Internet DRAFT - draft-hares-i2nsf-capability-yang
draft-hares-i2nsf-capability-yang
I2NSF S. Hares
Internet-Draft Huawei
Intended status: Standards Track R. Moskowitz
Expires: April 8, 2017 HTT Consulting
Xia
Huawei
October 5, 2016
I2NSF Capability Yang Model
draft-hares-i2nsf-capability-yang-01.txt
Abstract
This document defines a yang model that enables a I2NSF controller to
control various network security functions in Network security
devices.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 8, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Hares, et al. Expires April 8, 2017 [Page 1]
�
Internet-Draft I2NSF Terminology October 2016
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. High-level Yang . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. capability per NSF . . . . . . . . . . . . . . . . . . . 3
2.2. Network Security Control . . . . . . . . . . . . . . . . 4
2.3. Security Content Capabilities . . . . . . . . . . . . . . 6
2.4. Attack Mitigation Capabilities . . . . . . . . . . . . . 8
2.5. IT Resources linked to Capabilities . . . . . . . . . . . 10
2.6. actions . . . . . . . . . . . . . . . . . . . . . . . . . 10
3. Use of filter-based RIBS . . . . . . . . . . . . . . . . . . 10
4. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 11
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
6. Security Considerations . . . . . . . . . . . . . . . . . . . 23
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1. Normative References . . . . . . . . . . . . . . . . . . 23
7.2. Informative References . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction
[I-D.ietf-i2nsf-problem-and-use-cases] proposes two different types
of interfaces:
o North-bound interface (NBI) provided by the network security
functions (NSFs)
o Interface between I2NSF user/client with network controller:
This document provides a yang models that define the capabilities for
security devices that can be utilized by I2NSF NBI between the I2RS
network controller and the NSF devices to express the NSF devices
capabilities. It can also be used by the IN2SF user application (or
I2NSF client) to network controller to provide a complete list of the
I2NSF capabilities the Network controller can control.
This document defines a yang data models based on the
[I-D.xia-i2nsf-capability-interface-im], and initial work done in
[I-D.xia-i2nsf-service-interface-dm]. Terms used in document are
defined in [I-D.ietf-i2nsf-terminology].
This model is an attempt to merge draft-jeong-i2nsf-capability-
interface-yang-02.txt, but it has not bene reviewed by this draft's
authors. Hopefully, this is a good start for a merge. The Yang
Hares, et al. Expires April 8, 2017 [Page 2]
�
Internet-Draft I2NSF Terminology October 2016
module has not been changed to match the high-level-yang. This
seemed prudent until we agreed upon the merge.
[I-D.xia-i2nsf-capability-interface-im] defines the following type of
functionality in NSFs.
o network security control
o content security control, and
o attack mitigation control
This document contains high-level yang for each type of control. The
features in each section have been built up from the following
sources:
open-source: firewalls, IDS, IPS. This includes ECA policy for
basic-firewalls: in router, switches, firewalls,
firewall products commercial level
specialized devices IDS, IPS
2. High-level Yang
This section provides an overview of the high level yang.
2.1. capability per NSF
The high level yang capabilities per NSF device, controller, or
application is the following:
ietf-i2nsf-capability
+--rw nsf-capabilities
+--rw capability* [name]
+--rw nsf-name string
+--rw cfg-net-secctl-capabilities
| uses pkt-eca-policy:pkt-eca-policy-set
+--rw cfg-net-sec-content-capabilities
| uses i2nsf-content-caps
| uses i2nsf-content-sec-actions
+--rw cfg-attack-mitigate-capabilities*
| uses i2nsf-mitigate-caps
+--rw ITResource [ITresource-name]
| uses cfg-ITResources
Figure 1
Hares, et al. Expires April 8, 2017 [Page 3]
�
Internet-Draft I2NSF Terminology October 2016
Each of these section mirror sections in:
[I-D.xia-i2nsf-capability-interface-im]. The high level yang for
cfg-net-secctl-capabilities, cfg-net-sec-content-capabilities, and
cfg-attack-mitigate-capabilities. This draft is also utilizes the
concepts originated in Basile, Lioy,Pitscheider, and Zhao[2015]
concerning conflict resolution, use of external data, and
ITResources. The authors are grateful to Cataldo for pointing out
this excellent work.
