I2NSF Capability YANG Data Model
Huawei
7453 Hickory Hill, Saline, MI 48176, USA
+1-734-604-0332
shares@ndzh.com
Department of Software, Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu, Suwon, Gyeonggi-Do 16419, Republic of Korea
+82 31 299 4957, +82 31 290 7996
pauljeong@skku.edu
http://iotlab.skku.edu/people-jaehoon-jeong.php
Department of Computer Engineering, Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu, Suwon, Gyeonggi-Do 16419, Republic of Korea
+82 10 8273 0930
timkim@skku.edu
HTT Consulting
Oak Park, MI, USA
+1-248-968-9809
rgm@htt-consult.com
Huawei
101 Software Avenue, Yuhuatai District, Nanjing, Jiangsu, China
Frank.xialiang@huawei.com
Internet-Draft
This document defines a YANG data model for capabilities that enables an I2NSF user to control various network security functions in network security devices via an I2NSF security controller.
proposes two different types of interfaces:
Interface between I2NSF user and I2NSF security controller called I2NSF consumer-facing interface
Interface between I2NSF security controller and network security functions (NSFs) called I2NSF NSF-facing interface
This document provides a YANG model that defines the capabilities
of security devices. The model can be used over the I2NSF NSF-facing
interface between the I2NSF security controller and the NSF devices
to express the capabilities of those NSF devices. The same YANG model
can also be used by the I2NSF user (or I2NSF client) to obtain a
complete list of the I2NSF capabilities that can be controlled by
the security controller.
This document defines a YANG data model based on the .
Terms used in document are defined in .
defines the following types of functionality in NSFs:
Network Security Control
Content Security Control
Attack Mitigation Control
This document contains high-level YANG for each type of control.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
This document uses the terminology described in . In particular, the
following terms are from :
Data Model: A data model is a representation of concepts of
interest to an environment in a form that is dependent on data
repository, data definition language, query language,
implementation language, and protocol.
Information Model: An information model is a representation of
concepts of interest to an environment in a form that is
independent of data repository, data definition language, query
language, implementation language, and protocol.
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:
Brackets "[" and "]" enclose list keys.
Abbreviations before data node names: "rw" means configuration data (read-write) and "ro" means state data (read-only).
Symbols after data node names: "?" means an optional node and "*"
denotes a "list" and "leaf-list".
Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that are not
shown.
This section provides an overview of the high-level YANG.
The high-level YANG capabilities per NSF device, controller, or application are the following:
Each of these sections mirrors a section in . The high-level YANG
covers net-sec-control-capabilities, con-sec-control-capabilities, and
attack-mitigation-capabilities. This draft also utilizes the
concepts originated in Basile, Lioy, Pitscheider, and Zhao [2015]
concerning conflict resolution, use of external data, and
IT-Resources. The authors are grateful to Cataldo for pointing out
this excellent work.
This section expands the
This section expands the
The high-level YANG below expands the following section of the top-level model:
This section provides information on capabilities.
This section has information on capabilities location and IT resources. Additional input is needed.
This section provides location for capabilities.
This section has location for capabilities. Additional input is needed.
This section provides a link between capabilities and IT resources.
This section has a list of IT resources by name. Additional input is needed.
Notifications indicate when rules are added or deleted.
These notifications will be defined later.
This section introduces a YANG module for the information model of the I2NSF capability interface, as defined in the .
No IANA considerations exist for this document at this time. URL will be added.
This document introduces no additional security threats and SHOULD
follow the security requirements as stated in .
This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government (MSIP)
(No.R-20160222-002755, Cloud based Security Intelligence Technology
Development for the Customized Security Service Provisioning).
This document has greatly benefited from inputs by Daeyoung Hyun, Dongjin Hong, Hyoungshick Kim, Jung-Soo Park, Tae-Jin Ahn, and Se-Hui Lee.
Key words for use in RFCs to Indicate Requirement Levels
YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)
Information Model of NSFs Capabilities
I2NSF Problem Statement and Use cases
Interface to Network Security Functions (I2NSF) Terminology
A YANG Data Model for Routing Information Base (RIB)
Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)
Framework for Interface to Network Security Functions
The following changes are made from draft-hares-i2nsf-capability-data-model-01:
This draft is revised to support the acquisition of information about NSFs, such as an NSF's IP address and the resources related to its capabilities.
To support the capability information, location, and resources of an NSF, the container component is replaced with a grouping component.
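To illustrate the container-to-grouping change noted above, and the capability, location and IT-resource sections earlier in the document, the following is an added illustrative YANG sketch (not the draft's own module). It shows why a grouping is preferable here: a grouping is a reusable template that "uses" can instantiate inside each NSF list entry, whereas a container is a single fixed node. The module name, namespace, prefix, leaf types and notification payloads are assumptions made for this example.

```yang
module example-i2nsf-capability {
  yang-version 1.1;
  // Placeholder namespace and prefix: this is an illustrative module,
  // not the draft's own capability module.
  namespace "urn:example:i2nsf-capability";
  prefix excap;

  import ietf-inet-types { prefix inet; }

  // Capability categories named in the draft. Modelling each as a
  // leaf-list of identifiers is an assumption made for this example.
  grouping capability-info {
    leaf-list net-sec-control-capabilities { type string; }
    leaf-list con-sec-control-capabilities { type string; }
    leaf-list attack-mitigation-capabilities { type string; }
  }

  // Location of an NSF; the draft mentions the NSF's IP address.
  grouping location {
    leaf ip-address { type inet:ip-address; }
  }

  // IT resources the capabilities apply to, listed by name.
  grouping it-resources {
    list it-resource {
      key "name";
      leaf name { type string; }
    }
  }

  // Because the three definitions above are groupings rather than
  // containers, they can be instantiated per NSF entry with "uses".
  container nsfs {
    list nsf {
      key "nsf-name";
      leaf nsf-name { type string; }
      uses capability-info;
      uses location;
      uses it-resources;
    }
  }
  // Notifications for rule changes; the payload is an assumption.
  notification rule-added {
    leaf nsf-name { type leafref { path "/excap:nsfs/excap:nsf/excap:nsf-name"; } }
  }
  notification rule-deleted {
    leaf nsf-name { type leafref { path "/excap:nsfs/excap:nsf/excap:nsf-name"; } }
  }
}
```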