draft-ietf-i2nsf-registration-interface-dm-12.txt   draft-ietf-i2nsf-registration-interface-dm-13.txt 
I2NSF Working Group S. Hyun, Ed. I2NSF Working Group S. Hyun, Ed.
Internet-Draft Myongji University Internet-Draft Myongji University
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: 19 March 2022 T. Roh Expires: 7 April 2022 T. Roh
S. Wi S. Wi
Sungkyunkwan University Sungkyunkwan University
J. Park J. Park
ETRI ETRI
15 September 2021 4 October 2021
I2NSF Registration Interface YANG Data Model I2NSF Registration Interface YANG Data Model
draft-ietf-i2nsf-registration-interface-dm-12 draft-ietf-i2nsf-registration-interface-dm-13
Abstract Abstract
This document defines an information model and a YANG data model for This document defines an information model and a YANG data model for
Registration Interface between Security Controller and Developer's Registration Interface between Security Controller and Developer's
Management System (DMS) in the Interface to Network Security Management System (DMS) in the Interface to Network Security
Functions (I2NSF) framework to register Network Security Functions Functions (I2NSF) framework to register Network Security Functions
(NSF) of the DMS with the Security Controller. The objective of (NSF) of the DMS with the Security Controller. The objective of
these information and data models is to support NSF capability these information and data models is to support NSF capability
registration and query via I2NSF Registration Interface. registration and query via I2NSF Registration Interface.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 March 2022. This Internet-Draft will expire on 7 April 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 35 skipping to change at page 2, line 35
5.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 9 5.1. YANG Tree Diagram . . . . . . . . . . . . . . . . . . . . 9
5.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9 5.1.1. Definition of Symbols in Tree Diagrams . . . . . . . 9
5.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9 5.1.2. I2NSF Registration Interface . . . . . . . . . . . . 9
5.1.3. NSF Capability Information . . . . . . . . . . . . . 11 5.1.3. NSF Capability Information . . . . . . . . . . . . . 11
5.1.4. NSF Access Information . . . . . . . . . . . . . . . 12 5.1.4. NSF Access Information . . . . . . . . . . . . . . . 12
5.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12 5.2. YANG Data Modules . . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. Normative References . . . . . . . . . . . . . . . . . . 19 8.1. Normative References . . . . . . . . . . . . . . . . . . 19
8.2. Informative References . . . . . . . . . . . . . . . . . 20 8.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. XML Examples of I2NSF Registration Interface Data Appendix A. XML Examples of I2NSF Registration Interface Data
Model . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Model . . . . . . . . . . . . . . . . . . . . . . . . . . 22
A.1. Example 1: Registration for the Capabilities of a General A.1. Example 1: Registration for the Capabilities of a General
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 22
A.2. Example 2: Registration for the Capabilities of a A.2. Example 2: Registration for the Capabilities of a
Time-based Firewall . . . . . . . . . . . . . . . . . . . 25 Time-based Firewall . . . . . . . . . . . . . . . . . . . 26
A.3. Example 3: Registration for the Capabilities of a Web A.3. Example 3: Registration for the Capabilities of a Web
Filter . . . . . . . . . . . . . . . . . . . . . . . . . 29 Filter . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.4. Example 4: Registration for the Capabilities of a VoIP/ A.4. Example 4: Registration for the Capabilities of a VoIP/
VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 33 VoLTE Filter . . . . . . . . . . . . . . . . . . . . . . 33
A.5. Example 5: Registration for the Capabilities of a DDoS A.5. Example 5: Registration for the Capabilities of a DDoS
Mitigator . . . . . . . . . . . . . . . . . . . . . . . . 36 Mitigator . . . . . . . . . . . . . . . . . . . . . . . . 36
A.6. Example 6: Query for the Capabilities of a Time-based A.6. Example 6: Query for the Capabilities of a Time-based
Firewall . . . . . . . . . . . . . . . . . . . . . . . . 40 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 41
Appendix B. NSF Lifecycle Management in NFV Environments . . . . 43 Appendix B. NSF Lifecycle Management in NFV Environments . . . . 43
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 43 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 44
Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 43 Appendix D. Contributors . . . . . . . . . . . . . . . . . . . . 44
Appendix E. Changes from Appendix E. Changes from
draft-ietf-i2nsf-registration-interface-dm-11 . . . . . . 44 draft-ietf-i2nsf-registration-interface-dm-11 . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
A number of Network Security Functions (NSF) may exist in the A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework [RFC8329]. Interface to Network Security Functions (I2NSF) framework [RFC8329].
Since each of these NSFs likely has different security capabilities Since each of these NSFs likely has different security capabilities
from each other, it is important to register the security from each other, it is important to register the security
skipping to change at page 4, line 17 skipping to change at page 4, line 17
repository, data definition language, query language, repository, data definition language, query language,
implementation language, and protocol. implementation language, and protocol.
* Information Model: An information model is a representation of * Information Model: An information model is a representation of
concepts of interest to an environment in a form that is concepts of interest to an environment in a form that is
independent of data repository, data definition language, query independent of data repository, data definition language, query
language, implementation language, and protocol. language, implementation language, and protocol.
* YANG: This document follows the guidelines of [RFC8407], uses the * YANG: This document follows the guidelines of [RFC8407], uses the
common YANG types defined in [RFC6991], and adopts the Network common YANG types defined in [RFC6991], and adopts the Network
Management Datastore Architecture (NMDA). The meaning of the Management Datastore Architecture (NMDA) [RFC8342]. The meaning
symbols in tree diagrams is defined in [RFC8340]. of the symbols in tree diagrams is defined in [RFC8340].