2.2. Network Security Control
This section defines the network security control capabilites for
each NSF entity (device, controller, APP). The portion of the top
level model that this explains is the following:
+--rw cfg-net-secctl-capabilities
| uses pkt-eca-policy:pkt-eca-policy-set
Note that yang simply uses the ietf-pkt-eca-policy-cfg from
[I-D.ietf-i2rs-pkt-eca-data-model].
module ietf-pkt-eca-policy
+--rw pkt-eca-policy-cfg
| +--rw pkt-eca-policy-set
| +--rw policies* [policy-name]
| | +--rw policy-name string
| | +--rw vrf-name string
| | +--rw address-family
| | +--rw rule-list* [rule-name]
| | | +--rw rule-name
| | | +--rw rule-order-id uint16
| | | +--rw default-action-id integer
| | | +--rw default-resolution-strategy-id integer
| +--rw rules* [order-id rule-name]
| +--rw order-id uint16
| +--rw rule-name string
| +--rw policy-name string
| +--rw cfg-rule-conditions [rule-cnd-id]
| | +--rw rule-cnd-id uint32
| | +--rw support
| | | +--rw event-matches boolean
| | | +--rw pkt-matches boolean
| | | +--rw usr-context-matches boolean
| | +--rw eca-events-match* [rule-event-id]
| | | +--rw rule-event-it uint16
| | | | ... time-event match (see below)
| | +--rw eca-condition-match
Hares, et al. Expires April 8, 2017 [Page 4]
�
Internet-Draft I2NSF Terminology October 2016
| | | +--rw eca-pkt-matches* [pkt-match-id]
| | | | ...(see packet matches below)
| | | | ... (address, packet header, packet payload)
| | | +--rw eca-user-context-matches* [usr-match-id]
| | | | ... (see user context match below)
| +--rw cfg-rule-actions [cfgr-action-id]
| | +--rw cfgr-action-id
| | +--rw eca-actions* [action-id]
| | | +--rw action-id uint32
| | | +--rw eca-ingress-actions*
| | | | ... (permit, deny, mirror)
| | | +--rw eca-fwd-actions*
| | | | ... (invoke, tunnel encap, fwd)
| | | +--rw eca-egress-acttions*
| | | | .. .
| | | +--rw eca-qos-actions*
| | | | ...
| | | +--rw eca-security-actions*
| +--rw policy-conflict-resolution* [strategy-id]
| | +--rw strategy-id integer
| | +--rw filter-strategy identityref
| | | .. FMR, ADTP, Longest-match
| | +--rw global-strategy identityref
| | +--rw mandatory-strategy identityref
| | +--rw local-strategy identityref
| | +--rw resolution-fcn uint32
| | +--rw resolution-value uint32
| | +--rw resolution-info string
| | +--rw associated-ext-data*
| | | +--rw ext-data-id integer
| +--rw cfg-external-data* [cfg-ext-data-id]
| | +--rw cfg-ext-data-id integer
| | +--rw data-type integer
| | +--rw priority uint64
| | | uses external-data-forms
| | ... (other external data)
+--rw pkt-eca-policy-opstate
+--rw pkt-eca-opstate
+--rw policies-opstat* [policy-name]
| +--rw rules-installed;
| +--rw rules_opstat* [rule-name]
| +--rw strategy-used [strategy-id]
+--rw rules_opstate* [rule-order rule-name]
| +--rw status
| +--rw rule-inactive-reason
| +--rw rule-install-reason
| +--rw rule-installer
| +--rw refcnt
Hares, et al. Expires April 8, 2017 [Page 5]
�
Internet-Draft I2NSF Terminology October 2016
+--rw rules_pktstats* [rule-order rule-name]
| +--rw pkts-matched
| +--rw pkts-modified
| +--rw pkts-forward
+--rw op-external-data [op-ext-data-id]
| +--rw op-ext-data-id integer
| +--rw type identityref
| +--rw installed-priority integer
| | (other details on external data )
figure 2
2.3. Security Content Capabilities
This section expands the
+--rw cfg-net-sec-content-capabilities
