Network Working Group S. Hares
Internet-Draft Huawei
Intended status: Standards Track J. Jeong
Expires: January 4, 2018 J. Kim
Sungkyunkwan University
R. Moskowitz
HTT Consulting
L. Xia
Huawei
July 3, 2017

I2NSF Capability YANG Data Model
draft-hares-i2nsf-capability-data-model-03

Abstract

This document defines a YANG data model for capabilities that enables an I2NSF user to control various network security functions in network security devices via an I2NSF security controller.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 4, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


1. Introduction

[i2nsf-problem-statement] proposes two different types of interfaces:

This document provides a YANG data model that defines the capabilities of network security functions (NSFs). The model is used on the I2NSF NSF-facing interface, between the I2NSF security controller and the NSF devices, to express the capabilities of those devices. It can also be used by the I2NSF user (or I2NSF client) to obtain a complete list of the I2NSF capabilities that can be controlled through the security controller. The YANG [RFC6020] data model is based on the information model in [i2nsf-nsf-cap-im]. Terms used in this document are defined in [i2nsf-terminology]. [i2nsf-nsf-cap-im] defines the following types of functionality in NSFs.

This document contains high-level YANG for each type of control.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Terminology

This document uses the terminology described in [i2nsf-nsf-cap-im], [i2rs-rib-data-model], and [supa-policy-info-model]. In particular, the following terms are from [supa-policy-info-model]:

3.1. Tree Diagrams

A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams, which follow [i2rs-rib-data-model], is as follows:

4. High-Level YANG

This section provides an overview of the high-level YANG.

4.1. Capabilities per NSF

The high-level YANG for the capabilities of an NSF device, controller, or application is the following:

module: ietf-i2nsf-capability
  +--rw sec-ctl-capabilities
     +--rw nsf-capabilities* [nsf-capabilities-id]
        +--rw nsf-capabilities-id             uint8
        +--rw net-sec-control-capabilities
        |  uses i2nsf-net-sec-control-caps
        +--rw con-sec-control-capabilities
        |  uses i2nsf-con-sec-control-caps
        +--rw attack-mitigation-capabilities
        |  uses i2nsf-attack-mitigation-control-caps

Figure 1: High-Level YANG of I2NSF Capability Interface

Each of these sections mirrors a section in [i2nsf-nsf-cap-im]. Sections 4.2 to 4.4 give the high-level YANG for net-sec-control-capabilities, con-sec-control-capabilities, and attack-mitigation-capabilities. This draft also utilizes the concepts originated in Basile, Lioy, Pitscheider, and Zhao [2015] concerning conflict resolution, use of external data, and IT-Resources. The authors are grateful to Cataldo for pointing out this excellent work.

4.2. Network Security Control

This section expands the following node of the top-level model:

            +--rw net-sec-control-capabilities
            | uses i2nsf-net-sec-control-caps

Network Security Control


  +--rw i2nsf-net-sec-control-caps
    +--rw network-security-control
      +--rw nsc-support?  boolean
      +--rw nsc-fcn*  [nsc-fcn-name]
        +--rw nsc-fcn-name  string  //std or vendor name
           uses capabilities-information


Figure 2: High-Level YANG of Network Security Control

4.3. Content Security Control

This section expands the following node of the top-level model:

            +--rw con-sec-control-capabilities
            | uses i2nsf-con-sec-control-caps

Content Security Control

  +--rw i2nsf-con-sec-control-caps
    +--rw content-security-control
      +--rw antivirus
      |  +--rw antivirus-support?  boolean
      |  +--rw antivirus-fcn*  [antivirus-fcn-name] 
      |    +--rw antivirus-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw ips
      |  +--rw ips-support?  boolean
      |  +--rw ips-fcn*  [ips-fcn-name] 
      |    +--rw ips-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw ids
      |  +--rw ids-support?  boolean
      |  +--rw ids-fcn*  [ids-fcn-name] 
      |    +--rw ids-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw url-filter
      |  +--rw url-filter-support?  boolean
      |  +--rw url-filter-fcn*  [url-filter-fcn-name] 
      |    +--rw url-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw data-filter
      |  +--rw data-filter-support?  boolean
      |  +--rw data-filter-fcn*  [data-filter-fcn-name] 
      |    +--rw data-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw mail-filter
      |  +--rw mail-filter-support?  boolean
      |  +--rw mail-filter-fcn*  [mail-filter-fcn-name] 
      |    +--rw mail-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw dns-filter
      |  +--rw dns-filter-support?  boolean
      |  +--rw dns-filter-fcn*  [dns-filter-fcn-name]
      |    +--rw dns-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw ftp-filter
      |  +--rw ftp-filter-support?  boolean
      |  +--rw ftp-filter-fcn*  [ftp-filter-fcn-name] 
      |    +--rw ftp-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw games-filter
      |  +--rw games-filter-support?  boolean
      |  +--rw games-filter-fcn*  [games-filter-fcn-name] 
      |    +--rw games-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw p2p-filter
      |  +--rw p2p-filter-support?  boolean
      |  +--rw p2p-filter-fcn*  [p2p-filter-fcn-name] 
      |    +--rw p2p-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw rpc-filter
      |  +--rw rpc-filter-support?  boolean
      |  +--rw rpc-filter-fcn*  [rpc-filter-fcn-name] 
      |    +--rw rpc-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw sql-filter
      |  +--rw sql-filter-support?  boolean
      |  +--rw sql-filter-fcn*  [sql-filter-fcn-name]
      |    +--rw sql-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw telnet-filter
      |  +--rw telnet-filter-support?  boolean
      |  +--rw telnet-filter-fcn*  [telnet-filter-fcn-name]
      |    +--rw telnet-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw tftp-filter
      |  +--rw tftp-filter-support?  boolean
      |  +--rw tftp-filter-fcn*  [tftp-filter-fcn-name]
      |    +--rw tftp-filter-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw file-blocking
      |  +--rw file-blocking-support?  boolean
      |  +--rw file-blocking-fcn*  [file-blocking-fcn-name]
      |    +--rw file-blocking-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw file-isolate
      |  +--rw file-isolate-support?  boolean
      |  +--rw file-isolate-fcn*  [file-isolate-fcn-name]
      |    +--rw file-isolate-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw pkt-capture
      |  +--rw pkt-capture-support?  boolean
      |  +--rw pkt-capture-fcn*  [pkt-capture-fcn-name]
      |    +--rw pkt-capture-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw app-control
      |  +--rw app-control-support?  boolean
      |  +--rw app-control-fcn*  [app-control-fcn-name] 
      |    +--rw app-control-fcn-name  string  //std or vendor name
      |       uses capabilities-information
      +--rw voip-volte
         +--rw voip-volte-support?  boolean
         +--rw voip-volte-fcn*  [voip-volte-fcn-name] 
           +--rw voip-volte-fcn-name  string  //std or vendor name
              uses capabilities-information

		

Figure 3: High-Level YANG of Content Security Control

4.4. Attack Mitigation Control

The high-level YANG below expands the following node of the top-level model:

            +--rw attack-mitigation-capabilities
            | uses i2nsf-attack-mitigation-control-caps

Note that attack-mitigation-control-type, ddos-attack-type, and single-packet-attack-type are YANG choice statements: an instance of attack-mitigation-control can carry the data nodes of only one case of each choice, so an NSF that mitigates, for example, both SYN floods and port scans cannot advertise both in a single attack-mitigation-control container.

Attack Mitigation Control

  +--rw i2nsf-attack-mitigation-control-caps
    +--rw attack-mitigation-control
      +--rw (attack-mitigation-control-type)?
        +--: (ddos-attack)
        |  +--rw (ddos-attack-type)?
        |    +--: (network-layer-ddos-attack)
        |    |  +--rw network-layer-ddos-attack-types
        |    |    +--rw syn-flood-attack
        |    |    |  +--rw syn-flood-attack-support?  boolean
        |    |    |  +--rw syn-flood-fcn*  [syn-flood-fcn-name]
        |    |    |    +--rw syn-flood-fcn-name  string
        |    |    |       uses capabilities-information
        |    |    +--rw udp-flood-attack
        |    |    |  +--rw udp-flood-attack-support?  boolean
        |    |    |  +--rw udp-flood-fcn*  [udp-flood-fcn-name]
        |    |    |    +--rw udp-flood-fcn-name  string
        |    |    |       uses capabilities-information
        |    |    +--rw icmp-flood-attack
        |    |    |  +--rw icmp-flood-attack-support?  boolean
        |    |    |  +--rw icmp-flood-fcn*  [icmp-flood-fcn-name]
        |    |    |    +--rw icmp-flood-fcn-name  string
        |    |    |       uses capabilities-information
        |    |    +--rw ip-fragment-flood-attack
        |    |    |  +--rw ip-fragment-flood-attack-support?  boolean
        |    |    |  +--rw ip-frag-flood-fcn*  [ip-frag-flood-fcn-name]
        |    |    |    +--rw ip-frag-flood-fcn-name  string
        |    |    |       uses capabilities-information
        |    |    +--rw ipv6-related-attack
        |    |       +--rw ipv6-related-attack-support?  boolean
        |    |       +--rw ipv6-related-fcn*  [ipv6-related-fcn-name]
        |    |         +--rw ipv6-related-fcn-name  string
        |    |            uses capabilities-information
        |    +--: (app-layer-ddos-attack)
        |       +--rw app-layer-ddos-attack-types
        |         +--rw http-flood-attack
        |         |  +--rw http-flood-attack-support?  boolean
        |         |  +--rw http-flood-fcn*  [http-flood-fcn-name]
        |         |    +--rw http-flood-fcn-name  string
        |         |       uses capabilities-information
        |         +--rw https-flood-attack
        |         |  +--rw https-flood-attack-support?  boolean
        |         |  +--rw https-flood-fcn*  [https-flood-fcn-name]
        |         |    +--rw https-flood-fcn-name  string
        |         |       uses capabilities-information
        |         +--rw dns-flood-attack
        |         |  +--rw dns-flood-attack-support?  boolean
        |         |  +--rw dns-flood-fcn*  [dns-flood-fcn-name]
        |         |    +--rw dns-flood-fcn-name  string
        |         |       uses capabilities-information
        |         +--rw dns-amp-flood-attack
        |         |  +--rw dns-amp-flood-attack-support?  boolean
        |         |  +--rw dns-amp-flood-fcn*  [dns-amp-flood-fcn-name]
        |         |    +--rw dns-amp-flood-fcn-name  string
        |         |       uses capabilities-information
        |         +--rw ssl-ddos-attack
        |            +--rw ssl-ddos-attack-support?  boolean
        |            +--rw ssl-ddos-fcn*  [ssl-ddos-fcn-name]
        |              +--rw ssl-ddos-fcn-name  string
        |                 uses capabilities-information
        +--: (single-packet-attack)
           +--rw (single-packet-attack-type)?
             +--: (scan-and-sniff-attack)
             |  +--rw ip-sweep-attack
             |  |  +--rw ip-sweep-attack-support?  boolean
             |  |  +--rw ip-sweep-fcn*  [ip-sweep-fcn-name]
             |  |    +--rw ip-sweep-fcn-name  string
             |  |       uses capabilities-information
             |  +--rw port-scanning-attack
             |     +--rw port-scanning-attack-support?  boolean
             |     +--rw port-scanning-fcn*  [port-scanning-fcn-name]
             |       +--rw port-scanning-fcn-name  string
             |          uses capabilities-information
             +--: (malformed-packet-attack)
             |  +--rw ping-of-death-attack
             |  |  +--rw ping-of-death-attack-support?  boolean
             |  |  +--rw ping-of-death-fcn*  [ping-of-death-fcn-name]
             |  |    +--rw ping-of-death-fcn-name  string
             |  |       uses capabilities-information
             |  +--rw teardrop-attack
             |     +--rw teardrop-attack-support?  boolean
             |     +--rw tear-drop-fcn*  [tear-drop-fcn-name]
             |       +--rw tear-drop-fcn-name  string
             |          uses capabilities-information
             +--: (special-packet-attack)
                +--rw oversized-icmp-attack
                |  +--rw oversized-icmp-attack-support?  boolean
                |  +--rw oversized-icmp-fcn*  [oversized-icmp-fcn-name]
                |    +--rw oversized-icmp-fcn-name  string
                |       uses capabilities-information
                +--rw tracert-attack
                   +--rw tracert-attack-support?  boolean
                   +--rw tracert-fcn*  [tracert-fcn-name]
                     +--rw tracert-fcn-name  string
                        uses capabilities-information
		

Figure 4: High-Level YANG of Attack Mitigation Control
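The Python below is an added example, not code from the draft. It checks an attack-mitigation-control advertisement against the semantics of Figure 4: the YANG choice rule (data nodes of only one case per choice may be present), the mandatory boolean *-support leaf in each per-attack container, the *-fcn lists keyed by *-fcn-name, and the ipv4/ipv6 choice of the nsf-address from Figure 6. It assumes the JSON encoding of RFC 7951, in which choice and case nodes are not encoded and only their data-node children appear. The sample instances, function name, address and IT resource are constructed for the example; the second instance shows the case a practitioner is most likely to hit, an NSF that mitigates both a DDoS attack and a single-packet attack.

```python
"""Structural checks on an attack-mitigation-control advertisement, following
the YANG choice, mandatory and list-key semantics of Figure 4 (added example,
not part of the draft).  Instances are assumed to be RFC 7951 JSON: choice and
case nodes are not encoded, only their data-node children appear."""
import json

# Choice/case structure of Figure 4.  A case maps either to a nested choice
# (dict of case -> ...) or to the set of data nodes the case contributes.
AMC_CHOICE = {
    "ddos-attack": {                                   # choice ddos-attack-type
        "network-layer-ddos-attack": {"network-layer-ddos-attack-types"},
        "app-layer-ddos-attack": {"app-layer-ddos-attack-types"},
    },
    "single-packet-attack": {                 # choice single-packet-attack-type
        "scan-and-sniff-attack": {"ip-sweep-attack", "port-scanning-attack"},
        "malformed-packet-attack": {"ping-of-death-attack", "teardrop-attack"},
        "special-packet-attack": {"oversized-icmp-attack", "tracert-attack"},
    },
}
# Containers that merely group the per-attack containers one level down.
GROUPING_CONTAINERS = {"network-layer-ddos-attack-types",
                       "app-layer-ddos-attack-types"}


def _nodes_of(case):
    """All data nodes a case (possibly holding a nested choice) can contribute."""
    if isinstance(case, set):
        return set(case)
    return set().union(*(_nodes_of(body) for body in case.values()))


def selected_cases(present, choice, path=()):
    """Chain of selected case names for a (possibly nested) choice.  Raises
    ValueError if data nodes from two sibling cases are both present."""
    hits = [case for case, body in choice.items() if present & _nodes_of(body)]
    if len(hits) > 1:
        raise ValueError(f"choice violation at {'/'.join(path) or 'root'}: "
                         f"cases {hits} are both present")
    if not hits:                    # every choice in Figure 4 is optional ('?')
        return path
    body, path = choice[hits[0]], path + (hits[0],)
    return selected_cases(present, body, path) if isinstance(body, dict) else path


def check_capability_container(name, node):
    """One mandatory boolean *-support leaf, *-fcn lists keyed by *-fcn-name
    (keys unique), and at most one address in the nsf-address-type choice."""
    supports = [k for k in node if k.endswith("-support")]
    if len(supports) != 1 or not isinstance(node[supports[0]], bool):
        raise ValueError(f"{name}: exactly one boolean *-support leaf is mandatory")
    for lst in (k for k in node if k.endswith("-fcn")):
        key = lst + "-name"
        names = [entry.get(key) for entry in node[lst]]
        if None in names or len(set(names)) != len(names):
            raise ValueError(f"{name}/{lst}: key leaf {key} missing or duplicated")
        for entry in node[lst]:
            addr = entry.get("nsf-address", {})
            if "ipv4-address" in addr and "ipv6-address" in addr:
                raise ValueError(f"{name}/{lst}: ipv4-address and ipv6-address "
                                 "are cases of one choice and cannot both appear")
    return node[supports[0]]


def validate_amc(amc):
    """Validate one attack-mitigation-control container.  Returns the selected
    case chain and a {per-attack container: support flag} map."""
    unknown = set(amc) - _nodes_of(AMC_CHOICE)
    if unknown:
        raise ValueError(f"unknown data nodes: {sorted(unknown)}")
    path = selected_cases(set(amc), AMC_CHOICE)
    support = {}
    for name, node in amc.items():
        children = node.items() if name in GROUPING_CONTAINERS else [(name, node)]
        for child, cnode in children:
            support[child] = check_capability_container(child, cnode)
    return path, support


def rejection_reason(amc):
    """The validation error for an instance, or None when it is valid."""
    try:
        validate_amc(amc)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample advertisement (not from the draft): SYN-flood mitigation
# supported, UDP-flood mitigation advertised as unsupported.
VALID = json.loads("""{
  "network-layer-ddos-attack-types": {
    "syn-flood-attack": {
      "syn-flood-attack-support": true,
      "syn-flood-fcn": [{
        "syn-flood-fcn-name": "syn-cookie",
        "nsf-address": {"ipv4-address": "192.0.2.10"},
        "it-resources": [{"it-resource-id": 1, "it-resource-name": "edge-fw-1"}]
      }]
    },
    "udp-flood-attack": {"udp-flood-attack-support": false}
  }
}""")

# The same NSF also claiming port-scan mitigation: a realistic box, but the two
# containers belong to different cases of attack-mitigation-control-type.
MIXED = {**VALID, "port-scanning-attack": {"port-scanning-attack-support": True}}

if __name__ == "__main__":
    print(validate_amc(VALID))
    print("rejected:", rejection_reason(MIXED))
```

The rejection of MIXED is not a bug in the checker but a property of the model as drawn in Figure 4; an NSF with both kinds of mitigation would need two nsf-capabilities entries (or a future revision that replaces the choices with containers).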

4.5. Information on Capabilities

This section provides the information attached to each capability function: the location of the NSF that implements it (Section 4.6) and the IT resources it is linked to (Section 4.7). Additional input is needed.


Capabilities Information

              +--rw capabilities-information
                +--rw nsf-location
                |  uses i2nsf-nsf-location
                +--rw it-resources
                   uses i2nsf-it-resources

		

Figure 5: High-Level YANG of Information on Capabilities

4.6. Location for Capabilities

This section provides the location of the NSF that implements a capability, as an IPv4 or IPv6 address (a YANG choice, so at most one of the two is present). Additional input is needed.

               +--rw nsf-location
               |  uses i2nsf-nsf-location

NSF Location

               +--rw i2nsf-nsf-location
                 +--rw nsf-address
                   +--rw (nsf-address-type)?
                     +--:(ipv4-address)
                     |  +--rw ipv4-address inet:ipv4-address
                     +--:(ipv6-address)
                        +--rw ipv6-address inet:ipv6-address
		

Figure 6: High-Level YANG of Capabilities Location

4.7. IT Resources linked to Capabilities

This section provides a link between capabilities and IT resources: a list of IT resources, each identified by an id and a name. Additional input is needed.

            +--rw it-resources
            | uses i2nsf-it-resources

IT Resources

            +--rw i2nsf-it-resources
              +--rw it-resources* [it-resource-id]
                 +--rw it-resource-id  uint64
                 +--rw it-resource-name  string

		

Figure 7: High-Level YANG of IT Resources
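The following Python is an added example rather than code from the draft. It shows how a security controller could consume the capability advertisements of Figures 1 to 3 and 5 to 7: it flattens each nsf-capabilities entry into its capability containers (recognised by the mandatory *-support leaf, which is the common shape of every container in Figures 2 and 3), indexes the capabilities whose support flag is true, and answers two questions the I2NSF user would put to the controller: which NSFs offer a given capability, and which NSF function protects a named IT resource (the link of Section 4.7) and at which NSF address (Section 4.6). Instances are assumed to be RFC 7951 JSON with choice and case nodes omitted; the two advertisements, NSF ids, function names, addresses and IT resource names are constructed sample data.

```python
"""Controller-side handling of NSF capability advertisements shaped like
Figures 1-3 and 5-7 (added example, not part of the draft).  Instances are
assumed to be RFC 7951 JSON, so choice and case nodes are not encoded."""
import json
from collections import defaultdict

# Constructed sample data (not from the draft): two entries of the
# nsf-capabilities list of Figure 1.
ADVERTISEMENTS = json.loads("""[
  {"nsf-capabilities-id": 1,
   "net-sec-control-capabilities": {"network-security-control": {
     "nsc-support": true,
     "nsc-fcn": [{"nsc-fcn-name": "acl",
                  "nsf-address": {"ipv4-address": "192.0.2.10"},
                  "it-resources": [{"it-resource-id": 100,
                                    "it-resource-name": "dmz-web"}]}]}},
   "con-sec-control-capabilities": {"content-security-control": {
     "ips": {"ips-support": true,
             "ips-fcn": [{"ips-fcn-name": "vendor-ips-a",
                          "nsf-address": {"ipv4-address": "192.0.2.10"},
                          "it-resources": [{"it-resource-id": 100,
                                            "it-resource-name": "dmz-web"}]}]},
     "antivirus": {"antivirus-support": false}}}},
  {"nsf-capabilities-id": 2,
   "con-sec-control-capabilities": {"content-security-control": {
     "ips": {"ips-support": true,
             "ips-fcn": [{"ips-fcn-name": "vendor-ips-b",
                          "nsf-address": {"ipv6-address": "2001:db8::2"},
                          "it-resources": [{"it-resource-id": 200,
                                            "it-resource-name": "corp-mail"}]}]},
     "url-filter": {"url-filter-support": true}}}}
]""")


def capabilities(entry):
    """Flatten one nsf-capabilities entry into {container name: (support, fcns)}.
    A capability container is recognised by its mandatory *-support leaf; the
    *-fcn list entries carry the function name, nsf-address and it-resources."""
    found = {}

    def walk(name, node):
        if not isinstance(node, dict):
            return
        supports = [k for k in node if k.endswith("-support")]
        if supports:
            fcns = [e for k in node if k.endswith("-fcn") for e in node[k]]
            found[name] = (node[supports[0]] is True, fcns)
            return
        for child, value in node.items():
            walk(child, value)

    walk("nsf-capabilities", entry)
    return found


def build_index(advertisements):
    """capability -> {nsf-capabilities-id: fcn entries}, offered capabilities
    only: a container advertised with *-support false is not an offer."""
    index = defaultdict(dict)
    for entry in advertisements:
        for cap, (support, fcns) in capabilities(entry).items():
            if support:
                index[cap][entry["nsf-capabilities-id"]] = fcns
    return index


def fcn_address(fcn):
    """nsf-address-type is a choice (Figure 6): one of ipv4/ipv6 is present."""
    addr = fcn.get("nsf-address", {})
    return addr.get("ipv4-address") or addr.get("ipv6-address")


def nsfs_offering(index, capability):
    """Ids of the NSFs that advertise the capability with *-support true."""
    return sorted(index.get(capability, {}))


def nsfs_protecting(index, capability, it_resource_name):
    """(nsf id, function name, address) for every function of `capability`
    that the advertisement links (Figure 7) to the named IT resource."""
    matches = []
    for nsf_id, fcns in sorted(index.get(capability, {}).items()):
        for fcn in fcns:
            linked = {r["it-resource-name"] for r in fcn.get("it-resources", [])}
            if it_resource_name in linked:
                fcn_name = next(v for k, v in fcn.items() if k.endswith("-fcn-name"))
                matches.append((nsf_id, fcn_name, fcn_address(fcn)))
    return matches


INDEX = build_index(ADVERTISEMENTS)

if __name__ == "__main__":
    print("IPS offered by NSFs:", nsfs_offering(INDEX, "ips"))
    print("antivirus offered by NSFs:", nsfs_offering(INDEX, "antivirus"))
    print("IPS for dmz-web:", nsfs_protecting(INDEX, "ips", "dmz-web"))
```

The index treats *-support as the authoritative offer flag and the *-fcn entries as detail, because the model makes only the support leaf mandatory; a container with support true and an empty function list (url-filter on NSF 2 above) is still an offer, it just names no standard or vendor function.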

4.8. Actions

Notifications indicate when rules are added or deleted. These notifications will be defined later.

5. YANG Modules

This section introduces the YANG module for the I2NSF capability interface, based on the information model defined in [i2nsf-nsf-cap-im].

<CODE BEGINS> file "ietf-i2nsf-capability@2017-07-03.yang"


module ietf-i2nsf-capability {
  namespace 
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
  prefix
    i2nsf-capability;

  import ietf-inet-types{
    prefix inet;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions) 
     Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/i2nsf>
     WG List: <mailto:i2nsf@ietf.org>

     WG Chair: Adrian Farrel
     <mailto:adrian@olddog.co.uk>

     WG Chair: Linda Dunbar
     <mailto:linda.dunbar@huawei.com>

     Editor: Susan Hares
     <mailto:shares@ndzh.com>

     Editor: Jaehoon Paul Jeong
     <mailto:pauljeong@skku.edu>

     Editor: Jinyong Tim Kim
     <mailto:timkim@skku.edu>";
	 
  description
    "This module describes a capability model 
    for I2NSF devices.";

  revision "2017-07-03"{
    description "The second revision";
    reference
      "draft-xibassnez-i2nsf-capability-01
       draft-hares-i2nsf-capability-data-model-02";
  }

  container sec-ctl-capabilities {
    description
      "Capabilities known to the security controller, one list
       entry per NSF device, controller, or application
       (Figure 1).";
    list nsf-capabilities {
      key "nsf-capabilities-id";
      description
        "Capabilities advertised by one NSF.";
      leaf nsf-capabilities-id {
        type uint8;
        description
          "Identifier of the NSF whose capabilities are
           described.";
      }
      container net-sec-control-capabilities {
        description
          "Network security control capabilities.";
        uses i2nsf-net-sec-control-caps;
      }
      container con-sec-control-capabilities {
        description
          "Content security control capabilities.";
        uses i2nsf-con-sec-control-caps;
      }
      container attack-mitigation-capabilities {
        description
          "Attack mitigation control capabilities.";
        uses i2nsf-attack-mitigation-control-caps;
      }
    }
  }

  grouping i2nsf-nsf-location {
    description
      "This provides a location for capabilities.";
    container nsf-address {
      description
       "This is location information for capabilities.";
      choice nsf-address-type {
        description
          "nsf address type: ipv4 or ipv6";
        case ipv4-address {
          description
            "ipv4 case";
          leaf ipv4-address {
            type inet:ipv4-address;
            mandatory true;
            description
              "nsf address type is ipv4";
          }
        }
        case ipv6-address {
          description
            "ipv6 case";
          leaf ipv6-address {
            type inet:ipv6-address;
            mandatory true;
            description
              "nsf address type is ipv6";
          }
        }
      }
    }
  }


  grouping i2nsf-it-resources {
    description
      "This provides a link between capabilities 
       and IT resources. This has a list of IT resources
       by name.";
    list it-resources {
      key "it-resource-id";
      description
        "it-resource";
      leaf it-resource-id {
        type uint64;
        mandatory true;
        description
          "it-resource-id";
      }
      leaf it-resource-name {
        type string;
        mandatory true;
        description
          "it-resource-name";
      }
    }
  }

  grouping capabilities-information {
    description
      "This includes information of capabilities.";
    uses i2nsf-nsf-location;
    uses i2nsf-it-resources;
  }

  grouping i2nsf-net-sec-control-caps {
    description
      "i2nsf-net-sec-control-caps";
    container network-security-control {
      description
        "i2nsf-net-sec-control-caps";
      leaf nsc-support {
        type boolean;
        mandatory true;
        description
          "nsc-support";
      }
      list nsc-fcn {
        key "nsc-fcn-name";
        description
          "nsc-fcn";
        leaf nsc-fcn-name {
          type string;
          mandatory true;
          description
            "nsc-fcn-name";
        }
        uses capabilities-information;
      }
    }
  }

  grouping i2nsf-con-sec-control-caps {
    description
      "i2nsf-con-sec-control-caps";

    container content-security-control {
      description
        "content-security-control";

      container antivirus {
        description
          "antivirus";

        leaf antivirus-support {
          type boolean;
          mandatory true;
          description
            "antivirus-support";
        }
        list antivirus-fcn {
          key "antivirus-fcn-name";
          description
            "antivirus-fcn";
  
          leaf antivirus-fcn-name {
            type string;
            mandatory true;
            description
              "antivirus-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container ips {
        description
          "ips";

        leaf ips-support {
          type boolean;
          mandatory true;
          description
            "ips-support";
        }
        list ips-fcn {
          key "ips-fcn-name";
          description
            "ips-fcn";

          leaf ips-fcn-name {
            type string;
            mandatory true;
            description
              "ips-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container ids {
        description
          "ids";

        leaf ids-support {
          type boolean;
          mandatory true;
          description
            "ids-support";
        }
        list ids-fcn {
          key "ids-fcn-name";
          description
            "ids-fcn";
	
          leaf ids-fcn-name {
            type string;
            mandatory true;
            description
              "ids-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container url-filter {
        description
          "url-filter";
  
        leaf url-filter-support {
          type boolean;
          mandatory true;
          description
            "url-filter-support";
        }
        list url-filter-fcn {
          key "url-filter-fcn-name";
          description
            "url-filter-fcn";
  
          leaf url-filter-fcn-name {
            type string;
            mandatory true;
            description
              "url-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container data-filter {
        description
          "data-filter";

        leaf data-filter-support {
          type boolean;
          mandatory true;
          description
            "data-filter-support";
        }
        list data-filter-fcn {
          key "data-filter-fcn-name";
          description
            "data-filter-fcn";
  
          leaf data-filter-fcn-name {
            type string;
            mandatory true;
            description
              "data-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container mail-filter {
        description
          "mail-filter";

        leaf mail-filter-support {
          type boolean;
          mandatory true;
          description
            "mail-filter-support";
        }
        list mail-filter-fcn {
          key "mail-filter-fcn-name";
          description
            "mail-filter-fcn";
  
          leaf mail-filter-fcn-name {
            type string;
            mandatory true;
            description
              "mail-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }
	  
      container dns-filter {
        description
          "dns-filter";

        leaf dns-filter-support {
          type boolean;
          mandatory true;
          description
            "dns-filter-support";
        }
        list dns-filter-fcn {
          key "dns-filter-fcn-name";
          description
            "dns-filter-fcn";
  
          leaf dns-filter-fcn-name {
            type string;
            mandatory true;
            description
              "dns-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }
	  
      container ftp-filter {
        description
          "ftp-filter";

        leaf ftp-filter-support {
          type boolean;
          mandatory true;
          description
            "ftp-filter-support";
        }
        list ftp-filter-fcn {
          key "ftp-filter-fcn-name";
          description
            "ftp-filter-fcn";
  
          leaf ftp-filter-fcn-name {
            type string;
            mandatory true;
            description
              "ftp-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container games-filter {
        description
          "games-filter";

        leaf games-filter-support {
          type boolean;
          mandatory true;
          description
            "games-filter-support";
        }
        list games-filter-fcn {
          key "games-filter-fcn-name";
          description
            "games-filter-fcn";
  
          leaf games-filter-fcn-name {
            type string;
            mandatory true;
            description
              "games-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container p2p-filter {
        description
          "p2p-filter";

        leaf p2p-filter-support {
          type boolean;
          mandatory true;
          description
            "p2p-filter-support";
        }
        list p2p-filter-fcn {
          key "p2p-filter-fcn-name";
          description
            "p2p-filter-fcn";
  
          leaf p2p-filter-fcn-name {
            type string;
            mandatory true;
            description
              "p2p-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container rpc-filter {
        description
          "rpc-filter";

        leaf rpc-filter-support {
          type boolean;
          mandatory true;
          description
            "rpc-filter-support";
        }
        list rpc-filter-fcn {
          key "rpc-filter-fcn-name";
          description
            "rpc-filter-fcn";
  
          leaf rpc-filter-fcn-name {
            type string;
            mandatory true;
            description
              "rpc-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container sql-filter {
        description
          "sql-filter";

        leaf sql-filter-support {
          type boolean;
          mandatory true;
          description
            "sql-filter-support";
        }
        list sql-filter-fcn {
          key "sql-filter-fcn-name";
          description
            "sql-filter-fcn";
  
          leaf sql-filter-fcn-name {
            type string;
            mandatory true;
            description
              "sql-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container telnet-filter {
        description
          "telnet-filter";

        leaf telnet-filter-support {
          type boolean;
          mandatory true;
          description
            "telnet-filter-support";
        }
        list telnet-filter-fcn {
          key "telnet-filter-fcn-name";
          description
            "telnet-filter-fcn";

          leaf telnet-filter-fcn-name {
            type string;
            mandatory true;
            description
              "telnet-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container tftp-filter {
        description
          "tftp-filter";

        leaf tftp-filter-support {
          type boolean;
          mandatory true;
          description
            "tftp-filter-support";
        }
        list tftp-filter-fcn {
          key "tftp-filter-fcn-name";
          description
            "tftp-filter-fcn";
  
          leaf tftp-filter-fcn-name {
            type string;
            mandatory true;
            description
              "tftp-filter-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container file-blocking {
        description
          "file-blocking";

        leaf file-blocking-support {
          type boolean;
          mandatory true;
          description
            "file-blocking-support";
        }
        list file-blocking-fcn {
          key "file-blocking-fcn-name";
          description
            "file-blocking-fcn";
  
          leaf file-blocking-fcn-name {
            type string;
            mandatory true;
            description
              "file-blocking-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container file-isolate {
        description
          "file-isolate";

        leaf file-isolate-support {
          type boolean;
          mandatory true;
          description
            "file-isolate-support";
        }
        list file-isolate-fcn {
          key "file-isolate-fcn-name";
          description
            "file-isolate-fcn";
  
          leaf file-isolate-fcn-name {
            type string;
            mandatory true;
            description
              "file-isolate-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container pkt-capture {
        description
          "pkt-capture";

        leaf pkt-capture-support {
          type boolean;
          mandatory true;
          description
            "pkt-capture-support";
        }
        list pkt-capture-fcn {
          key "pkt-capture-fcn-name";
          description
            "pkt-capture-fcn";
  
          leaf pkt-capture-fcn-name {
            type string;
            mandatory true;
            description
              "pkt-capture-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container app-control {
        description
          "app-control";

        leaf app-control-support {
          type boolean;
          mandatory true;
          description
            "app-control-support";
        }
        list app-control-fcn {
          key "app-control-fcn-name";
          description
            "app-control-fcn";
  
          leaf app-control-fcn-name {
            type string;
            mandatory true;
            description
              "app-control-fcn-name";
          }
          uses capabilities-information;
        }
      }

      container voip-volte {
        description
          "voip-volte";
            
        leaf voip-volte-support {
          type boolean;
          mandatory true;
          description
            "voip-volte-support";
        }
        list voip-volte-fcn {
          key "voip-volte-fcn-name";
          description
            "voip-volte-fcn";
              
          leaf voip-volte-fcn-name {
            type string;
            mandatory true;
            description
              "voip-volte-fcn-name";
          }
          uses capabilities-information;
        }
      }
    }
  }
  
  grouping i2nsf-attack-mitigation-control-caps {
    description
      "i2nsf-attack-mitigation-control-caps";
	  
    container attack-mitigation-control {
      description
        "attack-mitigation-control";	
      choice attack-mitigation-control-type {
        description
          "attack-mitigation-control-type";
        case ddos-attack {
          description
            "ddos-attack";
          choice ddos-attack-type {
            description
              "ddos-attack-type";
            case network-layer-ddos-attack {
              description
                "network-layer-ddos-attack";
              container network-layer-ddos-attack-types {
                description
                  "network-layer-ddos-attack-type";
                container syn-flood-attack {
                  description
                    "syn-flood-attack";
                  leaf syn-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "syn-flood-attack-support";
                  }
                  list syn-flood-fcn {
                    key "syn-flood-fcn-name";
                    description
                      "syn-flood-fcn";
                    leaf syn-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "syn-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container udp-flood-attack {
                  description
                    "udp-flood-attack";
                  leaf udp-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "udp-flood-attack-support";
                  }
                  list udp-flood-fcn {
                    key "udp-flood-fcn-name";
                    description
                      "udp-flood-fcn";
                    leaf udp-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "udp-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container icmp-flood-attack {
                  description
                    "icmp-flood-attack";
                  leaf icmp-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "icmp-flood-attack-support";
                  }
                  list icmp-flood-fcn {
                    key "icmp-flood-fcn-name";
                    description
                      "icmp-flood-fcn";
                    leaf icmp-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "icmp-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container ip-fragment-flood-attack {
                  description
                    "ip-fragment-flood-attack";
                  leaf ip-fragment-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "ip-fragment-flood-attack-support";
                  }
                  list frag-flood-fcn {
                    key "ip-frag-flood-fcn-name";
                    description
                      "frag-flood-fcn";
                    leaf ip-frag-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "ip-frag-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container ipv6-related-attack {
                  description
                    "ipv6-related-attack";
                  leaf ipv6-related-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "ipv6-related-attack-support";
                  }
                  list ipv6-related-fcn {
                    key "ipv6-related-fcn-name";
                    description
                      "ipv6-related-fcn";
                    leaf ipv6-related-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "ipv6-related-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }
              }  
            }
            case app-layer-ddos-attack {
              description
                "app-layer-ddos-attack";
              container app-layer-ddos-attack-types {
                description
                  "app-layer-ddos-attack-types";
                container http-flood-attack {
                  description
                    "http-flood-attack";
                  leaf http-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "http-flood-attack-support";
                  }
                  list http-flood-fcn {
                    key "http-flood-fcn-name";
                    description
                      "http-flood-fcn";
                    leaf http-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "http-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container https-flood-attack {
                  description
                    "https-flood-attack";
                  leaf https-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "https-flood-attack-support";
                  }
                  list https-flood-fcn {
                    key "https-flood-fcn-name";
                    description
                      "https-flood-fcn";
                    leaf https-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "https-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container dns-flood-attack {
                  description
                    "dns-flood-attack";
                  leaf dns-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "dns-flood-attack-support";
                  }
                  list dns-flood-fcn {
                    key "dns-flood-fcn-name";
                    description
                      "dns-flood-fcn";
                    leaf dns-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "dns-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container dns-amp-flood-attack {
                  description
                    "dns-amp-flood-attack";
                  leaf dns-amp-flood-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "dns-amp-flood-attack-support";
                  }
                  list dns-amp-flood-fcn {
                    key "dns-amp-flood-fcn-name";
                    description
                      "dns-amp-flood-fcn";
                    leaf dns-amp-flood-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "dns-amp-flood-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }  
                container ssl-ddos-attack {
                  description
                    "ssl-ddos-attack";
                  leaf ssl-ddos-attack-support {
                    type boolean;
                    mandatory true;
                    description
                      "ssl-ddos-attack-support";
                  }
                  list ssl-ddos-fcn {
                    key "ssl-ddos-fcn-name";
                    description
                      "ssl-ddos-fcn";
                    leaf ssl-ddos-fcn-name {
                      type string;
                      mandatory true;
                      description
                        "ssl-ddos-fcn-name";
                    }
                    uses capabilities-information;
                  }
                }
              }
            }
          }
        }
  
        case single-packet-attack {
          description
            "single-packet-attack";
          choice single-packet-attack-type {
            description
              "single-packet-attack-type";
            case scan-and-sniff-attack {
              description
                "scan-and-sniff-attack";
              container ip-sweep-attack {
                description
                  "ip-sweep-attack";
                leaf ip-sweep-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "ip-sweep-attack-support";
                }
                list ip-sweep-fcn {
                  key "ip-sweep-fcn-name";
                  description
                    "ip-sweep-fcn";
                  leaf ip-sweep-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "ip-sweep-fcn-name";
                  }
                  uses capabilities-information;
                }
              }
              container port-scanning-attack {
                description
                  "port-scanning-attack";
                leaf port-scanning-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "port-scanning-attack-support";
                }
                list port-scanning-fcn {
                  key "port-scanning-fcn-name";
                  description
                    "port-scanning-fcn";
                  leaf port-scanning-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "port-scanning-fcn-name";
                  }
                  uses capabilities-information;
                }
              }  
            }
            case malformed-packet-attack {
              description
                "malformed-packet-attack";
              container ping-of-death-attack {
                description
                  "ping-of-death-attack";
                leaf ping-of-death-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "ping-of-death-attack-support";
                }
                list ping-of-death-fcn {
                  key "ping-of-death-fcn-name";
                  description
                    "ping-of-death-fcn";
                  leaf ping-of-death-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "ping-of-death-fcn-name";
                  }
                  uses capabilities-information;
                }
              }  
              container teardrop-attack {
                description
                  "teardrop-attack";
                leaf teardrop-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "teardrop-attack-support";
                }
                list tear-drop-fcn {
                  key "tear-drop-fcn-name";
                  description
                    "tear-drop-fcn";
                  leaf tear-drop-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "tear-drop-fcn-name";
                  }
                  uses capabilities-information;
                }
              }
            }
            case special-packet-attack {
              description
                "special-packet-attack";
              container oversized-icmp-attack {
                description
                  "oversized-icmp-attack";
                leaf oversized-icmp-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "oversized-icmp-attack-support";  
                }
                list oversized-icmp-fcn {
                  key "oversized-icmp-fcn-name";
                  description
                    "oversized-icmp-fcn";
                  leaf oversized-icmp-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "oversized-icmp-fcn-name";
                  }
                  uses capabilities-information;
                }
              }
              container tracert-attack {
                description
                  "tracert-attack";
                leaf tracert-attack-support {
                  type boolean;
                  mandatory true;
                  description
                    "tracert-attack-support";
                }
                list tracert-fcn {
                  key "tracert-fcn-name";
                  description
                    "tracert-fcn";
                  leaf tracert-fcn-name {
                    type string;
                    mandatory true;
                    description
                      "tracert-fcn-name";
                  }
                  uses capabilities-information;
                }
              }
            }
          }
        }
      }
    }
  }


  list nsf-capabilities {
    key "nsf-capabilities-id";
    description
      "nsf-capabilities";
    leaf nsf-capabilities-id {
      type uint8;
      mandatory true;
      description
        "nsf-capabilities-id";
    }

    container net-sec-control-capabilities {
      uses i2nsf-net-sec-control-caps;
      description
        "net-sec-control-capabilities";
    }
    container con-sec-control-capabilities {
      uses i2nsf-con-sec-control-caps;
      description
        "con-sec-control-capabilities";
    }
    container attack-mitigation-capabilities {
      uses i2nsf-attack-mitigation-control-caps;
      description
        "attack-mitigation-capabilities";
    }
  }
}

<CODE ENDS>

Figure 8: Data Model of I2NSF Capability Interface
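The following is an added illustration, not part of this draft and not code from any I2NSF implementation, of how instance data for the attack-mitigation-control container in Figure 8 is shaped and of three structural rules a YANG validator enforces on it: the "*-support" leaves are mandatory booleans, each "*-fcn" list key must be present and unique, and because "choice" and "case" are not data nodes, data from only one case of each choice may be present at once (so a single entry cannot advertise both ddos-attack and single-packet-attack capabilities). The mirror schema is hand-written from the node names in Figure 8; node names appear without a module-name prefix, the leaves contributed by the capabilities-information grouping are not checked, and the two sample advertisements are constructed for the example.

```python
"""Added example, not from the draft: a constructed instance of the
attack-mitigation capabilities above, checked against a hand-written mirror of
the module. Checks: '*-support' leaves are mandatory booleans, '*-fcn' list keys
are present and unique, and only one case of a YANG 'choice' may carry data at
a time (choice and case are schema-only nodes, RFC 6020 section 7.9)."""

def choice(cases):
    return {"kind": "choice", "cases": cases}

def container(children):
    return {"kind": "container", "children": children}

def attack(name, fcn=None, key=None):
    """One attack container: boolean <name>-support plus list <fcn> keyed by <key>."""
    fcn = fcn or name.replace("-attack", "-fcn")
    return {"kind": "attack", "support": name + "-support", "fcn": fcn,
            "key": key or fcn + "-name"}

def attacks(names, irregular=()):
    """Sibling attack containers; 'irregular' holds (name, fcn, key) exceptions."""
    nodes = {n: attack(n) for n in names}
    nodes.update({n: attack(n, fcn, key) for n, fcn, key in irregular})
    return nodes

# Case bodies are plain dicts of child nodes; a choice sits in the same dict
# under a "choice:<name>" key so the walker can tell it apart from data nodes.
SCHEMA = container({"attack-mitigation-control": container({
    "choice:attack-mitigation-control-type": choice({
        "ddos-attack": {"choice:ddos-attack-type": choice({
            "network-layer-ddos-attack": {"network-layer-ddos-attack-types": container(
                attacks(["syn-flood-attack", "udp-flood-attack", "icmp-flood-attack",
                         "ipv6-related-attack"],
                        [("ip-fragment-flood-attack", "frag-flood-fcn",
                          "ip-frag-flood-fcn-name")]))},
            "app-layer-ddos-attack": {"app-layer-ddos-attack-types": container(
                attacks(["http-flood-attack", "https-flood-attack", "dns-flood-attack",
                         "dns-amp-flood-attack", "ssl-ddos-attack"]))}})},
        "single-packet-attack": {"choice:single-packet-attack-type": choice({
            "scan-and-sniff-attack": attacks(["ip-sweep-attack", "port-scanning-attack"]),
            "malformed-packet-attack": attacks(
                ["ping-of-death-attack"], [("teardrop-attack", "tear-drop-fcn", None)]),
            "special-packet-attack": attacks(["oversized-icmp-attack", "tracert-attack"]),
        })}})})})

def _expand(children):
    """Split one level into (data nodes, choices); case contents surface here."""
    nodes, choices = {}, []
    for name, node in children.items():
        if node["kind"] == "choice":
            choices.append((name, node))
            for body in node["cases"].values():
                inner_nodes, inner_choices = _expand(body)
                nodes.update(inner_nodes)
                choices.extend(inner_choices)
        else:
            nodes[name] = node
    return nodes, choices

def check(node, data, path="", errors=None):
    """Walk instance data against the mirror schema; return the violation list."""
    errors = [] if errors is None else errors
    if node["kind"] == "container":
        nodes, choices = _expand(node["children"])
        for name, ch in choices:
            present = [c for c, body in ch["cases"].items()
                       if _expand(body)[0].keys() & data.keys()]
            if len(present) > 1:
                errors.append(f"{path}/{name}: data from several cases {present}")
        for name, value in data.items():
            if name in nodes:
                check(nodes[name], value, f"{path}/{name}", errors)
            else:
                errors.append(f"{path}: unknown node '{name}'")
        return errors
    support, fcn, key = node["support"], node["fcn"], node["key"]
    if not isinstance(data.get(support), bool):
        errors.append(f"{path}: mandatory boolean leaf '{support}' missing or invalid")
    seen = set()
    for i, entry in enumerate(data.get(fcn, [])):
        value = entry.get(key)
        if not isinstance(value, str) or not value:
            errors.append(f"{path}/{fcn}[{i}]: mandatory key '{key}' missing")
        elif value in seen:
            errors.append(f"{path}/{fcn}: duplicate key '{value}'")
        seen.add(value)
    return errors

# Constructed sample advertisements (the attack-mitigation-control container of
# one nsf-capabilities entry); BAD has three violations: a non-boolean support
# leaf, a duplicate list key, and data from both cases of the top-level choice.
GOOD = {"attack-mitigation-control": {"network-layer-ddos-attack-types": {
    "syn-flood-attack": {"syn-flood-attack-support": True, "syn-flood-fcn": [
        {"syn-flood-fcn-name": "syn-cookie"}, {"syn-flood-fcn-name": "rate-limit"}]}}}}
BAD = {"attack-mitigation-control": {
    "network-layer-ddos-attack-types": {"syn-flood-attack": {
        "syn-flood-attack-support": "yes", "syn-flood-fcn": [
            {"syn-flood-fcn-name": "rate-limit"}, {"syn-flood-fcn-name": "rate-limit"}]}},
    "port-scanning-attack": {"port-scanning-attack-support": True}}}
```

check(SCHEMA, GOOD) returns an empty list; check(SCHEMA, BAD) returns three messages, the first of which reports that nodes from both ddos-attack and single-packet-attack are present under attack-mitigation-control-type. The choice rule is the one most easily missed when reading the module: a controller that stores NSF advertisements as plain JSON without a YANG validator would happily accept an entry that the data model forbids.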

6. IANA Considerations

No IANA considerations exist for this document at this time. A URL will be added.

7. Security Considerations

This document introduces no additional security threats and SHOULD follow the security requirements as stated in [i2nsf-framework].

8. Acknowledgments

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).

This document has greatly benefited from inputs by Daeyoung Hyun, Dongjin Hong, Hyoungshick Kim, Jung-Soo Park, Tae-Jin Ahn, and Se-Hui Lee.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

9.2. Informative References

[i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J. and R. Kumar, "Framework for Interface to Network Security Functions", Internet-Draft draft-ietf-i2nsf-framework-05, May 2017.
[i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C. and D. Lopez, "Information Model of NSFs Capabilities", Internet-Draft draft-xibassnez-i2nsf-capability-01, March 2017.
[i2nsf-problem-statement] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R. and J. Jeong, "I2NSF Problem Statement and Use cases", Internet-Draft draft-ietf-i2nsf-problem-and-use-cases-16, May 2017.
[i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L. and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", Internet-Draft draft-ietf-i2nsf-terminology-03, March 2017.
[i2rs-rib-data-model] Wang, L., Ananthakrishnan, H., Chen, M., Dass, A., Kini, S. and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", Internet-Draft draft-ietf-i2rs-rib-data-model-07, January 2017.
[supa-policy-info-model] Strassner, J., Halpern, J. and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", Internet-Draft draft-ietf-supa-generic-policy-info-model-03, May 2017.

Appendix A. Changes from draft-hares-i2nsf-capability-data-model-01

The following changes are made from draft-hares-i2nsf-capability-data-model-01:

Authors' Addresses

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA

Phone: +1-734-604-0332
EMail: shares@ndzh.com


Jaehoon Paul Jeong
Department of Software
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php


Jinyong Tim Kim
Department of Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 10 8273 0930
EMail: timkim@skku.edu


Robert Moskowitz
HTT Consulting
Oak Park, MI
USA

Phone: +1-248-968-9809
EMail: rgm@htt-consult.com


Liang Xia (Frank)
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu
China

EMail: Frank.xialiang@huawei.com