3. Objectives 3. Objectives
* Registering NSFs to I2NSF framework: Developer's Management System * Registering NSFs to I2NSF framework: Developer's Management System
(DMS) in I2NSF framework is typically run by an NSF vendor, and (DMS) in I2NSF framework is typically run by an NSF vendor, and
uses Registration Interface to provide NSFs developed by the NSF uses Registration Interface to provide NSFs developed by the NSF
vendor to Security Controller. DMS registers NSFs and their vendor to Security Controller. DMS registers NSFs and their
capabilities to I2NSF framework through Registration Interface. capabilities to I2NSF framework through Registration Interface.
For the registered NSFs, Security Controller maintains a catalog For the registered NSFs, Security Controller maintains a catalog
of the capabilities of those NSFs. of the capabilities of those NSFs.
skipping to change at page 10, line 20 skipping to change at page 10, line 20
Security Controller uses the registration interface to query DMS Security Controller uses the registration interface to query DMS
about NSF(s) having the required capabilities. The following about NSF(s) having the required capabilities. The following
sections describe the YANG data models to support these operations. sections describe the YANG data models to support these operations.
5.1.2.1. NSF Capability Registration 5.1.2.1. NSF Capability Registration
This section expands the i2nsf-nsf-registrations in Figure 5. This section expands the i2nsf-nsf-registrations in Figure 5.
NSF Capability Registration NSF Capability Registration
+--rw nsf-registrations +--rw nsf-registrations
+--rw nsf-information* [capability-name] +--rw nsf-information* [nsf-name]
+--rw capability-name string +--rw nsf-name string
+--rw nsf-capability-info +--rw nsf-capability-info
| uses nsf-capability-info | uses nsf-capability-info
+--rw security-capability +--rw security-capability
| uses ietf-i2nsf-capability | uses ietf-i2nsf-capability
+--rw performance-capability +--rw performance-capability
| uses performance-capability | uses performance-capability
+--rw nsf-access-info +--rw nsf-access-info
| uses nsf-access-info +--rw ip
+--rw capability-name +--rw port
+--rw ip
+--rw port
Figure 6: YANG Tree of NSF Capability Registration Module Figure 6: YANG Tree of NSF Capability Registration Module
When registering an NSF to Security Controller, DMS uses this module When registering an NSF to Security Controller, DMS uses this module
to describe what capabilities the NSF can offer. DMS includes the to describe what capabilities the NSF can offer. DMS includes the
network access information of the NSF which is required to make a network access information of the NSF which is required to make a
network connection with the NSF as well as the capability description network connection with the NSF as well as the capability description
of the NSF. of the NSF.
5.1.2.2. NSF Capability Query 5.1.2.2. NSF Capability Query
This section expands the nsf-capability-query in Figure 5. This section expands the nsf-capability-query in Figure 5.
I2NSF Capability Query I2NSF Capability Query
+---x nsf-capability-query +---x nsf-capability-query
+---w input +---w input
| +---w query-nsf-capability | +---w query-nsf-capability
| | uses ietf-i2nsf-capability | | uses ietf-i2nsf-capability
+--ro output +--ro output
+--ro nsf-access-info +--ro nsf-access-info
| uses nsf-access-info +--rw nsf-name
+--rw capability-name
+--rw ip +--rw ip
+--rw port +--rw port
Figure 7: YANG Tree of NSF Capability Query Module Figure 7: YANG Tree of NSF Capability Query Module
Security Controller MAY require some additional capabilities to Security Controller MAY require some additional capabilities to
provide the security service requested by an I2NSF user, but none of provide the security service requested by an I2NSF user, but none of
the registered NSFs has the required capabilities. In this case, the registered NSFs has the required capabilities. In this case,
Security Controller makes a description of the required capabilities Security Controller makes a description of the required capabilities
using this module and then queries DMS about which NSF(s) can provide using this module and then queries DMS about which NSF(s) can provide
skipping to change at page 12, line 29 skipping to change at page 12, line 29
This module is used to specify the performance capabilities of an NSF This module is used to specify the performance capabilities of an NSF
when registering or initiating the NSF. when registering or initiating the NSF.
5.1.4. NSF Access Information 5.1.4. NSF Access Information
This section expands the nsf-access-info in Figure 6. This section expands the nsf-access-info in Figure 6.
NSF Access Information NSF Access Information
+--rw nsf-access-info +--rw nsf-access-info
+--rw capability-name string
+--rw ip inet:ip-address-no-zone +--rw ip inet:ip-address-no-zone
+--rw port inet:port-number +--rw port inet:port-number
Figure 10: YANG Tree of I2NSF NSF Access Informantion Figure 10: YANG Tree of I2NSF NSF Access Informantion
This module contains the network access information of an NSF that is This module contains the network access information of an NSF that is
required to enable network communications with the NSF. The field of required to enable network communications with the NSF. The field of
ip can have either an IPv4 address or an IPv6 address. ip can have either an IPv4 address or an IPv6 address.
5.2. YANG Data Modules 5.2. YANG Data Modules
This section provides a YANG module of the data model for the This section provides a YANG module of the data model for the
registration interface between Security Controller and Developer's registration interface between Security Controller and Developer's
Management System, as defined in Section 4. Management System, as defined in Section 4.
This YANG module imports from [RFC6991], and makes a reference to This YANG module imports from [RFC6991], and makes a reference to
[I-D.ietf-i2nsf-capability-data-model]. [I-D.ietf-i2nsf-capability-data-model].
<CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-09-15.yang" <CODE BEGINS> file "ietf-i2nsf-reg-interface@2021-10-04.yang"
module ietf-i2nsf-reg-interface { module ietf-i2nsf-reg-interface {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface";
prefix nsfreg;
prefix nsfreg; //RFC Ed.: replace occurences of XXXX with actual RFC number and
//remove this note
// RFC Ed.: replace occurences of XXXX with actual RFC number and import ietf-inet-types {
// remove this note prefix inet;
reference "RFC 6991";
}
import ietf-i2nsf-capability {
prefix nsfcap;
// RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model";
}
import ietf-inet-types { organization
prefix inet; "IETF I2NSF (Interface to Network Security Functions)
reference "RFC 6991"; Working Group";
}
import ietf-i2nsf-capability {
prefix cap;
// RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model";
}
organization contact
"IETF I2NSF (Interface to Network Security Functions) "WG Web: <https://tools.ietf.org/wg/i2nsf>
Working Group"; WG List: <mailto:i2nsf@ietf.org>
contact Editor: Sangwon Hyun
"WG Web: <https://tools.ietf.org/wg/i2nsf> <mailto:shyun@mju.ac.kr>
WG List: <mailto:i2nsf@ietf.org>
Editor: Sangwon Hyun Editor: Jaehoon Paul Jeong
<mailto:shyun@mju.ac.kr> <mailto:pauljeong@skku.edu>";
Editor: Jaehoon Paul Jeong description
<mailto:pauljeong@skku.edu>"; "This module defines a YANG data model for I2NSF
Registration Interface.
description The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
"This module defines a YANG data model for I2NSF 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
Registration Interface. 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons Copyright (c) 2021 IETF Trust and the persons
identified as authors of the code. All rights reserved. identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2021-10-04" {
description "Initial revision";
reference
"RFC XXXX: I2NSF Registration Interface YANG Data Model";
// RFC Ed.: replace XXXX with actual RFC number and remove // RFC Ed.: replace XXXX with actual RFC number and remove
// this note // this note
}
revision "2021-09-15" { grouping nsf-performance-capability {
description "Initial revision"; description
reference "Description of the performance capabilities of an NSF";
"RFC XXXX: I2NSF Registration Interface YANG Data Model";
// RFC Ed.: replace XXXX with actual RFC number and remove
// this note
}
grouping nsf-performance-capability { container processing {
description description
"Description of the performance capabilities of an NSF";
container processing {
description
"Processing power of an NSF in the unit of GHz (gigahertz)"; "Processing power of an NSF in the unit of GHz (gigahertz)";
leaf processing-average { leaf processing-average {
type uint16; type uint16;
units "GHz"; units "GHz";
description description
"Average processing power"; "Average processing power";
} }
leaf processing-peak { leaf processing-peak {
type uint16; type uint16;
units "GHz"; units "GHz";
description description
"Peak processing power"; "Peak processing power";
}
} }
container bandwidth { }
description
container bandwidth {
description
"Network bandwidth available on an NSF "Network bandwidth available on an NSF
in the unit of Mbps (megabits per second)"; in the unit of Mbps (megabits per second)";
container outbound { container outbound {
description description
"Outbound network bandwidth"; "Outbound network bandwidth";
leaf outbound-average { leaf outbound-average {
type uint32; type uint32;
units "Mbps"; units "Mbps";
description description
"Average outbound bandwidth"; "Average outbound bandwidth";
} }
leaf outbound-peak { leaf outbound-peak {
type uint32; type uint32;
units "Mbps"; units "Mbps";
description description
"Peak outbound bandwidth"; "Peak outbound bandwidth";
} }
} }
container inbound {
container inbound {
description description
"Inbound network bandwidth"; "Inbound network bandwidth";
leaf inbound-average { leaf inbound-average {
type uint32; type uint32;
units "Mbps"; units "Mbps";
description description
"Average inbound bandwidth"; "Average inbound bandwidth";
} }
leaf inbound-peak { leaf inbound-peak {
type uint32; type uint32;
units "Mbps"; units "Mbps";
description description
"Peak inbound bandwidth"; "Peak inbound bandwidth";
} }
}
} }
} }
}
grouping nsf-capability-info { grouping nsf-capability-info {
description
"Capability description of an NSF";
container security-capability {
description description
"Capability description of an NSF";
container security-capability {
description
"Description of the security capabilities of an NSF"; "Description of the security capabilities of an NSF";
uses cap:nsf-capabilities; uses nsfcap:nsf-capabilities;
// RFC Ed.: replace YYYY with actual RFC number of reference "RFC YYYY: I2NSF Capability YANG Data Model";
// draft-ietf-i2nsf-capability-data-model and remove this note. // RFC Ed.: replace YYYY with actual RFC number of
reference "RFC YYYY: I2NSF Capability YANG Data Model"; // draft-ietf-i2nsf-capability-data-model and remove this note.