| uses i2nsf-content-caps
| uses i2nsf-content-sec-actions
Content Security Control
+--rw cfg-netsec-content-caps*
| +--rw cfg-groups* [group-name]
| | +--rw group-name string
| | +--rw group-rule-list* [rule-name]
| | | +--rw rule-name string
| | | +--rw rule-order-id integer
| | | +--rw default-action-id integer
| | | +--rw default-resolution-strategy-id integer|
| +--rw cfg-netsec-content-rules* [rule-order-id rule-name]
| | +--rw cfg-netsec-content-rule
| | | +--rw rule-order-id integer
| | | +--rw rule-name string
| | | +--rw cfg-filter-rules
| | | | +--rw cfg-anti-virus-rule
| | | | | +--rw antivirus-support? Boolean
| | | | | +--rw source string
| | | +--rw cfg-IPS-rule
| | | | +--rw ips-support? boolean
| | | | +--rw source string
| | | +--rw cfg-IDS-rule
| | | | +--rw ids-support? boolean
| | | | +--rw source string
| | | +--rw cfg-url-filter-rule
| | | | +--rw url-filtering-support? boolean
Hares, et al. Expires April 8, 2017 [Page 6]
�
Internet-Draft I2NSF Terminology October 2016
| | | | +--rw source string
| | | +--rw cfg-file-block-rule
| | | | +--rw file-blocking-support? boolean
| | | | +--rw source string
| | | +--rw cfg-data-filter-rule
| | | | +--rw data-filtering-support? boolean
| | | | +--rw source string
| | | | | ... description
| | | +--rw cfg-APP-behave-rule
| | | | +--rw app-control-support? boolean
| | | | +--rw source string
| | | +--rw cfg-mail-filter-rule
| | | | +--rw mail-filter-support? boolean
| | | | +--rw source string
| | | +--rw cfg-pkt-capture-rule
| | | | +--rw pkt-capture-support? boolean
| | | | +--rw source string
| | | +--rw cfg-file-isolate-rule
| | | | +--rw file-isolation-support? boolean
| | | | +--rw source string
| | | +--rw voip-volte-rule
| | | | +--rw voip-volte-support? boolean
+--rw cfg-sec-content-actions
| +--voip-volte-rules* [voip-volte-rule-id]
| | +--rw voip-volte-rule-id uint16
| | +--rw voip-volte-event
| | | +--rw called-voip boolean
| | | +--rw called-volte boolean
| | +--rw condition-match
| | | +--rw sip-header* [sip-header-uri]
| | | +--rw sip-header-uri string
| | | +--rw sip-header-method string
| | | +--rw expire-time yang:date-and-time
| | | +--rw sip-header-user-agent uint32
| | | +--rw cell-region* [cell-id-region]
| | | | +-rw cell-id-region uint32
| | +--rw action
| | | +--rw action-type identityref
| | | +--rw (action-type)?
| | | | +--: (ingress-action)
| | | | | +--rw ingress-permit boolean
| | | | | | +--rw ingress-deny boolean
| | | | | | +--rw ingress-mirror boolean
| | | | +--: (egress-action)
| | | | | | +--rw egress-redirection boolean
figure 3
Hares, et al. Expires April 8, 2017 [Page 7]
�
Internet-Draft I2NSF Terminology October 2016
2.4. Attack Mitigation Capabilities
The high level yang below expands the following section of the top-
level model:
+--rw cfg-attack-mitigate-capabilities
| uses cfg-attack-mitigate-caps
Attack mitigation
+--rw cfg-attack-mitigate-caps
| +--rw cfg-groups* [group-name]
| | +--rw group-name string
| | +--rw group-rule-list* [rule-name]
| | | +--rw rule-name string
| | | +--rw rule-order-id integer
| | | +--rw default-action-id integer
| | | +--rw default-resolution-strategy-id integer|
| +--rw cfg-netsec-content-rules* [rule-order-id rule-name]
| | +--rw rule-order-id integer
| | +--rw attack-mitigation-type identityref
| | +--:(network-attack-type)?
