I2NSF Working Group                                        S. Hares, Ed.
Internet-Draft                                                    Huawei
Intended status: Standards Track                           J. Jeong, Ed.
Expires: March 19, 2021                                           J. Kim
                                                 Sungkyunkwan University
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  Q. Lin
                                                                  Huawei
                                                      September 15, 2020

                    I2NSF Capability YANG Data Model
               draft-ietf-i2nsf-capability-data-model-12

Abstract

   This document defines a YANG data model for the capabilities of
   various Network Security Functions (NSFs) in the Interface to Network
   Security Functions (I2NSF) framework to centrally manage the
   capabilities of the various NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 19, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Overview
   4.  YANG Tree Diagram
     4.1.  Network Security Function (NSF) Capabilities
   5.  YANG Data Model of I2NSF NSF Capability
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Example 1: Registration for the Capabilities of a General
           Firewall
     A.2.  Example 2: Registration for the Capabilities of a Time-
           based Firewall
     A.3.  Example 3: Registration for the Capabilities of a Web
           Filter
     A.4.  Example 4: Registration for the Capabilities of a
           VoIP/VoLTE Filter
     A.5.  Example 5: Registration for the Capabilities of a HTTP
           and HTTPS Flood Mitigator
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   As the industry becomes more sophisticated and network devices (e.g.,
   Internet of Things devices, self-driving vehicles, and smartphones
   using Voice over IP (VoIP) and Voice over LTE (VoLTE)) proliferate,
   service providers face many of the problems described in [RFC8192].
   To resolve these problems, [I-D.ietf-i2nsf-capability] specifies the
   information model of the capabilities of Network Security Functions
   (NSFs) in a framework of the Interface to Network Security Functions
   (I2NSF) [RFC8329].

   This document provides a YANG data model [RFC6020][RFC7950] that
   defines the capabilities of NSFs to centrally manage the capabilities
   of those security devices.  The security devices can register their
   own capabilities into a Network Operator Management (Mgmt) System
   (i.e., Security Controller) with this YANG data model through the
   registration interface [RFC8329].  With the capabilities of those
   security devices maintained centrally, those security devices can be
   more easily managed [RFC8329].  This YANG data model is based on the
   information model for I2NSF NSF capabilities
   [I-D.ietf-i2nsf-capability].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy as
   described in [RFC8329] and [I-D.ietf-i2nsf-capability].  The "ietf-
   i2nsf-capability" YANG module defined in this document provides the
   following features:

   o  Definition for general capabilities of network security functions.

   o  Definition for event capabilities of generic network security
      functions.

   o  Definition for condition capabilities of generic network security
      functions.

   o  Definition for condition capabilities of advanced network security
      functions.

   o  Definition for action capabilities of generic network security
      functions.

   o  Definition for resolution strategy capabilities of generic network
      security functions.

   o  Definition for default action capabilities of generic network
      security functions.

2.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

3.  Overview

   This section provides an overview of how the YANG data model can be
   used in the I2NSF framework described in [RFC8329].  Figure 1 shows
   the capabilities (e.g., firewall and web filter) of NSFs in the I2NSF
   Framework.  As shown in this figure, an NSF Developer's Management
   System can register NSFs and the capabilities that the network
   security device can support.  To register NSFs in this way, the
   Developer's Management System utilizes this standardized capability
   YANG data model through the I2NSF Registration Interface [RFC8329].
   That is, this Registration Interface uses the YANG module described
   in this document to describe the capability of a network security
   function that is registered with the Security Controller.  With the
   capabilities of those network security devices maintained centrally,
   those security devices can be more easily managed, which can resolve
   many of the problems described in [RFC8192].

   In Figure 1, a new NSF at a Developer's Management System has
   capabilities of Firewall (FW) and Web Filter (WF), which are denoted
   as (Cap = {FW, WF}), to support Event-Condition-Action (ECA) policy
   rules where 'E', 'C', and 'A' mean "Event", "Condition", and
   "Action", respectively.  The condition involves IPv4 or IPv6
   datagrams, and the action includes "Allow" and "Deny" for those
   datagrams.

   Note that the NSF-Facing Interface [RFC8329] is used to configure the
   security policy rules of the generic network security functions, and
   the configuration of advanced security functions over the NSF-Facing
   Interface is used to configure the security policy rules of advanced
   network security functions (e.g., anti-virus and Distributed-Denial-
   of-Service (DDoS) attack mitigator), according to the capabilities of
   NSFs registered with the I2NSF Framework.

     +------------------------------------------------------+
     | I2NSF User (e.g., Overlay Network Mgmt, Enterprise   |
     | Network Mgmt, another network domain's mgmt, etc.)   |
     +--------------------+---------------------------------+
                I2NSF     ^
     Consumer-Facing Interface
                          |
                          v                    I2NSF
     +-----------------+------------+   Registration   +-------------+
     | Network Operator Mgmt System |    Interface     | Developer's |
     | (i.e., Security Controller)  |<---------------->| Mgmt System |
     +-----------------+------------+                  +-------------+
                       ^                               New NSF
                       |                               Cap = {FW, WF}
              I2NSF    |                               E = {}
     NSF-Facing Interface                              C = {IPv4, IPv6}
                       |                               A = {Allow, Deny}
                       v
     +---------------+----+------------+-----------------+
     |               |                 |                 |
 +---+---+       +---+---+         +---+---+         +---+---+
 | NSF-1 |  ...  | NSF-m |         | NSF-1 |  ...    | NSF-n |
 +-------+       +-------+         +-------+         +-------+
   NSF-1            NSF-m             NSF-1             NSF-n
   Cap = {FW, WF}   Cap = {FW, WF}    Cap = {FW, WF}    Cap = {FW, WF}
   E = {}           E = {user}        E = {dev}         E = {time}
   C = {IPv4}       C = {IPv6}        C = {IPv4, IPv6}  C = {IPv4}
   A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny}

      Developer's Mgmt System A          Developer's Mgmt System B

            Figure 1: Capabilities of NSFs in I2NSF Framework

   A use case of an NSF with the capabilities of firewall and web filter
   is described as follows.

   o  If a network manager wants to apply security policy rules to block
      malicious users with firewall and web filter, it is a tremendous
      burden for a network administrator to apply all of the needed
      rules to NSFs one by one.  This problem can be resolved by
      managing the capabilities of NSFs as described in this document.

   o  If a network administrator wants to block malicious users for IPv6
      traffic, the administrator sends a security policy rule to block
      the users to the Network Operator Management System using the
      I2NSF User (i.e., web application).

   o  When the Network Operator Management System receives the security
      policy rule, it automatically sends that security policy rule to
      the appropriate NSFs (i.e., NSF-m in Developer's Management System
      A and NSF-1 in Developer's Management System B) which support the
      required capabilities (i.e., IPv6).  This relieves the I2NSF User
      of having to consider which NSFs the rule is applied to.

   o  If NSFs encounter the suspicious IPv6 packets of malicious users,
      they can filter the packets out according to the configured
      security policy rule.  Therefore, the security policy rule against
      the malicious users' packets can be automatically applied to the
      appropriate NSFs without human intervention.

4.  YANG Tree Diagram

   This section shows a YANG tree diagram of capabilities of network
   security functions, as defined in [I-D.ietf-i2nsf-capability].

4.1.  Network Security Function (NSF) Capabilities

   This section explains a YANG tree diagram of NSF capabilities and its
   features.  Figure 2 shows a YANG tree diagram of NSF capabilities.
   The NSF capabilities in the tree include time capabilities, event
   capabilities, condition capabilities, action capabilities, resolution
   strategy capabilities, and default action capabilities.  Those
   capabilities can be tailored or extended according to a vendor's
   specific requirements.  Refer to the NSF capabilities information
   model for detailed discussion [I-D.ietf-i2nsf-capability].
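   The capability-based dispatch of the Section 3 use case, driven by
   registration data shaped like the "nsf" list of Figure 2, as an added
   Python example that is not part of this draft: the JSON encoding
   follows RFC 7951 conventions (the draft's own appendix examples are
   XML), the NSF names and their registrations are constructed to mirror
   Figure 1, and the identity hierarchy is the subset of the module's
   "base" statements needed to resolve identityref values by derivation
   the way a YANG-aware Security Controller would.

```python
"""Select the NSFs whose registered condition capabilities cover a rule.

Added example, not part of the I2NSF capability draft.  Registration
data is constructed here in RFC 7951 JSON form; the identity table is
copied from the module's "base" statements (only the subset used).
"""
from typing import Dict, Iterable, List, Set

MOD = "ietf-i2nsf-capability"

# identity -> its base identity, as declared in the YANG module.
IDENTITY_BASE: Dict[str, str] = {
    "ipv4-capability": "condition",
    "exact-ipv4-address": "ipv4-capability",
    "range-ipv4-address": "ipv4-capability",
    "ipv6-capability": "condition",
    "exact-ipv6-address": "ipv6-capability",
    "range-ipv6-address": "ipv6-capability",
    "ipv6-next-header": "ipv6-capability",
    "tcp-capability": "condition",
    "exact-tcp-port-num": "tcp-capability",
    "range-tcp-port-num": "tcp-capability",
}


def local_name(identityref: str) -> str:
    """Strip the 'module:' prefix of an RFC 7951 identityref value."""
    return identityref.split(":", 1)[1] if ":" in identityref else identityref


def derived_from_or_self(identity: str, base: str) -> bool:
    """YANG derived-from-or-self(): walk the base chain upward."""
    cur, base = local_name(identity), local_name(base)
    while True:
        if cur == base:
            return True
        if cur not in IDENTITY_BASE:  # reached a root identity
            return False
        cur = IDENTITY_BASE[cur]


def generic_condition_caps(nsf: dict) -> Set[str]:
    """Flatten every generic condition capability one NSF registered."""
    generic = nsf.get("condition-capabilities", {}).get(
        "generic-nsf-capabilities", {})
    caps: Set[str] = set()
    for leaf_list in generic.values():
        caps.update(local_name(v) for v in leaf_list)
    return caps


def supports(nsf: dict, required: Iterable[str]) -> bool:
    """Every required identity must be matched by a registered identity
    that is the same or derived from it: a range matcher satisfies a
    request for the generic ipv6-capability but not for exact-ipv6-address."""
    caps = generic_condition_caps(nsf)
    return all(any(derived_from_or_self(c, req) for c in caps)
               for req in required)


def nsfs_supporting(registrations: dict, required: Iterable[str]) -> List[str]:
    """Names of the NSFs a controller may push the rule to."""
    required = list(required)
    return [n["nsf-name"] for n in registrations[f"{MOD}:nsf"]
            if supports(n, required)]


def nsf_entry(name: str, **leaf_lists: List[str]) -> dict:
    """Build one /nsf list entry; kwargs are the generic leaf-lists
    (ipv4_capability=..., ipv6_capability=..., ...)."""
    return {
        "nsf-name": name,
        "condition-capabilities": {
            "generic-nsf-capabilities": {
                k.replace("_", "-"): [f"{MOD}:{v}" for v in vals]
                for k, vals in leaf_lists.items()
            }
        },
    }


# Constructed registrations mirroring Figure 1: C = {IPv4}, {IPv6},
# {IPv4, IPv6}, {IPv4} for NSF-1/NSF-m of system A and NSF-1/NSF-n of B.
REGISTRATIONS = {
    f"{MOD}:nsf": [
        nsf_entry("A-NSF-1", ipv4_capability=["exact-ipv4-address"]),
        nsf_entry("A-NSF-m", ipv6_capability=["exact-ipv6-address",
                                              "range-ipv6-address"]),
        nsf_entry("B-NSF-1", ipv4_capability=["range-ipv4-address"],
                  ipv6_capability=["exact-ipv6-address"]),
        nsf_entry("B-NSF-n", ipv4_capability=["exact-ipv4-address"]),
    ]
}

if __name__ == "__main__":
    # The Section 3 rule: block specific malicious IPv6 sources.
    print(nsfs_supporting(REGISTRATIONS, ["exact-ipv6-address"]))
    # -> ['A-NSF-m', 'B-NSF-1']
```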
   module: ietf-i2nsf-capability
     +--rw nsf* [nsf-name]
        +--rw nsf-name                              string
        +--rw time-capabilities*                    enumeration
        +--rw event-capabilities
        |  +--rw system-event-capability*           identityref
        |  +--rw system-alarm-capability*           identityref
        +--rw condition-capabilities
        |  +--rw generic-nsf-capabilities
        |  |  +--rw ipv4-capability*                identityref
        |  |  +--rw icmp-capability*                identityref
        |  |  +--rw ipv6-capability*                identityref
        |  |  +--rw icmpv6-capability*              identityref
        |  |  +--rw tcp-capability*                 identityref
        |  |  +--rw udp-capability*                 identityref
        |  +--rw advanced-nsf-capabilities
        |  |  +--rw anti-virus-capability*          identityref
        |  |  +--rw anti-ddos-capability*           identityref
        |  |  +--rw ips-capability*                 identityref
        |  |  +--rw url-capability*                 identityref
        |  |  +--rw voip-volte-capability*          identityref
        |  +--rw context-capabilities*              identityref
        +--rw action-capabilities
        |  +--rw ingress-action-capability*         identityref
        |  +--rw egress-action-capability*          identityref
        |  +--rw log-action-capability*             identityref
        +--rw resolution-strategy-capabilities*     identityref
        +--rw default-action-capabilities*          identityref
        +--rw ipsec-method*                         identityref

      Figure 2: YANG Tree Diagram of Capabilities of Network Security
                                Functions

   Time capabilities are used to specify the capabilities which describe
   when to execute the I2NSF policy rule.  The time capabilities are
   defined in terms of absolute time and periodic time.  The absolute
   time means the exact time to start or end.  The periodic time means
   repeated time like day, week, or month.  See Section 3.4.6
   (Capability Algebra) in [I-D.ietf-i2nsf-capability] for more
   information about the time-based condition (e.g., time period) in the
   capability algebra.

   Event capabilities are used to specify the capabilities that describe
   the event that would trigger the evaluation of the condition clause
   of the I2NSF Policy Rule.  The defined event capabilities are system
   event and system alarm.  See Section 3.1 (Design Principles and ECA
   Policy Model Overview) in [I-D.ietf-i2nsf-capability] for more
   information about the event in the ECA policy model.

   Condition capabilities are used to specify capabilities of a set of
   attributes, features, and/or values that are to be compared with a
   set of known attributes, features, and/or values in order to
   determine whether or not the set of actions in that (imperative)
   I2NSF policy rule can be executed.  The condition capabilities are
   classified in terms of generic network security functions and
   advanced network security functions.  The condition capabilities of
   generic network security functions are defined as IPv4 capability,
   IPv6 capability, TCP capability, UDP capability, and ICMP capability.
   The condition capabilities of advanced network security functions are
   defined as anti-virus capability, anti-DDoS capability, Intrusion
   Prevention System (IPS) capability, HTTP capability, and VoIP/VoLTE
   capability.  See Section 3.1 (Design Principles and ECA Policy Model
   Overview) in [I-D.ietf-i2nsf-capability] for more information about
   the condition in the ECA policy model.  Also, see Section 3.4.3
   (I2NSF Condition Clause Operator Types) in
   [I-D.ietf-i2nsf-capability] for more information about the operator
   types in an I2NSF condition clause.

   Action capabilities are used to specify the capabilities that
   describe the control and monitoring aspects of flow-based NSFs when
   the event and condition clauses are satisfied.  The action
   capabilities are defined as ingress-action capability, egress-action
   capability, and log-action capability.  See Section 3.1 (Design
   Principles and ECA Policy Model Overview) in
   [I-D.ietf-i2nsf-capability] for more information about the action in
   the ECA policy model.  Also, see Section 7.2 (NSF-Facing Flow
   Security Policy Structure) in [RFC8329] for more information about
   the ingress and egress actions.  In addition, see Section 9.1 (Flow-
   Based NSF Capability Characterization) for more information about
   logging at NSFs.

   Resolution strategy capabilities are used to specify the capabilities
   that describe how to resolve conflicts that occur between the actions
   of the same or different policy rules that are matched and contained
   in this particular NSF.  The resolution strategy capabilities are
   defined as First Matching Rule (FMR), Last Matching Rule (LMR),
   Prioritized Matching Rule (PMR), Prioritized Matching Rule with
   Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN).
   See Section 3.4.2 (Conflict, Resolution Strategy and Default Action)
   in [I-D.ietf-i2nsf-capability] for more information about the
   resolution strategy.

   Default action capabilities are used to specify the capabilities that
   describe how to execute I2NSF policy rules when no rule matches a
   packet.  The default action capabilities are defined as pass, drop,
   alert, and mirror.  See Section 3.4.2 (Conflict, Resolution Strategy
   and Default Action) in [I-D.ietf-i2nsf-capability] for more
   information about the default action.

   IPsec method capabilities are used to specify capabilities of how to
   support an Internet Key Exchange (IKE) [RFC7296] for the security
   communication.  The IPsec method capabilities are defined as IKE or
   IKE-less.  See [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] for more
   information about the SDN-based IPsec flow protection in I2NSF.

5.  YANG Data Model of I2NSF NSF Capability

   This section introduces a YANG module for NSFs' capabilities, as
   defined in [I-D.ietf-i2nsf-capability].

   This YANG module imports from [RFC6991].  It makes references to
   [RFC0768][IANA-Protocol-Numbers][RFC0791][RFC0792][RFC0793][RFC3261]
   [RFC4443][RFC8200][RFC8329][I-D.ietf-i2nsf-capability]
   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].

<CODE BEGINS> file "ietf-i2nsf-capability@2020-09-15.yang"

module ietf-i2nsf-capability {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
  prefix
    nsfcap;

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     Editor: Jaehoon Paul Jeong

     Editor: Jinyong Tim Kim

     Editor: Susan Hares
     ";

  description
    "This module is a YANG module for I2NSF Network Security
     Functions (NSFs)'s Capabilities.

     Copyright (c) 2020 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with an actual RFC number and remove
  // this note.

  revision "2020-09-15"{
    description "Initial revision.";
    reference
      "RFC XXXX: I2NSF Capability YANG Data Model";

    // RFC Ed.: replace XXXX with an actual RFC number and remove
    // this note.
  }

  /*
   * Identities
   */

  identity event {
    description
      "Base identity for I2NSF policy events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - Event";

    // RFC Ed.: replace the above draft with an actual RFC in the
    // YANG module and remove this note.
  }

  identity system-event-capability {
    base event;
    description
      "Identity for system event";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event";
  }

  identity system-alarm-capability {
    base event;
    description
      "Identity for system alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm";
  }

  identity access-violation {
    base system-event-capability;
    description
      "Identity for access violation event";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event for access
       violation";
  }

  identity configuration-change {
    base system-event-capability;
    description
      "Identity for configuration change event";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event for configuration
       change";
  }

  identity memory-alarm {
    base system-alarm-capability;
    description
      "Identity for memory alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for memory";
  }

  identity cpu-alarm {
    base system-alarm-capability;
    description
      "Identity for CPU alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for CPU";
  }

  identity disk-alarm {
    base system-alarm-capability;
    description
      "Identity for disk alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for disk";
  }

  identity hardware-alarm {
    base system-alarm-capability;
    description
      "Identity for hardware alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for hardware";
  }

  identity interface-alarm {
    base system-alarm-capability;
    description
      "Identity for interface alarm";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for interface";
  }

  identity condition {
    description
      "Base identity for policy conditions";
  }

  identity context-capability {
    base condition;
    description
      "Identity for context condition capabilities for an NSF";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - The operating context of an NSF.";
  }

  identity access-control-list {
    base context-capability;
    description
      "Identity for Access Control List (ACL) condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - The context of an NSF.
       RFC 8519: YANG Data Model for Network Access Control Lists
       (ACLs) - A user-ordered set of rules used to configure the
       forwarding behavior in an NSF.";
  }

  identity application-layer-filter {
    base context-capability;
    description
      "Identity for application-layer-filter condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - An application-layer filtering (e.g., web
       filter) as an NSF.";
  }

  identity target {
    base context-capability;
    description
      "Identity for target condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - A target (or destination) of a policy rule
       to be applied by an NSF.
       RFC 8519: YANG Data Model for Network Access Control Lists
       (ACLs) - An access control for a target (e.g., the
       corresponding IP address) in an NSF.";
  }

  identity user {
    base context-capability;
    description
      "Identity for user condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - A user in an application of a policy rule
       to be applied by an NSF.
       RFC 8519: YANG Data Model for Network Access Control Lists
       (ACLs) - An access control for a user (e.g., the
       corresponding IP address) in an NSF.";
  }

  identity group {
    base context-capability;
    description
      "Identity for group condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - A group (i.e., a set of users) in an
       application of a policy rule to be applied by an NSF.
       RFC 8519: YANG Data Model for Network Access Control Lists
       (ACLs) - An access control for a group (e.g., the
       corresponding IP address) in an NSF.";
  }

  identity geography {
    base context-capability;
    description
      "Identity for geography condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model of NSFs
       Capabilities - A group (i.e., a set of users) in an
       application of a policy rule to be applied by an NSF.
       RFC 8519: YANG Data Model for Network Access Control Lists
       (ACLs) - An access control for a geographical location
       i.e., geolocation (e.g., the corresponding IP address) in
       an NSF.
       RFC 8805: A Format for Self-Published IP Geolocation Feeds
       - An IP address with geolocation information.";
  }

  identity ipv4-capability {
    base condition;
    description
      "Identity for IPv4 condition capability";
    reference
      "RFC 791: Internet Protocol";
  }

  identity exact-ipv4-header-length {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 header-length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Header Length";
  }

  identity range-ipv4-header-length {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 header-length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Header Length";
  }

  identity ipv4-tos {
    base ipv4-capability;
    description
      "Identity for IPv4 Type-Of-Service (TOS)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Type of Service";
  }

  identity exact-ipv4-total-length {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 total length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Total Length";
  }

  identity range-ipv4-total-length {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 total length
       condition capability";
    reference
      "RFC 791: Internet Protocol - Total Length";
  }

  identity ipv4-id {
    base ipv4-capability;
    description
      "Identity for identification condition capability";
    reference
      "RFC 791: Internet Protocol - Identification";
  }

  identity ipv4-fragment-flags {
    base ipv4-capability;
    description
      "Identity for IPv4 fragment flags condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity exact-ipv4-fragment-offset {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 fragment offset
       condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Offset";
  }

  identity range-ipv4-fragment-offset {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 fragment offset
       condition capability";
    reference
      "RFC 791: Internet Protocol - Fragmentation Offset";
  }

  identity exact-ipv4-ttl {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 Time-To-Live (TTL)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Time To Live (TTL)";
  }

  identity range-ipv4-ttl {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 Time-To-Live (TTL)
       condition capability";
    reference
      "RFC 791: Internet Protocol - Time To Live (TTL)";
  }

  identity ipv4-protocol {
    base ipv4-capability;
    description
      "Identity for IPv4 protocol condition capability";
    reference
      "IANA Website: Assigned Internet Protocol Numbers
       - Protocol Number for IPv4
       RFC 791: Internet Protocol - Protocol";
  }

  identity exact-ipv4-address {
    base ipv4-capability;
    description
      "Identity for exact-match IPv4 address
       condition capability";
    reference
      "RFC 791: Internet Protocol - Address";
  }

  identity range-ipv4-address {
    base ipv4-capability;
    description
      "Identity for range-match IPv4 address condition
       capability";
    reference
      "RFC 791: Internet Protocol - Address";
  }

  identity ipv4-ip-opts {
    base ipv4-capability;
    description
      "Identity for IPv4 option condition capability";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ipv4-geo-ip {
    base ipv4-capability;
    description
      "Identity for geography condition capability";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Geo-IP";
  }

  identity ipv6-capability {
    base condition;
    description
      "Identity for IPv6 condition capabilities";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification";
  }

  identity ipv6-traffic-class {
    base ipv6-capability;
    description
      "Identity for IPv6 traffic class
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity exact-ipv6-flow-label {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 flow label
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Flow Label";
  }

  identity range-ipv6-flow-label {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 flow label
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Flow Label";
  }

  identity exact-ipv6-payload-length {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 payload length
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Payload Length";
  }

  identity range-ipv6-payload-length {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 payload length
       condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Payload Length";
  }

  identity ipv6-next-header {
    base ipv6-capability;
    description
      "Identity for IPv6 next header condition capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity exact-ipv6-hop-limit {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 hop limit condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Hop Limit";
  }

  identity range-ipv6-hop-limit {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 hop limit condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Hop Limit";
  }

  identity ipv6-protocol {
    base ipv6-capability;
    description
      "Identity for IPv6 protocol condition capability";
    reference
      "IANA Website: Assigned Internet Protocol Numbers
       - Protocol Number for IPv6
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Protocol";
  }

  identity exact-ipv6-address {
    base ipv6-capability;
    description
      "Identity for exact-match IPv6 address condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity range-ipv6-address {
    base ipv6-capability;
    description
      "Identity for range-match IPv6 address condition
       capability";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Address";
  }

  identity tcp-capability {
    base condition;
    description
      "Identity for TCP condition capabilities";
    reference
      "RFC 793: Transmission Control Protocol";
  }

  identity exact-tcp-port-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP port number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity range-tcp-port-num {
    base tcp-capability;
    description
      "Identity for range-match TCP port number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Port Number";
  }

  identity exact-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP sequence number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Sequence Number";
  }

  identity range-tcp-seq-num {
    base tcp-capability;
    description
      "Identity for range-match TCP sequence number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Sequence Number";
  }

  identity exact-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for exact-match TCP acknowledgement number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity range-tcp-ack-num {
    base tcp-capability;
    description
      "Identity for range-match TCP acknowledgement number condition
       capability";
    reference
      "RFC 793: Transmission Control Protocol - Acknowledgement Number";
  }

  identity exact-tcp-window-size {
    base tcp-capability;
    description
      "Identity for exact-match TCP window size condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity range-tcp-window-size {
    base tcp-capability;
    description
      "Identity for range-match TCP window size condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Window Size";
  }

  identity tcp-flags {
    base tcp-capability;
    description
      "Identity for TCP flags condition capability";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity udp-capability {
    base condition;
    description
      "Identity for UDP condition capabilities";
    reference
      "RFC 768: User Datagram Protocol";
  }

  identity exact-udp-port-num {
    base udp-capability;
    description
      "Identity for exact-match UDP port number condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity range-udp-port-num {
    base udp-capability;
    description
      "Identity for range-match UDP port number condition capability";
    reference
      "RFC 768: User Datagram Protocol - Port Number";
  }

  identity exact-udp-total-length {
    base udp-capability;
    description
      "Identity for exact-match UDP total-length condition capability";
    reference
      "RFC 768: User Datagram Protocol - Total
Length"; 994 } 996 identity range-udp-total-length { 997 base udp-capability; 998 description 999 "Identity for range-match UDP total-length condition capability"; 1000 reference 1001 "RFC 768: User Datagram Protocol - Total Length"; 1002 } 1004 identity icmp-capability { 1005 base condition; 1006 description 1007 "Identity for ICMP condition capability"; 1008 reference 1009 "RFC 792: Internet Control Message Protocol"; 1010 } 1012 identity icmp-type { 1013 base icmp-capability; 1014 description 1015 "Identity for ICMP type condition capability"; 1016 reference 1017 "RFC 792: Internet Control Message Protocol"; 1018 } 1020 identity icmpv6-capability { 1021 base condition; 1022 description 1023 "Identity for ICMPv6 condition capability"; 1024 reference 1025 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1026 for the Internet Protocol Version 6 (IPv6) Specification 1027 - ICMPv6"; 1028 } 1030 identity icmpv6-type { 1031 base icmpv6-capability; 1032 description 1033 "Identity for ICMPv6 type condition capability"; 1034 reference 1035 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1036 for the Internet Protocol Version 6 (IPv6) Specification 1037 - ICMPv6"; 1038 } 1040 identity url-capability { 1041 base condition; 1042 description 1043 "Identity for URL condition capability"; 1044 } 1046 identity pre-defined { 1047 base url-capability; 1048 description 1049 "Identity for URL pre-defined condition capability"; 1050 } 1052 identity user-defined { 1053 base url-capability; 1054 description 1055 "Identity for URL user-defined condition capability"; 1056 } 1058 identity log-action-capability { 1059 description 1060 "Identity for log-action capability"; 1061 } 1062 identity rule-log { 1063 base log-action-capability; 1064 description 1065 "Identity for rule log log-action capability"; 1066 } 1068 identity session-log { 1069 base log-action-capability; 1070 description 1071 "Identity for session log log-action capability"; 1072 } 1074 identity 
ingress-action-capability { 1075 description 1076 "Identity for ingress-action capability"; 1077 reference 1078 "RFC 8329: Framework for Interface to Network Security 1079 Functions - Ingress action"; 1080 } 1082 identity egress-action-capability { 1083 description 1084 "Base identity for egress-action capability"; 1085 reference 1086 "RFC 8329: Framework for Interface to Network Security 1087 Functions - Egress action"; 1088 } 1090 identity default-action-capability { 1091 description 1092 "Identity for default-action capability"; 1093 reference 1094 "draft-ietf-i2nsf-capability-05: Information Model of 1095 NSFs Capabilities - Default action"; 1096 } 1098 identity pass { 1099 base ingress-action-capability; 1100 base egress-action-capability; 1101 base default-action-capability; 1102 description 1103 "Identity for pass action capability"; 1104 reference 1105 "RFC 8329: Framework for Interface to Network Security 1106 Functions - Ingress, egress, and pass actions. 1107 draft-ietf-i2nsf-capability-05: Information Model of 1108 NSFs Capabilities - Actions and default action."; 1109 } 1110 identity drop { 1111 base ingress-action-capability; 1112 base egress-action-capability; 1113 base default-action-capability; 1114 description 1115 "Identity for drop action capability"; 1116 reference 1117 "RFC 8329: Framework for Interface to Network Security 1118 Functions - Ingress, egress, and drop actions. 1119 draft-ietf-i2nsf-capability-05: Information Model of 1120 NSFs Capabilities - Actions and default action."; 1121 } 1123 identity alert { 1124 base ingress-action-capability; 1125 base egress-action-capability; 1126 base default-action-capability; 1127 description 1128 "Identity for alert action capability"; 1129 reference 1130 "RFC 8329: Framework for Interface to Network Security 1131 Functions - Ingress, egress, and alert actions. 1132 draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF 1133 NSF Monitoring YANG Data Model - Alarm (i.e., alert). 
1134 draft-ietf-i2nsf-capability-05: Information Model of 1135 NSFs Capabilities - Actions and default action."; 1136 } 1138 identity mirror { 1139 base ingress-action-capability; 1140 base egress-action-capability; 1141 base default-action-capability; 1142 description 1143 "Identity for mirror action capability"; 1144 reference 1145 "RFC 8329: Framework for Interface to Network Security 1146 Functions - Ingress, egress, and mirror actions. 1147 draft-ietf-i2nsf-capability-05: Information Model of 1148 NSFs Capabilities - Actions and default action."; 1149 } 1151 identity invoke-signaling { 1152 base egress-action-capability; 1153 description 1154 "Identity for invoke signaling action capability"; 1155 reference 1156 "RFC 8329: Framework for Interface to Network Security 1157 Functions - Invoke-signaling action"; 1159 } 1161 identity tunnel-encapsulation { 1162 base egress-action-capability; 1163 description 1164 "Identity for tunnel encapsulation action capability"; 1165 reference 1166 "RFC 8329: Framework for Interface to Network Security 1167 Functions - Tunnel-encapsulation action"; 1168 } 1170 identity forwarding { 1171 base egress-action-capability; 1172 description 1173 "Identity for forwarding action capability"; 1174 reference 1175 "RFC 8329: Framework for Interface to Network Security 1176 Functions - Forwarding action"; 1177 } 1179 identity redirection { 1180 base egress-action-capability; 1181 description 1182 "Identity for redirection action capability"; 1183 reference 1184 "RFC 8329: Framework for Interface to Network Security 1185 Functions - Redirection action"; 1186 } 1188 identity resolution-strategy-capability { 1189 description 1190 "Base identity for resolution strategy capability"; 1191 reference 1192 "draft-ietf-i2nsf-capability-05: Information Model of 1193 NSFs Capabilities - Resolution Strategy"; 1194 } 1196 identity fmr { 1197 base resolution-strategy-capability; 1198 description 1199 "Identity for First Matching Rule (FMR) resolution 
1200 strategy capability"; 1201 reference 1202 "draft-ietf-i2nsf-capability-05: Information Model of 1203 NSFs Capabilities - Resolution Strategy"; 1204 } 1206 identity lmr { 1207 base resolution-strategy-capability; 1208 description 1209 "Identity for Last Matching Rule (LMR) resolution 1210 strategy capability"; 1211 reference 1212 "draft-ietf-i2nsf-capability-05: Information Model of 1213 NSFs Capabilities - Resolution Strategy"; 1214 } 1216 identity pmr { 1217 base resolution-strategy-capability; 1218 description 1219 "Identity for Prioritized Matching Rule (PMR) resolution 1220 strategy capability"; 1221 reference 1222 "draft-ietf-i2nsf-capability-05: Information Model of 1223 NSFs Capabilities - Resolution Strategy"; 1224 } 1226 identity pmre { 1227 base resolution-strategy-capability; 1228 description 1229 "Identity for Prioritized Matching Rule with Errors (PMRE) 1230 resolution strategy capability"; 1231 reference 1232 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1233 Capabilities - Resolution Strategy"; 1234 } 1236 identity pmrn { 1237 base resolution-strategy-capability; 1238 description 1239 "Identity for Prioritized Matching Rule with No Errors (PMRN) 1240 resolution strategy capability"; 1241 reference 1242 "draft-ietf-i2nsf-capability-05: Information Model of NSFs 1243 Capabilities - Resolution Strategy"; 1244 } 1246 identity advanced-nsf-capability { 1247 description 1248 "Base identity for advanced Network Security Function (NSF) 1249 capability. This can be used for advanced NSFs such as 1250 Anti-Virus, Anti-DDoS Attack, IPS, and VoIP/VoLTE Security 1251 Service."; 1252 reference 1253 "RFC 8329: Framework for Interface to Network Security 1254 Functions - Advanced NSF capability"; 1256 } 1258 identity anti-virus-capability { 1259 base advanced-nsf-capability; 1260 description 1261 "Identity for advanced NSF Anti-Virus capability. 
1262 This can be used for an extension point for Anti-Virus 1263 as an advanced NSF."; 1264 reference 1265 "RFC 8329: Framework for Interface to Network Security 1266 Functions - Advanced NSF Anti-Virus capability"; 1267 } 1269 identity anti-ddos-capability { 1270 base advanced-nsf-capability; 1271 description 1272 "Identity for advanced NSF Anti-DDoS Attack capability. 1273 This can be used for an extension point for Anti-DDoS 1274 Attack as an advanced NSF."; 1275 reference 1276 "RFC 8329: Framework for Interface to Network Security 1277 Functions - Advanced NSF Anti-DDoS Attack capability"; 1278 } 1280 identity ips-capability { 1281 base advanced-nsf-capability; 1282 description 1283 "Identity for advanced NSF IPS capabilities. This can be 1284 used for an extension point for IPS as an advanced NSF."; 1285 reference 1286 "RFC 8329: Framework for Interface to Network Security 1287 Functions - Advanced NSF IPS capability"; 1288 } 1290 identity voip-volte-capability { 1291 base advanced-nsf-capability; 1292 description 1293 "Identity for advanced NSF VoIP/VoLTE Security Service 1294 capability. This can be used for an extension point 1295 for VoIP/VoLTE Security Service as an advanced NSF."; 1296 reference 1297 "RFC 3261: SIP: Session Initiation Protocol 1298 RFC 8329: Framework for Interface to Network Security 1299 Functions - Advanced NSF VoIP/VoLTE security service 1300 capability"; 1301 } 1303 identity detect { 1304 base anti-virus-capability; 1305 description 1306 "Identity for advanced NSF Anti-Virus Detection capability. 1307 This can be used for an extension point for Anti-Virus 1308 Detection as an advanced NSF."; 1309 reference 1310 "RFC 8329: Framework for Interface to Network Security 1311 Functions - Advanced NSF Anti-Virus Detection capability"; 1312 } 1314 identity exception-application { 1315 base anti-virus-capability; 1316 description 1317 "Identity for advanced NSF Anti-Virus Exception Application 1318 capability. 
This can be used for an extension point for 1319 Anti-Virus Exception Application as an advanced NSF."; 1320 reference 1321 "RFC 8329: Framework for Interface to Network Security 1322 Functions - Advanced NSF Anti-Virus Exception Application 1323 capability"; 1324 } 1326 identity exception-signature { 1327 base anti-virus-capability; 1328 description 1329 "Identity for advanced NSF Anti-Virus Exception Signature 1330 capability. This can be used for an extension point for 1331 Anti-Virus Exception Signature as an advanced NSF."; 1332 reference 1333 "RFC 8329: Framework for Interface to Network Security 1334 Functions - Advanced NSF Anti-Virus Exception Signature 1335 capability"; 1336 } 1338 identity allow-list { 1339 base anti-virus-capability; 1340 description 1341 "Identity for advanced NSF Anti-Virus Allow List capability. 1342 This can be used for an extension point for Anti-Virus 1343 Allow List as an advanced NSF."; 1344 reference 1345 "RFC 8329: Framework for Interface to Network Security 1346 Functions - Advanced NSF Anti-Virus Allow List capability"; 1347 } 1349 identity syn-flood-action { 1350 base anti-ddos-capability; 1351 description 1352 "Identity for advanced NSF Anti-DDoS SYN Flood Action 1353 capability. This can be used for an extension point for 1354 Anti-DDoS SYN Flood Action as an advanced NSF."; 1355 reference 1356 "RFC 8329: Framework for Interface to Network Security 1357 Functions - Advanced NSF Anti-DDoS SYN Flood Action 1358 capability"; 1359 } 1361 identity udp-flood-action { 1362 base anti-ddos-capability; 1363 description 1364 "Identity for advanced NSF Anti-DDoS UDP Flood Action 1365 capability. 
This can be used for an extension point for 1366 Anti-DDoS UDP Flood Action as an advanced NSF."; 1367 reference 1368 "RFC 8329: Framework for Interface to Network Security 1369 Functions - Advanced NSF Anti-DDoS UDP Flood Action 1370 capability"; 1371 } 1373 identity http-flood-action { 1374 base anti-ddos-capability; 1375 description 1376 "Identity for advanced NSF Anti-DDoS HTTP Flood Action 1377 capability. This can be used for an extension point for 1378 Anti-DDoS HTTP Flood Action as an advanced NSF."; 1379 reference 1380 "RFC 8329: Framework for Interface to Network Security 1381 Functions - Advanced NSF Anti-DDoS HTTP Flood Action 1382 capability"; 1383 } 1385 identity https-flood-action { 1386 base anti-ddos-capability; 1387 description 1388 "Identity for advanced NSF Anti-DDoS HTTPS Flood Action 1389 capability. This can be used for an extension point for 1390 Anti-DDoS HTTPS Flood Action as an advanced NSF."; 1391 reference 1392 "RFC 8329: Framework for Interface to Network Security 1393 Functions - Advanced NSF Anti-DDoS HTTPS Flood Action 1394 capability"; 1395 } 1397 identity dns-request-flood-action { 1398 base anti-ddos-capability; 1399 description 1400 "Identity for advanced NSF Anti-DDoS DNS Request Flood 1401 Action capability. This can be used for an extension 1402 point for Anti-DDoS DNS Request Flood Action as an 1403 advanced NSF."; 1404 reference 1405 "RFC 8329: Framework for Interface to Network Security 1406 Functions - Advanced NSF Anti-DDoS DNS Request Flood 1407 Action capability"; 1408 } 1410 identity dns-reply-flood-action { 1411 base anti-ddos-capability; 1412 description 1413 "Identity for advanced NSF Anti-DDoS DNS Reply Flood 1414 Action capability. 
This can be used for an extension 1415 point for Anti-DDoS DNS Reply Flood Action as an 1416 advanced NSF."; 1417 reference 1418 "RFC 8329: Framework for Interface to Network Security 1419 Functions - Advanced NSF Anti-DDoS DNS Reply Flood 1420 Action capability"; 1421 } 1423 identity icmp-flood-action { 1424 base anti-ddos-capability; 1425 description 1426 "Identity for advanced NSF Anti-DDoS ICMP Flood Action 1427 capability. This can be used for an extension point 1428 for Anti-DDoS ICMP Flood Action as an advanced NSF."; 1429 reference 1430 "RFC 8329: Framework for Interface to Network Security 1431 Functions - Advanced NSF Anti-DDoS ICMP Flood Action 1432 capability"; 1433 } 1435 identity icmpv6-flood-action { 1436 base anti-ddos-capability; 1437 description 1438 "Identity for advanced NSF Anti-DDoS ICMPv6 Flood Action 1439 capability. This can be used for an extension point 1440 for Anti-DDoS ICMPv6 Flood Action as an advanced NSF."; 1441 reference 1442 "RFC 8329: Framework for Interface to Network Security 1443 Functions - Advanced NSF Anti-DDoS ICMPv6 Flood Action 1444 capability"; 1445 } 1447 identity sip-flood-action { 1448 base anti-ddos-capability; 1449 description 1450 "Identity for advanced NSF Anti-DDoS SIP Flood Action 1451 capability. This can be used for an extension point 1452 for Anti-DDoS SIP Flood Action as an advanced NSF."; 1453 reference 1454 "RFC 8329: Framework for Interface to Network Security 1455 Functions - Advanced NSF Anti-DDoS SIP Flood Action 1456 capability"; 1457 } 1459 identity detect-mode { 1460 base anti-ddos-capability; 1461 description 1462 "Identity for advanced NSF Anti-DDoS Detection Mode 1463 capability. 
This can be used for an extension point 1464 for Anti-DDoS Detection Mode as an advanced NSF."; 1465 reference 1466 "RFC 8329: Framework for Interface to Network Security 1467 Functions - Advanced NSF Anti-DDoS Detection Mode 1468 capability"; 1469 } 1471 identity baseline-learning { 1472 base anti-ddos-capability; 1473 description 1474 "Identity for advanced NSF Anti-DDoS Baseline Learning 1475 capability. This can be used for an extension point 1476 for Anti-DDoS Baseline Learning as an advanced NSF."; 1477 reference 1478 "RFC 8329: Framework for Interface to Network Security 1479 Functions - Advanced NSF Anti-DDoS Baseline Learning 1480 capability"; 1481 } 1483 identity signature-set { 1484 base ips-capability; 1485 description 1486 "Identity for advanced NSF IPS Signature Set capability. 1487 This can be used for an extension point for IPS Signature 1488 Set as an advanced NSF."; 1489 reference 1490 "RFC 8329: Framework for Interface to Network Security 1491 Functions - Advanced NSF IPS Signature Set capability"; 1492 } 1494 identity ips-exception-signature { 1495 base ips-capability; 1496 description 1497 "Identity for advanced NSF IPS Exception Signature 1498 capability. This can be used for an extension point for 1499 IPS Exception Signature as an advanced NSF."; 1500 reference 1501 "RFC 8329: Framework for Interface to Network Security 1502 Functions - Advanced NSF IPS Exception Signature Set 1503 capability"; 1504 } 1506 identity voice-id { 1507 base voip-volte-capability; 1508 description 1509 "Identity for advanced NSF VoIP/VoLTE Voice-ID capability. 
1510 This can be used for an extension point for VoIP/VoLTE 1511 Voice-ID as an advanced NSF."; 1512 reference 1513 "RFC 3261: SIP: Session Initiation Protocol 1514 RFC 8329: Framework for Interface to Network Security 1515 Functions - Advanced NSF VoIP/VoLTE Security Service 1516 capability"; 1518 } 1520 identity user-agent { 1521 base voip-volte-capability; 1522 description 1523 "Identity for advanced NSF VoIP/VoLTE User Agent capability. 1524 This can be used for an extension point for VoIP/VoLTE 1525 User Agent as an advanced NSF."; 1526 reference 1527 "RFC 3261: SIP: Session Initiation Protocol 1528 RFC 8329: Framework for Interface to Network Security 1529 Functions - Advanced NSF VoIP/VoLTE Security Service 1530 capability"; 1531 } 1533 identity ipsec-capability { 1534 description 1535 "Base identity for an IPsec capability"; 1536 reference 1537 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1538 Software-Defined Networking (SDN)-based IPsec Flow 1539 Protection - IPsec methods such as IKE and IKE-less"; 1540 } 1542 identity ike { 1543 base ipsec-capability; 1544 description 1545 "Identity for an IPsec Internet Key Exchange (IKE) 1546 capability"; 1547 reference 1548 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1549 Software-Defined Networking (SDN)-based IPsec Flow 1550 Protection - IPsec method with IKE. 
1551 RFC 7296: Internet Key Exchange Protocol Version 2 1552 (IKEv2) - IKE as a component of IPsec used for 1553 performing mutual authentication and establishing and 1554 maintaining Security Associations (SAs)."; 1555 } 1557 identity ikeless { 1558 base ipsec-capability; 1559 description 1560 "Identity for an IPsec without Internet Key Exchange (IKE) 1561 capability"; 1562 reference 1563 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1564 Software-Defined Networking (SDN)-based IPsec Flow 1565 Protection - IPsec method without IKE"; 1566 } 1568 /* 1569 * Grouping 1570 */ 1572 grouping nsf-capabilities { 1573 description 1574 "Network Security Function (NSF) Capabilities"; 1575 reference 1576 "RFC 8329: Framework for Interface to Network Security 1577 Functions - I2NSF Flow Security Policy Structure. 1578 draft-ietf-i2nsf-capability-05: Information Model of 1579 NSFs Capabilities - Capability Information Model Design."; 1581 leaf-list time-capabilities { 1582 type enumeration { 1583 enum absolute-time { 1584 description 1585 "absolute time capabilities. 1586 If a network security function has the absolute time 1587 capability, the network security function supports 1588 rule execution according to absolute time."; 1589 } 1590 enum periodic-time { 1591 description 1592 "periodic time capabilities. 1593 If a network security function has the periodic time 1594 capability, the network security function supports 1595 rule execution according to periodic time."; 1596 } 1597 } 1598 description 1599 "Time capabilities"; 1600 } 1602 container event-capabilities { 1603 description 1604 "Capabilities of events. 1605 If a network security function has the event capabilities, 1606 the network security function supports rule execution 1607 according to system event and system alarm."; 1609 reference 1610 "RFC 8329: Framework for Interface to Network Security 1611 Functions - I2NSF Flow Security Policy Structure. 
1612 draft-ietf-i2nsf-capability-05: Information Model of 1613 NSFs Capabilities - Design Principles and ECA Policy 1614 Model Overview. 1615 draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF 1616 NSF Monitoring YANG Data Model - System Alarm and 1617 System Events."; 1619 leaf-list system-event-capability { 1620 type identityref { 1621 base system-event-capability; 1622 } 1623 description 1624 "System event capabilities"; 1625 } 1627 leaf-list system-alarm-capability { 1628 type identityref { 1629 base system-alarm-capability; 1630 } 1631 description 1632 "System alarm capabilities"; 1633 } 1634 } 1636 container condition-capabilities { 1637 description 1638 "Conditions capabilities."; 1640 container generic-nsf-capabilities { 1641 description 1642 "Conditions capabilities. 1643 If a network security function has the condition 1644 capabilities, the network security function 1645 supports rule execution according to conditions of 1646 IPv4, IPv6, TCP, UDP, ICMP, ICMPv6, and payload."; 1647 reference 1648 "RFC 791: Internet Protocol - IPv4. 1649 RFC 792: Internet Control Message Protocol - ICMP. 1650 RFC 793: Transmission Control Protocol - TCP. 1651 RFC 768: User Datagram Protocol - UDP. 1652 RFC 8200: Internet Protocol, Version 6 (IPv6) 1653 Specification - IPv6. 1654 RFC 4443: Internet Control Message Protocol (ICMPv6) 1655 for the Internet Protocol Version 6 (IPv6) Specification 1656 - ICMPv6. 1657 RFC 8329: Framework for Interface to Network Security 1658 Functions - I2NSF Flow Security Policy Structure. 
1659 draft-ietf-i2nsf-capability-05: Information Model of 1660 NSFs Capabilities - Design Principles and ECA Policy 1661 Model Overview."; 1663 leaf-list ipv4-capability { 1664 type identityref { 1665 base ipv4-capability; 1666 } 1667 description 1668 "IPv4 packet capabilities"; 1669 reference 1670 "RFC 791: Internet Protocol"; 1671 } 1673 leaf-list icmp-capability { 1674 type identityref { 1675 base icmp-capability; 1676 } 1677 description 1678 "ICMP packet capabilities"; 1679 reference 1680 "RFC 792: Internet Control Message Protocol - ICMP"; 1681 } 1683 leaf-list ipv6-capability { 1684 type identityref { 1685 base ipv6-capability; 1686 } 1687 description 1688 "IPv6 packet capabilities"; 1689 reference 1690 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1691 Specification - IPv6"; 1692 } 1694 leaf-list icmpv6-capability { 1695 type identityref { 1696 base icmpv6-capability; 1697 } 1698 description 1699 "ICMPv6 packet capabilities"; 1700 reference 1701 "RFC 4443: Internet Control Message Protocol (ICMPv6) 1702 for the Internet Protocol Version 6 (IPv6) Specification 1703 - ICMPv6"; 1704 } 1706 leaf-list tcp-capability { 1707 type identityref { 1708 base tcp-capability; 1709 } 1710 description 1711 "TCP packet capabilities"; 1712 reference 1713 "RFC 793: Transmission Control Protocol - TCP"; 1714 } 1716 leaf-list udp-capability { 1717 type identityref { 1718 base udp-capability; 1719 } 1720 description 1721 "UDP packet capabilities"; 1722 reference 1723 "RFC 768: User Datagram Protocol - UDP"; 1724 } 1725 } 1727 container advanced-nsf-capabilities { 1728 description 1729 "Advanced Network Security Function (NSF) capabilities, 1730 such as Anti-Virus, Anti-DDoS, IPS, and VoIP/VoLTE. 
1731 This container contains the leaf-lists of advanced 1732 NSF capabilities"; 1733 reference 1734 "RFC 8329: Framework for Interface to Network Security 1735 Functions - Advanced NSF capabilities"; 1737 leaf-list anti-virus-capability { 1738 type identityref { 1739 base anti-virus-capability; 1740 } 1741 description 1742 "Anti-Virus capabilities"; 1743 reference 1744 "RFC 8329: Framework for Interface to Network Security 1745 Functions - Advanced NSF Anti-Virus capabilities"; 1746 } 1748 leaf-list anti-ddos-capability { 1749 type identityref { 1750 base anti-ddos-capability; 1751 } 1752 description 1753 "Anti-DDoS Attack capabilities"; 1754 reference 1755 "RFC 8329: Framework for Interface to Network Security 1756 Functions - Advanced NSF Anti-DDoS Attack capabilities"; 1757 } 1759 leaf-list ips-capability { 1760 type identityref { 1761 base ips-capability; 1762 } 1763 description 1764 "IPS capabilities"; 1765 reference 1766 "RFC 8329: Framework for Interface to Network Security 1767 Functions - Advanced NSF IPS capabilities"; 1768 } 1770 leaf-list url-capability { 1771 type identityref { 1772 base url-capability; 1773 } 1774 description 1775 "URL capabilities"; 1776 reference 1777 "RFC 8329: Framework for Interface to Network Security 1778 Functions - Advanced NSF URL capabilities"; 1779 } 1781 leaf-list voip-volte-capability { 1782 type identityref { 1783 base voip-volte-capability; 1784 } 1785 description 1786 "VoIP/VoLTE capabilities"; 1787 reference 1788 "RFC 8329: Framework for Interface to Network Security 1789 Functions - Advanced NSF VoIP/VoLTE capabilities"; 1790 } 1791 } 1793 leaf-list context-capabilities { 1794 type identityref { 1795 base context-capability; 1796 } 1797 description 1798 "Security context capabilities"; 1799 } 1800 } 1802 container action-capabilities { 1803 description 1804 "Action capabilities. 
1805 If a network security function has the action capabilities, 1806 the network security function supports the attendant 1807 actions for policy rules."; 1809 leaf-list ingress-action-capability { 1810 type identityref { 1811 base ingress-action-capability; 1812 } 1813 description 1814 "Ingress-action capabilities"; 1815 } 1817 leaf-list egress-action-capability { 1818 type identityref { 1819 base egress-action-capability; 1820 } 1821 description 1822 "Egress-action capabilities"; 1823 } 1825 leaf-list log-action-capability { 1826 type identityref { 1827 base log-action-capability; 1828 } 1829 description 1830 "Log-action capabilities"; 1831 } 1832 } 1833 leaf-list resolution-strategy-capabilities { 1834 type identityref { 1835 base resolution-strategy-capability; 1836 } 1837 description 1838 "Resolution strategy capabilities. 1839 The resolution strategies can be used to specify how 1840 to resolve conflicts that occur between the actions 1841 of the same or different policy rules that are matched 1842 for the same packet and by particular NSF"; 1843 reference 1844 "draft-ietf-i2nsf-capability-05: Information Model of 1845 NSFs Capabilities - Resolution strategy capabilities"; 1846 } 1848 leaf-list default-action-capabilities { 1849 type identityref { 1850 base default-action-capability; 1851 } 1852 description 1853 "Default action capabilities. 1854 A default action is used to execute I2NSF policy rules 1855 when no rule matches a packet. The default action is 1856 defined as pass, drop, alert, or mirror."; 1857 reference 1858 "RFC 8329: Framework for Interface to Network Security 1859 Functions - Ingress and egress actions. 
1860 draft-ietf-i2nsf-capability-05: Information Model of 1861 NSFs Capabilities - Default action capabilities."; 1862 } 1864 leaf-list ipsec-method { 1865 type identityref { 1866 base ipsec-capability; 1867 } 1868 description 1869 "IPsec method capabilities"; 1870 reference 1871 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-08: 1872 Software-Defined Networking (SDN)-based IPsec Flow 1873 Protection - IPsec methods such as IKE and IKE-less"; 1874 } 1875 } 1877 /* 1878 * Data nodes 1879 */ 1881 list nsf { 1882 key "nsf-name"; 1883 description 1884 "The list of Network Security Functions (NSFs)"; 1885 leaf nsf-name { 1886 type string; 1887 mandatory true; 1888 description 1889 "The name of Network Security Function (NSF)"; 1890 } 1891 } 1892 } 1894 1896 Figure 3: YANG Data Module of I2NSF Capability 1898 6. IANA Considerations 1900 This document requests IANA to register the following URI in the 1901 "IETF XML Registry" [RFC3688]: 1903 ID: yang:ietf-i2nsf-capability 1904 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1905 Registrant Contact: The IESG. 1906 XML: N/A; the requested URI is an XML namespace. 1907 Filename: [ TBD-at-Registration ] 1908 Reference: [ RFC-to-be ] 1910 This document requests IANA to register the following YANG module in 1911 the "YANG Module Names" registry [RFC7950][RFC8525]: 1913 Name: ietf-i2nsf-capability 1914 Maintained by IANA? N 1915 Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability 1916 Prefix: nsfcap 1917 Module: 1918 Reference: [ RFC-to-be ] 1920 7. Security Considerations 1922 The YANG module specified in this document defines a data schema 1923 designed to be accessed through network management protocols such as 1924 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 1925 the secure transport layer, and the required transport secure 1926 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 1927 is HTTPS, and the required transport secure transport is TLS 1928 [RFC8446]. 
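The identities above form a tree, and the grouping's identityref leaf-lists constrain which identities an NSF may advertise in each list: pass, drop, alert and mirror carry three bases, so they are valid as ingress, egress and default actions, while invoke-signaling, tunnel-encapsulation, forwarding and redirection derive from egress-action-capability only. A controller that accepts capability advertisements should check those constraints before trusting them. The following is an added example, not code from the draft or the I2NSF working group: it transcribes a subset of the module's identity tree into a table, implements YANG's derived-from-or-self() over it, and validates RFC 7951-style JSON instances. The sample instances, the NSF name, the function names and the assumption that list nsf instantiates the grouping nsf-capabilities are all constructed here for illustration.

```python
"""Validate an NSF capability advertisement against the identity tree of
ietf-i2nsf-capability.  Added example; the identity subset and the JSON
instances are constructed here, not taken from a real NSF."""
from __future__ import annotations

import json

MODULE = "ietf-i2nsf-capability"

# identity -> its base identities, transcribed from the module (subset).
IDENTITY_BASES: dict[str, tuple[str, ...]] = {
    "condition": (),
    "ipv4-capability": ("condition",),
    "exact-ipv4-address": ("ipv4-capability",),
    "range-ipv4-address": ("ipv4-capability",),
    "ipv4-protocol": ("ipv4-capability",),
    "tcp-capability": ("condition",),
    "exact-tcp-port-num": ("tcp-capability",),
    "range-tcp-port-num": ("tcp-capability",),
    "tcp-flags": ("tcp-capability",),
    "ingress-action-capability": (),
    "egress-action-capability": (),
    "default-action-capability": (),
    "log-action-capability": (),
    "resolution-strategy-capability": (),
}
# pass/drop/alert/mirror have three bases; the other egress actions one.
for _n in ("pass", "drop", "alert", "mirror"):
    IDENTITY_BASES[_n] = ("ingress-action-capability",
                          "egress-action-capability",
                          "default-action-capability")
for _n in ("invoke-signaling", "tunnel-encapsulation", "forwarding",
           "redirection"):
    IDENTITY_BASES[_n] = ("egress-action-capability",)
for _n in ("rule-log", "session-log"):
    IDENTITY_BASES[_n] = ("log-action-capability",)
for _n in ("fmr", "lmr", "pmr", "pmre", "pmrn"):
    IDENTITY_BASES[_n] = ("resolution-strategy-capability",)

# leaf-list name -> required base, as declared in grouping nsf-capabilities.
LEAF_LIST_BASE = {
    "ipv4-capability": "ipv4-capability",
    "tcp-capability": "tcp-capability",
    "ingress-action-capability": "ingress-action-capability",
    "egress-action-capability": "egress-action-capability",
    "log-action-capability": "log-action-capability",
    "resolution-strategy-capabilities": "resolution-strategy-capability",
    "default-action-capabilities": "default-action-capability",
}


def derived_from_or_self(identity: str, base: str) -> bool:
    """YANG derived-from-or-self(): follow every base chain (multiple bases allowed)."""
    if identity == base:
        return True
    return any(derived_from_or_self(b, base) for b in IDENTITY_BASES.get(identity, ()))


def validate(nsf: dict) -> list[str]:
    """Return one error string per identityref value that violates its leaf-list base."""
    errors: list[str] = []

    def check(leaf_list: str, values: list[str]) -> None:
        base = LEAF_LIST_BASE[leaf_list]
        for value in values:
            mod, sep, name = value.partition(":")   # RFC 7951: "module:identity"
            if sep and mod != MODULE:
                errors.append(f"{leaf_list}: {value!r} comes from another module")
                continue
            name = name if sep else mod
            if name not in IDENTITY_BASES:
                errors.append(f"{leaf_list}: unknown identity {name!r}")
            elif not derived_from_or_self(name, base):
                errors.append(f"{leaf_list}: {name!r} is not derived from {base!r}")

    generic = nsf.get("condition-capabilities", {}).get("generic-nsf-capabilities", {})
    for ll in ("ipv4-capability", "tcp-capability"):
        check(ll, generic.get(ll, []))
    actions = nsf.get("action-capabilities", {})
    for ll in ("ingress-action-capability", "egress-action-capability",
               "log-action-capability"):
        check(ll, actions.get(ll, []))
    for ll in ("resolution-strategy-capabilities", "default-action-capabilities"):
        check(ll, nsf.get(ll, []))
    return errors


# Constructed advertisement of a hypothetical firewall NSF "fw-edge-1".
GOOD_JSON = """{
  "nsf-name": "fw-edge-1",
  "condition-capabilities": {"generic-nsf-capabilities": {
    "ipv4-capability": ["ietf-i2nsf-capability:exact-ipv4-address",
                        "ietf-i2nsf-capability:range-ipv4-address"],
    "tcp-capability": ["ietf-i2nsf-capability:range-tcp-port-num",
                       "ietf-i2nsf-capability:tcp-flags"]}},
  "action-capabilities": {
    "ingress-action-capability": ["ietf-i2nsf-capability:pass", "ietf-i2nsf-capability:drop"],
    "egress-action-capability": ["ietf-i2nsf-capability:pass", "ietf-i2nsf-capability:drop",
                                 "ietf-i2nsf-capability:invoke-signaling"],
    "log-action-capability": ["ietf-i2nsf-capability:rule-log"]},
  "resolution-strategy-capabilities": ["ietf-i2nsf-capability:fmr"],
  "default-action-capabilities": ["ietf-i2nsf-capability:drop"]
}"""

# Constructed advertisement with four violations: an IPv4 identity in the TCP
# list, an egress-only action in the ingress list, a non-default action as
# default, and an identity the module does not define.
BAD_JSON = """{
  "nsf-name": "fw-edge-2",
  "condition-capabilities": {"generic-nsf-capabilities": {
    "tcp-capability": ["ietf-i2nsf-capability:exact-ipv4-address"]}},
  "action-capabilities": {
    "ingress-action-capability": ["ietf-i2nsf-capability:pass",
                                  "ietf-i2nsf-capability:invoke-signaling"],
    "log-action-capability": ["ietf-i2nsf-capability:no-such-log"]},
  "default-action-capabilities": ["ietf-i2nsf-capability:forwarding"]
}"""

if __name__ == "__main__":
    for doc in (GOOD_JSON, BAD_JSON):
        print(json.loads(doc)["nsf-name"], validate(json.loads(doc)) or "ok")
```

The check mirrors what a YANG-aware NETCONF/RESTCONF server does on a write: an identityref value must be derived from the leaf's declared base, so rejecting `invoke-signaling` under ingress-action-capability or `forwarding` under default-action-capabilities is schema validation, not policy. Running the validator on the controller side as well matters because the draft's Security Considerations treat a tampered capability set as a way to disable or evade mitigations.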
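The resolution-strategy-capabilities leaf-list above says which conflict-resolution strategies an NSF supports (FMR, LMR, PMR, PMRE, PMRN), and default-action-capabilities says what it does when no rule matches, but the module only names the strategies. The following added example, which is not code from the draft, shows why the advertised strategy matters: the same packet and the same three rules yield three different actions under FMR, LMR and PMR, and an unmatched packet falls through to the default action, which the draft restricts to pass, drop, alert or mirror. The Rule class, the function names, the rule set and the packets are constructed here; the addresses come from the documentation ranges of RFC 5737. PMR's handling of equal priorities is an assumption (earliest rule wins), and the PMRE/PMRN variants are deliberately not implemented because their tie semantics are not stated on this page.

```python
"""Resolve conflicting rule actions for one packet under the resolution
strategies the module names.  Added example; rules, packets and the PMR
tie-break are constructed here and are not taken from the draft."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The draft defines the default action as pass, drop, alert, or mirror.
DEFAULT_ACTIONS = frozenset({"pass", "drop", "alert", "mirror"})
STRATEGIES = ("fmr", "lmr", "pmr")   # PMRE/PMRN intentionally not modelled


@dataclass(frozen=True)
class Rule:
    """A minimal ECA rule: two optional conditions and one action."""
    name: str
    action: str
    priority: int                                   # consulted by PMR only
    src_net: ipaddress.IPv4Network | None = None    # range-ipv4-address condition
    dports: range | None = None                     # range-tcp-port-num condition

    def matches(self, packet: dict) -> bool:
        if self.src_net is not None and \
                ipaddress.ip_address(packet["src"]) not in self.src_net:
            return False
        if self.dports is not None and packet["dport"] not in self.dports:
            return False
        return True


def is_valid_default(action: str) -> bool:
    return action in DEFAULT_ACTIONS


def matched_rules(rules: list[Rule], packet: dict) -> list[str]:
    """Names of all rules whose conditions the packet satisfies, in rule order."""
    return [r.name for r in rules if r.matches(packet)]


def resolve(rules: list[Rule], packet: dict, strategy: str, default_action: str) -> str:
    """Action the NSF executes for `packet` under `strategy`."""
    if not is_valid_default(default_action):
        raise ValueError(f"{default_action!r} is not a permitted default action")
    matched = [r for r in rules if r.matches(packet)]
    if not matched:
        return default_action                     # no rule matched: default action
    if strategy == "fmr":                         # First Matching Rule
        return matched[0].action
    if strategy == "lmr":                         # Last Matching Rule
        return matched[-1].action
    if strategy == "pmr":                         # Prioritized Matching Rule
        # Assumption: on equal priority the earliest rule wins (max() keeps the first).
        return max(matched, key=lambda r: r.priority).action
    raise ValueError(f"unsupported resolution strategy {strategy!r}")


# Constructed rule set.  A packet from 192.0.2.10 to TCP/443 matches all three.
RULES = [
    Rule("allow-web", "pass", priority=10, dports=range(80, 444)),
    Rule("block-host", "drop", priority=50,
         src_net=ipaddress.IPv4Network("192.0.2.10/32")),
    Rule("alert-lab", "alert", priority=20,
         src_net=ipaddress.IPv4Network("192.0.2.0/24")),
]
CONFLICTING_PACKET = {"src": "192.0.2.10", "dport": 443}
UNMATCHED_PACKET = {"src": "198.51.100.7", "dport": 22}

if __name__ == "__main__":
    for strategy in STRATEGIES:
        print(strategy, resolve(RULES, CONFLICTING_PACKET, strategy, "drop"))
    print("unmatched ->", resolve(RULES, UNMATCHED_PACKET, "fmr", "drop"))
```

The practical reading for a security administrator: a policy written for an NSF that advertises only fmr (the host block above is never reached once the web rule matches) is not safe to push unchanged to one that advertises lmr or pmr, and the capability advertisement is what tells the controller which semantics to assume.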
   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable, creatable, and deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations to these data nodes
   could have a negative effect on network and security operations.

   o  ietf-i2nsf-capability: An attacker could alter the security
      capabilities associated with an NSF, thereby disabling security
      mitigations or enabling their evasion.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-capability: An attacker could gather the security
      capability information of any NSF and use this information to
      evade detection or filtering.

8. References

8.1. Normative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Lingga, P., Hares, S., Xia, L., and H.
              Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-
              ietf-i2nsf-nsf-monitoring-data-model-04 (work in
              progress), September 2020.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08
              (work in progress), June 2020.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3849]  Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
              Reserved for Documentation", RFC 3849,
              DOI 10.17487/RFC3849, July 2004.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC5737]  Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
              Reserved for Documentation", RFC 5737,
              DOI 10.17487/RFC5737, January 2010.
   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8192]  Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R.,
              and J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8519]  Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
              "YANG Data Model for Network Access Control Lists (ACLs)",
              RFC 8519, DOI 10.17487/RFC8519, March 2019.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
              Kumari, "A Format for Self-Published IP Geolocation
              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020.

8.2. Informative References

   [IANA-Protocol-Numbers]
              "Assigned Internet Protocol Numbers", Available:
              https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml,
              September 2020.

Appendix A. Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-capability" module for the capabilities registration of
   NSFs such as a general firewall.

A.1. Example 1: Registration for the Capabilities of a General Firewall

   This section shows a configuration example for the capabilities
   registration of a general firewall in either an IPv4 network or an
   IPv6 network.
   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      general_firewall
      ipv4-protocol
      exact-ipv4-address
      range-ipv4-address
      exact-fourth-layer-port-num
      range-fourth-layer-port-num
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 4: Configuration XML for the Capabilities Registration of a
                    General Firewall in an IPv4 Network

   Figure 4 shows the configuration XML for the capabilities
   registration of a general firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer (transport-layer) packets.

   4.  The NSF can pass or drop the packets, or raise an alert on them.

   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      general_firewall
      ipv6-protocol
      exact-ipv6-address
      range-ipv6-address
      exact-fourth-layer-port-num
      range-fourth-layer-port-num
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 5: Configuration XML for the Capabilities Registration of a
                    General Firewall in an IPv6 Network

   In addition, Figure 5 shows the configuration XML for the
   capabilities registration of a general firewall as an NSF in an IPv6
   network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is general_firewall.

   2.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   3.  The NSF can inspect an exact port number and a range of port
       numbers for fourth-layer (transport-layer) packets.

   4.  The NSF can pass or drop the packets, or raise an alert on them.

A.2. Example 2: Registration for the Capabilities of a Time-based
     Firewall

   This section shows a configuration example for the capabilities
   registration of a time-based firewall in either an IPv4 network or an
   IPv6 network.

   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      time_based_firewall
      absolute-time
      periodic-time
      ipv4-protocol
      exact-ipv4-address
      range-ipv4-address
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 6: Configuration XML for the Capabilities Registration of a
                   Time-based Firewall in an IPv4 Network

   Figure 6 shows the configuration XML for the capabilities
   registration of a time-based firewall as an NSF in an IPv4 network
   [RFC5737].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv4 address, and a
       range of IPv4 addresses for IPv4 packets.

   4.  The NSF can pass or drop the packets, or raise an alert on them.

   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      time_based_firewall
      absolute-time
      periodic-time
      ipv6-protocol
      exact-ipv6-address
      range-ipv6-address
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 7: Configuration XML for the Capabilities Registration of a
                   Time-based Firewall in an IPv6 Network

   In addition, Figure 7 shows the configuration XML for the
   capabilities registration of a time-based firewall as an NSF in an
   IPv6 network [RFC3849].  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol, an exact IPv6 address, and a
       range of IPv6 addresses for IPv6 packets.

   4.  The NSF can pass or drop the packets, or raise an alert on them.

A.3. Example 3: Registration for the Capabilities of a Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      web_filter
      user-defined
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 8: Configuration XML for the Capabilities Registration of a
                               Web Filter

   Figure 8 shows the configuration XML for the capabilities
   registration of a web filter as an NSF.  Its capabilities are as
   follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect the URL of HTTP and HTTPS packets.

   3.  The NSF can pass or drop the packets, or raise an alert on them.

A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
     Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      voip_volte_filter
      voice-id
      pass
      drop
      alert
      pass
      drop
      alert

    Figure 9: Configuration XML for the Capabilities Registration of a
                            VoIP/VoLTE Filter

   Figure 9 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter as an NSF.  Its capabilities are
   as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect a voice ID for VoIP/VoLTE packets.

   3.  The NSF can pass or drop the packets, or raise an alert on them.

A.5. Example 5: Registration for the Capabilities of an HTTP and HTTPS
     Flood Mitigator

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.
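   The registrations in Figures 4 through 9 above are data a Security
   Controller has to consume, and Section 7 warns that a write to them
   can disable a mitigation.  The Python below is an added example and
   not part of this draft or of any I2NSF implementation: it parses
   constructed registrations modelled on Figures 4 and 6, selects the
   NSFs whose registered capabilities cover what a policy rule needs,
   and diffs a registration against a baseline snapshot so that a
   removed capability can be alerted on.  The element names nsf,
   nsf-name, ingress-action-capability and egress-action-capability and
   the module namespace come from the module text; condition-capabilities,
   generic-nsf-capabilities, ipv4-capability, tcp-capability,
   time-capabilities and action-capabilities are assumed names, since the
   figures' XML tags did not survive extraction.

```python
"""Consume ietf-i2nsf-capability registrations: pick an NSF for a policy
rule, and detect tampering with a registered capability set (Section 7)."""
import xml.etree.ElementTree as ET

# Module namespace registered in Section 6 of the draft.
NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"
NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF <data> wrapper

# Constructed sample: a <get-config> reply carrying two registrations whose
# values follow Figures 4 and 6.  nsf, nsf-name, ingress-action-capability
# and egress-action-capability are from the module text; the other element
# names (condition-capabilities, generic-nsf-capabilities, ipv4-capability,
# tcp-capability, time-capabilities, action-capabilities) are ASSUMED.
BASELINE_XML = f"""<data xmlns="{NC}">
  <nsf xmlns="{NS}">
    <nsf-name>general_firewall</nsf-name>
    <condition-capabilities><generic-nsf-capabilities>
      <ipv4-capability>ipv4-protocol</ipv4-capability>
      <ipv4-capability>exact-ipv4-address</ipv4-capability>
      <ipv4-capability>range-ipv4-address</ipv4-capability>
      <tcp-capability>exact-fourth-layer-port-num</tcp-capability>
      <tcp-capability>range-fourth-layer-port-num</tcp-capability>
    </generic-nsf-capabilities></condition-capabilities>
    <action-capabilities>
      <ingress-action-capability>pass</ingress-action-capability>
      <ingress-action-capability>drop</ingress-action-capability>
      <ingress-action-capability>alert</ingress-action-capability>
      <egress-action-capability>pass</egress-action-capability>
      <egress-action-capability>drop</egress-action-capability>
      <egress-action-capability>alert</egress-action-capability>
    </action-capabilities>
  </nsf>
  <nsf xmlns="{NS}">
    <nsf-name>time_based_firewall</nsf-name>
    <time-capabilities>absolute-time</time-capabilities>
    <time-capabilities>periodic-time</time-capabilities>
    <condition-capabilities><generic-nsf-capabilities>
      <ipv4-capability>ipv4-protocol</ipv4-capability>
      <ipv4-capability>exact-ipv4-address</ipv4-capability>
      <ipv4-capability>range-ipv4-address</ipv4-capability>
    </generic-nsf-capabilities></condition-capabilities>
    <action-capabilities>
      <ingress-action-capability>pass</ingress-action-capability>
      <ingress-action-capability>drop</ingress-action-capability>
      <ingress-action-capability>alert</ingress-action-capability>
      <egress-action-capability>pass</egress-action-capability>
      <egress-action-capability>drop</egress-action-capability>
      <egress-action-capability>alert</egress-action-capability>
    </action-capabilities>
  </nsf>
</data>"""

# Constructed "current" state: the egress drop action of general_firewall
# (the first such element) has been removed, the alteration Section 7 warns of.
TAMPERED_XML = BASELINE_XML.replace(
    "<egress-action-capability>drop</egress-action-capability>", "", 1)


def local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def parse_registrations(xml_text):
    """Return {nsf-name: {leaf-name: set(values)}} for every <nsf> entry.

    Leaves are gathered by local name at any depth, so the result does not
    depend on the exact container layout of the module."""
    regs = {}
    for nsf in ET.fromstring(xml_text).iter(f"{{{NS}}}nsf"):
        caps = {}
        for el in nsf.iter():
            if len(el) == 0 and el.text and el.text.strip():
                caps.setdefault(local(el.tag), set()).add(el.text.strip())
        regs[caps.pop("nsf-name").pop()] = caps
    return regs


def select_nsfs(regs, required):
    """Sorted names of the NSFs whose registration covers every requirement.

    `required` maps a leaf name to the identity values a rule needs, e.g.
    {"egress-action-capability": {"drop"}}."""
    return sorted(name for name, caps in regs.items()
                  if all(vals <= caps.get(leaf, set())
                         for leaf, vals in required.items()))


def diff_registrations(baseline, current):
    """Per-NSF capabilities removed from, or added to, a baseline snapshot.

    A removed action capability is the signature to alert on: an NSF that no
    longer registers 'drop' will silently stop being selected to block."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name, {}), current.get(name, {})
        removed = {k: v - after.get(k, set()) for k, v in before.items()}
        added = {k: v - before.get(k, set()) for k, v in after.items()}
        removed = {k: v for k, v in removed.items() if v}
        added = {k: v for k, v in added.items() if v}
        if removed or added:
            report[name] = {"removed": removed, "added": added}
    return report


if __name__ == "__main__":
    base = parse_registrations(BASELINE_XML)
    need = {"ipv4-capability": {"exact-ipv4-address"},
            "egress-action-capability": {"drop"}}
    print("candidates:", select_nsfs(base, need))
    print("drift:", diff_registrations(base, parse_registrations(TAMPERED_XML)))
```

   Collecting leaves by local name rather than by a fixed path is what
   keeps the parser usable even where the assumed container names turn
   out to differ; the selection and the baseline diff only depend on the
   leaf names and identity values.  Run against the tampered snapshot,
   the diff reports that general_firewall lost its egress drop
   capability, and the same rule that previously matched both NSFs now
   selects only time_based_firewall.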
   [The XML element tags of this figure did not survive extraction;
    only the element values remain, in document order.]

      http_and_https_flood_mitigation
      http-flood-action
      https-flood-action
      pass
      drop
      alert
      pass
      drop
      alert

   Figure 10: Configuration XML for the Capabilities Registration of an
                      HTTP and HTTPS Flood Mitigator

   Figure 10 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator as an NSF.  Its
   capabilities are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The IPv4 address of the NSF is assumed to be 192.0.2.11
       [RFC5737].  Also, the IPv6 address of the NSF is assumed to be
       2001:DB8:0:1::11 [RFC3849].

   3.  The NSF can control the volume of HTTP and HTTPS packets that
       are routed to the NSF's IPv4 address or the NSF's IPv6 address.

   4.  The NSF can pass or drop the packets, or raise an alert on them.

Appendix B. Acknowledgments

   This work was supported by Institute of Information & Communications
   Technology Planning & Evaluation (IITP) grant funded by the Korea
   MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
   Security Intelligence Technology Development for the Customized
   Security Service Provisioning).

Appendix C. Contributors

   This document is the result of the group effort of the I2NSF working
   group.  Many people actively contributed to this document, such as
   Acee Lindem, Roman Danyliw, and Tom Petch.  The authors sincerely
   appreciate their contributions.
   The following are co-authors of this document:

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China

   EMail: Frank.Xialiang@huawei.com

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon, 34129
   Republic of Korea

   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: sehuilee@kt.com

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com