I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-16
The information below is for an old version of the document. This is an older version of an Internet-Draft whose latest revision state is "Active".

Document type: Internet-Draft
Authors: Susan Hares, Jaehoon Paul Jeong, Jinyong Tim Kim, Robert Moskowitz, Qiushi Lin
Last updated: 2021-08-05 (latest revision 2021-03-08)
Replaces: draft-hares-i2nsf-capability-data-model
RFC stream: Internet Engineering Task Force (IETF)
Reviews: TSVART Early review (of -13) by Michael Scharf: Almost ready; GENART Last Call review (of -09) by Dan Romascanu: Ready w/issues
WG state: Submitted to IESG for Publication
Document shepherd: Linda Dunbar
Shepherd write-up: last changed 2019-12-11
IESG state: AD Evaluation::Revised I-D Needed
Consensus boilerplate: Yes
Telechat date: (None)
Responsible AD: Roman Danyliw
Send notices to: Linda Dunbar <dunbar.ll@gmail.com>
IANA review state: Version Changed - Review Needed
IANA expert review state: Expert Reviews OK
Hares, et al.             Expires September 9, 2021              [Page 70]
Internet-Draft        I2NSF Capability YANG Data Model          March 2021

   (continuation of Figure 6)
         <egress-action-capability>drop</egress-action-capability>
         <egress-action-capability>alert</egress-action-capability>
       </action-capabilities>
     </nsf>

   Figure 6: Configuration XML for the Capabilities Registration of a
   Time-based Firewall in an IPv4 Network

   Figure 6 shows the configuration XML for the capabilities registration
   of a time-based firewall as an NSF in an IPv4 network.  Its
   capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to absolute
       time and periodic time.

   3.  The NSF can inspect a protocol (Next-Header), an exact IPv4
       address, and a range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass, drop,
       or alert.

     <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
       <nsf-name>time_based_firewall</nsf-name>
       <time-capabilities>absolute-time</time-capabilities>
       <time-capabilities>periodic-time</time-capabilities>
       <condition-capabilities>
         <generic-nsf-capabilities>
           <ipv6-capability>ipv6-next-header</ipv6-capability>
           <ipv6-capability>prefix-ipv6-address-flow-direction</ipv6-capability>
           <ipv6-capability>prefix-ipv6-address</ipv6-capability>
           <ipv6-capability>range-ipv6-address-flow-direction</ipv6-capability>
           <ipv6-capability>range-ipv6-address</ipv6-capability>
         </generic-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
         <ingress-action-capability>pass</ingress-action-capability>
         <ingress-action-capability>drop</ingress-action-capability>
         <ingress-action-capability>alert</ingress-action-capability>
         <egress-action-capability>pass</egress-action-capability>
         <egress-action-capability>drop</egress-action-capability>
         <egress-action-capability>alert</egress-action-capability>
       </action-capabilities>
     </nsf>

   Figure 7: Configuration XML for the Capabilities Registration of a
   Time-based Firewall in an IPv6 Network

   In addition, Figure 7 shows the configuration XML for the capabilities
   registration of a time-based firewall as an NSF in an IPv6 network.
   Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to absolute
       time and periodic time.

   3.  The NSF can inspect a protocol (Next-Header), an exact IPv6
       address, and a range of IPv6 addresses for IPv6 packets.

   4.  The NSF can control whether the packets are allowed to pass, drop,
       or alert.

A.3.  Example 3: Registration for the Capabilities of a Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

     <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
       <nsf-name>web_filter</nsf-name>
       <condition-capabilities>
         <advanced-nsf-capabilities>
           <url-capability>user-defined</url-capability>
         </advanced-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
         <ingress-action-capability>pass</ingress-action-capability>
         <ingress-action-capability>drop</ingress-action-capability>
         <ingress-action-capability>alert</ingress-action-capability>
         <egress-action-capability>pass</egress-action-capability>
         <egress-action-capability>drop</egress-action-capability>
         <egress-action-capability>alert</egress-action-capability>
       </action-capabilities>
     </nsf>

   Figure 8: Configuration XML for the Capabilities Registration of a
   Web Filter

   Figure 8 shows the configuration XML for the capabilities registration
   of a web filter as an NSF.  Its capabilities are as follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect a URL matched against a user-defined URL
       database.  Users can add new URLs to the database.

   3.  The NSF can control whether the packets are allowed to pass, drop,
       or alert.

A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

     <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
       <nsf-name>voip_volte_filter</nsf-name>
       <condition-capabilities>
         <advanced-nsf-capabilities>
           <voip-volte-capability>voip-volte-call-id</voip-volte-capability>
         </advanced-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
         <ingress-action-capability>pass</ingress-action-capability>
         <ingress-action-capability>drop</ingress-action-capability>
         <ingress-action-capability>alert</ingress-action-capability>
         <egress-action-capability>pass</egress-action-capability>
         <egress-action-capability>drop</egress-action-capability>
         <egress-action-capability>alert</egress-action-capability>
       </action-capabilities>
     </nsf>

   Figure 9: Configuration XML for the Capabilities Registration of a
   VoIP/VoLTE Filter

   Figure 9 shows the configuration XML for the capabilities registration
   of a VoIP/VoLTE filter as an NSF.  Its capabilities are as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect a voice call id for VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass, drop,
       or alert.

A.5.  Example 5: Registration for the Capabilities of an HTTP and HTTPS
      Flood Mitigator

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.

     <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
       <nsf-name>http_and_https_flood_mitigation</nsf-name>
       <condition-capabilities>
         <advanced-nsf-capabilities>
           <anti-ddos-capability>http-flood-action</anti-ddos-capability>
           <anti-ddos-capability>https-flood-action</anti-ddos-capability>
         </advanced-nsf-capabilities>
       </condition-capabilities>
       <action-capabilities>
         <ingress-action-capability>pass</ingress-action-capability>
         <ingress-action-capability>drop</ingress-action-capability>
         <ingress-action-capability>alert</ingress-action-capability>
         <egress-action-capability>pass</egress-action-capability>
         <egress-action-capability>drop</egress-action-capability>
         <egress-action-capability>alert</egress-action-capability>
       </action-capabilities>
     </nsf>

   Figure 10: Configuration XML for the Capabilities Registration of an
   HTTP and HTTPS Flood Mitigator

   Figure 10 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator as an NSF.  Its
   capabilities are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The NSF can control the number of HTTP and HTTPS packets that are
       routed to the NSF's IPv4 address or the NSF's IPv6 address.

   3.  The NSF can control whether the packets are allowed to pass, drop,
       or alert.

Appendix B.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded by
   the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud
   based Security Intelligence Technology Development for the Customized
   Security Service Provisioning).  This work was supported in part by
   the IITP grant funded by the MSIT (2020-0-00395, Standard Development
   of Blockchain based Network Management Automation Technology).

Appendix C.  Contributors

   This document is the result of the group effort of the I2NSF working
   group.  Many people actively contributed to this document, such as
   Acee Lindem, Roman Danyliw, and Tom Petch.  The authors sincerely
   appreciate their contributions.

   The following are co-authors of this document:

   Patrick Lingga
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: patricklink@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China
   EMail: Frank.Xialiang@huawei.com

   Cataldo Basile
   Politecnico di Torino
   Corso Duca degli Abruzzi, 34
   Torino, 10129
   Italy
   EMail: cataldo.basile@polito.it

   John Strassner
   Huawei
   2330 Central Expressway
   Santa Clara, CA 95050
   USA
   EMail: John.sc.Strassner@huawei.com

   Diego R. Lopez
   Telefonica I+D
   Zurbaran, 12
   Madrid, 28010
   Spain
   EMail: diego.r.lopez@telefonica.com

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dong.jin@skku.edu

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon, 34129
   Republic of Korea
   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea
   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea
   EMail: sehuilee@kt.com

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA
   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea
   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong (Tim) Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea
   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA
   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China
   EMail: linqiushi@huawei.com
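A capability-matching check over the Appendix A registrations, as an added example that is not part of the draft or any I2NSF implementation: a Security Controller that receives <nsf> documents like Figures 7 to 10 needs to know which registered NSF can enforce a given policy rule, and which required capability an NSF lacks. The two embedded registrations are constructed from Figures 7 and 8 and trimmed to the elements used; the function names parse_registration, capable_nsfs and missing_capabilities and the "leaf:value" token form are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"

# Constructed sample input: the registrations of Figures 7 and 8 in
# Appendix A, trimmed to the elements this example needs.
REGISTRATIONS = [
    f"""<nsf xmlns="{NS}"><nsf-name>time_based_firewall</nsf-name>
      <time-capabilities>periodic-time</time-capabilities>
      <condition-capabilities><generic-nsf-capabilities>
        <ipv6-capability>range-ipv6-address</ipv6-capability>
      </generic-nsf-capabilities></condition-capabilities>
      <action-capabilities>
        <ingress-action-capability>drop</ingress-action-capability>
        <egress-action-capability>alert</egress-action-capability>
      </action-capabilities></nsf>""",
    f"""<nsf xmlns="{NS}"><nsf-name>web_filter</nsf-name>
      <condition-capabilities><advanced-nsf-capabilities>
        <url-capability>user-defined</url-capability>
      </advanced-nsf-capabilities></condition-capabilities>
      <action-capabilities>
        <ingress-action-capability>drop</ingress-action-capability>
      </action-capabilities></nsf>""",
]

def parse_registration(xml_text):
    """Return (nsf-name, set of 'leaf:value' tokens) for one <nsf> document.
    Documents outside the draft's namespace are rejected, not inventoried."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}nsf":
        raise ValueError(f"not an I2NSF capability registration: {root.tag}")
    name = root.findtext(f"{{{NS}}}nsf-name")
    caps = set()
    for el in root.iter():
        leaf = el.tag.split("}")[-1]
        # Capability leaf-lists carry a value as text; containers carry none.
        if leaf.endswith(("-capability", "-capabilities")) and el.text and el.text.strip():
            caps.add(f"{leaf}:{el.text.strip()}")
    return name, caps

def capable_nsfs(registrations, required):
    """Names of registered NSFs whose capabilities cover every required token."""
    inventory = dict(parse_registration(x) for x in registrations)
    return sorted(n for n, caps in inventory.items() if set(required) <= caps)

def missing_capabilities(xml_text, required):
    """Required tokens that one registration does not provide (a policy gap)."""
    return sorted(set(required) - parse_registration(xml_text)[1])
```

A rule that needs periodic-time, an IPv6 address range and an ingress drop matches only time_based_firewall; asking web_filter for an egress alert reports the gap instead of silently accepting the rule.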