} }
container performance-capability { container performance-capability {
description description
"Description of the performance capabilities of an NSF"; "Description of the performance capabilities of an NSF";
uses nsf-performance-capability; uses nsf-performance-capability;
} }
} }
grouping nsf-access-info { grouping nsf-access-info {
description
"Information required to access an NSF";
leaf ip {
type inet:ip-address-no-zone;
description description
"Information required to access an NSF";
leaf capability-name {
type string;
description
"Unique name of this NSF's capability";
}
leaf ip {
type inet:ip-address-no-zone;
description
"Either an IPv4 address or an IPv6 address of this NSF"; "Either an IPv4 address or an IPv6 address of this NSF";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
description description
"Port available on this NSF"; "Port available on this NSF";
} }
} }
container nsf-registrations { container nsf-registrations {
description
"Information of an NSF that DMS registers
to Security Controller";
list nsf-information {
key "nsf-name";
description description
"Information of an NSF that DMS registers
to Security Controller";
list nsf-information {
key "capability-name";
description
"Required information for registration"; "Required information for registration";
leaf capability-name { leaf nsf-name {
type string; type string;
mandatory true;
description description
"Unique name of this registered NSF"; "The name of this registered NSF. The NSF name MUST be unique
} to identify the NSF with the capability. The name can be an
container nsf-capability-info { arbitrary string including FQDN (Fully Qualified Domain
Name).";
}
container nsf-capability-info {
description description
"Capability description of this NSF"; "Capability description of this NSF";
uses nsf-capability-info; uses nsf-capability-info;
} }
container nsf-access-info { container nsf-access-info {
description description
"Network access information of this NSF"; "Network access information of this NSF";
uses nsf-access-info; uses nsf-access-info;
}
} }
} }
}
rpc nsf-capability-query { rpc nsf-capability-query {
description description
"Description of the capabilities that the "Description of the capabilities that the
Security Controller requests to the DMS"; Security Controller requests to the DMS";
input { input {
container query-nsf-capability { container query-nsf-capability {
description description
"Description of the capabilities to request"; "Description of the capabilities to request";
uses cap:nsf-capabilities; uses nsfcap:nsf-capabilities;
// RFC Ed.: replace YYYY with actual RFC number of
// draft-ietf-i2nsf-capability-data-model and remove this note.
reference "RFC YYYY: I2NSF Capability YANG Data Model"; reference "RFC YYYY: I2NSF Capability YANG Data Model";
} //RFC Ed.: replace YYYY with actual RFC number of
//draft-ietf-i2nsf-capability-data-model and remove this note.
} }
output { }
container nsf-access-info { output {
container nsf-access-info {
description description
"Network access information of an NSF "Network access information of an NSF
with the requested capabilities"; with the requested capabilities";
leaf nsf-name {
type string;
description
"The name of this registered NSF. The NSF name MUST be
unique to identify the NSF with the capability. The name
can be an arbitrary string including FQDN (Fully Qualified
Domain Name).";
}
uses nsf-access-info; uses nsf-access-info;
}
} }
}
} }
}
}
<CODE ENDS> <CODE ENDS>
Figure 11: Registration Interface YANG Data Model Figure 11: Registration Interface YANG Data Model
6. IANA Considerations 6. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface
skipping to change at page 20, line 26 skipping to change at page 20, line 39
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>.
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407, Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018, DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>. <https://www.rfc-editor.org/info/rfc8407>.
[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
S., and N. Bahadur, "A YANG Data Model for the Routing S., and N. Bahadur, "A YANG Data Model for the Routing
Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
September 2018, <https://www.rfc-editor.org/info/rfc8431>. September 2018, <https://www.rfc-editor.org/info/rfc8431>.
skipping to change at page 20, line 48 skipping to change at page 21, line 17
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
[I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-capability-data-model]
Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q.
Lin, "I2NSF Capability YANG Data Model", Work in Progress, Lin, "I2NSF Capability YANG Data Model", Work in Progress,
Internet-Draft, draft-ietf-i2nsf-capability-data-model-17, Internet-Draft, draft-ietf-i2nsf-capability-data-model-19,
14 August 2021, <https://www.ietf.org/archive/id/draft- 28 September 2021, <https://www.ietf.org/archive/id/draft-
ietf-i2nsf-capability-data-model-17.txt>. ietf-i2nsf-capability-data-model-19.txt>.
8.2. Informative References 8.2. Informative References
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, Reserved for Documentation", RFC 3849,
DOI 10.17487/RFC3849, July 2004, DOI 10.17487/RFC3849, July 2004,
<https://www.rfc-editor.org/info/rfc3849>. <https://www.rfc-editor.org/info/rfc3849>.
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737, Reserved for Documentation", RFC 5737,
skipping to change at page 21, line 31 skipping to change at page 21, line 49
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-09, 24 August 2021, i2nsf-nsf-monitoring-data-model-10, 15 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-09.txt>. monitoring-data-model-10.txt>.
[RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- [RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "A YANG Data Model for IPsec Flow Protection Based Garcia, "A YANG Data Model for IPsec Flow Protection Based
on Software-Defined Networking (SDN)", RFC 9061, on Software-Defined Networking (SDN)", RFC 9061,
DOI 10.17487/RFC9061, July 2021, DOI 10.17487/RFC9061, July 2021,
<https://www.rfc-editor.org/info/rfc9061>. <https://www.rfc-editor.org/info/rfc9061>.
[I-D.ietf-nvo3-vxlan-gpe] [I-D.ietf-nvo3-vxlan-gpe]
(Editor), F. M., (editor), L. K., and U. E. (editor), (Editor), F. M., (editor), L. K., and U. E. (editor),
"Generic Protocol Extension for VXLAN (VXLAN-GPE)", Work "Generic Protocol Extension for VXLAN (VXLAN-GPE)", Work
in Progress, Internet-Draft, draft-ietf-nvo3-vxlan-gpe-11, in Progress, Internet-Draft, draft-ietf-nvo3-vxlan-gpe-12,
6 March 2021, <https://www.ietf.org/archive/id/draft-ietf- 22 September 2021, <https://www.ietf.org/archive/id/draft-
nvo3-vxlan-gpe-11.txt>. ietf-nvo3-vxlan-gpe-12.txt>.
[nfv-framework] [nfv-framework]
"Network Functions Virtualisation (NFV); Architectureal "Network Functions Virtualisation (NFV); Architectureal
Framework", ETSI GS NFV 002 ETSI GS NFV 002 V1.1.1, Framework", ETSI GS NFV 002 ETSI GS NFV 002 V1.1.1,
October 2013. October 2013.