| | | +--:sync-flood
| | | +--rw syn-flood-support boolean
| | | +--rw sync-flood* [sync-flood-fcn]
| | | +--rw sync-flood-fcn uint16
| | | +--:(udp-flood)
| | | | +--rw udp-flood-supported boolean
| | | | +--rw udp-flood-fcn string //std or vendor name
| | | +--:(icmp-flood)
| | | | +--rw icmp-flood-supported boolean
| | | | +--rw cfg-icmp-flood* [icmp-flood-fcn]
| | | | +--rw icmp-flood-fcn string
| | | +--:(ip_frag_flood)
| | | | +--rw ipfrag-flood-fcn-supported boolean
| | | +--rw cfg-ip-frag-flood* [ipfrag-flood-fcn]
| | | | +--rw ipfrag-flood-fcn string //std/vendor name
| | | +--:(http_flood)
| | | | +--rw http-flood-fcn-supported boolean
| | | | +--rw cfg-http-flood* [http-flood-fcn]
| | | | +--rw http-flood-fcn string
| | | +--:(dns-flood)
| | | | +--rw dns-flood-fcn-supported boolean
| | | | +--rw cfg-dns-flood* [dns-flood-fcn]
| | | | +--rw dns-flood-fcn string //std or vendor name
| | | +--:(dns-amplify)
| | | | +--rw dns-amp-fcn-supported boolean
Hares, et al. Expires April 8, 2017 [Page 8]
�
Internet-Draft I2NSF Terminology October 2016
| | | | +--rw cfg-dns-amplify* [dns-amp-fcn]
| | | | +--rw dns-amp-fcn string //std or vendor name
| | | +--:(SSL-DDoS)
| | | | +--rw ssl-ddos-fcn-support boolean
| | | | +--rw cfg-ssl-ddos* [ssl-dos-fcn]
| | | | +--rw ssl-dos-fcn string
| | | +--: (ip-sweep):
| | | | +--rw ipsweep-fcn-supported boolean
| | | | +--rw cfg-IP-Sweep* [ipsweep-fcn]
| | | | +--rw ipsweep-fcn string //std or vendor name
| | | +--: (port-scanning)
| | | | +--rw port-scan-fcn-supported boolean
| | | | +--rw cfg-Port-scanning [port-scan-fcn]
| | | | +--rw port-scan-fcn string //std or vendor name
| | | +--: (ping-of-death)
| | | | +--rw pingd-fcn-supported boolean
| | | | +--rw cfg-ping-of-death* [pingd-function]
| | | | +--rw pingd-fcn string //std or vendor name
| | | +--:(icmp-oversize)
| | | | +--rw o-icmp-fcn-supported boolean
| | | +--rw cfg-oversize-ICMP* [o-icmp-fcn]
| | | | +--rw o-icmp-fcn string //std or vendor name
| | +--:(single-packet-attack)?
| | | +--rw single-packet-type? identityref
| | | +--:(scan-and-sniff-attack)
| | | | +--scan-n-sniff-type identityref
| | | | +--(scan-n-sniff-type)?
| | | | |--:(ip-sweep-attack)
| | | | | +--rw 1p-ip-sweep-attack-support boolean
| | | | | +--rw 1p-ip-sweep-attack-fcn string
| | | | +--:(port-scanning-attack)
| | | | | +--rw 1pk-port-scanning-support boolean
| | | | | +--rw 1pk_port-sanning-fcn string
| | | +--:(malformed-packet-attack)
| | | | +--1pk-malformed-packet-attack-type identityref
| | | | +--:(ping-of-death-attack)
| | | | | +--rw 1pk-ping-of-death-support boolean
| | | | | +--rw 1pk-ping-of-death-fcn string
| | | | +--:(teardrop-attack)
| | | | | +--rw 1pk-teardrop-attack-support boolean
| | | | | +--rw 1pk-teardrop-attack-fcn string
| | | +--:(special-packet-attack)
| | | | +--rw special-packet-attack-type identityref
| | | | +--(special-packet-attack-type)?
| | | | | +--:(oversized-icmp-attack)
| | | | | | +--rw oversized-icmp-attack-support boolean
| | | | | | +--rw oversized-icmp-attack-fcn string
| | | | | +--:(tracert-attack)
Hares, et al. Expires April 8, 2017 [Page 9]
�
Internet-Draft I2NSF Terminology October 2016
| | | | | | +--rw tracert-attack-support boolean
| | | | | | +--rw tracert-attack-fcn string
figure 4
2.5. IT Resources linked to Capabilities
Tis section provides a link between capabilities and IT resources.
