension point 1239 for VoIP/VoLTE Security Service as an advanced NSF."; 1240 reference 1241 "RFC 3261: SIP: Session Initiation Protocol 1242 RFC 8329: Framework for Interface to Network Security 1243 Functions - Advanced NSF VoIP/VoLTE security service 1244 capability"; 1245 } 1247 identity detect { 1248 base anti-virus-capability; 1249 description 1250 "Identity for advanced NSF Anti-Virus Detection capability. 1251 This can be used for an extension point for Anti-Virus 1252 Detection as an advanced NSF."; 1253 reference 1254 "RFC 8329: Framework for Interface to Network Security 1255 Functions - Advanced NSF Anti-Virus Detection capability"; 1256 } 1258 identity exception-application { 1259 base anti-virus-capability; 1260 description 1261 "Identity for advanced NSF Anti-Virus Exception Application 1262 capability. This can be used for an extension point for 1263 Anti-Virus Exception Application as an advanced NSF."; 1264 reference 1265 "RFC 8329: Framework for Interface to Network Security 1266 Functions - Advanced NSF Anti-Virus Exception Application 1267 capability"; 1268 } 1270 identity exception-signature { 1271 base anti-virus-capability; 1272 description 1273 "Identity for advanced NSF Anti-Virus Exception Signature 1274 capability. 
This can be used for an extension point for 1275 Anti-Virus Exception Signature as an advanced NSF."; 1276 reference 1277 "RFC 8329: Framework for Interface to Network Security 1278 Functions - Advanced NSF Anti-Virus Exception Signature 1279 capability"; 1280 } 1282 identity allow-list { 1283 base anti-virus-capability; 1284 description 1285 "Identity for advanced NSF Anti-Virus Allow List capability. 1286 This can be used for an extension point for Anti-Virus 1287 Allow List as an advanced NSF."; 1288 reference 1289 "RFC 8329: Framework for Interface to Network Security 1290 Functions - Advanced NSF Anti-Virus Allow List capability"; 1291 } 1293 identity syn-flood-action { 1294 base anti-ddos-capability; 1295 description 1296 "Identity for advanced NSF Anti-DDoS SYN Flood Action 1297 capability. This can be used for an extension point for 1298 Anti-DDoS SYN Flood Action as an advanced NSF."; 1299 reference 1300 "RFC 8329: Framework for Interface to Network Security 1301 Functions - Advanced NSF Anti-DDoS SYN Flood Action 1302 capability"; 1303 } 1305 identity udp-flood-action { 1306 base anti-ddos-capability; 1307 description 1308 "Identity for advanced NSF Anti-DDoS UDP Flood Action 1309 capability. This can be used for an extension point for 1310 Anti-DDoS UDP Flood Action as an advanced NSF."; 1312 reference 1313 "RFC 8329: Framework for Interface to Network Security 1314 Functions - Advanced NSF Anti-DDoS UDP Flood Action 1315 capability"; 1316 } 1318 identity http-flood-action { 1319 base anti-ddos-capability; 1320 description 1321 "Identity for advanced NSF Anti-DDoS HTTP Flood Action 1322 capability. 
This can be used for an extension point for 1323 Anti-DDoS HTTP Flood Action as an advanced NSF."; 1324 reference 1325 "RFC 8329: Framework for Interface to Network Security 1326 Functions - Advanced NSF Anti-DDoS HTTP Flood Action 1327 capability"; 1328 } 1330 identity https-flood-action { 1331 base anti-ddos-capability; 1332 description 1333 "Identity for advanced NSF Anti-DDoS HTTPS Flood Action 1334 capability. This can be used for an extension point for 1335 Anti-DDoS HTTPS Flood Action as an advanced NSF."; 1336 reference 1337 "RFC 8329: Framework for Interface to Network Security 1338 Functions - Advanced NSF Anti-DDoS HTTPS Flood Action 1339 capability"; 1340 } 1342 identity dns-request-flood-action { 1343 base anti-ddos-capability; 1344 description 1345 "Identity for advanced NSF Anti-DDoS DNS Request Flood 1346 Action capability. This can be used for an extension 1347 point for Anti-DDoS DNS Request Flood Action as an 1348 advanced NSF."; 1349 reference 1350 "RFC 8329: Framework for Interface to Network Security 1351 Functions - Advanced NSF Anti-DDoS DNS Request Flood 1352 Action capability"; 1353 } 1355 identity dns-reply-flood-action { 1356 base anti-ddos-capability; 1357 description 1358 "Identity for advanced NSF Anti-DDoS DNS Reply Flood 1359 Action capability. This can be used for an extension 1360 point for Anti-DDoS DNS Reply Flood Action as an 1361 advanced NSF."; 1362 reference 1363 "RFC 8329: Framework for Interface to Network Security 1364 Functions - Advanced NSF Anti-DDoS DNS Reply Flood 1365 Action capability"; 1366 } 1368 identity icmp-flood-action { 1369 base anti-ddos-capability; 1370 description 1371 "Identity for advanced NSF Anti-DDoS ICMP Flood Action 1372 capability. 
This can be used for an extension point 1373 for Anti-DDoS ICMP Flood Action as an advanced NSF."; 1374 reference 1375 "RFC 8329: Framework for Interface to Network Security 1376 Functions - Advanced NSF Anti-DDoS ICMP Flood Action 1377 capability"; 1378 } 1380 identity icmpv6-flood-action { 1381 base anti-ddos-capability; 1382 description 1383 "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action 1384 capability. This can be used for an extension point 1385 for Anti-DDoS ICMPv6 Flood Action as an advanced NSF."; 1386 reference 1387 "RFC 8329: Framework for Interface to Network Security 1388 Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action 1389 capability"; 1390 } 1392 identity sip-flood-action { 1393 base anti-ddos-capability; 1394 description 1395 "Identity for advanced NSF Anti-DDoS SIP Flood Action 1396 capability. This can be used for an extension point 1397 for Anti-DDoS SIP Flood Action as an advanced NSF."; 1398 reference 1399 "RFC 8329: Framework for Interface to Network Security 1400 Functions - Advanced NSF Anti-DDoS SIP Flood Action 1401 capability"; 1402 } 1404 identity detect-mode { 1405 base anti-ddos-capability; 1406 description 1407 "Identity for advanced NSF Anti-DDoS Detection Mode 1408 capability. This can be used for an extension point 1409 for Anti-DDoS Detection Mode as an advanced NSF."; 1410 reference 1411 "RFC 8329: Framework for Interface to Network Security 1412 Functions - Advanced NSF Anti-DDoS Detection Mode 1413 capability"; 1414 } 1416 identity baseline-learning { 1417 base anti-ddos-capability; 1418 description 1419 "Identity for advanced NSF Anti-DDoS Baseline Learning 1420 capability. 
This can be used for an extension point 1421 for Anti-DDoS Baseline Learning as an advanced NSF."; 1422 reference 1423 "RFC 8329: Framework for Interface to Network Security 1424 Functions - Advanced NSF Anti-DDoS Baseline Learning 1425 capability"; 1426 } 1428 identity signature-set { 1429 base ips-capability; 1430 description 1431 "Identity for advanced NSF IPS Signature Set capability. 1432 This can be used for an extension point for IPS Signature 1433 Set as an advanced NSF."; 1434 reference 1435 "RFC 8329: Framework for Interface to Network Security 1436 Functions - Advanced NSF IPS Signature Set capability"; 1437 } 1439 identity ips-exception-signature { 1440 base ips-capability; 1441 description 1442 "Identity for advanced NSF IPS Exception Signature 1443 capability. This can be used for an extension point for 1444 IPS Exception Signature as an advanced NSF."; 1445 reference 1446 "RFC 8329: Framework for Interface to Network Security 1447 Functions - Advanced NSF IPS Exception Signature Set 1448 capability"; 1449 } 1451 identity voice-id { 1452 base voip-volte-capability; 1453 description 1454 "Identity for advanced NSF VoIP/VoLTE Voice-ID capability. 1455 This can be used for an extension point for VoIP/VoLTE 1456 Voice-ID as an advanced NSF."; 1457 reference 1458 "RFC 3261: SIP: Session Initiation Protocol 1459 RFC 8329: Framework for Interface to Network Security 1460 Functions - Advanced NSF VoIP/VoLTE Security Service 1461 capability"; 1463 } 1465 identity user-agent { 1466 base voip-volte-capability; 1467 description 1468 "Identity for advanced NSF VoIP/VoLTE User Agent capability. 
1469 This can be used for an extension point for VoIP/VoLTE 1470 User Agent as an advanced NSF."; 1471 reference 1472 "RFC 3261: SIP: Session Initiation Protocol 1473 RFC 8329: Framework for Interface to Network Security 1474 Functions - Advanced NSF VoIP/VoLTE Security Service 1475 capability"; 1476 } 1478 identity ipsec-capability { 1479 description 1480 "Base identity for an IPsec capability"; 1481 reference 1482 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1483 Software-Defined Networking (SDN)-based IPsec Flow 1484 Protection - IPsec methods such as IKE and IKE-less"; 1485 } 1487 identity ike { 1488 base ipsec-capability; 1489 description 1490 "Identity for an IPsec Internet Key Exchange (IKE) 1491 capability"; 1492 reference 1493 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1494 Software-Defined Networking (SDN)-based IPsec Flow 1495 Protection - IPsec method with IKE"; 1496 } 1498 identity ikeless { 1499 base ipsec-capability; 1500 description 1501 "Identity for an IPsec without Internet Key Exchange (IKE) 1502 capability"; 1503 reference 1504 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1505 Software-Defined Networking (SDN)-based IPsec Flow 1506 Protection - IPsec method without IKE"; 1507 } 1509 /* 1510 * Grouping 1511 */ 1513 grouping nsf-capabilities { 1514 description 1515 "Network Security Function (NSF) Capabilities"; 1516 reference 1517 "RFC 8329: Framework for Interface to Network Security 1518 Functions - I2NSF Flow Security Policy Structure 1519 draft-ietf-i2nsf-capability-05: Information Model of 1520 NSFs Capabilities - Capability Information Model Design"; 1522 leaf-list time-capabilities { 1523 type enumeration { 1524 enum absolute-time { 1525 description 1526 "absolute time capabilities. 1527 If a network security function has the absolute time 1528 capability, the network security function supports 1529 rule execution according to absolute time."; 1530 } 1531 enum periodic-time { 1532 description 1533 "periodic time capabilities. 
1534 If a network security function has the periodic time 1535 capability, the network security function supports 1536 rule execution according to periodic time."; 1537 } 1538 } 1539 description 1540 "Time capabilities"; 1541 } 1543 container event-capabilities { 1544 description 1545 "Capabilities of events. 1546 If a network security function has the event capabilities, 1547 the network security function supports rule execution 1548 according to system event and system alarm."; 1550 reference 1551 "RFC 8329: Framework for Interface to Network Security 1552 Functions - I2NSF Flow Security Policy Structure 1553 draft-ietf-i2nsf-capability-05: Information Model of 1554 NSFs Capabilities - Design Principles and ECA Policy 1555 Model Overview 1556 draft-ietf-i2nsf-nsf-monitoring-data-model-03: I2NSF 1557 NSF Monitoring YANG Data Model - System Alarm and 1558 System Events"; 1560 leaf-list system-event-capability { 1561 type identityref { 1562 base system-event-capability; 1563 } 1564 description 1565 "System event capabilities"; 1566 } 1568 leaf-list system-alarm-capability { 1569 type identityref { 1570 base system-alarm-capability; 1571 } 1572 description 1573 "System alarm capabilities"; 1574 } 1575 } 1577 container condition-capabilities { 1578 description 1579 "Conditions capabilities."; 1581 container generic-nsf-capabilities { 1582 description 1583 "Conditions capabilities. 
1584 If a network security function has the condition 1585 capabilities, the network security function 1586 supports rule execution according to conditions of 1587 IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; 1588 reference 1589 "RFC 791: Internet Protocol - IPv4 1590 RFC 792: Internet Control Message Protocol - ICMP 1591 RFC 793: Transmission Control Protocol - TCP 1592 RFC 768: User Datagram Protocol - UDP 1593 RFC 8200: Internet Protocol, Version 6 (IPv6) 1594 Specification - IPv6 1595 RFC 4443: Internet Control Message Protocol (ICMPv6) 1596 for the Internet Protocol Version 6 (IPv6) Specification 1597 - ICMPv6 1598 RFC 8329: Framework for Interface to Network Security 1599 Functions - I2NSF Flow Security Policy Structure 1600 draft-ietf-i2nsf-capability-05: Information Model of 1601 NSFs Capabilities - Design Principles and ECA Policy 1602 Model Overview"; 1604 leaf-list ipv4-capability { 1605 type identityref { 1606 base ipv4-capability; 1607 } 1608 description 1609 "IPv4 packet capabilities"; 1610 reference 1611 "RFC 791: Internet Protocol"; 1612 } 1614 leaf-list icmp-capability { 1615 type identityref { 1616 base icmp-capability; 1617 } 1618 description 1619 "ICMP packet capabilities"; 1620 reference 1621 "RFC 792: Internet Control Message Protocol - ICMP"; 1622 } 1624 leaf-list ipv6-capability { 1625 type identityref { 1626 base ipv6-capability; 1627 } 1628 description 1629 "IPv6 packet capabilities"; 1630 reference 1631 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1632 Specification - IPv6"; 1633 } 1635 leaf-list icmpv6-capability { 1636 type identityref { 1637 base icmpv6-capability; 1638 } 1639 description 1640 "ICMPv6 packet capabilities"; 1641 reference 1642 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1643 for the Internet Protocol Version 6 (IPv6) Specification 1644 - ICMPv6"; 1645 } 1647 leaf-list tcp-capability { 1648 type identityref { 1649 base tcp-capability; 1650 } 1651 description 1652 "TCP packet capabilities"; 1653 
reference 1654 "RFC 793: Transmission Control Protocol - TCP"; 1655 } 1657 leaf-list udp-capability { 1658 type identityref { 1659 base udp-capability; 1660 } 1661 description 1662 "UDP packet capabilities"; 1663 reference 1664 "RFC 768: User Datagram Protocol - UDP"; 1665 } 1666 } 1668 container advanced-nsf-capabilities { 1669 description 1670 "Advanced Network Security Function (NSF) capabilities, 1671 such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE. 1672 This container contains the leaf-lists of advanced 1673 NSF capabilities"; 1674 reference 1675 "RFC 8329: Framework for Interface to Network Security 1676 Functions - Advanced NSF capabilities"; 1678 leaf-list anti-virus-capability { 1679 type identityref { 1680 base anti-virus-capability; 1681 } 1682 description 1683 "Anti-Virus capabilities"; 1684 reference 1685 "RFC 8329: Framework for Interface to Network Security 1686 Functions - Advanced NSF Anti-Virus capabilities"; 1687 } 1689 leaf-list anti-ddos-capability { 1690 type identityref { 1691 base anti-ddos-capability; 1692 } 1693 description 1694 "Anti-DDoS Attack capabilities"; 1695 reference 1696 "RFC 8329: Framework for Interface to Network Security 1697 Functions - Advanced NSF Anti-DDoS Attack capabilities"; 1698 } 1700 leaf-list ips-capability { 1701 type identityref { 1702 base ips-capability; 1703 } 1704 description 1705 "Intrusion Prevention System (IPS) capabilities"; 1706 reference 1707 "RFC 8329: Framework for Interface to Network Security 1708 Functions - Advanced NSF IPS capabilities"; 1709 } 1711 leaf-list url-capability { 1712 type identityref { 1713 base url-capability; 1714 } 1715 description 1716 "URL capabilities"; 1717 reference 1718 "RFC 8329: Framework for Interface to Network Security 1719 Functions - Advanced NSF URL capabilities"; 1720 } 1722 leaf-list voip-volte-capability { 1723 type identityref { 1724 base voip-volte-capability; 1725 } 1726 description 1727 "VoIP/VoLTE capabilities"; 1728 reference 1729 "RFC 8329: Framework 
for Interface to Network Security 1730 Functions - Advanced NSF VoIP/VoLTE capabilities"; 1731 } 1732 } 1734 leaf-list context-capabilities { 1735 type identityref { 1736 base context-capability; 1737 } 1738 description 1739 "Security context capabilities"; 1740 } 1741 } 1743 container action-capabilities { 1744 description 1745 "Action capabilities. 1746 If a network security function has the action 1747 capabilities, the network security function supports 1748 the attendant actions for policy rules."; 1750 leaf-list ingress-action-capability { 1751 type identityref { 1752 base ingress-action-capability; 1753 } 1754 description 1755 "Ingress-action capabilities"; 1756 } 1758 leaf-list egress-action-capability { 1759 type identityref { 1760 base egress-action-capability; 1761 } 1762 description 1763 "Egress-action capabilities"; 1764 } 1766 leaf-list log-action-capability { 1767 type identityref { 1768 base log-action-capability; 1769 } 1770 description 1771 "Log-action capabilities"; 1772 } 1773 } 1775 leaf-list resolution-strategy-capabilities { 1776 type identityref { 1777 base resolution-strategy-capability; 1778 } 1779 description 1780 "Resolution strategy capabilities. 1781 The resolution strategies can be used to specify how 1782 to resolve conflicts that occur between the actions 1783 of the same or different policy rules that are matched 1784 for the same packet and by particular NSF"; 1785 reference 1786 "draft-ietf-i2nsf-capability-05: Information Model of 1787 NSFs Capabilities - Resolution strategy capabilities"; 1788 } 1790 leaf-list default-action-capabilities { 1791 type identityref { 1792 base default-action-capability; 1793 } 1794 description 1795 "Default action capabilities. 1796 A default action is used to execute I2NSF policy rules 1797 when no rule matches a packet. 
The default action is 1798 defined as pass, drop, alert, or mirror."; 1799 reference 1800 "RFC 8329: Framework for Interface to Network Security 1801 Functions - Ingress and egress actions 1802 draft-ietf-i2nsf-capability-05: Information Model of 1803 NSFs Capabilities - Default action capabilities"; 1804 } 1806 leaf-list ipsec-method { 1807 type identityref { 1808 base ipsec-capability; 1809 } 1810 description 1811 "IPsec method capabilities"; 1812 reference 1813 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1814 Software-Defined Networking (SDN)-based IPsec Flow 1815 Protection - IPsec methods such as IKE and IKE-less"; 1816 } 1817 } 1819 /* 1820 * Data nodes 1821 */ 1823 list nsf { 1824 key "nsf-name"; 1825 description 1826 "The list of Network Security Functions (NSFs)"; 1827 leaf nsf-name { 1828 type string; 1829 mandatory true; 1830 description 1831 "The name of Network Security Function (NSF)"; 1832 } 1833 } 1834 } 1836 1838 Figure 3: YANG Data Module of I2NSF Capability 1840 7. IANA Considerations 1842 This document requests IANA to register the following URI in the 1843 "IETF XML Registry" [RFC3688]: 1845 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1846 Registrant Contact: The IESG. 1847 XML: N/A; the requested URI is an XML namespace. 1849 This document requests IANA to register the following YANG module in 1850 the "YANG Module Names" registry [RFC7950][RFC8525]: 1852 name: ietf-i2nsf-capability 1853 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1854 prefix: nsfcap 1855 reference: RFC XXXX 1857 8. Security Considerations 1859 The YANG module specified in this document defines a data schema 1860 designed to be accessed through network management protocols such as 1861 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 1862 the secure transport layer, and the required transport secure 1863 transport is Secure Shell (SSH) [RFC6242]. 
The lowest RESTCONF layer 1864 is HTTPS, and the required transport secure transport is TLS 1865 [RFC8446]. 1867 The NETCONF access control model [RFC8341] provides a means of 1868 restricting access to specific NETCONF or RESTCONF users to a 1869 preconfigured subset of all available NETCONF or RESTCONF protocol 1870 operations and content. 1872 There are a number of data nodes defined in this YANG module that are 1873 writable, creatable, and deletable (i.e., config true, which is the 1874 default). These data nodes may be considered sensitive or vulnerable 1875 in some network environments. Write operations to these data nodes 1876 could have a negative effect on network and security operations. 1878 o ietf-i2nsf-capability: An attacker could alter the security 1879 capabilities associated with an NSF whereby disabling or enabling 1880 the evasion of security mitigations. 1882 Some of the readable data nodes in this YANG module may be considered 1883 sensitive or vulnerable in some network environments. It is thus 1884 important to control read access (e.g., via get, get-config, or 1885 notification) to these data nodes. These are the subtrees and data 1886 nodes and their sensitivity/vulnerability: 1888 o ietf-i2nsf-capability: An attacker could gather the security 1889 capability information of any NSF and use this information to 1890 evade detection or filtering. 1892 9. References 1894 9.1. Normative References 1896 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1897 DOI 10.17487/RFC0768, August 1980, 1898 . 1900 [RFC0790] Postel, J., "Assigned numbers", RFC 790, 1901 DOI 10.17487/RFC0790, September 1981, 1902 . 1904 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1905 DOI 10.17487/RFC0791, September 1981, 1906 . 1908 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1909 RFC 792, DOI 10.17487/RFC0792, September 1981, 1910 . 
1912 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1913 RFC 793, DOI 10.17487/RFC0793, September 1981, 1914 . 1916 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1917 Requirement Levels", BCP 14, RFC 2119, 1918 DOI 10.17487/RFC2119, March 1997, 1919 . 1921 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1922 A., Peterson, J., Sparks, R., Handley, M., and E. 1923 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1924 DOI 10.17487/RFC3261, June 2002, 1925 . 1927 [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between 1928 Information Models and Data Models", RFC 3444, 1929 DOI 10.17487/RFC3444, January 2003, 1930 . 1932 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1933 DOI 10.17487/RFC3688, January 2004, 1934 . 1936 [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix 1937 Reserved for Documentation", RFC 3849, 1938 DOI 10.17487/RFC3849, July 2004, 1939 . 1941 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1942 Control Message Protocol (ICMPv6) for the Internet 1943 Protocol Version 6 (IPv6) Specification", STD 89, 1944 RFC 4443, DOI 10.17487/RFC4443, March 2006, 1945 . 1947 [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks 1948 Reserved for Documentation", RFC 5737, 1949 DOI 10.17487/RFC5737, January 2010, 1950 . 1952 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 1953 the Network Configuration Protocol (NETCONF)", RFC 6020, 1954 DOI 10.17487/RFC6020, October 2010, 1955 . 1957 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 1958 and A. Bierman, Ed., "Network Configuration Protocol 1959 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 1960 . 1962 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 1963 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 1964 . 
   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.
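   The access restriction that the Security Considerations section
   recommends through the NETCONF access control model [RFC8341] can be
   expressed as a NACM rule set on the NSF.  The following configuration
   is an added example and is not part of this draft or of any I2NSF
   implementation: the group names, user names and rule names are
   illustrative assumptions, while the module name
   "ietf-i2nsf-capability" comes from this document and the NACM element
   names and namespace come from RFC 8341.  It grants full access to the
   capability data nodes only to a security-controller group, read-only
   access to a monitoring group, and denies every other user by default,
   which covers both the write and the read concerns listed above.

```xml
<!-- Added example (not from the draft): NACM rules for the
     ietf-i2nsf-capability module.  Group, user and rule names are
     assumed; element names follow RFC 8341. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>

  <!-- Deny by default.  RFC 8341 defaults read-default and
       exec-default to "permit"; tightening read-default to "deny"
       is what keeps unprivileged users from enumerating the
       capabilities of the NSF. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <groups>
    <group>
      <name>security-admins</name>        <!-- assumed group name -->
      <user-name>security-controller</user-name>  <!-- assumed user -->
    </group>
    <group>
      <name>monitoring</name>             <!-- assumed group name -->
      <user-name>nms-reader</user-name>   <!-- assumed user -->
    </group>
  </groups>

  <!-- Only the security controller may register, change or delete
       the capability data nodes (create/read/update/delete). -->
  <rule-list>
    <name>i2nsf-capability-admin</name>
    <group>security-admins</group>
    <rule>
      <name>capability-full-access</name>
      <module-name>ietf-i2nsf-capability</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>Capability registration is a privileged operation;
               altering it could disable or evade mitigations.</comment>
    </rule>
  </rule-list>

  <!-- Monitoring systems may read the capabilities but never
       modify them. -->
  <rule-list>
    <name>i2nsf-capability-readonly</name>
    <group>monitoring</group>
    <rule>
      <name>capability-read-only</name>
      <module-name>ietf-i2nsf-capability</module-name>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

   Because NACM evaluates the rule lists in order and falls back to the
   defaults when no rule matches, any user outside the two groups gets
   neither read nor write access to the module, and a monitoring user
   attempting an edit-config on it is rejected by write-default.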
9.2.  Informative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities",
              draft-ietf-i2nsf-capability-05 (work in progress),
              April 2019.

   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
              "I2NSF NSF Monitoring YANG Data Model",
              draft-ietf-i2nsf-nsf-monitoring-data-model-03 (work in
              progress), May 2020.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
              (work in progress), June 2020.

Appendix A.  Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-capability" module for the capabilities registration of
   a general firewall.

A.1.  Example 1: Registration for the Capabilities of a General Firewall

   This section shows a configuration example for the capabilities
   registration of a general firewall in either an IPv4 network or an
   IPv6 network.

      general_firewall
        ipv4-protocol
        exact-ipv4-address
        range-ipv4-address
        exact-fourth-layer-port-num
        range-fourth-layer-port-num
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 4: Configuration XML for the Capabilities Registration of a
                    General Firewall in an IPv4 Network

   Figure 4 shows the configuration XML for the capabilities
   registration of a general firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for the fourth layer packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

      general_firewall
        ipv6-protocol
        exact-ipv6-address
        range-ipv6-address
        exact-fourth-layer-port-num
        range-fourth-layer-port-num
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 5: Configuration XML for the Capabilities Registration of a
                    General Firewall in an IPv6 Network

   In addition, Figure 5 shows the configuration XML for the
   capabilities registration of a general firewall as an NSF in an IPv6
   network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for the fourth layer packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.2.  Example 2: Registration for the Capabilities of a Time-based
      Firewall

   This section shows a configuration example for the capabilities
   registration of a time-based firewall in either an IPv4 network or an
   IPv6 network.

      time_based_firewall
        absolute-time
        periodic-time
        ipv4-protocol
        exact-ipv4-address
        range-ipv4-address
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 6: Configuration XML for the Capabilities Registration of a
                   Time-based Firewall in an IPv4 Network

   Figure 6 shows the configuration XML for the capabilities
   registration of a time-based firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

      time_based_firewall
        absolute-time
        periodic-time
        ipv6-protocol
        exact-ipv6-address
        range-ipv6-address
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 7: Configuration XML for the Capabilities Registration of a
                   Time-based Firewall in an IPv6 Network

   In addition, Figure 7 shows the configuration XML for the
   capabilities registration of a time-based firewall as an NSF in an
   IPv6 network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.3.  Example 3: Registration for the Capabilities of a Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

      web_filter
        user-defined
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 8: Configuration XML for the Capabilities Registration of a
                                Web Filter

   Figure 8 shows the configuration XML for the capabilities
   registration of a web filter as an NSF.  Its capabilities are as
   follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect a URL for HTTP and HTTPS packets.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE
      Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

      voip_volte_filter
        voice-id
        pass
        drop
        alert
        pass
        drop
        alert

     Figure 9: Configuration XML for the Capabilities Registration of a
                             VoIP/VoLTE Filter

   Figure 9 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter as an NSF.  Its capabilities are
   as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect a voice id for VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.5.  Example 5: Registration for the Capabilities of an HTTP and HTTPS
      Flood Mitigator

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.

      http_and_https_flood_mitigation
        http-flood-action
        https-flood-action
        pass
        drop
        alert
        pass
        drop
        alert

    Figure 10: Configuration XML for the Capabilities Registration of an
                       HTTP and HTTPS Flood Mitigator

   Figure 10 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator as an NSF.  Its
   capabilities are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The IPv4 address of the NSF is assumed to be 192.0.2.11
       [RFC5737].  Also, the IPv6 address of the NSF is assumed to be
       2001:DB8:0:1::11 [RFC3849].

   3.  The NSF can control the number of HTTP and HTTPS packets that are
       routed to the NSF's IPv4 address or the NSF's IPv6 address.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

Appendix B.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).  This work was supported
   in part by the IITP (2020-0-00395, Standard Development of Blockchain
   based Network Management Automation Technology).

Appendix C.  Contributors

   This document is the result of a group effort of the I2NSF Working
   Group.  Many people actively contributed to this document, such as
   Acee Lindem, Roman Danyliw, and Tom Petch.  The authors sincerely
   appreciate their contributions.

   The following are co-authors of this document:

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China

   EMail: Frank.Xialiang@huawei.com

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon, 34129
   Republic of Korea

   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: sehuilee@kt.com

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com