Appendix A. XML Examples of I2NSF Registration Interface Data Model Appendix A. XML Examples of I2NSF Registration Interface Data Model
This section describes XML examples of the I2NSF Registration This section describes XML examples of the I2NSF Registration
Interface data model under the assumption of registering several Interface data model under the assumption of registering several
skipping to change at page 22, line 21 skipping to change at page 22, line 39
A.1. Example 1: Registration for the Capabilities of a General Firewall A.1. Example 1: Registration for the Capabilities of a General Firewall
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a general firewall in either IPv4 networks [RFC5737] or IPv6 networks a general firewall in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>general_firewall_capability</capability-name> <nsf-name>general_firewall</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:next-header</ipv4-capability> <ipv4-capability>nsfcap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>nsfcap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>nsfcap:destination-address</ipv4-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>nsfcap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>nsfcap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
skipping to change at page 23, line 24 skipping to change at page 23, line 41
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>general_firewall</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 12: Configuration XML for Registration of a General Figure 12: Configuration XML for Registration of a General
Firewall in an IPv4 Network Firewall in an IPv4 Network
Figure 12 shows the configuration XML for registering a general Figure 12 shows the configuration XML for registering a general
firewall in an IPv4 network [RFC5737] and its capabilities as firewall in an IPv4 network [RFC5737] and its capabilities as
follows. follows.
skipping to change at page 24, line 7 skipping to change at page 24, line 27
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can support IPsec not through IKEv2, but through a 5. The NSF can support IPsec not through IKEv2, but through a
Security Controller [RFC9061]. Security Controller [RFC9061].
6. The NSF can have processing power and bandwidth. 6. The NSF can have processing power and bandwidth.
7. The IPv4 address of the NSF is 192.0.2.11. 7. The IPv4 address of the NSF is 192.0.2.11.
8. The port of the NSF is 3000. 8. The port of the NSF is 49152.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>general_firewall_capability</capability-name> <nsf-name>general_firewall</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:next-header</ipv6-capability> <ipv6-capability>nsfcap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>nsfcap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>nsfcap:destination-address</ipv6-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>nsfcap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>nsfcap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 25, line 15 skipping to change at page 25, line 35
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>general_firewall</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 13: Configuration XML for Registration of a General Figure 13: Configuration XML for Registration of a General
Firewall in an IPv6 Network Firewall in an IPv6 Network
In addition, Figure 13 shows the configuration XML for registering a In addition, Figure 13 shows the configuration XML for registering a
general firewall in an IPv6 network [RFC3849] and its capabilities as general firewall in an IPv6 network [RFC3849] and its capabilities as
follows. follows.
skipping to change at page 25, line 44 skipping to change at page 26, line 15
3. The NSF can inspect the port number(s) and flow direction for the 3. The NSF can inspect the port number(s) and flow direction for the
transport layer protocol, i.e., TCP and UDP. transport layer protocol, i.e., TCP and UDP.
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can have processing power and bandwidth. 5. The NSF can have processing power and bandwidth.
6. The IPv6 address of the NSF is 2001:DB8:0:1::11. 6. The IPv6 address of the NSF is 2001:DB8:0:1::11.
7. The port of the NSF is 3000. 7. The port of the NSF is 49152.
A.2. Example 2: Registration for the Capabilities of a Time-based A.2. Example 2: Registration for the Capabilities of a Time-based
Firewall Firewall
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a time-based firewall in either IPv4 networks [RFC5737] or IPv6 a time-based firewall in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>time_based_firewall_capability</capability-name> <nsf-name>time_based_firewall</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<event-capabilities> <event-capabilities>
<time-capabilities>cap:absolute-time</time-capabilities> <time-capabilities>nsfcap:absolute-time</time-capabilities>
<time-capabilities>cap:periodic-time</time-capabilities> <time-capabilities>nsfcap:periodic-time</time-capabilities>
</event-capabilities> </event-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:next-header</ipv4-capability> <ipv4-capability>nsfcap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>nsfcap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>nsfcap:destination-address</ipv4-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>nsfcap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>nsfcap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 27, line 15 skipping to change at page 27, line 35
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>time_based_firewall</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 14: Configuration XML for Registration of a Time-based Figure 14: Configuration XML for Registration of a Time-based
Firewall in an IPv4 Network Firewall in an IPv4 Network
Figure 14 shows the configuration XML for registering a time-based Figure 14 shows the configuration XML for registering a time-based
firewall in an IPv4 network [RFC5737] and its capabilities as firewall in an IPv4 network [RFC5737] and its capabilities as
follows. follows.
skipping to change at page 27, line 45 skipping to change at page 28, line 16
address(es), IPv4 destination address(es), TCP source port address(es), IPv4 destination address(es), TCP source port
number(s), and TCP destination port number(s). number(s), and TCP destination port number(s).
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can have processing power and bandwidth. 5. The NSF can have processing power and bandwidth.
