idnits 2.17.1

draft-ietf-i2nsf-capability-data-model-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 5 instances of too long lines in the document, the longest one
     being 1 character in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 8, 2020) is 1325 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'I-D.ietf-i2nsf-nsf-monitoring-data-model' is defined
     on line 1963, but no explicit reference was found in the text
  == Unused Reference: 'RFC0768' is defined on line 1974, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2119' is defined on line 1990, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC3444' is defined on line 2001, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC4443' is defined on line 2015, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC8431' is defined on line 2087, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC8519' is defined on line 2096, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC8805' is defined on line 2106, but no explicit
     reference was found in the text
  == Outdated reference: A later version (-20) exists of
     draft-ietf-i2nsf-nsf-monitoring-data-model-03
  == Outdated reference: A later version (-14) exists of
     draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)
  ** Downref: Normative reference to an Informational RFC: RFC 3444
  ** Downref: Normative reference to an Informational RFC: RFC 3849
  ** Downref: Normative reference to an Informational RFC: RFC 5737
  ** Downref: Normative reference to an Informational RFC: RFC 8192
  ** Downref: Normative reference to an Informational RFC: RFC 8329
  ** Downref: Normative reference to an Informational RFC: RFC 8805

     Summary: 8 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

I2NSF Working Group                                        S. Hares, Ed.
Internet-Draft                                                    Huawei
Intended status: Standards Track                           J. Jeong, Ed.
Expires: March 12, 2021                                           J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                                       September 8, 2020

                  I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-11

Abstract

This document defines a YANG data model for the capabilities of various
Network Security Functions (NSFs) in the Interface to Network Security
Functions (I2NSF) framework to centrally manage the capabilities of the
various NSFs.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions
of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is at
https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

This Internet-Draft will expire on March 12, 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document
authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions
Relating to IETF Documents (https://trustee.ietf.org/license-info) in
effect on the date of publication of this document. Please review these
documents carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this document
must include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Terminology
   3. Overview
   4. YANG Tree Diagram
      4.1. Network Security Function (NSF) Capabilities
   5. YANG Data Model of I2NSF NSF Capability
   6. IANA Considerations
   7. Security Considerations
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. Configuration Examples
      A.1. Example 1: Registration for the Capabilities of a General
           Firewall
      A.2. Example 2: Registration for the Capabilities of a Time-based
           Firewall
      A.3. Example 3: Registration for the Capabilities of a Web Filter
      A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
           Filter
      A.5. Example 5: Registration for the Capabilities of a HTTP and
           HTTPS Flood Mitigator
   Appendix B. Acknowledgments
   Appendix C. Contributors
   Authors' Addresses

1. Introduction

As the industry becomes more sophisticated and network devices (e.g.,
Internet of Things devices, self-driving vehicles, and smartphones using
Voice over IP (VoIP) and Voice over LTE (VoLTE)) multiply, service
providers face the many problems described in [RFC8192]. To resolve
these problems, [I-D.ietf-i2nsf-capability] specifies the information
model of the capabilities of Network Security Functions (NSFs) in the
framework of the Interface to Network Security Functions (I2NSF)
[RFC8329].

This document provides a YANG data model [RFC6020][RFC7950] that defines
the capabilities of NSFs so that the capabilities of those security
devices can be managed centrally. Using this YANG data model, the
security devices register their own capabilities with a Network Operator
Management (Mgmt) System (i.e., Security Controller) through the
registration interface [RFC8329]. With the capabilities of those security
devices maintained centrally, the devices can be managed more easily
[RFC8329]. This YANG data model is based on the information model for
I2NSF NSF capabilities [I-D.ietf-i2nsf-capability].
This YANG data model uses an "Event-Condition-Action" (ECA) policy model,
which is the basis for the design of I2NSF Policy as described in
[RFC8329] and [I-D.ietf-i2nsf-capability]. The "ietf-i2nsf-capability"
YANG module defined in this document provides the following features:

o Definition for general capabilities of network security functions.

o Definition for event capabilities of generic network security
  functions.

o Definition for condition capabilities of generic network security
  functions.

o Definition for condition capabilities of advanced network security
  functions.

o Definition for action capabilities of generic network security
  functions.

o Definition for resolution strategy capabilities of generic network
  security functions.

o Definition for default action capabilities of generic network security
  functions.

2. Terminology

This document uses the terminology described in [RFC8329].

This document follows the guidelines of [RFC8407], uses the common YANG
types defined in [RFC6991], and adopts the Network Management Datastore
Architecture (NMDA). The meaning of the symbols in tree diagrams is
defined in [RFC8340].

3. Overview

This section provides an overview of how the YANG data model can be used
in the I2NSF framework described in [RFC8329]. Figure 1 shows the
capabilities (e.g., firewall and web filter) of NSFs in the I2NSF
Framework. As shown in this figure, an NSF Developer's Management System
can register NSFs and the capabilities that each network security device
supports. To register NSFs in this way, the Developer's Management System
uses this standardized capability YANG data model through the I2NSF
Registration Interface [RFC8329].
That is, the Registration Interface uses the YANG module described in
this document to describe the capabilities of a network security function
that is registered with the Security Controller. With the capabilities of
those network security devices maintained centrally, the devices can be
managed more easily, which resolves many of the problems described in
[RFC8192].

In Figure 1, a new NSF at a Developer's Management System has the
capabilities of Firewall (FW) and Web Filter (WF), denoted as
(Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy rules,
where 'E', 'C', and 'A' mean "Event", "Condition", and "Action",
respectively. The condition involves IPv4 or IPv6 datagrams, and the
action includes "Allow" and "Deny" for those datagrams.

Note that the NSF-Facing Interface [RFC8329] is used to configure the
security policy rules of the generic network security functions, and the
configuration of advanced security functions over the NSF-Facing
Interface is used to configure the security policy rules of advanced
network security functions (e.g., anti-virus and Distributed-Denial-of-
Service (DDoS) attack mitigator), respectively, according to the
capabilities of the NSFs registered with the I2NSF Framework.

        +------------------------------------------------------+
        | I2NSF User (e.g., Overlay Network Mgmt, Enterprise   |
        | Network Mgmt, another network domain's mgmt, etc.)   |
        +--------------------+---------------------------------+
           I2NSF             ^
  Consumer-Facing Interface  |
                             |
                             v                   I2NSF
           +-----------------+------------+   Registration   +-------------+
           | Network Operator Mgmt System |    Interface     | Developer's |
           | (i.e., Security Controller)  |<---------------->| Mgmt System |
           +-----------------+------------+                  +-------------+
                             ^                                   New NSF
                             |                                   Cap = {FW, WF}
           I2NSF             |                                   E = {}
  NSF-Facing Interface       |                                   C = {IPv4, IPv6}
                             |                                   A = {Allow, Deny}
                             v
         +-------------------+-------------------+-------------------+
         |                   |                   |                   |
     +---+---+           +---+---+           +---+---+           +---+---+
     | NSF-1 |    ...    | NSF-m |           | NSF-1 |    ...    | NSF-n |  ...
     +-------+           +-------+           +-------+           +-------+
     NSF-1               NSF-m               NSF-1               NSF-n
     Cap = {FW, WF}      Cap = {FW, WF}      Cap = {FW, WF}      Cap = {FW, WF}
     E = {}              E = {user}          E = {dev}           E = {time}
     C = {IPv4}          C = {IPv6}          C = {IPv4, IPv6}    C = {IPv4}
     A = {Allow, Deny}   A = {Allow, Deny}   A = {Allow, Deny}   A = {Allow, Deny}

          Developer's Mgmt System A               Developer's Mgmt System B

              Figure 1: Capabilities of NSFs in I2NSF Framework

A use case of an NSF with the capabilities of firewall and web filter is
described as follows.

o If a network manager wants to apply security policy rules to block
  malicious users with a firewall and a web filter, it is a tremendous
  burden for a network administrator to apply all of the needed rules to
  NSFs one by one. This problem is resolved by managing the capabilities
  of NSFs as described in this document.

o If a network administrator wants to block malicious users for IPv6
  traffic, he sends a security policy rule that blocks those users to the
  Network Operator Management System using the I2NSF User (i.e., a web
  application).
o When the Network Operator Management System receives the security
  policy rule, it automatically sends that security policy rule to the
  appropriate NSFs (i.e., NSF-m in Developer's Management System A and
  NSF-1 in Developer's Management System B), which support the required
  capabilities (i.e., IPv6). This means an I2NSF User does not need to
  consider which NSFs the rule is applied to.

o If the NSFs encounter the suspicious IPv6 packets of malicious users,
  they filter the packets out according to the configured security policy
  rule. Therefore, the security policy rule against the malicious users'
  packets is automatically applied to the appropriate NSFs without human
  intervention.

4. YANG Tree Diagram

This section shows a YANG tree diagram of the capabilities of network
security functions, as defined in [I-D.ietf-i2nsf-capability].

4.1. Network Security Function (NSF) Capabilities

This section explains a YANG tree diagram of NSF capabilities and its
features. Figure 2 shows a YANG tree diagram of NSF capabilities. The NSF
capabilities in the tree include time capabilities, event capabilities,
condition capabilities, action capabilities, resolution strategy
capabilities, and default action capabilities. Those capabilities can be
tailored or extended according to a vendor's specific requirements. Refer
to the NSF capabilities information model for a detailed discussion
[I-D.ietf-i2nsf-capability].
module: ietf-i2nsf-capability
  +--rw nsf* [nsf-name]
     +--rw nsf-name                             string
     +--rw time-capabilities*                   enumeration
     +--rw event-capabilities
     |  +--rw system-event-capability*          identityref
     |  +--rw system-alarm-capability*          identityref
     +--rw condition-capabilities
     |  +--rw generic-nsf-capabilities
     |  |  +--rw ipv4-capability*               identityref
     |  |  +--rw icmp-capability*               identityref
     |  |  +--rw ipv6-capability*               identityref
     |  |  +--rw icmpv6-capability*             identityref
     |  |  +--rw tcp-capability*                identityref
     |  |  +--rw udp-capability*                identityref
     |  +--rw advanced-nsf-capabilities
     |  |  +--rw anti-virus-capability*         identityref
     |  |  +--rw anti-ddos-capability*          identityref
     |  |  +--rw ips-capability*                identityref
     |  |  +--rw url-capability*                identityref
     |  |  +--rw voip-volte-capability*         identityref
     |  +--rw context-capabilities*             identityref
     +--rw action-capabilities
     |  +--rw ingress-action-capability*        identityref
     |  +--rw egress-action-capability*         identityref
     |  +--rw log-action-capability*            identityref
     +--rw resolution-strategy-capabilities*    identityref
     +--rw default-action-capabilities*         identityref
     +--rw ipsec-method*                        identityref

      Figure 2: YANG Tree Diagram of Capabilities of Network Security
                                Functions

Time capabilities are used to specify the capabilities which describe
when to execute the I2NSF policy rule. The time capabilities are defined
in terms of absolute time and periodic time. Absolute time means the
exact time to start or end. Periodic time means a repeated time such as a
day, week, or month. See Section 3.4.6 (Capability Algebra) in
[I-D.ietf-i2nsf-capability] for more information about the time-based
condition (e.g., time period) in the capability algebra.

Event capabilities are used to specify the capabilities that describe the
event that would trigger the evaluation of the condition clause of the
I2NSF Policy Rule. The defined event capabilities are system event and
system alarm. See Section 3.1 (Design Principles and ECA Policy Model
Overview) in [I-D.ietf-i2nsf-capability] for more information about the
event in the ECA policy model.

Condition capabilities are used to specify capabilities of a set of
attributes, features, and/or values that are to be compared with a set of
known attributes, features, and/or values in order to determine whether
or not the set of actions in that (imperative) I2NSF policy rule can be
executed. The condition capabilities are classified in terms of generic
network security functions and advanced network security functions. The
condition capabilities of generic network security functions are defined
as IPv4 capability, IPv6 capability, TCP capability, UDP capability, and
ICMP capability. The condition capabilities of advanced network security
functions are defined as anti-virus capability, anti-DDoS capability,
Intrusion Prevention System (IPS) capability, HTTP capability, and
VoIP/VoLTE capability. See Section 3.1 (Design Principles and ECA Policy
Model Overview) in [I-D.ietf-i2nsf-capability] for more information about
the condition in the ECA policy model. Also, see Section 3.4.3 (I2NSF
Condition Clause Operator Types) in [I-D.ietf-i2nsf-capability] for more
information about the operator types in an I2NSF condition clause.

Action capabilities are used to specify the capabilities that describe
the control and monitoring aspects of flow-based NSFs when the event and
condition clauses are satisfied. The action capabilities are defined as
ingress-action capability, egress-action capability, and log-action
capability. See Section 3.1 (Design Principles and ECA Policy Model
Overview) in [I-D.ietf-i2nsf-capability] for more information about the
action in the ECA policy model. Also, see Section 7.2 (NSF-Facing Flow
Security Policy Structure) in [RFC8329] for more information about the
ingress and egress actions. In addition, see Section 9.1 (Flow-Based NSF
Capability Characterization) in [RFC8329] for more information about
logging at NSFs.

Resolution strategy capabilities are used to specify the capabilities
that describe how to resolve conflicts between the actions of the same or
different policy rules that are matched and contained in this particular
NSF. The resolution strategy capabilities are defined as First Matching
Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR),
Prioritized Matching Rule with Errors (PMRE), and Prioritized Matching
Rule with No Errors (PMRN). See Section 3.4.2 (Conflict, Resolution
Strategy and Default Action) in [I-D.ietf-i2nsf-capability] for more
information about the resolution strategy.

Default action capabilities are used to specify the capabilities that
describe how to execute I2NSF policy rules when no rule matches a packet.
The default action capabilities are defined as pass, drop, alert, and
mirror. See Section 3.4.2 (Conflict, Resolution Strategy and Default
Action) in [I-D.ietf-i2nsf-capability] for more information about the
default action.

IPsec method capabilities are used to specify capabilities for how an NSF
supports the Internet Key Exchange (IKE) [RFC7296] for secure
communication. The IPsec method capabilities are defined as IKE or
IKE-less. See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more
information about SDN-based IPsec flow protection in I2NSF.

5. YANG Data Model of I2NSF NSF Capability

This section introduces a YANG module for NSFs' capabilities, as defined
in [I-D.ietf-i2nsf-capability].

This YANG module imports from [RFC6991].
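The following Python script is an added example, not code from the draft or from the I2NSF working group. It models the registration data of Figure 1 as a small subset of the tree in Figure 2 and shows two things: how a Security Controller can select the NSFs whose registered condition and action capabilities cover a rule (the Section 3 use case of blocking malicious IPv6 users), and how an NSF's registered resolution strategy (FMR, LMR or PMR) and default action decide the outcome when several rules match a packet or none does. The packet fields, the rule format, the assumed per-NSF strategies and default actions, and the priority comparison used for PMR are this example's own simplifications; PMRE and PMRN are not modelled.

```python
"""Toy Security Controller logic built on the I2NSF capability registrations
of Figure 1.  Added example; the data structures are simplified stand-ins for
the ietf-i2nsf-capability tree, not the module's own encoding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsfCapabilities:
    """The parts of one NSF's registration this example uses."""
    developer: str               # Developer's Mgmt System A or B (Figure 1)
    nsf_name: str                # nsf-name leaf
    condition: frozenset         # generic condition capabilities
    ingress_action: frozenset    # ingress-action-capability values
    resolution_strategy: str     # "fmr", "lmr" or "pmr"
    default_action: str          # default-action-capability (pass/drop/alert/mirror)


# Constructed from Figure 1.  "Allow"/"Deny" in the figure are written with the
# default-action vocabulary of Section 4.1 ("pass"/"drop"); the strategies and
# default actions are assumed, since the figure does not list them.
REGISTRY = [
    NsfCapabilities("A", "NSF-1", frozenset({"ipv4-capability"}),
                    frozenset({"pass", "drop"}), "fmr", "pass"),
    NsfCapabilities("A", "NSF-m", frozenset({"ipv6-capability"}),
                    frozenset({"pass", "drop"}), "fmr", "pass"),
    NsfCapabilities("B", "NSF-1", frozenset({"ipv4-capability", "ipv6-capability"}),
                    frozenset({"pass", "drop"}), "lmr", "drop"),
    NsfCapabilities("B", "NSF-n", frozenset({"ipv4-capability"}),
                    frozenset({"pass", "drop"}), "pmr", "pass"),
]


def select_nsfs(registry, required_conditions, required_actions):
    """Return (developer, nsf-name) for every NSF whose registered capabilities
    cover both the condition and the action clauses of a rule."""
    return [(n.developer, n.nsf_name) for n in registry
            if required_conditions <= n.condition
            and required_actions <= n.ingress_action]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # only consulted under PMR
    condition: dict    # packet field -> required value (all must match)
    action: str


def _matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule.condition.items())


def resolve(nsf, rules, packet):
    """Apply the NSF's resolution strategy to the rules a packet matches.
    Returns (action, conflict); conflict is True when the matching rules
    disagree on the action, which is the situation the strategy settles."""
    matched = [r for r in rules if _matches(r, packet)]
    if not matched:
        return nsf.default_action, False          # no rule matched: default action
    conflict = len({r.action for r in matched}) > 1
    if nsf.resolution_strategy == "fmr":          # First Matching Rule
        return matched[0].action, conflict
    if nsf.resolution_strategy == "lmr":          # Last Matching Rule
        return matched[-1].action, conflict
    if nsf.resolution_strategy == "pmr":          # Prioritized Matching Rule
        return max(matched, key=lambda r: r.priority).action, conflict
    raise ValueError(f"unknown resolution strategy {nsf.resolution_strategy!r}")


# Constructed rules: a broad allow for IPv6 and a higher-priority block for one
# source address taken from the RFC 3849 documentation prefix.
RULES = [
    Rule("allow-ipv6", 10, {"ip-version": 6}, "pass"),
    Rule("block-malicious-user", 20, {"ip-version": 6, "src": "2001:db8::1"}, "drop"),
]

if __name__ == "__main__":
    # The Section 3 use case: which registered NSFs can enforce an IPv6 block?
    print(select_nsfs(REGISTRY, {"ipv6-capability"}, {"drop"}))
    pkt = {"ip-version": 6, "src": "2001:db8::1"}
    for nsf in REGISTRY:
        print(nsf.developer, nsf.nsf_name, nsf.resolution_strategy,
              resolve(nsf, RULES, pkt))
```

Run as a script, the first line of output lists NSF-m of system A and NSF-1 of system B, matching the dispatch described in Section 3; the remaining lines show that the same two conflicting rules yield "pass" under FMR and "drop" under LMR or PMR, which is why a controller needs to know an NSF's registered resolution strategy before it can predict what a rule set will do there.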
It makes references to [RFC 359 0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261][RFC4 360 443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability][I-D.ietf-i2nsf-nsf- 361 monitoring-data-model][I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. 363 file "ietf-i2nsf-capability@2020-09-08.yang" 365 module ietf-i2nsf-capability { 366 yang-version 1.1; 367 namespace 368 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; 369 prefix 370 nsfcap; 372 organization 373 "IETF I2NSF (Interface to Network Security Functions) 374 Working Group"; 376 contact 377 "WG Web: 378 WG List: 380 Editor: Jaehoon Paul Jeong 381 383 Editor: Jinyong Tim Kim 384 386 Editor: Susan Hares 387 "; 389 description 390 "This module is a YANG module for I2NSF Network Security 391 Functions (NSFs)'s Capabilities. 393 Copyright (c) 2020 IETF Trust and the persons identified as 394 authors of the code. All rights reserved. 396 Redistribution and use in source and binary forms, with or 397 without modification, is permitted pursuant to, and subject 398 to the license terms contained in, the Simplified BSD License 399 set forth in Section 4.c of the IETF Trust's Legal Provisions 400 Relating to IETF Documents 401 http://trustee.ietf.org/license-info). 403 This version of this YANG module is part of RFC XXXX; see 404 the RFC itself for full legal notices."; 406 // RFC Ed.: replace XXXX with an actual RFC number and remove 407 // this note. 409 revision "2020-09-08"{ 410 description "Initial revision."; 411 reference 412 "RFC XXXX: I2NSF Capability YANG Data Model"; 414 // RFC Ed.: replace XXXX with an actual RFC number and remove 415 // this note. 416 } 418 /* 419 * Identities 420 */ 422 identity event { 423 description 424 "Base identity for I2NSF policy events."; 425 reference 426 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 427 Monitoring YANG Data Model - Event"; 429 // RFC Ed.: replace the above draft with an actual RFC in the 430 // YANG module and remove this note. 
431 } 433 identity system-event-capability { 434 base event; 435 description 436 "Identity for system event"; 438 reference 439 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 440 Monitoring YANG Data Model - System event"; 441 } 443 identity system-alarm-capability { 444 base event; 445 description 446 "Identity for system alarm"; 447 reference 448 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 449 Monitoring YANG Data Model - System alarm"; 450 } 452 identity access-violation { 453 base system-event-capability; 454 description 455 "Identity for access violation event"; 456 reference 457 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 458 Monitoring YANG Data Model - System event for access 459 violation"; 460 } 462 identity configuration-change { 463 base system-event-capability; 464 description 465 "Identity for configuration change event"; 466 reference 467 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 468 Monitoring YANG Data Model - System event for configuration 469 change"; 470 } 472 identity memory-alarm { 473 base system-alarm-capability; 474 description 475 "Identity for memory alarm"; 476 reference 477 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 478 Monitoring YANG Data Model - System alarm for memory"; 479 } 481 identity cpu-alarm { 482 base system-alarm-capability; 483 description 484 "Identity for CPU alarm"; 485 reference 486 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 487 Monitoring YANG Data Model - System alarm for CPU"; 488 } 490 identity disk-alarm { 491 base system-alarm-capability; 492 description 493 "Identity for disk alarm"; 494 reference 495 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 496 Monitoring YANG Data Model - System alarm for disk"; 497 } 499 identity hardware-alarm { 500 base system-alarm-capability; 501 description 502 "Identity for hardware alarm"; 503 reference 504 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 505 Monitoring YANG 
Data Model - System alarm for hardware"; 506 } 508 identity interface-alarm { 509 base system-alarm-capability; 510 description 511 "Identity for interface alarm"; 512 reference 513 "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF 514 Monitoring YANG Data Model - System alarm for interface"; 515 } 517 identity condition { 518 description 519 "Base identity for policy conditions"; 520 } 522 identity context-capability { 523 base condition; 524 description 525 "Identity for context condition capabilities for an NSF"; 526 reference 527 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 528 Capabilities - The operating context of an NSF."; 529 } 531 identity access-control-list { 532 base context-capability; 533 description 534 "Identity for Access Control List (ACL) condition capability"; 535 reference 536 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 537 Capabilities - The context of an NSF. 538 RFC 8519: YANG Data Model for Network Access Control Lists 539 (ACLs) - A user-ordered set of rules used to configure the 540 forwarding behavior in an NSF."; 541 } 543 identity application-layer-filter { 544 base context-capability; 545 description 546 "Identity for application-layer-filter condition capability"; 547 reference 548 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 549 Capabilities - An application-layer filtering (e.g., web 550 filter) as an NSF."; 551 } 553 identity target { 554 base context-capability; 555 description 556 "Identity for target condition capability"; 557 reference 558 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 559 Capabilities - A target (or destination) of a policy rule 560 to be applied by an NSF. 
561 RFC 8519: YANG Data Model for Network Access Control Lists 562 (ACLs) - An access control for a target (e.g., the 563 corresponding IP address) in an NSF."; 564 } 566 identity user { 567 base context-capability; 568 description 569 "Identity for user condition capability"; 570 reference 571 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 572 Capabilities - A user in an application of a policy rule 573 to be applied by an NSF. 574 RFC 8519: YANG Data Model for Network Access Control Lists 575 (ACLs) - An access control for a user (e.g., the 576 corresponding IP address) in an NSF."; 577 } 579 identity group { 580 base context-capability; 581 description 582 "Identity for group condition capability"; 583 reference 584 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 585 Capabilities - A group (i.e., a set of users) in an 586 application of a policy rule to be applied by an NSF. 587 RFC 8519: YANG Data Model for Network Access Control Lists 588 (ACLs) - An access control for a group (e.g., the 589 corresponding IP address) in an NSF."; 590 } 592 identity geography { 593 base context-capability; 594 description 595 "Identity for geography condition capability"; 596 reference 597 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 598 Capabilities - A group (i.e., a set of users) in an 599 application of a policy rule to be applied by an NSF. 600 RFC 8519: YANG Data Model for Network Access Control Lists 601 (ACLs) - An access control for a geographical location 602 i.e., geolocation (e.g., the corresponding IP address) in 603 an NSF. 
604 RFC 8805: A Format for Self-Published IP Geolocation Feeds 605 - An IP address with geolocation information."; 606 } 608 identity ipv4-capability { 609 base condition; 610 description 611 "Identity for IPv4 condition capability"; 612 reference 613 "RFC 791: Internet Protocol"; 614 } 616 identity exact-ipv4-header-length { 617 base ipv4-capability; 618 description 619 "Identity for exact-match IPv4 header-length 620 condition capability"; 621 reference 622 "RFC 791: Internet Protocol - Header Length"; 623 } 625 identity range-ipv4-header-length { 626 base ipv4-capability; 627 description 628 "Identity for range-match IPv4 header-length 629 condition capability"; 631 reference 632 "RFC 791: Internet Protocol - Header Length"; 633 } 635 identity ipv4-tos { 636 base ipv4-capability; 637 description 638 "Identity for IPv4 Type-Of-Service (TOS) 639 condition capability"; 640 reference 641 "RFC 791: Internet Protocol - Type of Service"; 642 } 644 identity exact-ipv4-total-length { 645 base ipv4-capability; 646 description 647 "Identity for exact-match IPv4 total length 648 condition capability"; 649 reference 650 "RFC 791: Internet Protocol - Total Length"; 651 } 653 identity range-ipv4-total-length { 654 base ipv4-capability; 655 description 656 "Identity for range-match IPv4 total length 657 condition capability"; 658 reference 659 "RFC 791: Internet Protocol - Total Length"; 660 } 662 identity ipv4-id { 663 base ipv4-capability; 664 description 665 "Identity for identification condition capability"; 666 reference 667 "RFC 791: Internet Protocol - Identification"; 668 } 670 identity ipv4-fragment-flags { 671 base ipv4-capability; 672 description 673 "Identity for IPv4 fragment flags condition capability"; 674 reference 675 "RFC 791: Internet Protocol - Fragmentation Flags"; 676 } 678 identity exact-ipv4-fragment-offset { 679 base ipv4-capability; 680 description 681 "Identity for exact-match IPv4 fragment offset 682 condition capability"; 683 reference 684 "RFC 791: 
Internet Protocol - Fragmentation Offset"; 685 } 687 identity range-ipv4-fragment-offset { 688 base ipv4-capability; 689 description 690 "Identity for range-match IPv4 fragment offset 691 condition capability"; 692 reference 693 "RFC 791: Internet Protocol - Fragmentation Offset"; 694 } 696 identity exact-ipv4-ttl { 697 base ipv4-capability; 698 description 699 "Identity for exact-match IPv4 Time-To-Live (TTL) 700 condition capability"; 701 reference 702 "RFC 791: Internet Protocol - Time To Live (TTL)"; 703 } 705 identity range-ipv4-ttl { 706 base ipv4-capability; 707 description 708 "Identity for range-match IPv4 Time-To-Live (TTL) 709 condition capability"; 710 reference 711 "RFC 791: Internet Protocol - Time To Live (TTL)"; 712 } 714 identity ipv4-protocol { 715 base ipv4-capability; 716 description 717 "Identity for IPv4 protocol condition capability"; 718 reference 719 "IANA Website: Assigned Internet Protocol Numbers 720 - Protocol Number for IPv4 721 RFC 791: Internet Protocol - Protocol"; 722 } 724 identity exact-ipv4-address { 725 base ipv4-capability; 726 description 727 "Identity for exact-match IPv4 address 728 condition capability"; 729 reference 730 "RFC 791: Internet Protocol - Address"; 731 } 733 identity range-ipv4-address { 734 base ipv4-capability; 735 description 736 "Identity for range-match IPv4 address condition 737 capability"; 738 reference 739 "RFC 791: Internet Protocol - Address"; 740 } 742 identity ipv4-ip-opts { 743 base ipv4-capability; 744 description 745 "Identity for IPv4 option condition capability"; 746 reference 747 "RFC 791: Internet Protocol - Options"; 748 } 750 identity ipv4-geo-ip { 751 base ipv4-capability; 752 description 753 "Identity for geography condition capability"; 754 reference 755 "draft-ietf-i2nsf-capability-05: Information Model 756 of NSFs Capabilities - Geo-IP"; 757 } 759 identity ipv6-capability { 760 base condition; 761 description 762 "Identity for IPv6 condition capabilities"; 763 reference 764 "RFC 
8200: Internet Protocol, Version 6 (IPv6) 765 Specification"; 766 } 768 identity ipv6-traffic-class { 769 base ipv6-capability; 770 description 771 "Identity for IPv6 traffic class 772 condition capability"; 773 reference 774 "RFC 8200: Internet Protocol, Version 6 (IPv6) 775 Specification - Traffic Class"; 776 } 778 identity exact-ipv6-flow-label { 779 base ipv6-capability; 780 description 781 "Identity for exact-match IPv6 flow label 782 condition capability"; 783 reference 784 "RFC 8200: Internet Protocol, Version 6 (IPv6) 785 Specification - Flow Label"; 786 } 788 identity range-ipv6-flow-label { 789 base ipv6-capability; 790 description 791 "Identity for range-match IPv6 flow label 792 condition capability"; 793 reference 794 "RFC 8200: Internet Protocol, Version 6 (IPv6) 795 Specification - Flow Label"; 796 } 798 identity exact-ipv6-payload-length { 799 base ipv6-capability; 800 description 801 "Identity for exact-match IPv6 payload length 802 condition capability"; 803 reference 804 "RFC 8200: Internet Protocol, Version 6 (IPv6) 805 Specification - Payload Length"; 806 } 808 identity range-ipv6-payload-length { 809 base ipv6-capability; 810 description 811 "Identity for range-match IPv6 payload length 812 condition capability"; 813 reference 814 "RFC 8200: Internet Protocol, Version 6 (IPv6) 815 Specification - Payload Length"; 816 } 818 identity ipv6-next-header { 819 base ipv6-capability; 820 description 821 "Identity for IPv6 next header condition capability"; 822 reference 823 "RFC 8200: Internet Protocol, Version 6 (IPv6) 824 Specification - Next Header"; 825 } 827 identity exact-ipv6-hop-limit { 828 base ipv6-capability; 829 description 830 "Identity for exact-match IPv6 hop limit condition 831 capability"; 832 reference 833 "RFC 8200: Internet Protocol, Version 6 (IPv6) 834 Specification - Hop Limit"; 835 } 837 identity range-ipv6-hop-limit { 838 base ipv6-capability; 839 description 840 "Identity for range-match IPv6 hop limit condition 841 
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Hop Limit";
  }

  identity ipv6-protocol {
    base ipv6-capability;
    description
      "Identity for IPv6 protocol condition capability";
    reference
      "IANA Website: Assigned Internet Protocol Numbers
       - Protocol Number for IPv6
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Protocol";
  }

  identity exact-ipv6-address {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 address condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity range-ipv6-address {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 address condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity tcp-capability {
    base condition;
    description
      "Identity for TCP condition capabilities";
    reference
      "RFC 793: Transmission Control Protocol";
  }

  identity exact-tcp-port-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP port number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity range-tcp-port-num {
    base tcp-capability;
    description
      "Identity for range-match TCP port number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity exact-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP sequence number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Sequence Number";
  }

  identity range-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for range-match TCP sequence number condition
       capability";
    reference
      "RFC 793: Transmission Control
       Protocol - Sequence Number";
  }

  identity exact-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP acknowledgement number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity range-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for range-match TCP acknowledgement number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity exact-tcp-window-size {
    base tcp-capability;
    description
      "Identity for exact-match TCP window size condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity range-tcp-window-size {
    base tcp-capability;
    description
      "Identity for range-match TCP window size condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity tcp-flags {
    base tcp-capability;
    description
      "Identity for TCP flags condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity udp-capability {
    base condition;
    description
      "Identity for UDP condition capabilities";
    reference
      "RFC 768: User Datagram Protocol";
  }

  identity exact-udp-port-num {
    base udp-capability;
    description
      "Identity for exact-match UDP port number condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity range-udp-port-num {
    base udp-capability;
    description
      "Identity for range-match UDP port number condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity exact-udp-total-length {
    base udp-capability;
    description
      "Identity for exact-match UDP total-length condition capability";
    reference
      "RFC 768: User Datagram Protocol - Total
       Length";
  }

  identity range-udp-total-length {
    base udp-capability;
    description
      "Identity for range-match UDP total-length condition capability";
    reference
      "RFC 768: User Datagram Protocol - Total Length";
  }

  identity icmp-capability {
    base condition;
    description
      "Identity for ICMP condition capability";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity icmp-type {
    base icmp-capability;
    description
      "Identity for ICMP type condition capability";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity icmpv6-capability {
    base condition;
    description
      "Identity for ICMPv6 condition capability";
    reference
      "RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }

  identity icmpv6-type {
    base icmpv6-capability;
    description
      "Identity for ICMPv6 type condition capability";
    reference
      "RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }

  identity url-capability {
    base condition;
    description
      "Identity for URL condition capability";
  }

  identity pre-defined {
    base url-capability;
    description
      "Identity for URL pre-defined condition capability";
  }

  identity user-defined {
    base url-capability;
    description
      "Identity for URL user-defined condition capability";
  }

  identity log-action-capability {
    description
      "Base identity for log-action capability";
  }

  identity rule-log {
    base log-action-capability;
    description
      "Identity for rule log log-action capability";
  }

  identity session-log {
    base log-action-capability;
    description
      "Identity for session log log-action capability";
  }

  identity ingress-action-capability {
    description
      "Base identity for ingress-action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Ingress action";
  }

  identity egress-action-capability {
    description
      "Base identity for egress-action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Egress action";
  }

  identity default-action-capability {
    description
      "Base identity for default-action capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Default action";
  }

  identity pass {
    base ingress-action-capability;
    base egress-action-capability;
    base default-action-capability;
    description
      "Identity for pass action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Ingress, egress, and pass actions.
       draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Actions and default action.";
  }

  identity drop {
    base ingress-action-capability;
    base egress-action-capability;
    base default-action-capability;
    description
      "Identity for drop action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Ingress, egress, and drop actions.
       draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Actions and default action.";
  }

  identity alert {
    base ingress-action-capability;
    base egress-action-capability;
    base default-action-capability;
    description
      "Identity for alert action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Ingress, egress, and alert actions.
       draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
       NSF Monitoring YANG Data Model - Alarm (i.e., alert).
       draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Actions and default action.";
  }

  identity mirror {
    base ingress-action-capability;
    base egress-action-capability;
    base default-action-capability;
    description
      "Identity for mirror action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Ingress, egress, and mirror actions.
       draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Actions and default action.";
  }

  identity invoke-signaling {
    base egress-action-capability;
    description
      "Identity for invoke signaling action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Invoke-signaling action";
  }

  identity tunnel-encapsulation {
    base egress-action-capability;
    description
      "Identity for tunnel encapsulation action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Tunnel-encapsulation action";
  }

  identity forwarding {
    base egress-action-capability;
    description
      "Identity for forwarding action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Forwarding action";
  }

  identity redirection {
    base egress-action-capability;
    description
      "Identity for redirection action capability";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Redirection action";
  }

  identity resolution-strategy-capability {
    description
      "Base identity for resolution strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Resolution Strategy";
  }

  identity fmr {
    base resolution-strategy-capability;
    description
      "Identity for First Matching Rule (FMR) resolution
       strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Resolution Strategy";
  }

  identity lmr {
    base resolution-strategy-capability;
    description
      "Identity for Last Matching Rule (LMR) resolution
       strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Resolution Strategy";
  }

  identity pmr {
    base resolution-strategy-capability;
    description
      "Identity for Prioritized Matching Rule (PMR) resolution
       strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Resolution Strategy";
  }

  identity pmre {
    base resolution-strategy-capability;
    description
      "Identity for Prioritized Matching Rule with Errors (PMRE)
       resolution strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - Resolution Strategy";
  }

  identity pmrn {
    base resolution-strategy-capability;
    description
      "Identity for Prioritized Matching Rule with No Errors (PMRN)
       resolution strategy capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - Resolution Strategy";
  }

  identity advanced-nsf-capability {
    description
      "Base identity for advanced Network Security Function (NSF)
       capability. This can be used for advanced NSFs such as
       Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security
       Service.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF capability";
  }

  identity anti-virus-capability {
    base advanced-nsf-capability;
    description
      "Identity for advanced NSF Anti-Virus capability.
       This can be used for an extension point for Anti-Virus
       as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-Virus capability";
  }

  identity anti-ddos-capability {
    base advanced-nsf-capability;
    description
      "Identity for advanced NSF Anti-DDoS Attack capability.
       This can be used for an extension point for Anti-DDoS
       Attack as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS Attack capability";
  }

  identity ips-capability {
    base advanced-nsf-capability;
    description
      "Identity for advanced NSF IPS capabilities. This can be
       used for an extension point for IPS as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF IPS capability";
  }

  identity voip-volte-capability {
    base advanced-nsf-capability;
    description
      "Identity for advanced NSF VoIP/VoLTE Security Service
       capability. This can be used for an extension point
       for VoIP/VoLTE Security Service as an advanced NSF.";
    reference
      "RFC 3261: SIP: Session Initiation Protocol
       RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF VoIP/VoLTE security service
       capability";
  }

  identity detect {
    base anti-virus-capability;
    description
      "Identity for advanced NSF Anti-Virus Detection capability.
       This can be used for an extension point for Anti-Virus
       Detection as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-Virus Detection capability";
  }

  identity exception-application {
    base anti-virus-capability;
    description
      "Identity for advanced NSF Anti-Virus Exception Application
       capability.
       This can be used for an extension point for
       Anti-Virus Exception Application as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-Virus Exception Application
       capability";
  }

  identity exception-signature {
    base anti-virus-capability;
    description
      "Identity for advanced NSF Anti-Virus Exception Signature
       capability. This can be used for an extension point for
       Anti-Virus Exception Signature as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-Virus Exception Signature
       capability";
  }

  identity allow-list {
    base anti-virus-capability;
    description
      "Identity for advanced NSF Anti-Virus Allow List capability.
       This can be used for an extension point for Anti-Virus
       Allow List as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-Virus Allow List capability";
  }

  identity syn-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS SYN Flood Action
       capability. This can be used for an extension point for
       Anti-DDoS SYN Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS SYN Flood Action
       capability";
  }

  identity udp-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS UDP Flood Action
       capability.
       This can be used for an extension point for
       Anti-DDoS UDP Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS UDP Flood Action
       capability";
  }

  identity http-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS HTTP Flood Action
       capability. This can be used for an extension point for
       Anti-DDoS HTTP Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS HTTP Flood Action
       capability";
  }

  identity https-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS HTTPS Flood Action
       capability. This can be used for an extension point for
       Anti-DDoS HTTPS Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS HTTPS Flood Action
       capability";
  }

  identity dns-request-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS DNS Request Flood
       Action capability. This can be used for an extension
       point for Anti-DDoS DNS Request Flood Action as an
       advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS DNS Request Flood
       Action capability";
  }

  identity dns-reply-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS DNS Reply Flood
       Action capability.
       This can be used for an extension
       point for Anti-DDoS DNS Reply Flood Action as an
       advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS DNS Reply Flood
       Action capability";
  }

  identity icmp-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS ICMP Flood Action
       capability. This can be used for an extension point
       for Anti-DDoS ICMP Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS ICMP Flood Action
       capability";
  }

  identity icmpv6-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action
       capability. This can be used for an extension point
       for Anti-DDoS ICMPv6 Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action
       capability";
  }

  identity sip-flood-action {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS SIP Flood Action
       capability. This can be used for an extension point
       for Anti-DDoS SIP Flood Action as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS SIP Flood Action
       capability";
  }

  identity detect-mode {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS Detection Mode
       capability.
       This can be used for an extension point
       for Anti-DDoS Detection Mode as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS Detection Mode
       capability";
  }

  identity baseline-learning {
    base anti-ddos-capability;
    description
      "Identity for advanced NSF Anti-DDoS Baseline Learning
       capability. This can be used for an extension point
       for Anti-DDoS Baseline Learning as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF Anti-DDoS Baseline Learning
       capability";
  }

  identity signature-set {
    base ips-capability;
    description
      "Identity for advanced NSF IPS Signature Set capability.
       This can be used for an extension point for IPS Signature
       Set as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF IPS Signature Set capability";
  }

  identity ips-exception-signature {
    base ips-capability;
    description
      "Identity for advanced NSF IPS Exception Signature
       capability. This can be used for an extension point for
       IPS Exception Signature as an advanced NSF.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF IPS Exception Signature Set
       capability";
  }

  identity voice-id {
    base voip-volte-capability;
    description
      "Identity for advanced NSF VoIP/VoLTE Voice-ID capability.
       This can be used for an extension point for VoIP/VoLTE
       Voice-ID as an advanced NSF.";
    reference
      "RFC 3261: SIP: Session Initiation Protocol
       RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF VoIP/VoLTE Security Service
       capability";
  }

  identity user-agent {
    base voip-volte-capability;
    description
      "Identity for advanced NSF VoIP/VoLTE User Agent capability.
       This can be used for an extension point for VoIP/VoLTE
       User Agent as an advanced NSF.";
    reference
      "RFC 3261: SIP: Session Initiation Protocol
       RFC 8329: Framework for Interface to Network Security
       Functions - Advanced NSF VoIP/VoLTE Security Service
       capability";
  }

  identity ipsec-capability {
    description
      "Base identity for an IPsec capability";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
       Software-Defined Networking (SDN)-based IPsec Flow
       Protection - IPsec methods such as IKE and IKE-less";
  }

  identity ike {
    base ipsec-capability;
    description
      "Identity for an IPsec Internet Key Exchange (IKE)
       capability";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
       Software-Defined Networking (SDN)-based IPsec Flow
       Protection - IPsec method with IKE.
       RFC 7296: Internet Key Exchange Protocol Version 2
       (IKEv2) - IKE as a component of IPsec used for
       performing mutual authentication and establishing and
       maintaining Security Associations (SAs).";
  }

  identity ikeless {
    base ipsec-capability;
    description
      "Identity for an IPsec without Internet Key Exchange (IKE)
       capability";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
       Software-Defined Networking (SDN)-based IPsec Flow
       Protection - IPsec method without IKE";
  }

  /*
   * Grouping
   */

  grouping nsf-capabilities {
    description
      "Network Security Function (NSF) Capabilities";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - I2NSF Flow Security Policy Structure.
       draft-ietf-i2nsf-capability-05: Information Model of
       NSFs Capabilities - Capability Information Model Design.";

    leaf-list time-capabilities {
      type enumeration {
        enum absolute-time {
          description
            "absolute time capabilities.
             If a network security function has the absolute time
             capability, the network security function supports
             rule execution according to absolute time.";
        }
        enum periodic-time {
          description
            "periodic time capabilities.
             If a network security function has the periodic time
             capability, the network security function supports
             rule execution according to periodic time.";
        }
      }
      description
        "Time capabilities";
    }

    container event-capabilities {
      description
        "Capabilities of events.
         If a network security function has the event capabilities,
         the network security function supports rule execution
         according to system event and system alarm.";
      reference
        "RFC 8329: Framework for Interface to Network Security
         Functions - I2NSF Flow Security Policy Structure.
         draft-ietf-i2nsf-capability-05: Information Model of
         NSFs Capabilities - Design Principles and ECA Policy
         Model Overview.
         draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
         NSF Monitoring YANG Data Model - System Alarm and
         System Events.";

      leaf-list system-event-capability {
        type identityref {
          base system-event-capability;
        }
        description
          "System event capabilities";
      }

      leaf-list system-alarm-capability {
        type identityref {
          base system-alarm-capability;
        }
        description
          "System alarm capabilities";
      }
    }

    container condition-capabilities {
      description
        "Condition capabilities.";

      container generic-nsf-capabilities {
        description
          "Condition capabilities.
           If a network security function has the condition
           capabilities, the network security function
           supports rule execution according to conditions of
           IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload.";
        reference
          "RFC 791: Internet Protocol - IPv4.
           RFC 792: Internet Control Message Protocol - ICMP.
           RFC 793: Transmission Control Protocol - TCP.
           RFC 768: User Datagram Protocol - UDP.
           RFC 8200: Internet Protocol, Version 6 (IPv6)
           Specification - IPv6.
           RFC 4443: Internet Control Message Protocol (ICMPv6)
           for the Internet Protocol Version 6 (IPv6) Specification
           - ICMPv6.
           RFC 8329: Framework for Interface to Network Security
           Functions - I2NSF Flow Security Policy Structure.
           draft-ietf-i2nsf-capability-05: Information Model of
           NSFs Capabilities - Design Principles and ECA Policy
           Model Overview.";

        leaf-list ipv4-capability {
          type identityref {
            base ipv4-capability;
          }
          description
            "IPv4 packet capabilities";
          reference
            "RFC 791: Internet Protocol";
        }

        leaf-list icmp-capability {
          type identityref {
            base icmp-capability;
          }
          description
            "ICMP packet capabilities";
          reference
            "RFC 792: Internet Control Message Protocol - ICMP";
        }

        leaf-list ipv6-capability {
          type identityref {
            base ipv6-capability;
          }
          description
            "IPv6 packet capabilities";
          reference
            "RFC 8200: Internet Protocol, Version 6 (IPv6)
             Specification - IPv6";
        }

        leaf-list icmpv6-capability {
          type identityref {
            base icmpv6-capability;
          }
          description
            "ICMPv6 packet capabilities";
          reference
            "RFC 4443: Internet Control Message Protocol (ICMPv6)
             for the Internet Protocol Version 6 (IPv6) Specification
             - ICMPv6";
        }

        leaf-list tcp-capability {
          type identityref {
            base tcp-capability;
          }
          description
            "TCP packet capabilities";
          reference
            "RFC 793: Transmission Control Protocol - TCP";
        }

        leaf-list udp-capability {
          type identityref {
            base udp-capability;
          }
          description
            "UDP packet capabilities";
          reference
            "RFC 768: User Datagram Protocol - UDP";
        }
      }

      container advanced-nsf-capabilities {
        description
          "Advanced Network Security Function (NSF) capabilities,
           such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE.
           This container contains the leaf-lists of advanced
           NSF capabilities";
        reference
          "RFC 8329: Framework for Interface to Network Security
           Functions - Advanced NSF capabilities";

        leaf-list anti-virus-capability {
          type identityref {
            base anti-virus-capability;
          }
          description
            "Anti-Virus capabilities";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - Advanced NSF Anti-Virus capabilities";
        }

        leaf-list anti-ddos-capability {
          type identityref {
            base anti-ddos-capability;
          }
          description
            "Anti-DDoS Attack capabilities";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - Advanced NSF Anti-DDoS Attack capabilities";
        }

        leaf-list ips-capability {
          type identityref {
            base ips-capability;
          }
          description
            "IPS capabilities";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - Advanced NSF IPS capabilities";
        }

        leaf-list url-capability {
          type identityref {
            base url-capability;
          }
          description
            "URL capabilities";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - Advanced NSF URL capabilities";
        }

        leaf-list voip-volte-capability {
          type identityref {
            base voip-volte-capability;
          }
          description
            "VoIP/VoLTE capabilities";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - Advanced NSF VoIP/VoLTE capabilities";
        }
      }

      leaf-list context-capabilities {
        type identityref {
          base context-capability;
        }
        description
          "Security context capabilities";
      }
    }

    container action-capabilities {
      description
        "Action capabilities.
         If a network security function has the action capabilities,
         the network security function supports the attendant
         actions for policy rules.";

      leaf-list ingress-action-capability {
        type identityref {
          base ingress-action-capability;
        }
        description
          "Ingress-action capabilities";
      }

      leaf-list egress-action-capability {
        type identityref {
          base egress-action-capability;
        }
        description
          "Egress-action capabilities";
      }

      leaf-list log-action-capability {
        type identityref {
          base log-action-capability;
        }
        description
          "Log-action capabilities";
      }
    }

    leaf-list resolution-strategy-capabilities {
      type identityref {
        base resolution-strategy-capability;
      }
      description
        "Resolution strategy capabilities.
         A resolution strategy specifies how a particular NSF
         resolves conflicts between the actions of the same or
         different policy rules that match the same packet.";
      reference
        "draft-ietf-i2nsf-capability-05: Information Model of
         NSFs Capabilities - Resolution strategy capabilities";
    }

    leaf-list default-action-capabilities {
      type identityref {
        base default-action-capability;
      }
      description
        "Default action capabilities.
         A default action is applied to a packet when no I2NSF
         policy rule matches it. The default action is defined
         as pass, drop, alert, or mirror.";
      reference
        "RFC 8329: Framework for Interface to Network Security
         Functions - Ingress and egress actions.
         draft-ietf-i2nsf-capability-05: Information Model of
         NSFs Capabilities - Default action capabilities.";
    }

    leaf-list ipsec-method {
      type identityref {
        base ipsec-capability;
      }
      description
        "IPsec method capabilities";
      reference
        "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08:
         Software-Defined Networking (SDN)-based IPsec Flow
         Protection - IPsec methods such as IKE and IKE-less";
    }
  }

  /*
   * Data nodes
   */

  list nsf {
    key "nsf-name";
    description
      "The list of Network Security Functions (NSFs)";
    leaf nsf-name {
      type string;
      mandatory true;
      description
        "The name of Network Security Function (NSF)";
    }
  }
}

<CODE ENDS>

             Figure 3: YANG Data Module of I2NSF Capability

6.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   ID: yang:ietf-i2nsf-capability
   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
   Filename: [ TBD-at-Registration ]
   Reference: [ RFC-to-be ]

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525]:

   Name: ietf-i2nsf-capability
   File: [ TBD-at-Registration ]
   Maintained by IANA? N
   Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
   Prefix: nsfcap
   Module:
   Reference: [ RFC-to-be ]

7.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].
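   The identityref leaf-lists of the module above are the content these
   protocols carry, and a Security Controller should not act on a
   capability registration whose values fall outside the identity
   hierarchy the module defines.  The following Python is an added
   example, not code from this document or from any I2NSF
   implementation: it hand-transcribes a subset of the identity
   statements in Figure 3, including the multi-base actions (pass,
   drop, alert and mirror are valid in the ingress, egress and
   default-action lists, while invoke-signaling is egress-only), and
   checks two constructed RFC 7951 JSON instances against it.  It
   assumes the nodes of the nsf-capabilities grouping appear under each
   nsf list entry; in this revision the list itself carries only
   nsf-name.

```python
"""Check an NSF capability registration against the identity hierarchy of
ietf-i2nsf-capability.  Added example, not code from the draft or from an
I2NSF implementation: IDENTITIES is hand-transcribed from a subset of the
identity statements in Figure 3; the two instances are constructed RFC 7951
JSON samples, in which an identityref may read "module-name:identity"."""
MODULE = "ietf-i2nsf-capability"

# identity -> its base identities (YANG 1.1 allows more than one);
# root identities, which carry no "base" statement, map to [].
IDENTITIES = {
    "condition": [], "ingress-action-capability": [],
    "egress-action-capability": [], "default-action-capability": [],
    "log-action-capability": [], "resolution-strategy-capability": [],
    "ipsec-capability": [], "ipv4-capability": ["condition"],
    "tcp-capability": ["condition"], "udp-capability": ["condition"],
    "exact-ipv4-address": ["ipv4-capability"],
    "exact-tcp-port-num": ["tcp-capability"],
    "range-tcp-port-num": ["tcp-capability"],
    "exact-udp-port-num": ["udp-capability"],
    "invoke-signaling": ["egress-action-capability"],
    "forwarding": ["egress-action-capability"],
    "rule-log": ["log-action-capability"],
    "fmr": ["resolution-strategy-capability"], "ike": ["ipsec-capability"],
}
# pass, drop, alert and mirror each carry three base statements.
for _a in ("pass", "drop", "alert", "mirror"):
    IDENTITIES[_a] = ["ingress-action-capability",
                      "egress-action-capability", "default-action-capability"]

# path of an identityref leaf-list in the grouping -> the base it requires
LEAF_BASES = {("condition-capabilities", "generic-nsf-capabilities", n): n
              for n in ("ipv4-capability", "tcp-capability", "udp-capability")}
LEAF_BASES.update({("action-capabilities", n): n for n in
                   ("ingress-action-capability", "egress-action-capability",
                    "log-action-capability")})
LEAF_BASES.update({("resolution-strategy-capabilities",): "resolution-strategy-capability",
                   ("default-action-capabilities",): "default-action-capability",
                   ("ipsec-method",): "ipsec-capability"})


def derived_from(identity, base):
    """True if identity is derived from base, directly or through other
    identities, along every base statement.  The base itself is not a legal
    value of an identityref typed with it (RFC 7950, Section 9.10), so the
    walk starts at identity's own bases rather than at identity."""
    seen, stack = set(), list(IDENTITIES.get(identity, []))
    while stack:
        cur = stack.pop()
        if cur == base:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(IDENTITIES.get(cur, []))
    return False


def validate_nsf(nsf):
    """Problems with one nsf entry; [] means every value is acceptable."""
    problems = [] if nsf.get("nsf-name") else ["nsf-name is mandatory"]
    for path, base in LEAF_BASES.items():
        node, where = nsf, "/".join(path)
        for step in path:
            node = node.get(step) if isinstance(node, dict) else None
        if node is None:
            continue                          # every leaf-list is optional
        if not isinstance(node, list):
            problems.append("%s: expected a leaf-list" % where)
            continue
        for value in node:
            # strip our own module name (RFC 7951 prefix form); a foreign
            # module name is kept so that the lookup below fails
            module, sep, name = value.rpartition(":")
            name = name if sep and module == MODULE else value
            if name not in IDENTITIES:
                problems.append("%s: unknown identity %r" % (where, value))
            elif not derived_from(name, base):
                problems.append("%s: %r not derived from %s" % (where, value, base))
    return problems


GOOD_NSF = {  # constructed: a packet filter that also speaks IKE
    "nsf-name": "fw-1",
    "condition-capabilities": {"generic-nsf-capabilities": {
        "ipv4-capability": ["exact-ipv4-address"],
        "tcp-capability": ["exact-tcp-port-num", "range-tcp-port-num"],
        "udp-capability": ["exact-udp-port-num"]}},
    "action-capabilities": {
        "ingress-action-capability": ["pass", "drop", "alert"],
        "egress-action-capability": ["pass", "drop", "forwarding"],
        "log-action-capability": ["rule-log"]},
    "resolution-strategy-capabilities": ["fmr"],
    "default-action-capabilities": ["drop"], "ipsec-method": ["ike"],
}
BAD_NSF = {  # constructed: exactly one problem in each list below
    "nsf-name": "fw-2",
    "condition-capabilities": {"generic-nsf-capabilities": {
        "udp-capability": ["range-tcp-port-num"]}},          # a TCP identity
    "action-capabilities": {
        "ingress-action-capability": ["pass", "invoke-signaling"]},  # egress-only
    "default-action-capabilities": ["forwarding"],           # not a default action
    "ipsec-method": ["ietf-i2nsf-capability:ike", "no-such-identity"],
}

if __name__ == "__main__":
    for nsf in (GOOD_NSF, BAD_NSF):
        print(nsf["nsf-name"], validate_nsf(nsf) or "ok")
```

   Run as a script, fw-1 is reported as ok and fw-2 with four problems,
   one per offending leaf-list.  Because a base identity is not itself a
   legal value of an identityref typed with that base, a registration
   that lists tcp-capability inside the tcp-capability leaf-list is
   rejected as well; the same walk is what an implementation must do
   when a future module adds identities derived from these bases.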
   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable, creatable, and deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations to these data nodes
   could have a negative effect on network and security operations.

   o  ietf-i2nsf-capability: An attacker could alter the security
      capabilities associated with an NSF, thereby disabling security
      mitigations or enabling their evasion.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker could gather the security
      capability information of any NSF and use this information to
      evade detection or filtering.

8.  References

8.1.  Normative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities",
              draft-ietf-i2nsf-capability-05 (work in progress),
              April 2019.

   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
              "I2NSF NSF Monitoring YANG Data Model",
              draft-ietf-i2nsf-nsf-monitoring-data-model-03 (work in
              progress), May 2020.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
              (work in progress), June 2020.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3849]  Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
              Reserved for Documentation", RFC 3849,
              DOI 10.17487/RFC3849, July 2004.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC5737]  Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
              Reserved for Documentation", RFC 5737,
              DOI 10.17487/RFC5737, January 2010.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296,
              October 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8519]  Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
              "YANG Data Model for Network Access Control Lists (ACLs)",
              RFC 8519, DOI 10.17487/RFC8519, March 2019.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
              Kumari, "A Format for Self-Published IP Geolocation
              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020.

8.2.  Informative References

   [IANA-Protocol-Numbers]
              "Assigned Internet Protocol Numbers", Available:
              https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml,
              September 2020.

Appendix A.  Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-capability" module for the capabilities registration of
   NSFs such as a general firewall.

A.1.  Example 1: Registration for the Capabilities of a General Firewall

   This section shows a configuration example for the capabilities
   registration of a general firewall in either an IPv4 network or an
   IPv6 network.
      general_firewall
      ipv4-protocol
      exact-ipv4-address
      range-ipv4-address
      exact-fourth-layer-port-num
      range-fourth-layer-port-num
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 4: Configuration XML for the Capabilities Registration of a
                   General Firewall in an IPv4 Network

   Figure 4 shows the configuration XML for the capabilities
   registration of a general firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer (transport-layer) packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

      general_firewall
      ipv6-protocol
      exact-ipv6-address
      range-ipv6-address
      exact-fourth-layer-port-num
      range-fourth-layer-port-num
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 5: Configuration XML for the Capabilities Registration of a
                   General Firewall in an IPv6 Network

   In addition, Figure 5 shows the configuration XML for the
   capabilities registration of a general firewall as an NSF in an IPv6
   network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer (transport-layer) packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.2.  Example 2: Registration for the Capabilities of a Time-based
      Firewall

   This section shows a configuration example for the capabilities
   registration of a time-based firewall in either an IPv4 network or an
   IPv6 network.

      time_based_firewall
      absolute-time
      periodic-time
      ipv4-protocol
      exact-ipv4-address
      range-ipv4-address
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 6: Configuration XML for the Capabilities Registration of a
                  Time-based Firewall in an IPv4 Network

   Figure 6 shows the configuration XML for the capabilities
   registration of a time-based firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

      time_based_firewall
      absolute-time
      periodic-time
      ipv6-protocol
      exact-ipv6-address
      range-ipv6-address
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 7: Configuration XML for the Capabilities Registration of a
                  Time-based Firewall in an IPv6 Network

   In addition, Figure 7 shows the configuration XML for the
   capabilities registration of a time-based firewall as an NSF in an
   IPv6 network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.3.  Example 3: Registration for the Capabilities of a Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

      web_filter
      user-defined
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 8: Configuration XML for the Capabilities Registration of a
                               Web Filter

   Figure 8 shows the configuration XML for the capabilities
   registration of a web filter as an NSF.  Its capabilities are as
   follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect the URL of HTTP and HTTPS packets.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE
      Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

      voip_volte_filter
      voice-id
      pass
      drop
      alert
      pass
      drop
      alert

     Figure 9: Configuration XML for the Capabilities Registration of a
                            VoIP/VoLTE Filter

   Figure 9 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter as an NSF.  Its capabilities are
   as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect a voice ID for VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.5.  Example 5: Registration for the Capabilities of an HTTP and HTTPS
      Flood Mitigator

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.
      http_and_https_flood_mitigation
      http-flood-action
      https-flood-action
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 10: Configuration XML for the Capabilities Registration of an
                       HTTP and HTTPS Flood Mitigator

   Figure 10 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator as an NSF.  Its
   capabilities are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The IPv4 address of the NSF is assumed to be 192.0.2.11
       [RFC5737].  Also, the IPv6 address of the NSF is assumed to be
       2001:DB8:0:1::11 [RFC3849].

   3.  The NSF can control the number of HTTP and HTTPS packets that
       are routed to the NSF's IPv4 address or the NSF's IPv6 address.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

Appendix B.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

Appendix C.  Contributors

   This document is the result of a group effort of the I2NSF working
   group.  Many people actively contributed to this document, such as
   Acee Lindem, Roman Danyliw, and Tom Petch.  The authors sincerely
   appreciate their contributions.

   The following are co-authors of this document:

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China

   EMail: Frank.Xialiang@huawei.com

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon, 34129
   Republic of Korea

   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: sehuilee@kt.com

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com