I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-05
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
---|---|---|---|
Authors | Susan Hares , Jaehoon Paul Jeong , Jinyong Tim Kim , Robert Moskowitz , Qiushi Lin | ||
Last updated | 2020-05-12 (Latest revision 2019-07-25) | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
TSVART Early review
(of
-13)
by Michael Scharf
Almost ready
GENART Last Call review
(of
-09)
by Dan Romascanu
Ready w/issues
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Linda Dunbar | ||
Shepherd write-up | Show Last changed 2019-12-11 | ||
IESG | IESG state | AD Evaluation::Revised I-D Needed | |
Consensus boilerplate | Yes | ||
Telechat date | (None) | ||
Responsible AD | Roman Danyliw | ||
Send notices to | Linda Dunbar <dunbar.ll@gmail.com> |
draft-ietf-i2nsf-capability-data-model-05
New version available: Hares, et al. Expires January 26, 2020 [Page 34] Internet-Draft I2NSF Capability YANG Data Model July 2019 base anti-virus-capability; } description "Anti-virus capabilities"; reference "draft-dong-i2nsf-asf-config-01: Configuration of Advanced Security Functions with I2NSF Security Controller"; } leaf-list anti-ddos-capability { type identityref { base anti-ddos-capability; } description "Anti-ddos capabilities"; reference "draft-dong-i2nsf-asf-config-01: Configuration of Advanced Security Functions with I2NSF Security Controller"; } leaf-list ips-capability { type identityref { base ips-capability; } description "Intrusion Prevention System (IPS) capabilities"; reference "draft-dong-i2nsf-asf-config-01: Configuration of Advanced Security Functions with I2NSF Security Controller"; } leaf-list url-capability { type identityref { base url-capability; } description "URL capabilities"; reference "draft-dong-i2nsf-asf-config-01: Configuration of Advanced Security Functions with I2NSF Security Controller"; } leaf-list voip-volte-capability { type identityref { Hares, et al. Expires January 26, 2020 [Page 35] Internet-Draft I2NSF Capability YANG Data Model July 2019 base voip-volte-capability; } description "VoIP and VoLTE capabilities"; reference "draft-dong-i2nsf-asf-config-01: Configuration of Advanced Security Functions with I2NSF Security Controller"; } } leaf-list context-capabilities { type identityref { base context-capability; } description "Security context capabilities"; } } container action-capabilities { description "Action capabilities. If network security function has the action capabilities, it supports the attendant actions for policy rules."; leaf-list ingress-action-capability { type identityref { base ingress-action-capability; } description "Ingress-action capabilities"; } leaf-list egress-action-capability { type identityref { base egress-action-capability; } description "Egress-action capabilities"; } leaf-list log-action-capability { type identityref { base log-action-capability; } description Hares, et al. Expires January 26, 2020 [Page 36] Internet-Draft I2NSF Capability YANG Data Model July 2019 "Log-action capabilities"; } } leaf-list resolution-strategy-capabilities { type identityref { base resolution-strategy-capability; } description "Resolution strategy capabilities. The resolution strategies can be used to specify how to resolve conflicts that occur between the actions of the same or different policy rules that are matched for the smae packet and by particular NSF"; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Resolution strategy"; } leaf-list default-action-capabilities { type identityref { base default-action-capability; } description "Default action capabilities. A default action is used to execute I2NSF policy rules when no rule matches a packet. The default action is defined as pass, drop, reject, alert, or mirror."; reference "draft-ietf-i2nsf-capability-04: Information Model of NSFs Capabilities - Default action"; } leaf-list ipsec-method { type identityref { base ipsec-capability; } description "IPsec method capabilities"; reference " draft-ietf-i2nsf-sdn-ipsec-flow-protection-04"; } } /* * Data nodes */ Hares, et al. Expires January 26, 2020 [Page 37] Internet-Draft I2NSF Capability YANG Data Model July 2019 list nsf { key "nsf-name"; description "The list of Network security Function (NSF) capabilities"; leaf nsf-name { type string; mandatory true; description "The name of network security function"; } } } <CODE ENDS> Figure 3: YANG Data Module of I2NSF Capability 7. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950]. name: ietf-i2nsf-capability namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability prefix: nsfcap reference: RFC XXXX 8. Security Considerations The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required transport secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer Hares, et al. Expires January 26, 2020 [Page 38] Internet-Draft I2NSF Capability YANG Data Model July 2019 is HTTPS, and the required transport secure transport is TLS [RFC8446]. The NETCONF access control model [RFC8341] provides a means of restricting access to specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: The attacker may provide incorrect information of the security capability of any target NSF by illegally modifying this. Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: o ietf-i2nsf-capability: The attacker may gather the security capability information of any target NSF and misuse the information for subsequent attacks. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <https://www.rfc-editor.org/info/rfc3261>. Hares, et al. Expires January 26, 2020 [Page 39] Internet-Draft I2NSF Capability YANG Data Model July 2019 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>. [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>. [RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 1980. [RFC790] Postel, J., "Assigned Numbers", RFC 790, September 1981. [RFC791] Postel, J., "Internet Protocol", RFC 791, September 1981. [RFC792] Postel, J., "Internet Control Message Protocol", RFC 792, September 1981. [RFC793] Postel, J., "Transmission Control Protocol", RFC 793, September 1981. [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>. [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J. Jeong, "Interface to Network Security Functions (I2NSF): Problem Statement and Use Cases", RFC 8192, DOI 10.17487/RFC8192, July 2017, <https://www.rfc-editor.org/info/rfc8192>. Hares, et al. Expires January 26, 2020 [Page 40] Internet-Draft I2NSF Capability YANG Data Model July 2019 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, <https://www.rfc-editor.org/info/rfc8200>. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, <https://www.rfc-editor.org/info/rfc8329>. [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, <https://www.rfc-editor.org/info/rfc8340>. [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>. [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018, <https://www.rfc-editor.org/info/rfc8431>. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>. 9.2. Informative References [draft-dong-i2nsf-asf-config] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong- i2nsf-asf-config-01 (work in progress), October 2018. [draft-ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. [draft-ietf-i2nsf-nsf-facing-interface-dm] Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07 (work in progress), July 2019. Hares, et al. Expires January 26, 2020 [Page 41] Internet-Draft I2NSF Capability YANG Data Model July 2019 [draft-ietf-i2nsf-nsf-monitoring-data-model] Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- nsf-monitoring-data-model-01 (work in progress), July 2019. [draft-ietf-i2nsf-sdn-ipsec-flow-protection] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- Garcia, "Software-Defined Networking (SDN)-based IPsec Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- protection-05 (work in progress), July 2019. [draft-ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", draft-ietf-i2nsf-terminology-08 (work in progress), July 2019. [draft-ietf-supa-generic-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- model-03 (work in progress), May 2017. Hares, et al. Expires January 26, 2020 [Page 42] Internet-Draft I2NSF Capability YANG Data Model July 2019 Appendix A. Configuration Examples This section shows configuration examples of "ietf-i2nsf-capability" module for capabilities registration of general firewall. A.1. Example 1: Registration for Capabilities of General Firewall This section shows a configuration example for capabilities registration of general firewall. <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf-name>general_firewall</nsf-name> <condition-capabilities> <generic-nsf-capabilities> <ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>exact-ipv4-address</ipv4-capability> <ipv4-capability>range-ipv4-address</ipv4-capability> <tcp-capability>exact-fourth-layer-port-num</tcp-capability> <tcp-capability>range-fourth-layer-port-num</tcp-capability> </generic-nsf-capabilities> </condition-capabilities> <action-capabilities> <ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability> <egress-action-capability>pass</egress-action-capability> <egress-action-capability>drop</egress-action-capability> <egress-action-capability>alert</egress-action-capability> </action-capabilities> </nsf> Figure 4: Configuration XML for Capabilities Registration of General Firewall Figure 4 shows the configuration XML for capabilities registration of general firewall and its capabilities are as follows. 1. The name of the NSF is general_firewall. 2. The NSF can inspect protocol, exact IPv4 address, and range IPv4 address for IPv4 packets. 3. The NSF can inspect exact port number and range port number for fourth layer packets. Hares, et al. Expires January 26, 2020 [Page 43] Internet-Draft I2NSF Capability YANG Data Model July 2019 4. The NSF can control whether the packets are allowed to pass, drop, or alert. A.2. Example 2: Registration for Capabilities of Time based Firewall This section shows a configuration example for capabilities registration of time based firewall. <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf-name>time_based_firewall</nsf-name> <time-capabilities>absolute-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities> <condition-capabilities> <generic-nsf-capabilities> <ipv4-capability>ipv4-protocol</ipv4-capability> <ipv4-capability>exact-ipv4-address</ipv4-capability> <ipv4-capability>range-ipv4-address</ipv4-capability> </generic-nsf-capabilities> </condition-capabilities> <action-capabilities> <ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability> <egress-action-capability>pass</egress-action-capability> <egress-action-capability>drop</egress-action-capability> <egress-action-capability>alert</egress-action-capability> </action-capabilities> </nsf> Figure 5: Configuration XML for Capabilities Registration of Time based Firewall Figure 5 shows the configuration XML for capabilities registration of time based firewall and its capabilities are as follows. 1. The name of the NSF is time_based_firewall. 