6. The IPv4 address of the NSF is 192.0.2.11. 6. The IPv4 address of the NSF is 192.0.2.11.
7. The port of the NSF is 3000. 7. The port of the NSF is 49152.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>time_based_firewall_capability</capability-name> <nsf-name>time_based_firewall</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<event-capabilities> <event-capabilities>
<time-capabilities>cap:absolute-time</time-capabilities> <time-capabilities>nsfcap:absolute-time</time-capabilities>
<time-capabilities>cap:periodic-time</time-capabilities> <time-capabilities>nsfcap:periodic-time</time-capabilities>
</event-capabilities> </event-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:next-header</ipv6-capability> <ipv6-capability>nsfcap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>nsfcap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>nsfcap:destination-address</ipv6-capability>
<tcp-capability>cap:source-port-number</tcp-capability> <tcp-capability>nsfcap:source-port-number</tcp-capability>
<tcp-capability>cap:destination-port-number</tcp-capability> <tcp-capability>nsfcap:destination-port-number</tcp-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 29, line 15 skipping to change at page 29, line 29
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>time_based_firewall</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 15: Configuration XML for Registration of a Time-based Figure 15: Configuration XML for Registration of a Time-based
Firewall in an IPv6 Network Firewall in an IPv6 Network
In addition, Figure 15 shows the configuration XML for registering a In addition, Figure 15 shows the configuration XML for registering a
time-based firewall in an IPv6 network [RFC3849] and its capabilities time-based firewall in an IPv6 network [RFC3849] and its capabilities
as follows. as follows.
skipping to change at page 29, line 45 skipping to change at page 30, line 9
address(es), IPv6 destination address(es), TCP source port address(es), IPv6 destination address(es), TCP source port
number(s), and TCP destination port number(s). number(s), and TCP destination port number(s).
4. The NSF can determine whether the packets are allowed to pass, 4. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
5. The NSF can have processing power and bandwidth. 5. The NSF can have processing power and bandwidth.
6. The IPv6 address of the NSF is 2001:DB8:0:1::11. 6. The IPv6 address of the NSF is 2001:DB8:0:1::11.
7. The port of the NSF is 3000. 7. The port of the NSF is 49152.
A.3. Example 3: Registration for the Capabilities of a Web Filter A.3. Example 3: Registration for the Capabilities of a Web Filter
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a web filter in either IPv4 networks [RFC5737] or IPv6 networks a web filter in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>web_filter</capability-name> <nsf-name>web_filter</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<url-capability>cap:user-defined</url-capability> <url-capability>nsfcap:user-defined</url-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 31, line 4 skipping to change at page 31, line 16
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>web_filter</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 16: Configuration XML for Registration of a Web Filter in Figure 16: Configuration XML for Registration of a Web Filter in
an IPv4 Network an IPv4 Network
Figure 16 shows the configuration XML for registering a web filter in Figure 16 shows the configuration XML for registering a web filter in
an IPv4 network [RFC5737] and its capabilities are as follows. an IPv4 network [RFC5737] and its capabilities are as follows.
skipping to change at page 31, line 33 skipping to change at page 31, line 43
2. The NSF can inspect URL from a pre-defined database or a added 2. The NSF can inspect URL from a pre-defined database or a added
new URL by user (user-defined). new URL by user (user-defined).
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>web_filter</capability-name> <nsf-name>web_filter</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<url-capability>cap:user-defined</url-capability> <url-capability>nsfcap:user-defined</url-capability>
<url-capability>cap:pre-defined</url-capability> <url-capability>nsfcap:pre-defined</url-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 32, line 38 skipping to change at page 32, line 49
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>web_filter</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 17: Configuration XML for Registration of a Web Filter in Figure 17: Configuration XML for Registration of a Web Filter in
an IPv6 Network an IPv6 Network
In addition, Figure 17 shows the configuration XML for registering a In addition, Figure 17 shows the configuration XML for registering a
web filter in an IPv6 network [RFC3849] and its capabilities are as web filter in an IPv6 network [RFC3849] and its capabilities are as
follows. follows.
skipping to change at page 33, line 17 skipping to change at page 33, line 27
2. The NSF can inspect URL from a pre-defined database or a added 2. The NSF can inspect URL from a pre-defined database or a added
new URL by user (user-defined). new URL by user (user-defined).
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv6 address of the NSF is 2001:DB8:0:1::11. 5. The IPv6 address of the NSF is 2001:DB8:0:1::11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE A.4. Example 4: Registration for the Capabilities of a VoIP/VoLTE
Filter Filter
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a VoIP/VoLTE filter in either IPv4 networks [RFC5737] or IPv6 a VoIP/VoLTE filter in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>voip_volte_filter</capability-name> <nsf-name>voip_volte_filter</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>cap:call-id</voip-volte-capability> <voip-volte-capability>nsfcap:call-id</voip-volte-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 34, line 29 skipping to change at page 34, line 38
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>voip_volte_filter</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 18: Configuration XML for Registration of a VoIP/VoLTE Figure 18: Configuration XML for Registration of a VoIP/VoLTE
Filter in an IPv4 Network Filter in an IPv4 Network
Figure 18 shows the configuration XML for registering a VoIP/VoLTE Figure 18 shows the configuration XML for registering a VoIP/VoLTE
filter in an IPv4 network [RFC5737] and its capabilities are as filter in an IPv4 network [RFC5737] and its capabilities are as
follows. follows.
skipping to change at page 35, line 5 skipping to change at page 35, line 14
2. The NSF can inspect a call id for VoIP/VoLTE packets. 2. The NSF can inspect a call id for VoIP/VoLTE packets.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>voip_volte_filter</capability-name> <nsf-name>voip_volte_filter</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<voip-volte-capability>cap:call-id</voip-volte-capability> <voip-volte-capability>nsfcap:call-id</voip-volte-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
<outbound-average>1000</outbound-average> <outbound-average>1000</outbound-average>
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>voip_volte_filter</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 19: Configuration XML for Registration of a VoIP/VoLTE Figure 19: Configuration XML for Registration of a VoIP/VoLTE
Filter in an IPv6 Network Filter in an IPv6 Network
Figure 19 shows the configuration XML for registering a VoIP/VoLTE Figure 19 shows the configuration XML for registering a VoIP/VoLTE
filter in an IPv6 network [RFC3849] and its capabilities are as filter in an IPv6 network [RFC3849] and its capabilities are as
follows. follows.
skipping to change at page 36, line 35 skipping to change at page 36, line 43
2. The NSF can inspect a call id for VoIP/VoLTE packets. 2. The NSF can inspect a call id for VoIP/VoLTE packets.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv6 address of the NSF is 2001:DB8:0:1::11. 5. The IPv6 address of the NSF is 2001:DB8:0:1::11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
A.5. Example 5: Registration for the Capabilities of a DDoS Mitigator A.5. Example 5: Registration for the Capabilities of a DDoS Mitigator
This section shows an XML example for registering the capabilities of This section shows an XML example for registering the capabilities of
a DDoS mitigator in either IPv4 networks [RFC5737] or IPv6 networks a DDoS mitigator in either IPv4 networks [RFC5737] or IPv6 networks
[RFC3849]. [RFC3849].