This section has a lsit of IT Resources by name. Additional input is
needed.
+--rw cfg-ITResources
| +--ITResources* [ITresource-name]
| | +--rw ITresource-name string
| | ..
2.6. actions
The following notifications indicate when rules are added or deleted.
(to be completed after discussion with Paul Jeong, Jin-Yong Kim,
and Dae-Young Hyun, and Jung-Soo Park, and Taei-Jin Ahn.)
3. Use of filter-based RIBS
The packet-eca policy is kept for configuration, I2RS ephemeral
state, and BGP stored policy state in filter-based RIBS. These RIBS
have the high-level yang structures below and are described in
[I-D.ietf-i2rs-fb-rib-data-model]. These filter-ribs may be
leveraged in I2NSF storage devices for the policy storage.
Hares, et al. Expires April 8, 2017 [Page 10]
�
Internet-Draft I2NSF Terminology October 2016
+--rw fb-ribs
+--rw fb-rib* [rib-name]
| +--rw rib-name string
| | rw fb-type identityref /config, i2rs, bgp
| +--rw rib-afi rt:address-family
| +--rw fb-rib-intf* [name]
| | +--rw name string
| | +--rw intf if:interface
| +--rw default-ribs
| | +--rw rt-rib string // routing kernel rib
| | +--rw config-rib string; // static rt-rib
| | +--rw i2rs-rib string; // ephemeral rt-rib
| | +--rw bgp-instance-name string // bgp instance
| | +--rw bgp-rib string // bgp rib
| +--rw fb-rib-refs
| | +--rw fb-rib-update-ref uint32 //count of writes
| +--rw mounts-using*
| | +--rw mount-name string //
| +--use pkt-eca:pkt-eca-policy-set
figure 5
4. YANG Modules
<CODE BEGINS> file "ietf-i2nsf-capability@2016-10-01.yang"
module ietf-i2nsf-capability {
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
// replace with iana namespace when assigned
prefix "i2nsf-capability";
import ietf-pkt-eca-policy {
prefix pkt-eca-policy;
}
// meta
organization "IETF I2NSF WG";
contact
"email: Susan Hares: shares@ndzh.com
email: Robert Moskowitz rgm@htt-consult.com;
email: Frank Xia
email: Aldo Basile cataldo.basile@polito.it";
description
"This module describes a capability model
for I2NSF devices .";
revision "2016-10-01" {
Hares, et al. Expires April 8, 2017 [Page 11]
�
Internet-Draft I2NSF Terminology October 2016
description "second revision";
reference "draft-hares-i2nsf-capability-yang-01.txt";
}
grouping ITResources {
list ITResource {
key ITResource-id;
leaf ITResource-id {
type uint64;
description "ID for ITResource";
}
leaf ITResource-name {
type string;
description "ITResource name.";
}
description "list of IT Resources.";
}
description "IT Resource grouping.";
}
grouping cfg-sec-content-caps {
list cfg-fcn-groups { // functions in 2 lists:
key "group-name"; // group and functions
leaf group-name {
type string;
description " name of function
group";
}
list group-fnc-list {
key "fcn-name";
leaf fcn-name {
type string;
description "security content
function name";
}
leaf fcn-order-id {
type uint64;
description "function order
in list of functions.";
}
leaf default-action-id {
type uint64;
description "default
extended action id";
}
leaf default-cr-resolve-id {
type uint32;
Hares, et al. Expires April 8, 2017 [Page 12]
�
Internet-Draft I2NSF Terminology October 2016
description "default
policy conflict resolution
policy identifier.";
}
description "list of
functions per group.
