I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-16

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Active".
Authors Susan Hares , Jaehoon Paul Jeong , Jinyong Tim Kim , Robert Moskowitz , Qiushi Lin
Last updated 2021-08-05 (Latest revision 2021-03-08)
Replaces draft-hares-i2nsf-capability-data-model
RFC stream Internet Engineering Task Force (IETF)
Stream WG state Submitted to IESG for Publication
Document shepherd Linda Dunbar
Shepherd write-up last changed 2019-12-11
IESG IESG state AD Evaluation::Revised I-D Needed
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Roman Danyliw
Send notices to Linda Dunbar <dunbar.ll@gmail.com>
IANA IANA review state Version Changed - Review Needed
IANA expert review state Expert Reviews OK
  <egress-action-capability>drop</egress-action-capability>
  <egress-action-capability>alert</egress-action-capability>
 </action-capabilities>
</nsf>

    Figure 6: Configuration XML for the Capabilities Registration of a
                  Time-based Firewall in an IPv4 Network

   Figure 6 shows the configuration XML for the capabilities
   registration of a time-based firewall as an NSF in an IPv4 network.
   Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

Hares, et al.           Expires September 9, 2021              [Page 70]
Internet-Draft      I2NSF Capability YANG Data Model          March 2021

   3.  The NSF can inspect a protocol (Next-Header), an exact IPv4
       address, and a range of IPv4 addresses for IPv4 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

<nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
 <nsf-name>time_based_firewall</nsf-name>
 <time-capabilities>absolute-time</time-capabilities>
 <time-capabilities>periodic-time</time-capabilities>
 <condition-capabilities>
  <generic-nsf-capabilities>
   <ipv6-capability>ipv6-next-header</ipv6-capability>
   <ipv6-capability>prefix-ipv6-address-flow-direction</ipv6-capability>
   <ipv6-capability>prefix-ipv6-address</ipv6-capability>
   <ipv6-capability>range-ipv6-address-flow-direction</ipv6-capability>
   <ipv6-capability>range-ipv6-address</ipv6-capability>
  </generic-nsf-capabilities>
 </condition-capabilities>
 <action-capabilities>
  <ingress-action-capability>pass</ingress-action-capability>
  <ingress-action-capability>drop</ingress-action-capability>
  <ingress-action-capability>alert</ingress-action-capability>
  <egress-action-capability>pass</egress-action-capability>
  <egress-action-capability>drop</egress-action-capability>
  <egress-action-capability>alert</egress-action-capability>
 </action-capabilities>
</nsf>

    Figure 7: Configuration XML for the Capabilities Registration of a
                  Time-based Firewall in an IPv6 Network

   In addition, Figure 7 shows the configuration XML for the
   capabilities registration of a time-based firewall as an NSF in an
   IPv6 network.  Its capabilities are as follows.

   1.  The name of the NSF is time_based_firewall.

   2.  The NSF can execute the security policy rule according to
       absolute time and periodic time.

   3.  The NSF can inspect a protocol (Next-Header), an exact IPv6
       address, and a range of IPv6 addresses for IPv6 packets.

   4.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.3.  Example 3: Registration for the Capabilities of a Web Filter

   This section shows a configuration example for the capabilities
   registration of a web filter.

   <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
    <nsf-name>web_filter</nsf-name>
    <condition-capabilities>
     <advanced-nsf-capabilities>
      <url-capability>user-defined</url-capability>
     </advanced-nsf-capabilities>
    </condition-capabilities>
    <action-capabilities>
     <ingress-action-capability>pass</ingress-action-capability>
     <ingress-action-capability>drop</ingress-action-capability>
     <ingress-action-capability>alert</ingress-action-capability>
     <egress-action-capability>pass</egress-action-capability>
     <egress-action-capability>drop</egress-action-capability>
     <egress-action-capability>alert</egress-action-capability>
    </action-capabilities>
   </nsf>

    Figure 8: Configuration XML for the Capabilities Registration of a
                                Web Filter

   Figure 8 shows the configuration XML for the capabilities
   registration of a web filter as an NSF.  Its capabilities are as
   follows.

   1.  The name of the NSF is web_filter.

   2.  The NSF can inspect a URL by matching it against a user-defined
       URL database.  A user can add new URLs to the database.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.4.  Example 4: Registration for the Capabilities of a VoIP/VoLTE
      Filter

   This section shows a configuration example for the capabilities
   registration of a VoIP/VoLTE filter.

   <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
    <nsf-name>voip_volte_filter</nsf-name>
    <condition-capabilities>
     <advanced-nsf-capabilities>
      <voip-volte-capability>voip-volte-call-id</voip-volte-capability>
     </advanced-nsf-capabilities>
    </condition-capabilities>
    <action-capabilities>
     <ingress-action-capability>pass</ingress-action-capability>
     <ingress-action-capability>drop</ingress-action-capability>
     <ingress-action-capability>alert</ingress-action-capability>
     <egress-action-capability>pass</egress-action-capability>
     <egress-action-capability>drop</egress-action-capability>
     <egress-action-capability>alert</egress-action-capability>
    </action-capabilities>
   </nsf>

    Figure 9: Configuration XML for the Capabilities Registration of a
                             VoIP/VoLTE Filter

   Figure 9 shows the configuration XML for the capabilities
   registration of a VoIP/VoLTE filter as an NSF.  Its capabilities are
   as follows.

   1.  The name of the NSF is voip_volte_filter.

   2.  The NSF can inspect a voice call id for VoIP/VoLTE packets.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.

A.5.  Example 5: Registration for the Capabilities of an HTTP and HTTPS
      Flood Mitigator

   This section shows a configuration example for the capabilities
   registration of an HTTP and HTTPS flood mitigator.

   <nsf xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
    <nsf-name>http_and_https_flood_mitigation</nsf-name>
    <condition-capabilities>
     <advanced-nsf-capabilities>
      <anti-ddos-capability>http-flood-action</anti-ddos-capability>
      <anti-ddos-capability>https-flood-action</anti-ddos-capability>
     </advanced-nsf-capabilities>
    </condition-capabilities>
    <action-capabilities>
     <ingress-action-capability>pass</ingress-action-capability>
     <ingress-action-capability>drop</ingress-action-capability>
     <ingress-action-capability>alert</ingress-action-capability>
     <egress-action-capability>pass</egress-action-capability>
     <egress-action-capability>drop</egress-action-capability>
     <egress-action-capability>alert</egress-action-capability>
    </action-capabilities>
   </nsf>

    Figure 10: Configuration XML for the Capabilities Registration of an
                      HTTP and HTTPS Flood Mitigator

   Figure 10 shows the configuration XML for the capabilities
   registration of an HTTP and HTTPS flood mitigator as an NSF.  Its
   capabilities are as follows.

   1.  The name of the NSF is http_and_https_flood_mitigation.

   2.  The NSF can control the number of HTTP and HTTPS packets that are
       routed to the NSF's IPv4 address or the NSF's IPv6 address.

   3.  The NSF can control whether the packets are allowed to pass,
       drop, or alert.
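   As an added example that is not part of the draft, the following
   Python parses a capability registration in the format of Figures 7
   to 10 and lets a controller check whether a registered NSF can
   enforce a rule that needs particular condition, action and time
   capabilities.  The selection logic and the names parse_registration
   and can_enforce are assumptions; the embedded sample is an abridged
   copy of Figure 8.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"

# Abridged copy of the Figure 8 registration (web filter), used as sample input.
WEB_FILTER_XML = f"""<nsf xmlns="{NS}">
 <nsf-name>web_filter</nsf-name>
 <condition-capabilities>
  <advanced-nsf-capabilities>
   <url-capability>user-defined</url-capability>
  </advanced-nsf-capabilities>
 </condition-capabilities>
 <action-capabilities>
  <ingress-action-capability>pass</ingress-action-capability>
  <ingress-action-capability>drop</ingress-action-capability>
  <egress-action-capability>alert</egress-action-capability>
 </action-capabilities>
</nsf>"""

@dataclass
class NsfCapabilities:
    name: str
    time: set = field(default_factory=set)        # e.g. {"absolute-time"}
    conditions: set = field(default_factory=set)  # (leaf name, value) pairs
    ingress: set = field(default_factory=set)
    egress: set = field(default_factory=set)

def _local(el):  # strip the "{namespace}" prefix ElementTree puts on tags
    return el.tag.rsplit("}", 1)[-1]

def parse_registration(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}nsf":  # reject documents from another YANG model
        raise ValueError("not an ietf-i2nsf-capability registration")
    caps = NsfCapabilities(name=root.findtext(f"{{{NS}}}nsf-name", "").strip())
    caps.time = {e.text.strip() for e in root.findall(f"{{{NS}}}time-capabilities")}
    # condition leaves live under generic-nsf-capabilities / advanced-nsf-capabilities
    for group in root.findall(f"{{{NS}}}condition-capabilities/*"):
        for leaf in group:
            caps.conditions.add((_local(leaf), leaf.text.strip()))
    for leaf in root.findall(f"{{{NS}}}action-capabilities/*"):
        bucket = caps.ingress if _local(leaf).startswith("ingress") else caps.egress
        bucket.add(leaf.text.strip())
    return caps

def can_enforce(caps, conditions, ingress=(), egress=(), time=()):
    """True only if every required condition, action and time capability was
    registered: one missing capability disqualifies the NSF for the rule."""
    return (set(conditions) <= caps.conditions and set(ingress) <= caps.ingress
            and set(egress) <= caps.egress and set(time) <= caps.time)
```

   Because the check is set containment, a rule that needs a capability
   the NSF never registered (a time constraint for the web filter, an
   anti-DDoS leaf for an NSF without one) is rejected rather than
   silently sent to an NSF that cannot honour it.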

Appendix B.  Acknowledgments

   This work was supported by the Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).  This work was supported
   in part by the IITP grant funded by the MSIT (2020-0-00395, Standard
   Development of Blockchain based Network Management Automation
   Technology).

Appendix C.  Contributors

   This document is the product of the group effort of the I2NSF
   working group.  Many people actively contributed to this document,
   such as Acee Lindem, Roman Danyliw, and Tom Petch.  The authors
   sincerely appreciate their contributions.

   The following are co-authors of this document:

   Patrick Lingga
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: patricklink@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China

   EMail: Frank.Xialiang@huawei.com

   Cataldo Basile
   Politecnico di Torino
   Corso Duca degli Abruzzi, 34
   Torino, 10129
   Italy

   EMail: cataldo.basile@polito.it

   John Strassner
   Huawei
   2330 Central Expressway
   Santa Clara, CA 95050
   USA

   EMail: John.sc.Strassner@huawei.com

   Diego R. Lopez
   Telefonica I+D
   Zurbaran, 12
   Madrid, 28010
   Spain

   EMail: diego.r.lopez@telefonica.com

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon, 34129
   Republic of Korea

   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: sehuilee@kt.com

Authors' Addresses

   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI  48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong (Tim) Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   EMail: rgm@htt-consult.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com