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name>anti_DDoS</capability-name> <nsf-name>anti_DDoS</nsf-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<anti-ddos-capability> <anti-ddos-capability>
cap:packet-rate nsfcap:packet-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:flow-rate nsfcap:flow-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:byte-rate nsfcap:byte-rate
</anti-ddos-capability> </anti-ddos-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:rate-limit nsfcap:rate-limit
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:rate-limit nsfcap:rate-limit
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 38, line 11 skipping to change at page 38, line 21
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>
http_and_https_flood_mitigation
</capability-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 20: Configuration XML for Registration of a DDoS Mitigator Figure 20: Configuration XML for Registration of a DDoS Mitigator
in an IPv4 Network in an IPv4 Network
Figure 20 shows the configuration XML for registering a DDoS Figure 20 shows the configuration XML for registering a DDoS
mitigator in an IPv4 network [RFC5737] and its capabilities are as mitigator in an IPv4 network [RFC5737] and its capabilities are as
follows. follows.
skipping to change at page 38, line 39 skipping to change at page 38, line 46
2. The NSF can detect the amount of packet, flow, and byte rate in 2. The NSF can detect the amount of packet, flow, and byte rate in
the network for potential DDoS Attack. the network for potential DDoS Attack.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, or mirror. drop, or mirror.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv4 address of the NSF is 192.0.2.11. 5. The IPv4 address of the NSF is 192.0.2.11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
<nsf-registrations <nsf-registrations
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<nsf-information> <nsf-information>
<capability-name> <nsf-name>anti_DDoS</nsf-name>
anti_DDoS
</capability-name>
<nsf-capability-info> <nsf-capability-info>
<security-capability> <security-capability>
<condition-capabilities> <condition-capabilities>
<advanced-nsf-capabilities> <advanced-nsf-capabilities>
<anti-ddos-capability> <anti-ddos-capability>
cap:packet-rate nsfcap:packet-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:flow-rate nsfcap:flow-rate
</anti-ddos-capability> </anti-ddos-capability>
<anti-ddos-capability> <anti-ddos-capability>
cap:byte-rate nsfcap:byte-rate
</anti-ddos-capability> </anti-ddos-capability>
</advanced-nsf-capabilities> </advanced-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:rate-limit nsfcap:rate-limit
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:rate-limit nsfcap:rate-limit
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</security-capability> </security-capability>
<performance-capability> <performance-capability>
<processing> <processing>
<processing-average>1000</processing-average> <processing-average>1000</processing-average>
<processing-peak>5000</processing-peak> <processing-peak>5000</processing-peak>
</processing> </processing>
<bandwidth> <bandwidth>
<outbound> <outbound>
skipping to change at page 40, line 12 skipping to change at page 40, line 21
<outbound-peak>5000</outbound-peak> <outbound-peak>5000</outbound-peak>
</outbound> </outbound>
<inbound> <inbound>
<inbound-average>1000</inbound-average> <inbound-average>1000</inbound-average>
<inbound-peak>5000</inbound-peak> <inbound-peak>5000</inbound-peak>
</inbound> </inbound>
</bandwidth> </bandwidth>
</performance-capability> </performance-capability>
</nsf-capability-info> </nsf-capability-info>
<nsf-access-info> <nsf-access-info>
<capability-name>anti_DDoS</capability-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</nsf-information> </nsf-information>
</nsf-registrations> </nsf-registrations>
Figure 21: Configuration XML for Registration of a DDoS Mitigator Figure 21: Configuration XML for Registration of a DDoS Mitigator
in an IPv6 Network in an IPv6 Network
In addition, Figure 21 shows the configuration XML for registering a In addition, Figure 21 shows the configuration XML for registering a
DDoS mitigator in an IPv6 network [RFC3849] and its capabilities are DDoS mitigator in an IPv6 network [RFC3849] and its capabilities are
as follows. as follows.
skipping to change at page 40, line 38 skipping to change at page 40, line 46
2. The NSF can detect the amount of packet, flow, and byte rate in 2. The NSF can detect the amount of packet, flow, and byte rate in
the network for potential DDoS Attack. the network for potential DDoS Attack.
3. The NSF can determine whether the packets are allowed to pass, 3. The NSF can determine whether the packets are allowed to pass,
drop, mirror, or rate-limit. drop, mirror, or rate-limit.
4. The NSF can have processing power and bandwidth. 4. The NSF can have processing power and bandwidth.
5. The IPv6 address of the NSF is 2001:DB8:0:1::11. 5. The IPv6 address of the NSF is 2001:DB8:0:1::11.
6. The port of the NSF is 3000. 6. The port of the NSF is 49152.
A.6. Example 6: Query for the Capabilities of a Time-based Firewall A.6. Example 6: Query for the Capabilities of a Time-based Firewall
This section shows an XML example for querying the capabilities of a This section shows an XML example for querying the capabilities of a
time-based firewall in either IPv4 networks [RFC5737] or IPv6 time-based firewall in either IPv4 networks [RFC5737] or IPv6
networks [RFC3849]. networks [RFC3849].