e.g. group A has
5 functions.";
}
description "list of
groups with associated
security content functions.";
}
list cfg-sec-content-fcns {
key "fcn-order-id function-name";
leaf fcn-order-id {
type uint64;
description "order id for rule";
}
leaf function-name {
type string;
description "rule name";
}
list anti-virus {
key "anti-virus-name";
leaf anti-virus-name {
type string;
description "name of
anti-virtus functionalty";
}
leaf anti-virus-supported {
type boolean;
description "anti-virus
feature supported";
}
description "anti-virus functions";
}
list IPS {
key "IPS-name";
leaf IPS-name {
type string;
description "name of
anti-virtus functionalty";
}
leaf IPS-supported {
type boolean;
Hares, et al. Expires April 8, 2017 [Page 13]
�
Internet-Draft I2NSF Terminology October 2016
description "IPS
capability
supported";
}
description "IPS capability";
}
list IDS {
key "IDS-name";
leaf IDS-name {
type string;
description "name of IDS";
}
leaf IDS-supported {
type boolean;
description "anti-virus
feature supported";
}
description "IDS
capabilities";
}
list url-filter {
key "url-filter-name";
leaf url-filter-name {
type string;
description "name of IDS";
}
leaf url-filter-supported {
type boolean;
description "url filter
feature supported";
}
description "URL filter
capabilities";
}
list file-block {
key "fblock-name";
leaf fblock-name {
type string;
description "name of
file block function";
}
leaf fblock-supported {
type boolean;
description "anti-virus
Hares, et al. Expires April 8, 2017 [Page 14]
�
Internet-Draft I2NSF Terminology October 2016
feature supported";
}
description "file block
capabilities";
}
list data-filter {
key "dfilter-name";
leaf dfilter-name {
type string;
description "name of
data filer";
}
leaf dfilter-supported {
type boolean;
description "anti-virus
feature supported";
}
description "data filter
capabilities";
}
list app-behave {
key "app-behave-name";
leaf app-behave-name {
type string;
description "name of
application behavior
control function.";
}
leaf app-behave-supported {
type boolean;
description "application
behavior control
security capability
supported.";
}
description "Application
behavior control security
capabilities";
}
list mail-filter {
key "mfilter-name";
leaf mfilter-name {
type string;
description "name of
data filer";
Hares, et al. Expires April 8, 2017 [Page 15]
�
Internet-Draft I2NSF Terminology October 2016
}
leaf mfilter-supported {
type boolean;
description "mail filter
supported";
}
description "mail filter";
}
list pkt-capture {
key "pkt-capture-name";
leaf pkt-capture-name {
type string;
description "name of
data filer";
}
leaf pkt-capture-supported {
type boolean;
description "pkt capture
facility supported";
}
description "packet capture
facility supported ";
}
list file-isolate {
key "f-isolate-name";
leaf f-isolate-name {
type string;
description "name of
file isolate capability";
}
leaf f-isolate-supported {
type boolean;
description "file isolate
capability supported ";
}
description "file isolate
capability ";
}
description "list of
security content capabilities.";
}
description "configured
security content capabilities";
}
Hares, et al. Expires April 8, 2017 [Page 16]
�
Internet-Draft I2NSF Terminology October 2016
grouping cfg-content-sec-actions {
list content-sec-actions {
key "action-name";
leaf action-name {
type string;
description "name of extra
content security action
beyond function policy";
}
description "list
of content security actions";
}
description "configure
content security actions
configured beyond capability
function existance";
}
grouping cfg-attack-mitigate-caps {
// group and then rules
list cfg-mitigate-fncs-groups {
key "group-name";
leaf group-name {
type string;
description " name of function
group";
}
list group-mitigate-fncs-list {
key "fcn-name";
leaf fcn-name {
type string;
description "security content
function name";
}
leaf fcn-order-id {
type uint64;
description "function order
in list of functions.";
}
leaf default-action-id {
type uint64;
description "default
extended action id";
}
leaf default-cr-resolve-id {
type uint32;
description "default
policy conflict resolution
Hares, et al. Expires April 8, 2017 [Page 17]
�
Internet-Draft I2NSF Terminology October 2016
policy identifier.";
}
description "list of
functions per group.