2. The NSF can execute the security policy rule according to absolute time and periodic time. 3. The NSF can inspect protocol, exact IPv4 address, and range IPv4 address for IPv4 packets. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. Hares, et al. Expires January 26, 2020 [Page 44] Internet-Draft I2NSF Capability YANG Data Model July 2019 A.3. Example 3: Registration for Capabilities of Web Filter This section shows a configuration example for capabilities registration of web filter. <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf-name>web_filter</nsf-name> <condition-capabilities> <advanced-nsf-capabilities> <url-capability>user-defined</url-capability> </advanced-nsf-capabilities> </condition-capabilities> <action-capabilities> <ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability> <egress-action-capability>pass</egress-action-capability> <egress-action-capability>drop</egress-action-capability> <egress-action-capability>alert</egress-action-capability> </action-capabilities> </nsf> Figure 6: Configuration XML for Capabilities Registration of Web Filter Figure 6 shows the configuration XML for capabilities registration of web filter and its capabilities are as follows. 1. The name of the NSF is web_filter. 2. The NSF can inspect url for http and https packets. 3. The NSF can control whether the packets are allowed to pass, drop, or alert. A.4. Example 4: Registration for Capabilities of VoIP/VoLTE Filter This section shows a configuration example for capabilities registration of VoIP/VoLTE filter. Hares, et al. Expires January 26, 2020 [Page 45] Internet-Draft I2NSF Capability YANG Data Model July 2019 <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf-name>voip_volte_filter</nsf-name> <condition-capabilities> <advanced-nsf-capabilities> <voip-volte-capability>voice-id</voip-volte-capability> </advanced-nsf-capabilities> </condition-capabilities> <action-capabilities> <ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability> <egress-action-capability>pass</egress-action-capability> <egress-action-capability>drop</egress-action-capability> <egress-action-capability>alert</egress-action-capability> </action-capabilities> </nsf> Figure 7: Configuration XML for Capabilities Registration of VoIP/ VoLTE Filter Figure 7 shows the configuration XML for capabilities registration of VoIP/VoLTE filter and its capabilities are as follows. 1. The name of the NSF is voip_volte_filter. 2. The NSF can inspect voice id for VoIP/VoLTE packets. 3. The NSF can control whether the packets are allowed to pass, drop, or alert. A.5. Example 5: Registration for Capabilities of HTTP and HTTPS Flood Mitigation This section shows a configuration example for capabilities registration of http and https flood mitigation. Hares, et al. Expires January 26, 2020 [Page 46] Internet-Draft I2NSF Capability YANG Data Model July 2019 <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> <nsf-name>http_and_https_flood_mitigation</nsf-name> <condition-capabilities> <advanced-nsf-capabilities> <anti-ddos-capability>http-flood-action</anti-ddos-capability> <anti-ddos-capability>https-flood-action</anti-ddos-capability> </advanced-nsf-capabilities> </condition-capabilities> <action-capabilities> <ingress-action-capability>pass</ingress-action-capability> <ingress-action-capability>drop</ingress-action-capability> <ingress-action-capability>alert</ingress-action-capability> <egress-action-capability>pass</egress-action-capability> <egress-action-capability>drop</egress-action-capability> <egress-action-capability>alert</egress-action-capability> </action-capabilities> </nsf> Figure 8: Configuration XML for Capabilities Registration of HTTP and HTTPS Flood Mitigation Figure 8 shows the configuration XML for capabilities registration of http and https flood mitigation and its capabilities are as follows. 1. The name of the NSF is http_and_https_flood_mitigation. 2. The location of the NSF is 221.159.112.140. 3. The NSF can control the amount of packets for http and https packets. 4. The NSF can control whether the packets are allowed to pass, drop, or alert. Appendix B. Changes from draft-ietf-i2nsf-capability-data-model-04 The following changes are made from draft-ietf-i2nsf-capability-data- model-04: o The version is revised according to the comments from Acee Lindem and Carl Moberg who are YANG doctors for review. Appendix C. Acknowledgments This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Hares, et al. Expires January 26, 2020 [Page 47] Internet-Draft I2NSF Capability YANG Data Model July 2019 Security Intelligence Technology Development for the Customized Security Service Provisioning). Appendix D. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) o Daeyoung Hyun (Sungkyunkwan University) o Dongjin Hong (Sungkyunkwan University) o Liang Xia (Huawei) o Jung-Soo Park (ETRI) o Tae-Jin Ahn (Korea Telecom) o Se-Hui Lee (Korea Telecom) Authors' Addresses Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com Jaehoon Paul Jeong Department of Computer Science and Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Fax: +82 31 290 7996 EMail: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php Hares, et al. Expires January 26, 2020 [Page 48] Internet-Draft I2NSF Capability YANG Data Model July 2019 Jinyong Tim Kim Department of Electronic, Electrical and Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 10 8273 0930 EMail: timkim@skku.edu Robert Moskowitz HTT Consulting Oak Park, MI USA Phone: +1-248-968-9809 EMail: rgm@htt-consult.com Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China EMail: linqiushi@huawei.com Hares, et al. Expires January 26, 2020 [Page 49]