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-capability-query <nsf-capability-query
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<query-i2nsf-capability-info> <query-i2nsf-capability-info>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv4-capability>cap:next-header</ipv4-capability> <ipv4-capability>nsfcap:next-header</ipv4-capability>
<ipv4-capability>cap:source-address</ipv4-capability> <ipv4-capability>nsfcap:source-address</ipv4-capability>
<ipv4-capability>cap:destination-address</ipv4-capability> <ipv4-capability>nsfcap:destination-address</ipv4-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</query-i2nsf-capability-info> </query-i2nsf-capability-info>
</nsf-capability-query> </nsf-capability-query>
</rpc> </rpc>
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-access-info <nsf-access-info
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
<capability-name>time-based-firewall</capability-name> <nsf-name>time_based_firewall</nsf-name>
<ip>192.0.2.11</ip> <ip>192.0.2.11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</rpc-reply> </rpc-reply>
Figure 22: Configuration XML for Query of a Time-based Firewall Figure 22: Configuration XML for Query of a Time-based Firewall
in an IPv4 Network in an IPv4 Network
Figure 22 shows the XML configuration for querying the capabilities Figure 22 shows the XML configuration for querying the capabilities
of a time-based firewall in an IPv4 network [RFC5737]. The access of a time-based firewall in an IPv4 network [RFC5737]. The access
information of the announced time-based firewall has the IPv4 address information of the announced time-based firewall has the IPv4 address
of 192.0.2.11 and the port number of 3000. of 192.0.2.11 and the port number of 49152.
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-capability-query <nsf-capability-query
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface" xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"
xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"> xmlns:cap="urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability">
<query-i2nsf-capability-info> <query-i2nsf-capability-info>
<time-capabilities>absolute-time</time-capabilities> <time-capabilities>absolute-time</time-capabilities>
<time-capabilities>periodic-time</time-capabilities> <time-capabilities>periodic-time</time-capabilities>
<condition-capabilities> <condition-capabilities>
<generic-nsf-capabilities> <generic-nsf-capabilities>
<ipv6-capability>cap:next-header</ipv6-capability> <ipv6-capability>nsfcap:next-header</ipv6-capability>
<ipv6-capability>cap:source-address</ipv6-capability> <ipv6-capability>nsfcap:source-address</ipv6-capability>
<ipv6-capability>cap:destination-address</ipv6-capability> <ipv6-capability>nsfcap:destination-address</ipv6-capability>
</generic-nsf-capabilities> </generic-nsf-capabilities>
</condition-capabilities> </condition-capabilities>
<action-capabilities> <action-capabilities>
<ingress-action-capability> <ingress-action-capability>
cap:pass nsfcap:pass
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:drop nsfcap:drop
</ingress-action-capability> </ingress-action-capability>
<ingress-action-capability> <ingress-action-capability>
cap:mirror nsfcap:mirror
</ingress-action-capability> </ingress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:pass nsfcap:pass
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:drop nsfcap:drop
</egress-action-capability> </egress-action-capability>
<egress-action-capability> <egress-action-capability>
cap:mirror nsfcap:mirror
</egress-action-capability> </egress-action-capability>
</action-capabilities> </action-capabilities>
</query-i2nsf-capability-info> </query-i2nsf-capability-info>
</nsf-capability-query> </nsf-capability-query>
</rpc> </rpc>
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<nsf-access-info <nsf-access-info
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-reg-interface">
<capability-name>time-based-firewall</capability-name> <nsf-name>time_based_firewall</nsf-name>
<ip>2001:DB8:0:1::11</ip> <ip>2001:DB8:0:1::11</ip>
<port>3000</port> <port>49152</port>
</nsf-access-info> </nsf-access-info>
</rpc-reply> </rpc-reply>
Figure 23: Configuration XML for Query of a Time-based Firewall Figure 23: Configuration XML for Query of a Time-based Firewall
in an IPv6 Network in an IPv6 Network
In addition, Figure 23 shows the XML configuration for querying the In addition, Figure 23 shows the XML configuration for querying the
capabilities of a time-based firewall in an IPv6 network [RFC3849]. capabilities of a time-based firewall in an IPv6 network [RFC3849].
The access information of the announced time-based firewall has the The access information of the announced time-based firewall has the
IPv6 address of 2001:DB8:0:1::11 and the port number of 3000. IPv6 address of 2001:DB8:0:1::11 and the port number of 49152.
Appendix B. NSF Lifecycle Management in NFV Environments Appendix B. NSF Lifecycle Management in NFV Environments
Network Functions Virtualization (NFV) can be used to implement I2NSF Network Functions Virtualization (NFV) can be used to implement I2NSF
framework. In NFV environments, NSFs are deployed as virtual network framework. In NFV environments, NSFs are deployed as virtual network
functions (VNFs). Security Controller can be implemented as an functions (VNFs). Security Controller can be implemented as an
Element Management (EM) of the NFV architecture, and is connected Element Management (EM) of the NFV architecture, and is connected
with the VNF Manager (VNFM) via the Ve-Vnfm interface with the VNF Manager (VNFM) via the Ve-Vnfm interface
[nfv-framework]. Security Controller can use this interface for the [nfv-framework]. Security Controller can use this interface for the
purpose of the lifecycle management of NSFs. If some NSFs need to be purpose of the lifecycle management of NSFs. If some NSFs need to be
 End of changes. 222 change blocks. 
347 lines changed or deleted 345 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/