e.g. group A has
5 functions.";
}
description "list of
groups with associated
attack mitigate functions.";
}
list cfg-attack-mitigate-rule {
key "rule-order-id rule-name";
leaf rule-order-id {
type uint64;
description "order id for
configured mitigate
function";
}
leaf rule-name {
type string;
description "mitigate
rule name";
}
list cfg-sync-flood {
key sync-flood-fcn;
leaf sync-flood-fcn {
type string;
description "name of
sync flood functionalty";
}
leaf sync-flood-fcn-supported {
type boolean;
description "sync-flood
mitigation fcn supported";
}
description "list of
sync flood mitigation
functions ";
}
list cfg-udp-flood {
key "udp-flood-fcn";
leaf udp-flood-fcn {
type string;
description "name of
Hares, et al. Expires April 8, 2017 [Page 18]
�
Internet-Draft I2NSF Terminology October 2016
udp flood mitigation function ";
}
leaf udp-flood-fcn-supported {
type boolean;
description "udp flood
prevent function
capability supported";
}
description "list of
udp-flood mitigation
functions node
(configured capability).";
}
list cfg-icmp-flood {
key "icmp-flood-fcn";
leaf icmp-flood-fcn {
type string;
description "name of
icmp flood prevention
function";
}
leaf icmp-flood-fcn-supported {
type boolean;
description "icmp
flood mitigation
feature supported";
}
description "list for
icmp flood prevention
functions part of
attack mitigation
capabilities.";
}
list cfg-http-flood {
key "http-flood-fcn";
leaf http-flood-fcn {
type string;
description "name of
http flood
mitigation function";
}
leaf http-flood-fcn-supported {
type boolean;
description "support
for http flood function
Hares, et al. Expires April 8, 2017 [Page 19]
�
Internet-Draft I2NSF Terminology October 2016
capability is active.";
}
description "list of
http flood
mitigation functions
configured ";
}
list cfg-dns-flood {
key "dns-flood-fcn";
leaf dns-flood-fcn {
type string;
description "name of
dns flood mitigation
function";
}
leaf dns-flood-fcn-supported {
type boolean;
description "dns flood
mitigation support is
active.";
}
description "list of
dns flood
mitigation functions
configured.";
}
list cfg-dns-amplify {
key "dns-amplify-fcn";
leaf dns-amplify-fcn {
type string;
description "name of
dns amplify mitigation
function.";
}
leaf dfilter-supported {
type boolean;
description "dns
amplification mitigation
function is active.";
}
description "list of
dns amplification
mitigation functions
configured.";
}
Hares, et al. Expires April 8, 2017 [Page 20]
�
Internet-Draft I2NSF Terminology October 2016
list SSL-DoS {
key "ssl-dos-fcn";
leaf ssl-dos-fcn {
type string;
description "name of
SSL DoS mitigation
function";
}
leaf ssl-dos-supported {
type boolean;
description "SSL DoS
mitigation function is
active.";
}
description "List of
SSL DoS functions configured.";
}
list cfg-IP-Sweep {
key "ipsweep-fcn";
leaf ipsweep-fcn {
type string;
description "name of
ip sweep mitigation
function.";
}
leaf ipsweep-fcn-supported {
type boolean;
description "IP Sweep
mitigation function
active.";
}
description "list of
IP Sweep mitigation
functions in NSF device.";
}
list cfg-Port-scanning {
key "port-scan-fcn";
leaf port-scan-fcn {
type string;
description "name of
port-scan mitigation
function.";
}
leaf port-scan-fcn-supported {
type boolean;
description "port scanning
Hares, et al. Expires April 8, 2017 [Page 21]
�
Internet-Draft I2NSF Terminology October 2016
mitigation fcn supported.";
}
description "List of
port scanning mitigation
functions. ";
}
list cfg-ping-of-death {
key "pingd-fcn";
leaf pingd-fcn {
type string;
description "name of
ping of death
mitigation function";
}
leaf pingd-fcn-supported{
type boolean;
description "active support
for this ping of death
mitigation function";
}
description "List of ping of
death mitigation
functions.";
}
description "attack
mitigation rule .";
} // rules
description "configured
attack mitigation functions.";
} // cfg-attack-mitigate-policy-set
container i2nsf-capabilities {
list capabilty {
key "nsf-name";
leaf nsf-name {
type string;
description "name of
nsf or nsf group
capabilities drawn from.";
}
container cfg-net-secctl-capabilities {
uses pkt-eca-policy:pkt-eca-policy-set;
description "network security
control capabilities configured.";
}
container cfg-sec-content-capabilities {
Hares, et al. Expires April 8, 2017 [Page 22]
�
Internet-Draft I2NSF Terminology October 2016
uses cfg-sec-content-caps;
uses cfg-content-sec-actions;
description "security content
capabilities configured.";
}
container cfg-attack-mitigate-capabilites {
uses cfg-attack-mitigate-caps;
description "attack mitigation capabilities";
}
container cfg-ITResources {
uses ITResources;
description "IT Resources
associated with NSF.";
}
description "List of NSF
capabilities per nsf, nsf group
or nsf application.";
} //end of list
description "I2NSF capabilities";
} // end of container
}
<CODE ENDS>
5. IANA Considerations
No IANA considerations exist for this document at this time. URL
will be added.
6. Security Considerations
Security of I2NSF is defined in (need reference here).
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
7.2. Informative References
[I-D.ietf-i2nsf-gap-analysis]
Hares, S., Moskowitz, R., and D. Zhang, "Analysis of
Existing work for I2NSF", draft-ietf-i2nsf-gap-analysis-00
(work in progress), February 2016.
Hares, et al. Expires April 8, 2017 [Page 23]
�
Internet-Draft I2NSF Terminology October 2016
[I-D.ietf-i2nsf-problem-and-use-cases]
Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
Jacquenet, "I2NSF Problem Statement and Use cases", draft-
ietf-i2nsf-problem-and-use-cases-00 (work in progress),
February 2016.
[I-D.ietf-i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., and L. Xia,
"Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-00 (work in
progress), May 2016.
[I-D.ietf-i2rs-fb-rib-data-model]
Hares, S., Kini, S., Dunbar, L., Krishnan, R., Bogdanovic,
D., and R. White, "Filter-Based RIB Data Model", draft-
ietf-i2rs-fb-rib-data-model-00 (work in progress), June
2016.
[I-D.ietf-i2rs-pkt-eca-data-model]
Hares, S., Wu, Q., and R. White, "Filter-Based Packet
Forwarding ECA Policy", draft-ietf-i2rs-pkt-eca-data-
model-00 (work in progress), June 2016.
[I-D.ietf-netmod-acl-model]
Bogdanovic, D., Koushik, K., Huang, L., and D. Blair,
"Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-06 (work in progress),
December 2015.
[I-D.ietf-opsawg-firewalls]
Baker, F. and P. Hoffman, "On Firewalls in Internet
Security", draft-ietf-opsawg-firewalls-01 (work in
progress), October 2012.
[I-D.xia-i2nsf-capability-interface-im]
Xia, L., Zhang, D., elopez@fortinet.com, e., Bouthors, N.,
and L. Fang, "Information Model of Interface to Network
Security Functions Capability Interface", draft-xia-i2nsf-
capability-interface-im-05 (work in progress), March 2016.
[I-D.xia-i2nsf-service-interface-dm]
Xia, L., Strassner, J., and D. Bogdanovic, "Data Model of
Interface to Network Security Functions Service
Interface", draft-xia-i2nsf-service-interface-dm-00 (work
in progress), February 2015.
Hares, et al. Expires April 8, 2017 [Page 24]
�
Internet-Draft I2NSF Terminology October 2016
[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to
Accounting Management", RFC 2975, DOI 10.17487/RFC2975,
October 2000, <http://www.rfc-editor.org/info/rfc2975>.
[RFC3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling,
M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry,
J., and S. Waldbusser, "Terminology for Policy-Based
Management", RFC 3198, DOI 10.17487/RFC3198, November
2001, <http://www.rfc-editor.org/info/rfc3198>.
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
<http://www.rfc-editor.org/info/rfc3234>.
[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and
Accounting (AAA) Transport Profile", RFC 3539,
DOI 10.17487/RFC3539, June 2003,
<http://www.rfc-editor.org/info/rfc3539>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC7277] Bjorklund, M., "A YANG Data Model for IP Management",
RFC 7277, DOI 10.17487/RFC7277, June 2014,
<http://www.rfc-editor.org/info/rfc7277>.
Authors' Addresses
Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Phone: +1-734-604-0332
Email: shares@ndzh.com
Robert Moskowitz
HTT Consulting
Oak Park, MI
USA
Phone: +1-248-968-9809
Email: rgm@htt-consult.com
Hares, et al. Expires April 8, 2017 [Page 25]
�
Internet-Draft I2NSF Terminology October 2016
Liang Xia (Frank)
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu
China
Email: Frank.xialiang@huawei.com
Hares, et al. Expires April 8, 2017 [Page 26]
