< draft-ietf-i2nsf-capability-data-model-04.txt.orig | draft-ietf-i2nsf-capability-data-model-04.txt > | |||
---|---|---|---|---|
skipping to change at page 1, line 20 ¶ | skipping to change at page 1, line 20 ¶ | |||
Q. Lin | Q. Lin | |||
Huawei | Huawei | |||
March 28, 2019 | March 28, 2019 | |||
I2NSF Capability YANG Data Model | I2NSF Capability YANG Data Model | |||
draft-ietf-i2nsf-capability-data-model-04 | draft-ietf-i2nsf-capability-data-model-04 | |||
Abstract | Abstract | |||
This document defines a YANG data model for capabilities of various | This document defines a YANG data model for capabilities of various | |||
Network Security Functions (NSFs) in Interface to Network Security | Network Security Functions (NSFs) in the Interface to Network Security | |||
Functions (I2NSF) framework to cetrally manage capabilities of varios | Functions (I2NSF) framework to centrally manage capabilities of various | |||
NSFs. | NSFs. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
Appendix A. Changes from draft-ietf-i2nsf-capability-data- | Appendix A. Changes from draft-ietf-i2nsf-capability-data- | |||
model-03 . . . . . . . . . . . . . . . . . . . . . . 42 | model-03 . . . . . . . . . . . . . . . . . . . . . . 42 | |||
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 42 | Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 42 | |||
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 42 | Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 42 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
1. Introduction | 1. Introduction | |||
As the industry becomes more sophisticated and network devices (e.g., | As the industry becomes more sophisticated and network devices (e.g., | |||
Internet of Things, Self-driving vehicles, and VoIP/VoLTE | Internet of Things, Self-driving vehicles, and VoIP/VoLTE | |||
smartphones), service providers have a lot of problems mentioned in | smartphones), service providers have a lot of the problems described in | |||
[RFC8192]. To resolve these problems, [i2nsf-nsf-cap-im] specifies | [RFC8192]. To resolve these problems, [i2nsf-nsf-cap-im] specifies | |||
the information model of the capabilities of Network Security | the information model of the capabilities of Network Security | |||
Functions (NSFs). | Functions (NSFs). | |||
This document provides a data model using YANG [RFC6020][RFC7950] | This document provides a data model using YANG [RFC6020][RFC7950] | |||
that defines the capabilities of NSFs to centrally manage | that defines the capabilities of NSFs to centrally manage the | |||
capabilities of those security devices. The security devices can | capabilities of those security devices. The security devices can | |||
register their own capabilities into Network Operator Management | register their own capabilities into a Network Operator Management | |||
(Mgmt) System (i.e., Security Controller) with this YANG data model | (Mgmt) System (i.e., Security Controller) with this YANG data model | |||
through the registration interface [RFC8329]. With the capabilities | through the registration interface [RFC8329]. With the capabilities | |||
of those security devices registered centrally, those security | of those security devices maintained centrally, those security | |||
devices can be easily managed [RFC8329]. This YANG data model is | devices can be easily managed [RFC8329]. This YANG data model is | |||
based on the information model for I2NSF NSF capabilities | based on the information model for I2NSF NSF capabilities | |||
[i2nsf-nsf-cap-im]. | [i2nsf-nsf-cap-im]. | |||
This YANG data model uses an "Event-Condition-Action" (ECA) policy | This YANG data model uses an "Event-Condition-Action" (ECA) policy | |||
model that is used as the basis for the design of I2NSF Policy | model that is used as the basis for the design of I2NSF Policy | |||
described in [RFC8329] and [i2nsf-nsf-cap-im]. Rules. The "ietf- | as described in [RFC8329] and [i2nsf-nsf-cap-im]. The "ietf- | |||
i2nsf-capability" YANG module defined in this document provides the | i2nsf-capability" YANG module defined in this document provides the | |||
following features: | following features: | |||
o Definition for general capabilities of network security functions. | o Definition for general capabilities of network security functions. | |||
o Definition for event capabilities of generic network security | o Definition for event capabilities of generic network security | |||
function. | functions. | |||
o Definition for condition capabilities of generic network security | o Definition for condition capabilities of generic network security | |||
function. | functions. | |||
o Definition for condition capabilities of advanced network security | o Definition for condition capabilities of advanced network security | |||
function. | functions. | |||
o Definition for action capabilities of generic network security | o Definition for action capabilities of generic network security | |||
function. | functions. | |||
o Definition for resolution strategy capabilities of generic network | o Definition for resolution strategy capabilities of generic network | |||
security function. | security functions. | |||
o Definition for default action capabilities of generic network | o Definition for default action capabilities of generic network | |||
security function. | security functions. | |||
2. Requirements Language | 2. Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119][RFC8174]. | document are to be interpreted as described in [RFC2119][RFC8174]. | |||
3. Terminology | 3. Terminology | |||
This document uses the terminology described in | This document uses the terminology described in | |||
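Review bot: the opening sentence of Section 1 is still ungrammatical on the new side: "As the industry becomes more sophisticated and network devices (e.g., Internet of Things, Self-driving vehicles, and VoIP/VoLTE smartphones), service providers have a lot of the problems described in [RFC8192]" leaves "network devices" without a verb. Suggest "As the industry becomes more sophisticated and network devices (e.g., Internet of Things, self-driving vehicles, and VoIP/VoLTE smartphones) become more diverse, service providers face many of the problems described in [RFC8192]." The feature list at the end of the section also omits two top-level nodes the tree in Section 5.1 carries, time-capabilities and ipsec-method; either add bullets for them or explain why they are not listed.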
skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 27 ¶ | |||
denotes a "list" and "leaf-list". | denotes a "list" and "leaf-list". | |||
o Parentheses enclose choice and case nodes, and case nodes are also | o Parentheses enclose choice and case nodes, and case nodes are also | |||
marked with a colon (":"). | marked with a colon (":"). | |||
o Ellipsis ("...") stands for contents of subtrees that are not | o Ellipsis ("...") stands for contents of subtrees that are not | |||
shown. | shown. | |||
4. Overview | 4. Overview | |||
This section explains overview how the YANG data model can be used in | This section provides as overview of how the YANG data model can be used in | |||
I2NSF framework described in [RFC8329]. Figure 1 shows capabilities | the I2NSF framework described in [RFC8329]. Figure 1 shows the capabilities | |||
of NSFs in I2NSF Framework. As shown in this figure, Developer's | of NSFs in I2NSF Framework. As shown in this figure, an NSF Developer's | |||
Mgmt System can register NSFs with capabilities that the network | Mgmt System can register NSFs and the capabilities that the network | |||
security device can support. To register NSFs in this way, the | security device can support. To register NSFs in this way, the | |||
Developer's Mgmt System utilizes this standardized capabilities YANG | Developer's Mgmt System utilizes this standardized capabilities YANG | |||
data model through registration interface. With the capabilities of | data model through its registration interface. With the capabilities of | |||
those network security devices registered centrally, those security | those network security devices maintained centrally, those security | |||
devices can be easily managed, which can resolve the a lot of | devices can be easily managed, which can resolve many of the | |||
problems described in [RFC8192]. The following shows use cases. | problems described in [RFC8192]. The use cases are described below. | |||
Note [i2nsf-nsf-yang] is used to configure security policy rules of | Note that [i2nsf-nsf-yang] is used to configure the security policy rules of | |||
generic network security functions and [i2nsf-advanced-nsf-dm] is | the generic network security functions and [i2nsf-advanced-nsf-dm] is | |||
used to configure security policy rules of advanced network security | used to configure security policy rules of advanced network security | |||
functions according to the capabilities of network security devices | functions according to the capabilities of network security devices | |||
registed in I2NSF Framework. | registed in the I2NSF Framework. | |||
+-------------------------------------------------------+ | +-------------------------------------------------------+ | |||
| I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | | I2NSF User (e.g., Overlay Network Mgmt, Enterprise | | |||
| Network Mgmt, another network domain's mgmt, etc.) | | | Network Mgmt, another network domain's mgmt, etc.) | | |||
+--------------------+----------------------------------+ | +--------------------+----------------------------------+ | |||
| | | | |||
Consumer-Facing Interface | | Consumer-Facing Interface | | |||
| | | | |||
| I2NSF | | I2NSF | |||
+-----------------+------------+ Registration +-------------+ | +-----------------+------------+ Registration +-------------+ | |||
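Review bot: typo introduced on the new side of the first sentence of Section 4: "This section provides as overview of how" should read "provides an overview of how". In the same paragraph "Figure 1 shows the capabilities of NSFs in I2NSF Framework" is missing the article ("in the I2NSF Framework") that the previous sentence now uses, and the closing sentence keeps "registed in the I2NSF Framework" on both sides; it should be "registered".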
skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 36 ¶ | |||
+-------+ +-------+ +-------+ +-------+ | +-------+ +-------+ +-------+ +-------+ | |||
NSF-1 NSF-m NSF-1 NSF-n | NSF-1 NSF-m NSF-1 NSF-n | |||
E = {} E = {user} E = {dev} E = {time} | E = {} E = {user} E = {dev} E = {time} | |||
C = {IPv4} C = {IPv6} C = {IPv4, IPv6} C = {IPv4} | C = {IPv4} C = {IPv6} C = {IPv4, IPv6} C = {IPv4} | |||
A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} | A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} A = {Allow, Deny} | |||
Developer Mgmt System A Developer Mgmt System B | Developer Mgmt System A Developer Mgmt System B | |||
Figure 1: Capabilities of NSFs in I2NSF Framework | Figure 1: Capabilities of NSFs in I2NSF Framework | |||
o If network manager wants to apply security policy rules about | o If a network manager wants to apply security policy rules to | |||
blocking malicious users, it is a tremendous burden to apply all | block malicious users, it is a tremendous burden to apply all | |||
of these rules to NSFs one by one. This problem can be resolved | of the needed rules to NSFs one-by-one. This problem can be resolved | |||
by managing the capabilities of NSFs. If network manager wants to | by managing the capabilities of NSFs. If network manager wants to | |||
block malicious users with IPv6, network manager sends the | block malicious users with IPv6, the network manager sends the | |||
security policy rules about blocking the users to Network Operator | security policy rules to block the users to the Network Operator | |||
Mgmt System using I2NSF user (i.e., a web browser or a software). | Mgmt System using I2NSF user interface (i.e., a web browser or a software). | |||
When the Network Operator Mgmt System receives the security policy | When the Network Operator Mgmt System receives the security policy | |||
rules, it automatically sends that security policy rules to | rules, it automatically sends that security policy rules to | |||
appropriate NSFs (i.e., NSF-m in Developer Mgmt System A and NSF-1 | appropriate NSFs (i.e., NSF-m in Developer Mgmt System A and NSF-1 | |||
in Developer Mgmt System B) which can support the capabilities | in Developer Mgmt System B) which can support the capabilities | |||
(i.e., IPv6). Therefore, I2NSF User need not consider NSFs where | (i.e., IPv6). Therefore, an I2NSF User need not consider to which NSFs | |||
to apply the rules. | the rules apply. | |||
o If NSFs find the malicious packets, it is a tremendous burden for | o If NSFs encounter malicious packets, it is a tremendous burden for | |||
network manager to apply the rule about blocking the malicious | the network manager to apply rules to block the malicious | |||
packets to NSFs one by one. This problem can be resolved by | packets to NSFs one-by-one. This problem can be resolved by | |||
managing the capabilities of NSFs. If NSFs find the suspicious | managing the capabilities of NSFs. If NSFs encounter suspicious | |||
packets with IPv4, they can ask the Network Operator Mgmt System | IPv4 packets4, they can ask the Network Operator Mgmt System | |||
for information about the suspicious packets with IPv4. to alter | for information about the suspicious IPv4 packets in order to alter | |||
specific rules and/or configurations. When the Network Operator | specific rules and/or configurations. When the Network Operator | |||
Mgmt System receives information, it inspects the information | Mgmt System receives information, it inspects the information | |||
about the suspicious packets with IPv4. If the suspicious packets | about the suspicious IPv4 packets. If the suspicious packets | |||
are determined to be malicious packets, the Network Operator Mgmt | are determined to be malicious packets, the Network Operator Mgmt | |||
System creates and sends the security policy rule against | System creates and sends the security policy rules blocking | |||
malicious packets to appropriate NSFs (i.e., NSF-1 in Developer | malicious packets to appropriate NSFs (i.e., NSF-1 in Developer | |||
Mgmt System A and NSF-1 and NSF-n in Developer Mgmt System B) | Mgmt System A and NSF-1 and NSF-n in Developer Mgmt System B) | |||
which can support the capabilities (i.e., IPv4). Therefore, the | which can support the capabilities (i.e., IPv4). Therefore, the | |||
new security policy rule against malicious packets can be applied | new security policy rules blocking malicious packets can be applied | |||
to appropriate NSFs without intervention of humans. | to appropriate NSFs without human intervention. | |||
5. YANG Tree Diagram | 5. YANG Tree Diagram | |||
This section shows an YANG tree diagram of capabilities for network | This section shows an YANG tree diagram of capabilities for network | |||
security functions, as defined in the [i2nsf-nsf-cap-im]. | security functions, as defined in the [i2nsf-nsf-cap-im]. | |||
5.1. Capabilities of Network Security Function | 5.1. Network Security Function (NSF) Capabilities | |||
This section shows YANG tree diagram for capabilities of network | This section shows YANG tree diagram for NFS capabilities. | |||
security functions. | ||||
module: ietf-i2nsf-capability | module: ietf-i2nsf-capability | |||
+--rw nsf | +--rw nsf | |||
+--rw time-capabilities* enumeration | +--rw time-capabilities* enumeration | |||
+--rw event-capabilities | +--rw event-capabilities | |||
| +--rw system-event-capa* identityref | | +--rw system-event-capa* identityref | |||
| +--rw system-alarm-capa* identityref | | +--rw system-alarm-capa* identityref | |||
+--rw condition-capabilities | +--rw condition-capabilities | |||
| +--rw generic-nsf-capabilities | | +--rw generic-nsf-capabilities | |||
| | +--rw ipv4-capa* identityref | | | +--rw ipv4-capa* identityref | |||
| | +--rw ipv6-capa* identityref | | | +--rw ipv6-capa* identityref | |||
| | +--rw tcp-capa* identityref | | | +--rw tcp-capa* identityref | |||
| | +--rw udp-capa* identityref | | | +--rw udp-capa* identityref | |||
| | +--rw icmp-capa* identityref | | | +--rw icmp-capa* identityref | |||
| +--rw advanced-nsf-capabilities | | +--rw advanced-nsf-capabilities | |||
| | +--rw antivirus-capa* identityref | | | +--rw anti-virus-capa* identityref | |||
| | +--rw antiddos-capa* identityref | | | +--rw anti-ddos-capa* identityref | |||
| | +--rw ips-capa* identityref | | | +--rw ips-capa* identityref | |||
| | +--rw url-capa* identityref | | | +--rw url-capa* identityref | |||
| | +--rw voip-volte-capa* identityref | | | +--rw voip-volte-capa* identityref | |||
| +--rw context-capabilities* identityref | | +--rw context-capabilities* identityref | |||
+--rw action-capabilities | +--rw action-capabilities | |||
| +--rw ingress-action-capa* identityref | | +--rw ingress-action-capa* identityref | |||
| +--rw egress-action-capa* identityref | | +--rw egress-action-capa* identityref | |||
| +--rw log-action-capa* identityref | | +--rw log-action-capa* identityref | |||
+--rw resolution-strategy-capabilities* identityref | +--rw resolution-strategy-capabilities* identityref | |||
+--rw default-action-capabilities* identityref | +--rw default-action-capabilities* identityref | |||
+--rw ipsec-method* identityref | +--rw ipsec-method* identityref | |||
Figure 2: YANG Tree Diagram for Capabilities of Network Security | Figure 2: YANG Tree Diagram for NSF Capabilities | |||
Functions | ||||
This YANG tree diagram shows capabilities of network security | This YANG tree diagram shows capabilities of network security | |||
functions. | functions. | |||
The NSF includes NSF capabilities. The NSF capabilities include time | The model includes NSF capabilities. The NSF capabilities include time | |||
capabilities, event capabilities, condition capabilities, action | capabilities, event capabilities, condition capabilities, action | |||
capabilities, resolution strategy capabilities, and default action | capabilities, resolution strategy capabilities, and default action | |||
capabilities. | capabilities. | |||
Time capabilities are used to specify capabilities when to execute | Time capabilities are used to specify the capability to specify when | |||
the I2NSF policy rule. The time capabilities are defined as absolute | to execute the I2NSF policy rule. The time capabilities are defined | |||
time and periodic time. | in terms of absolute time and periodic time. | |||
Event capabilities are used to specify capabilities how to trigger | Event capabilities are used to specify how to trigger | |||
the evaluation of the condition clause of the I2NSF Policy Rule. The | the evaluation of the condition clause of the I2NSF Policy Rule. The | |||
event capabilities are defined as system event and system alarm. The | defined event capabilities are system event and system alarm. The | |||
event capability can be extended according to specific vendor | event capability can be extended according to specific vendor | |||
condition features. The event capability is described in detail in | condition features. The event capability is described in detail in | |||
[i2nsf-nsf-cap-im]. | [i2nsf-nsf-cap-im]. | |||
Condition capabilities are used to specify capabilities of a set of | Condition capabilities are used to specify capabilities of a set of | |||
attributes, features, and/or values that are to be compared with a | attributes, features, and/or values that are to be compared with a | |||
set of known attributes, features, and/or values in order to | set of known attributes, features, and/or values in order to | |||
determine whether or not the set of actions in that (imperative) | determine whether or not the set of actions in that (imperative) | |||
I2NSF policy rule can be executed or not. The condition capability | I2NSF policy rule can be executed. The condition capabilities | |||
is classified as condition capabilities of generic network security | are classified in terms of generic network security | |||
functions and advanced network security functions. The condition | functions and advanced network security functions. The condition | |||
capabilities of generic network security functions are defined as | capabilities of generic network security functions are defined as | |||
IPv4 capability, IPv6 capability, tcp capability, udp capability, and | IPv4 capability, IPv6 capability, TCP capability, UDP capability, and | |||
icmp capability. The condition capabilities of advanced network | ICMP capability. The condition capabilities of advanced network | |||
security functions are defined as antivirus capability, antiddos | security functions are defined as anti-virus capability, anti-DDoS | |||
capability, ips capability, http capability, and VoIP/VoLTE | capability, IPS capability, HTTP capability, and VoIP/VoLTE | |||
capability. The condition capability can be extended according to | capability. The condition capability can be extended according to | |||
specific vendor condition features. The condition capability is | specific vendor condition features. The condition capability is | |||
described in detail in [i2nsf-nsf-cap-im]. | described in detail in [i2nsf-nsf-cap-im]. | |||
Action capabilities is used to specify capabilities how to control | Action capabilities are used to specify capabilities of how to control | |||
and monitor aspects of flow-based NSFs when the event and condition | and monitor aspects of flow-based NSFs when the event and condition | |||
clauses are satisfied. The action capabilities are defined as | clauses are satisfied. The action capabilities are defined as | |||
ingress action capability, egress action capability, and log action | ingress-action capability, egress0-action capability, and log-action | |||
capability. The action capability can be extended according to | capability. The action capability can be extended according to | |||
specific vendor action features. The action capability is described | specific vendor action features. The action capability is described | |||
in detail in [i2nsf-nsf-cap-im]. | in detail in [i2nsf-nsf-cap-im]. | |||
Resolution strategy capabilities are used to specify capabilities how | Resolution strategy capabilities are used to specify capabilities of how | |||
to resolve conflicts that occur between the actions of the same or | to resolve conflicts that occur between the actions of the same or | |||
different policy rules that are matched and contained in this | different policy rules that are matched and contained in this | |||
particular NSF. The resolution strategy capabilities are defined as | particular NSF. The resolution strategy capabilities are defined as | |||
First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized | First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized | |||
Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule | Matching Rule (PMR), Prioritized Matching Rule with Errors (PMRE), | |||
with No Errors (PMRN). The resolution strategy capability can be | and Prioritized Matching Rule with No Errors (PMRN). The resolution | |||
extended according to specific vendor action features. The | strategy capabilities can be extended according to specific vendor | |||
resolution strategy capability is described in detail in | action features. The resolution strategy capability is described in | |||
[i2nsf-nsf-cap-im]. | detail in [i2nsf-nsf-cap-im]. | |||
Default action capabilities are used to specify capabilities how to | Default action capabilities are used to specify capabilities of how to | |||
execute I2NSF policy rule when no rule matches a packet. The default | execute I2NSF policy rules when no rule matches a packet. The default | |||
action capabilities are defined as pass, drop, reject, alert, and | action capabilities are defined as pass, drop, reject, alert, and | |||
mirror. The default action capability can be extended according to | mirror. The default action capability can be extended according to | |||
specific vendor action features. The default action capability is | specific vendor action features. The default action capability is | |||
described in detail in [i2nsf-nsf-cap-im]. | described in detail in [i2nsf-nsf-cap-im]. | |||
IPsec method capabilities are used to specify capabilities how to | IPsec method capabilities are used to specify capabilities of how to | |||
support an Internet key exchange for the security communication. The | support an Internet Key Exchange (IKE) for security communication. The | |||
default action capabilities are defined as ike and ikeless. The | default action capabilities are defined as IKE and IKE-less. The | |||
default action capability can be extended according to specific | default action capability can be extended according to specific | |||
vendor action features. The default action capability is described | vendor action features. The default action capability is described | |||
in detail in [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. | in detail in [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. | |||
6. YANG Data Modules | 6. YANG Data Modules | |||
6.1. I2NSF Capability YANG Data Module | 6.1. I2NSF Capability YANG Data Module | |||
This section introduces an YANG data module for capabilities of | This section introduces a YANG data module for Network Security | |||
network security functions, as defined in the [i2nsf-nsf-cap-im]. | Function (NSF) capabilities, as defined in the [i2nsf-nsf-cap-im]. | |||
<CODE BEGINS> file "ietf-i2nsf-capability@2019-03-28.yang" | <CODE BEGINS> file "ietf-i2nsf-capability@2019-03-28.yang" | |||
module ietf-i2nsf-capability { | module ietf-i2nsf-capability { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace | namespace | |||
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; | "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; | |||
prefix | prefix | |||
iicapa; | iicapa; | |||
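Review bot: the tree in Section 5.1 renames "antivirus-capa" to "anti-virus-capa" and "antiddos-capa" to "anti-ddos-capa", but this hunk does not show the corresponding identity and leaf renames in the ietf-i2nsf-capability module body or in the examples; please confirm the module was regenerated with the same names, otherwise the tree diagram no longer matches the module it claims to depict. Several smaller defects remain on the new side of this region: "suspicious IPv4 packets4" carries a stray "4"; "This section shows YANG tree diagram for NFS capabilities." should read "a YANG tree diagram for NSF capabilities"; "an YANG tree diagram" survives in the Section 5 intro while Section 6.1 was corrected to "a YANG"; "Time capabilities are used to specify the capability to specify when" doubles "specify"; "egress0-action capability" has a stray "0"; and "using I2NSF user interface (i.e., a web browser or a software)" should end "or other software". Two content inconsistencies are present on both sides and worth fixing while here: the IPsec paragraph says "The default action capabilities are defined as IKE and IKE-less" although it describes ipsec-method, so it should say "The IPsec method capabilities are defined as..." (and the following two sentences likewise), and the prose lists "HTTP capability" for advanced NSFs while the tree node is url-capa; the two should use one name.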
skipping to change at page 10, line 30 ¶ | skipping to change at page 10, line 30 ¶ | |||
reference | reference | |||
"RFC XXXX: I2NSF Capability YANG Data Model"; | "RFC XXXX: I2NSF Capability YANG Data Model"; | |||
} | } | |||
/* | /* | |||
* Identities | * Identities | |||
*/ | */ | |||
identity event { | identity event { | |||
description | description | |||
"Base identity for event of policy."; | "Base identity for I2NSF policy events."; | |||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- Event"; | - Event"; | |||
} | } | |||
identity system-event-capa { | identity system-event-capa { | |||
base event; | base event; | |||
description | description | |||
"Identity for system event"; | "Identity for system events"; | |||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity system-alarm-capa { | identity system-alarm-capa { | |||
base event; | base event; | |||
description | description | |||
"Identity for system alarm"; | "Identity for system alarms"; | |||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity access-violation { | identity access-violation { | |||
base system-event-capa; | base system-event-capa; | |||
description | description | |||
"Identity for access violation | "Identity for access violation events"; | |||
among system events"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System event"; | - System event"; | |||
} | } | |||
identity configuration-change { | identity configuration-change { | |||
base system-event-capa; | base system-event-capa; | |||
description | description | |||
"Identity for configuration change | "Identity for configuration change events"; | |||
among system events"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System event"; | - System event"; | |||
} | } | |||
identity memory-alarm { | identity memory-alarm { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
description | description | |||
"Identity for memory alarm | "Identity for memory alarm events"; | |||
among system alarms"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity cpu-alarm { | identity cpu-alarm { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
description | description | |||
"Identity for cpu alarm | "Identity for CPU alarm events"; | |||
among system alarms"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity disk-alarm { | identity disk-alarm { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
description | description | |||
"Identity for disk alarm | "Identity for disk alarm events"; | |||
among system alarms"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity hardware-alarm { | identity hardware-alarm { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
description | description | |||
"Identity for hardware alarm | "Identity for hardware alarm events"; | |||
among system alarms"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity interface-alarm { | identity interface-alarm { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
description | description | |||
"Identity for interface alarm | "Identity for interface alarm events"; | |||
among system alarms"; | ||||
reference | reference | |||
"draft-hong-i2nsf-nsf-monitoring-data-model-06 | "draft-hong-i2nsf-nsf-monitoring-data-model-06 | |||
- System alarm"; | - System alarm"; | |||
} | } | |||
identity condition { | identity condition { | |||
description | description | |||
"Base identity for conditions of policy"; | "Base identity for policy conditions"; | |||
} | } | |||
identity context-capa { | identity context-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of context condition"; | "Identity for context condition capability"; | |||
} | } | |||
identity acl-number { | identity acl-number { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for acl number capability | "Identity for ACL number condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity application { | identity application { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for application capability | "Identity for application condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity target { | identity target { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for target capability | "Identity for target condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity user { | identity user { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for user capability | "Identity for user condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity group { | identity group { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for group capability | "Identity for group condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity geography { | identity geography { | |||
base context-capa; | base context-capa; | |||
description | description | |||
"Identity for geography capability | "Identity for geography condition capability"; | |||
of context condition"; | ||||
} | } | |||
identity ipv4-capa { | identity ipv4-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of IPv4 condition"; | "Identity for IPv4 condition capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol"; | "RFC 791: Internet Protocol"; | |||
} | } | |||
identity exact-ipv4-header-length { | identity exact-ipv4-header-length { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for exact header length capability | "Identity for exact-match IPv4 header-length condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Header Length"; | "RFC 791: Internet Protocol - Header Length"; | |||
} | } | |||
identity range-ipv4-header-length { | identity range-ipv4-header-length { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for range header length capability | "Identity for range-match IPv4 header-length condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Header Length"; | "RFC 791: Internet Protocol - Header Length"; | |||
} | } | |||
identity ipv4-tos { | identity ipv4-tos { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for type of service capability | "Identity for IPv4 Type-Of-Service (TOS) condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Type of Service"; | "RFC 791: Internet Protocol - Type of Service"; | |||
} | } | |||
identity exact-ipv4-total-length { | identity exact-ipv4-total-length { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for exact total length capability | "Identity for IPv4 exact-match total length condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Total Length"; | "RFC 791: Internet Protocol - Total Length"; | |||
} | } | |||
identity range-ipv4-total-length { | identity range-ipv4-total-length { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for range total length capability | "Identity for IPv4 range-match total length condition | |||
of IPv4 condition"; | of IPv4 capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Total Length"; | "RFC 791: Internet Protocol - Total Length"; | |||
} | } | |||
identity ipv4-id { | identity ipv4-id { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for identification capability | "Identity for IPv4 identification condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Identification"; | "RFC 791: Internet Protocol - Identification"; | |||
} | } | |||
identity ipv4-fragment-flags { | identity ipv4-fragment-flags { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for fragment flags capability | "Identity for IPv4 fragment flags condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Fragmentation Flags"; | "RFC 791: Internet Protocol - Fragmentation Flags"; | |||
} | } | |||
identity exact-ipv4-fragment-offset { | identity exact-ipv4-fragment-offset { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for exact fragment offset capability | "Identity for exact-match IPv4 fragment offset condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Fragmentation Offset"; | "RFC 791: Internet Protocol - Fragmentation Offset"; | |||
} | } | |||
identity range-ipv4-fragment-offset { | identity range-ipv4-fragment-offset { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for range fragment offset capability | "Identity for range-match IPv4 fragment offset condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Fragmentation Offset"; | "RFC 791: Internet Protocol - Fragmentation Offset"; | |||
} | } | |||
identity exact-ipv4-ttl { | identity exact-ipv4-ttl { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for exact time to live capability | "Identity for exact-match IPv4 Time-To-Live (TTL) IPv4 | |||
of IPv4 condition"; | condition capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Time To Live (TTL)"; | "RFC 791: Internet Protocol - Time To Live (TTL)"; | |||
} | } | |||
identity range-ipv4-ttl { | identity range-ipv4-ttl { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for range time to live capability | "Identity for range-match Time-To-Live (TTL) IPv4 | |||
of IPv4 condition"; | condition capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Time To Live (TTL)"; | "RFC 791: Internet Protocol - Time To Live (TTL)"; | |||
} | } | |||
identity ipv4-protocol { | identity ipv4-protocol { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for protocol capability | "Identity for IPv4 protocol condition capability"; | |||
of IPv4 condition"; | ||||
reference | reference | |||
"RFC 790: Assigned numbers - Assigned Internet | "RFC 790: Assigned numbers - Assigned Internet | |||
Protocol Number | Protocol Number | |||
RFC 791: Internet Protocol - Protocol"; | RFC 791: Internet Protocol - Protocol"; | |||
} | } | |||
identity exact-ipv4-address { | identity exact-ipv4-address { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for exact address capability | "Identity for exact-match IP4 address condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Address"; | "RFC 791: Internet Protocol - Address"; | |||
} | } | |||
identity range-ipv4-address { | identity range-ipv4-address { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for range-address capability | "Identity for range-match IPv4 address condition | |||
of IPv4 condition"; | capability"; | |||
reference | reference | |||
"RFC 791: Internet Protocol - Address"; | "RFC 791: Internet Protocol - Address"; | |||
} | } | |||
identity ipv4-ipopts { | identity ipv4-ip-opts { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for option capability | "Identity for IPv4 option condition capability"; | |||
of IPv4 condition"; | ||||
reference | reference | |||
"RFC 791: Internet Protocol - Options"; | "RFC 791: Internet Protocol - Options"; | |||
} | } | |||
identity ipv4-sameip { | identity ipv4-same-ip { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for sameIP capability | "Identity for IPv4 same IP condition capability"; | |||
of IPv4 condition"; | ||||
} | } | |||
identity ipv4-geoip { | identity ipv4-geo-ip { | |||
base ipv4-capa; | base ipv4-capa; | |||
description | description | |||
"Identity for geography capability | "Identity for IPv4 geography condition capability"; | |||
of IPv4 condition"; | ||||
} | } | |||
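Review bot: three IPv4 descriptions in the right-hand column carry leftover or duplicated words. range-ipv4-total-length reads "IPv4 range-match total length condition / of IPv4 capability" (the trailing "of IPv4" is a remnant of the old wording; its exact-match sibling ends in "condition capability"), exact-ipv4-ttl reads "exact-match IPv4 Time-To-Live (TTL) IPv4 condition capability" (IPv4 appears twice, and the word order differs from range-ipv4-ttl), and exact-ipv4-address says "IP4 address". Suggest "Identity for IPv4 range-match total length condition capability", "Identity for exact-match IPv4 Time-To-Live (TTL) condition capability" (same shape for the range variant), and "IPv4 address".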
identity ipv6-capa { | identity ipv6-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of IPv6 condition"; | "Identity for IPv6 condition capabilities"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification"; | Specification"; | |||
} | } | |||
identity ipv6-traffic-class { | identity ipv6-traffic-class { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for traffic class capability | "Identity for IPv6 traffic class condition capability"; | |||
of IPv6 condition"; | ||||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Traffic Class"; | Specification - Traffic Class"; | |||
} | } | |||
identity exact-ipv6-flow-label { | identity exact-ipv6-flow-label { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for exact flow label capability | "Identity for exact-match IPv6 flow label condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Flow Label"; | Specification - Flow Label"; | |||
} | } | |||
identity range-ipv6-flow-label { | identity range-ipv6-flow-label { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for range flow label capability | "Identity for range-match IPv6 flow label condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Flow Label"; | Specification - Flow Label"; | |||
} | } | |||
identity exact-ipv6-payload-length { | identity exact-ipv6-payload-length { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for exact payload length capability | "Identity for exact-match IPv6 payload length condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Payload Length"; | Specification - Payload Length"; | |||
} | } | |||
identity range-ipv6-payload-length { | identity range-ipv6-payload-length { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for range payload length capability | "Identity for range-match IPv6 payload length condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Payload Length"; | Specification - Payload Length"; | |||
} | } | |||
identity ipv6-next-header { | identity ipv6-next-header { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for next header capability | "Identity for IPv6 next header condition capability"; | |||
of IPv6 condition"; | ||||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Next Header"; | Specification - Next Header"; | |||
} | } | |||
identity exact-ipv6-hop-limit { | identity exact-ipv6-hop-limit { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for exact hop limit capability | "Identity for exact-match IPv6 hop limit condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Hop Limit"; | Specification - Hop Limit"; | |||
} | } | |||
identity range-ipv6-hop-limit { | identity range-ipv6-hop-limit { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for range hop limit capability | "Identity for range-match IPv6 hop limit condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Hop Limit"; | Specification - Hop Limit"; | |||
} | } | |||
identity exact-ipv6-address { | identity exact-ipv6-address { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for exact address capability | "Identity for exact-match IPv6 address condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Address"; | Specification - Address"; | |||
} | } | |||
identity range-ipv6-address { | identity range-ipv6-address { | |||
base ipv6-capa; | base ipv6-capa; | |||
description | description | |||
"Identity for range address capability | "Identity for exact-match IPv6 address condition | |||
of IPv6 condition"; | capability"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Address"; | Specification - Address"; | |||
} | } | |||
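Review bot: the new description of range-ipv6-address still says "exact-match IPv6 address condition capability", which is word for word the description of exact-ipv6-address directly above it; it should read "Identity for range-match IPv6 address condition capability" so the two identities stay distinguishable to anyone reading the module text.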
identity tcp-capa { | identity tcp-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of tcp condition"; | "Identity for TCP condition capabilities"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol"; | "RFC 793: Transmission Control Protocol"; | |||
} | } | |||
identity exact-tcp-port-num { | identity exact-tcp-port-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for exact port number capability | "Identity for exact-match TCP port number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Port Number"; | "RFC 793: Transmission Control Protocol - Port Number"; | |||
} | } | |||
identity range-tcp-port-num { | identity range-tcp-port-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for range port number capability | "Identity for range-match TCP port number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Port Number"; | "RFC 793: Transmission Control Protocol - Port Number"; | |||
} | } | |||
identity exact-tcp-seq-num { | identity exact-tcp-seq-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for exact sequence number capability | "Identity for exact-match TCP sequence number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Sequence Number"; | "RFC 793: Transmission Control Protocol - Sequence Number"; | |||
} | } | |||
identity range-tcp-seq-num { | identity range-tcp-seq-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for range sequence number capability | "Identity for range-match TCP sequence number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Sequence Number"; | "RFC 793: Transmission Control Protocol - Sequence Number"; | |||
} | } | |||
identity exact-tcp-ack-num { | identity exact-tcp-ack-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for exact acknowledgement number capability | "Identity for exact-match TCP acknowledgement number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Acknowledgement Number"; | "RFC 793: Transmission Control Protocol - Acknowledgement Number"; | |||
} | } | |||
identity range-tcp-ack-num { | identity range-tcp-ack-num { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for range acknowledgement number capability | "Identity for range-match TCP acknowledgement number condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Acknowledgement Number"; | "RFC 793: Transmission Control Protocol - Acknowledgement Number"; | |||
} | } | |||
identity exact-tcp-window-size { | identity exact-tcp-window-size { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for exact window size capability | "Identity for exact-match TCP window size condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Window Size"; | "RFC 793: Transmission Control Protocol - Window Size"; | |||
} | } | |||
identity range-tcp-window-size { | identity range-tcp-window-size { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for range window size capability | "Identity for range--match TCP window size condition | |||
of tcp condition"; | capability"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Window Size"; | "RFC 793: Transmission Control Protocol - Window Size"; | |||
} | } | |||
identity tcp-flags { | identity tcp-flags { | |||
base tcp-capa; | base tcp-capa; | |||
description | description | |||
"Identity for flags capability | "Identity for TCP flags condition capability"; | |||
of tcp condition"; | ||||
reference | reference | |||
"RFC 793: Transmission Control Protocol - Flags"; | "RFC 793: Transmission Control Protocol - Flags"; | |||
} | } | |||
identity udp-capa { | identity udp-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of udp condition"; | "Identity for UDP condition capabilities"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol"; | "RFC 768: User Datagram Protocol"; | |||
} | } | |||
identity exact-udp-port-num { | identity exact-udp-port-num { | |||
base udp-capa; | base udp-capa; | |||
description | description | |||
"Identity for exact port number capability | "Identity for exact-match UDP port number condition | |||
of udp condition"; | capability"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol - Port Number"; | "RFC 768: User Datagram Protocol - Port Number"; | |||
} | } | |||
identity range-udp-port-num { | identity range-udp-port-num { | |||
base udp-capa; | base udp-capa; | |||
description | description | |||
"Identity for range port number capability | "Identity for range-match UDP port number condition | |||
of udp condition"; | capability"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol - Port Number"; | "RFC 768: User Datagram Protocol - Port Number"; | |||
} | } | |||
identity exact-udp-total-length { | identity exact-udp-total-length { | |||
base udp-capa; | base udp-capa; | |||
description | description | |||
"Identity for exact total-length capability | "Identity for exact-match UDP total length condition | |||
of udp condition"; | capability"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol - Total Length"; | "RFC 768: User Datagram Protocol - Total Length"; | |||
} | } | |||
identity range-udp-total-length { | identity range-udp-total-length { | |||
base udp-capa; | base udp-capa; | |||
description | description | |||
"Identity for range total-length capability | "Identity for range-match UDP total length condition | |||
of udp condition"; | capability"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol - Total Length"; | "RFC 768: User Datagram Protocol - Total Length"; | |||
} | } | |||
identity icmp-capa { | identity icmp-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of icmp condition"; | "Identity for ICMP condition capabilities"; | |||
reference | reference | |||
"RFC 792: Internet Control Message Protocol"; | "RFC 792: Internet Control Message Protocol"; | |||
} | } | |||
identity icmp-type { | identity icmp-type { | |||
base icmp-capa; | base icmp-capa; | |||
description | description | |||
"Identity for icmp type capability | "Identity for ICMP type condition capability"; | |||
of icmp condition"; | ||||
reference | reference | |||
"RFC 792: Internet Control Message Protocol"; | "RFC 792: Internet Control Message Protocol"; | |||
} | } | |||
identity url-capa { | identity url-capa { | |||
base condition; | base condition; | |||
description | description | |||
"Identity for capabilities of url condition"; | "Identity for URL condition capabilities"; | |||
} | } | |||
identity pre-defined { | identity pre-defined { | |||
base url-capa; | base url-capa; | |||
description | description | |||
"Identity for pre-defined capabilities of | "Identity for URL pre-defined condition capabilities"; | |||
url condition"; | ||||
} | } | |||
identity user-defined { | identity user-defined { | |||
base url-capa; | base url-capa; | |||
description | description | |||
"Identity for user-defined capabilities of | "Identity for URL user-defined condition capabilities"; | |||
url condition"; | ||||
} | } | |||
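Review bot: typo in range-tcp-window-size: "range--match" has a doubled hyphen, while every other range identity in this revision uses "range-match".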
identity log-action-capa { | identity log-action-capa { | |||
description | description | |||
"Identity for capabilities of log action"; | "Identity for log-action capabilities"; | |||
} | } | |||
identity rule-log { | identity rule-log { | |||
base log-action-capa; | base log-action-capa; | |||
description | description | |||
"Identity for rule log capability | "Identity for rule log log-action capability"; | |||
of log action"; | ||||
} | } | |||
identity session-log { | identity session-log { | |||
base log-action-capa; | base log-action-capa; | |||
description | description | |||
"Identity for session log capability | "Identity for session log log-action capability"; | |||
of log action"; | ||||
} | } | |||
identity ingress-action-capa { | identity ingress-action-capa { | |||
description | description | |||
"Identity for capabilities of ingress action"; | "Identity for ingress-action capabilities"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Action"; | of NSFs Capabilities - Action"; | |||
} | } | |||
identity egress-action-capa { | identity egress-action-capa { | |||
description | description | |||
"Base identity for egress action"; | "Identity for egress-action capabilities"; | |||
} | } | |||
identity default-action-capa { | identity default-action-capa { | |||
description | description | |||
"Identity for capabilities of default action"; | "Identity for default-action capabilities"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Default action"; | of NSFs Capabilities - Default action"; | |||
} | } | |||
identity pass { | identity pass { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
base egress-action-capa; | base egress-action-capa; | |||
base default-action-capa; | base default-action-capa; | |||
description | description | |||
"Identity for pass"; | "Identity for pass action capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Actions and | of NSFs Capabilities - Actions and | |||
default action"; | default action"; | |||
} | } | |||
identity drop { | identity drop { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
base egress-action-capa; | base egress-action-capa; | |||
base default-action-capa; | base default-action-capa; | |||
description | description | |||
"Identity for drop"; | "Identity for drop action capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Actions and | of NSFs Capabilities - Actions and | |||
default action"; | default action"; | |||
} | } | |||
identity reject { | identity reject { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
base egress-action-capa; | base egress-action-capa; | |||
base default-action-capa; | base default-action-capa; | |||
description | description | |||
"Identity for reject"; | "Identity for reject action capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Actions and | of NSFs Capabilities - Actions and | |||
default action"; | default action"; | |||
} | } | |||
identity alert { | identity alert { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
base egress-action-capa; | base egress-action-capa; | |||
base default-action-capa; | base default-action-capa; | |||
description | description | |||
"Identity for alert"; | "Identity for alert action capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Actions and | of NSFs Capabilities - Actions and | |||
default action"; | default action"; | |||
} | } | |||
identity mirror { | identity mirror { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
base egress-action-capa; | base egress-action-capa; | |||
base default-action-capa; | base default-action-capa; | |||
description | description | |||
"Identity for mirror"; | "Identity for mirror action capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Actions and | of NSFs Capabilities - Actions and | |||
default action"; | default action"; | |||
} | } | |||
identity invoke-signaling { | identity invoke-signaling { | |||
base egress-action-capa; | base egress-action-capa; | |||
description | description | |||
"Identity for invoke signaling"; | "Identity for invoke signaling action capability"; | |||
} | } | |||
identity tunnel-encapsulation { | identity tunnel-encapsulation { | |||
base egress-action-capa; | base egress-action-capa; | |||
description | description | |||
"Identity for tunnel encapsulation"; | "Identity for tunnel encapsulation action capability"; | |||
} | } | |||
identity forwarding { | identity forwarding { | |||
base egress-action-capa; | base egress-action-capa; | |||
description | description | |||
"Identity for forwarding"; | "Identity for forwarding action capability"; | |||
} | } | |||
identity redirection { | identity redirection { | |||
base egress-action-capa; | base egress-action-capa; | |||
description | description | |||
"Identity for redirection"; | "Identity for redirection"; | |||
} | } | |||
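Review bot: the egress action identities were reworded to "... action capability" except redirection, whose description is unchanged at "Identity for redirection"; align it with invoke-signaling, tunnel-encapsulation and forwarding. Two smaller consistency points in the same region: egress-action-capa is the only one of the three action base identities without a reference statement (ingress-action-capa and default-action-capa both cite draft-ietf-i2nsf-capability-04), and "rule log log-action capability" / "session log log-action capability" read awkwardly with the repeated "log"; "Identity for rule-log capability of log action" (and the session equivalent) avoids it.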
identity resolution-strategy-capa { | identity resolution-strategy-capa { | |||
description | description | |||
"Base identity for resolution strategy"; | "Base identity for resolution strategy capabilities"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity fmr { | identity fmr { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
description | description | |||
"Identity for First Matching Rule (FMR)"; | "Identity for First Matching Rule (FMR) resolution | |||
strategy capability"; | ||||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity lmr { | identity lmr { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
description | description | |||
"Identity for Last Matching Rule (LMR)"; | "Identity for Last Matching Rule (LMR) resolution | |||
strategy capability"; | ||||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity pmr { | identity pmr { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
description | description | |||
"Identity for Prioritized Matching Rule (PMR)"; | "Identity for Prioritized Matching Rule (PMR) resolution | |||
strategy capability"; | ||||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity pmre { | identity pmre { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
description | description | |||
"Identity for Prioritized Matching Rule | "Identity for Prioritized Matching Rule | |||
with Errors (PMRE)"; | with Errors (PMRE) resolution strategy capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity pmrn { | identity pmrn { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
description | description | |||
"Identity for Prioritized Matching Rule | "Identity for Prioritized Matching Rule | |||
with No Errors (PMRN)"; | with No Errors (PMRN) resolution strategy capability"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution Strategy"; | of NSFs Capabilities - Resolution Strategy"; | |||
} | } | |||
identity advanced-nsf-capa { | identity advanced-nsf-capa { | |||
description | description | |||
"Base identity for advanced | "Base identity for advanced | |||
network security function capabilities"; | Network Security Function (NSF) capabilities"; | |||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
identity antivirus-capa { | identity anti-virus-capa { | |||
base advanced-nsf-capa; | base advanced-nsf-capa; | |||
description | description | |||
"Identity for antivirus capabilities"; | "Identity for advanced NSF anti-virus capabilities"; | |||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antivirus"; | Controller - Anti-virus"; | |||
} | } | |||
identity antiddos-capa { | identity anti-ddos-capa { | |||
base advanced-nsf-capa; | base advanced-nsf-capa; | |||
description | description | |||
"Identity for antiddos capabilities"; | "Identity for advanced NSF anti-DDoS capabilities"; | |||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity ips-capa { | identity ips-capa { | |||
base advanced-nsf-capa; | base advanced-nsf-capa; | |||
description | description | |||
"Identity for IPS capabilities"; | "Identity for advanced NSF Intrusion Prevention System | |||
(IPS) capabilities"; | ||||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Intrusion Prevention System"; | Controller - Intrusion Prevention System"; | |||
} | } | |||
identity voip-volte-capa { | identity voip-volte-capa { | |||
base advanced-nsf-capa; | base advanced-nsf-capa; | |||
description | description | |||
"Identity for VoIP/VoLTE capabilities"; | "Identity for advanced NSF VoIP/VoLTE capabilities"; | |||
reference | reference | |||
"RFC 3261: SIP: Session Initiation Protocol | "RFC 3261: SIP: Session Initiation Protocol | |||
RFC 8329: Framework for Interface to Network Security | RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
identity detect { | identity detect { | |||
base antivirus-capa; | base anti-virus-capa; | |||
description | description | |||
"Identity for detect capabilities | "Identity for advanced NSF anti-virus detect capability"; | |||
of antivirus"; | ||||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antivirus"; | Controller - Anti-Virus"; | |||
} | } | |||
identity exception-application { | identity exception-application { | |||
base antivirus-capa; | base anti-virus-capa; | |||
description | description | |||
"Identity for exception application capabilities | "Identity for advanced NSF anti-virus exception application | |||
of antivirus"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antivirus"; | Controller - Anti-Virus"; | |||
} | } | |||
identity exception-signature { | identity exception-signature { | |||
base antivirus-capa; | base anti-virus-capa; | |||
description | description | |||
"Identity for exception signature capabilities | "Identity for advanced NSF anti-virus exception signature | |||
of antivirus"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antivirus"; | Controller - Anti-Virus"; | |||
} | } | |||
identity whitelists { | identity white-list { | |||
base antivirus-capa; | base anti-virus-capa; | |||
description | description | |||
"Identity for whitelists capabilities | "Identity for advanced NSF anti-virus white list | |||
of antivirus"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antivirus"; | Controller - Anti-Virus"; | |||
} | } | |||
identity syn-flood-action { | identity syn-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for syn flood action capabilities | "Identity for advanced NSF anti-DDoS sync flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity udp-flood-action { | identity udp-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for udp flood action capabilities | "Identity for advanced NSF anti-DDoS UDP flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity http-flood-action { | identity http-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for http flood action capabilities | "Identity for advanced NSF anti-DDoS HTTP flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity https-flood-action { | identity https-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for https flood action capabilities | "Identity for advanced NSF anti-DDoS HTTPS flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity dns-request-flood-action { | identity dns-request-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for dns request flood action capabilities | "Identity for advanced NSF anti-DDoS DNS Request flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity dns-reply-flood-action { | identity dns-reply-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for dns reply flood action capabilities | "Identity for advanced NSF anti-DDoS DNS Reply flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity icmp-flood-action { | identity icmp-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for icmp flood action capabilities | "Identity for advanced NSF anti-DDoS ICMP flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity sip-flood-action { | identity sip-flood-action { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for sip flood action capabilities | "Identity for advanced NSF anti-DDoS SIP flood | |||
of antiddos"; | action capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity detect-mode { | identity detect-mode { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for detect mode capabilities | "Identity for advanced NSF anti-DDoS detect mode | |||
of antiddos"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity baseline-learn { | identity baseline-learning { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
description | description | |||
"Identity for baseline learn capabilities | "Identity for advanced NSF anti-DDoS baseline learning | |||
of antiddos"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Antiddos"; | Controller - Anti-DDoS"; | |||
} | } | |||
identity signature-set { | identity signature-set { | |||
base ips-capa; | base ips-capa; | |||
description | description | |||
"Identity for signature set capabilities | "Identity for advanced NSF IPS signature set | |||
of IPS"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Intrusion Prevention System"; | Controller - Intrusion Prevention System"; | |||
} | } | |||
identity ips-exception-signature { | identity ips-exception-signature { | |||
base ips-capa; | base ips-capa; | |||
description | description | |||
"Identity for ips exception signature capabilities | "Identity for advanced NSF IPS exception signature | |||
of IPS"; | capability"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller - Intrusion Prevention System"; | Controller - Intrusion Prevention System"; | |||
} | } | |||
identity voice-id { | identity voice-id { | |||
base voip-volte-capa; | base voip-volte-capa; | |||
description | description | |||
"Identity for voice-id capabilities | "Identity for advanced NSF VoIP/VoLTE voice-id | |||
of VoIP/VoLTE"; | capability"; | |||
reference | reference | |||
"RFC 3261: SIP: Session Initiation Protocol"; | "RFC 3261: SIP: Session Initiation Protocol"; | |||
} | } | |||
identity user-agent { | identity user-agent { | |||
base voip-volte-capa; | base voip-volte-capa; | |||
description | description | |||
"Identity for user agent capabilities | "Identity for advanced NSF VoIP/VoLTE user agent | |||
of VoIP/VoLTE"; | capability"; | |||
reference | reference | |||
"RFC 3261: SIP: Session Initiation Protocol"; | "RFC 3261: SIP: Session Initiation Protocol"; | |||
} | } | |||
identity ipsec-capa { | identity ipsec-capa { | |||
description | description | |||
"Base identity for an IPsec"; | "Base identity for an IPsec capabilities"; | |||
} | } | |||
identity ike { | identity ike { | |||
base ipsec-capa; | base ipsec-capa; | |||
description | description | |||
"Identity for an IKE"; | "Identity for an IPSec Internet Key Exchange (IKE) | |||
capability"; | ||||
} | } | |||
identity ikeless { | identity ikeless { | |||
base ipsec-capa; | base ipsec-capa; | |||
description | description | |||
"Identity for an IKEless"; | "Identity for an IPSec without Internet Key | |||
Exchange (IKE) capability"; | ||||
} | } | |||
/* | /* | |||
* Grouping | * Grouping | |||
*/ | */ | |||
grouping nsf-capabilities { | grouping nsf-capabilities { | |||
description | description | |||
"Capabilities of network security funtion"; | "Network Security Function (NSF) Capabilities"; | |||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - I2NSF Flow Security Policy Structure | Functions - I2NSF Flow Security Policy Structure | |||
draft-ietf-i2nsf-capability-04: Information Model | draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Capability Information Model Design"; | of NSFs Capabilities - Capability Information Model Design"; | |||
leaf-list time-capabilities { | leaf-list time-capabilities { | |||
type enumeration { | type enumeration { | |||
enum absolute-time { | enum absolute-time { | |||
description | description | |||
"Capabilities of absolute time. | "Absolute Time Capabilities. | |||
If network security function has the absolute time | If network security function has the absolute time | |||
capability, the network security function | capability, the network security function | |||
supports rule execution according to absolute time."; | supports rule execution according to absolute time."; | |||
} | } | |||
enum periodic-time { | enum periodic-time { | |||
description | description | |||
"Capabilities of periodic time. | "Periodic time capabilities. | |||
If network security function has the periodic time | If network security function has the periodic time | |||
capability, the network security function | capability, the network security function | |||
supports rule execution according to periodic time."; | supports rule execution according to periodic time."; | |||
} | } | |||
} | } | |||
description | description | |||
"This is capabilities for time"; | "Time capabilities"; | |||
} | } | |||
container event-capabilities { | container event-capabilities { | |||
description | description | |||
"Capabilities of events. | "Capabilities of events. | |||
If network security function has | If network security function has | |||
the event capabilities, the network security functions | the event capabilities, the network security functions | |||
supports rule execution according to system event | supports rule execution according to system event | |||
and system alarm."; | and system alarm."; | |||
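Review bot: the new description for identity syn-flood-action reads "advanced NSF anti-DDoS sync flood action capability", but the attack is a TCP SYN flood, not a "sync" flood; change "sync flood" to "SYN flood" so the text matches the identity name and the UDP/HTTP/HTTPS/DNS/ICMP/SIP siblings, which all use the protocol name. Two smaller wording points in the same region: the IPsec identities mix spellings ("Base identity for an IPsec capabilities" is also ungrammatical, and the ike and ikeless descriptions say "IPSec" where the identity name ipsec-capa and the base description use "IPsec"), and the reference strings alternate between "Controller - Anti-virus" and "Controller - Anti-Virus" for the same cited draft. Note also that renaming antivirus-capa, antiddos-capa, whitelists and baseline-learn is a backwards-incompatible change for any existing identityref values, and that pairing the unprefixed exception-signature (anti-virus) with the prefixed ips-exception-signature (IPS) leaves the anti-virus branch with generic, collision-prone names such as detect and white-list in the module's single identity namespace; prefixing them consistently (anti-virus-detect, anti-virus-exception-signature) would avoid that.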
skipping to change at page 33, line 18 ¶ | skipping to change at page 33, line 18 ¶ | |||
Policy Model Overview | Policy Model Overview | |||
draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG | draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG | |||
Data Model for Monitoring I2NSF Network Security | Data Model for Monitoring I2NSF Network Security | |||
Functions - System Alarm and System Events"; | Functions - System Alarm and System Events"; | |||
leaf-list system-event-capa { | leaf-list system-event-capa { | |||
type identityref { | type identityref { | |||
base system-event-capa; | base system-event-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a system event"; | "System event capabilities"; | |||
} | } | |||
leaf-list system-alarm-capa { | leaf-list system-alarm-capa { | |||
type identityref { | type identityref { | |||
base system-alarm-capa; | base system-alarm-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a system alarm"; | "Capabilities for a system alarm"; | |||
} | } | |||
} | } | |||
container condition-capabilities { | container condition-capabilities { | |||
description | description | |||
"Capabilities of conditions."; | "Condition capabilities of conditions."; | |||
container generic-nsf-capabilities { | container generic-nsf-capabilities { | |||
description | description | |||
"Capabilities of conditions. | "Generic condition capabilities. | |||
If a network security function has | If a network security function has | |||
the condition capabilities, the network security function | the condition capabilities, the network security function | |||
supports rule execution according to conditions of IPv4, | supports rule execution according to conditions of IPv4, | |||
IPv6, foruth layer, ICMP, and payload."; | IPv6, TCP, UDP, ICMP, and payload."; | |||
reference | reference | |||
"RFC 791: Internet Protocol | "RFC 791: Internet Protocol | |||
RFC 792: Internet Control Message Protocol | RFC 792: Internet Control Message Protocol | |||
RFC 793: Transmission Control Protocol | RFC 793: Transmission Control Protocol | |||
RFC 2460: Internet Protocol, Version 6 (IPv6) | RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Next Header | Specification - Next Header | |||
RFC 8329: Framework for Interface to Network Security | RFC 8329: Framework for Interface to Network Security | |||
Functions - I2NSF Flow Security Policy Structure | Functions - I2NSF Flow Security Policy Structure | |||
draft-ietf-i2nsf-capability-04: Information Model | draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Design Principles and ECA Policy | of NSFs Capabilities - Design Principles and ECA Policy | |||
Model Overview"; | Model Overview"; | |||
leaf-list ipv4-capa { | leaf-list ipv4-capa { | |||
type identityref { | type identityref { | |||
base ipv4-capa; | base ipv4-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an IPv4 packet"; | "IPv4 packet capabilities"; | |||
reference | reference | |||
"RFC 791: Internet Protocol"; | "RFC 791: Internet Protocol"; | |||
} | } | |||
leaf-list ipv6-capa { | leaf-list ipv6-capa { | |||
type identityref { | type identityref { | |||
base ipv6-capa; | base ipv6-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an IPv6 packet"; | "IPv6 packet capabilities"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) | "RFC 2460: Internet Protocol, Version 6 (IPv6) | |||
Specification - Next Header"; | Specification - Next Header"; | |||
} | } | |||
leaf-list tcp-capa { | leaf-list tcp-capa { | |||
type identityref { | type identityref { | |||
base tcp-capa; | base tcp-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a tcp packet"; | "TCP packet capabilities"; | |||
reference | reference | |||
"RFC 793: Transmission Control Protocol"; | "RFC 793: Transmission Control Protocol"; | |||
} | } | |||
leaf-list udp-capa { | leaf-list udp-capa { | |||
type identityref { | type identityref { | |||
base udp-capa; | base udp-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an udp packet"; | "UDP packet capabilities"; | |||
reference | reference | |||
"RFC 768: User Datagram Protocol"; | "RFC 768: User Datagram Protocol"; | |||
} | } | |||
leaf-list icmp-capa { | leaf-list icmp-capa { | |||
type identityref { | type identityref { | |||
base icmp-capa; | base icmp-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an ICMP packet"; | "ICMP packet capabilities"; | |||
reference | reference | |||
"RFC 2460: Internet Protocol, Version 6 (IPv6) "; | "RFC 2460: Internet Protocol, Version 6 (IPv6) "; | |||
} | } | |||
} | } | |||
container advanced-nsf-capabilities { | container advanced-nsf-capabilities { | |||
description | description | |||
"Capabilities of advanced network security functions, | "Advanced Network Security Function (NSF) Capabilities, | |||
such as anti virus, anti DDoS, IPS, and VoIP/VoLTE."; | such as, anti-virus, anti-DDoS, IPS, and VoIP/VoLTE."; | |||
reference | reference | |||
"RFC 8329: Framework for Interface to Network Security | "RFC 8329: Framework for Interface to Network Security | |||
Functions - Differences from ACL Data Models | Functions - Differences from ACL Data Models | |||
draft-dong-i2nsf-asf-config-01: Configuration of | draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
leaf-list antivirus-capa { | leaf-list anti-virus-capa { | |||
type identityref { | type identityref { | |||
base antivirus-capa; | base anti-virus-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an antivirus"; | "Anti-virus capabilities"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
leaf-list antiddos-capa { | leaf-list anti-ddos-capa { | |||
type identityref { | type identityref { | |||
base antiddos-capa; | base anti-ddos-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an antiddos"; | "Anti-DDoS capabilities"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
leaf-list ips-capa { | leaf-list ips-capa { | |||
type identityref { | type identityref { | |||
base ips-capa; | base ips-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an ips"; | "Intrusion Prevention System (IPS) capabilities"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
leaf-list url-capa { | leaf-list url-capa { | |||
type identityref { | type identityref { | |||
base url-capa; | base url-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a url category"; | "URL capabilities"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
leaf-list voip-volte-capa { | leaf-list voip-volte-capa { | |||
type identityref { | type identityref { | |||
base voip-volte-capa; | base voip-volte-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a voip and volte"; | "VoIP and VoLTE capabilities"; | |||
reference | reference | |||
"draft-dong-i2nsf-asf-config-01: Configuration of | "draft-dong-i2nsf-asf-config-01: Configuration of | |||
Advanced Security Functions with I2NSF Security | Advanced Security Functions with I2NSF Security | |||
Controller"; | Controller"; | |||
} | } | |||
} | } | |||
leaf-list context-capabilities { | leaf-list context-capabilities { | |||
type identityref { | type identityref { | |||
base context-capa; | base context-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a context security"; | "Security context capabilities"; | |||
} | } | |||
} | } | |||
container action-capabilities { | container action-capabilities { | |||
description | description | |||
"Capabilities of actions. | "Action Capabilities of actions. | |||
If network security function has | If the Network Security Function (NSF) has | |||
the action capabilities, the network security function | action capabilities, it supports the attendant | |||
supports rule execution according to actions."; | actions for policy rules."; | |||
leaf-list ingress-action-capa { | leaf-list ingress-action-capa { | |||
type identityref { | type identityref { | |||
base ingress-action-capa; | base ingress-action-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an action"; | "Ingress-action capabilities"; | |||
} | } | |||
leaf-list egress-action-capa { | leaf-list egress-action-capa { | |||
type identityref { | type identityref { | |||
base egress-action-capa; | base egress-action-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an egress action"; | "Egress-action capabilities"; | |||
} | } | |||
leaf-list log-action-capa { | leaf-list log-action-capa { | |||
type identityref { | type identityref { | |||
base log-action-capa; | base log-action-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a log action"; | "Log-action capabilities"; | |||
} | } | |||
} | } | |||
leaf-list resolution-strategy-capabilities { | leaf-list resolution-strategy-capabilities { | |||
type identityref { | type identityref { | |||
base resolution-strategy-capa; | base resolution-strategy-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a resolution strategy. | "Resolution strategy capabilities. | |||
The resolution strategies can be used to | The resolution strategies can be used to | |||
specify how to resolve conflicts that occur between | specify how to resolve conflicts that occur between | |||
the actions of the same or different policy rules that | the actions of the same or different policy rules that | |||
are matched and contained in this particular NSF"; | are matched for the same packet and by a particular NSF"; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Resolution strategy"; | of NSFs Capabilities - Resolution strategy"; | |||
} | } | |||
leaf-list default-action-capabilities { | leaf-list default-action-capabilities { | |||
type identityref { | type identityref { | |||
base default-action-capa; | base default-action-capa; | |||
} | } | |||
description | description | |||
"Capabilities for a default action. | "Default Action capabilities. | |||
A default action is used to execute I2NSF policy rule | A default action is used to execute I2NSF policy rules | |||
when no rule matches a packet. The default action is | when no rule matches a packet. The default action is | |||
defined as pass, drop, reject, alert, and mirror."; | defined as pass, drop, reject, alert, or mirror."; | |||
reference | reference | |||
"draft-ietf-i2nsf-capability-04: Information Model | "draft-ietf-i2nsf-capability-04: Information Model | |||
of NSFs Capabilities - Default action"; | of NSFs Capabilities - Default action"; | |||
} | } | |||
leaf-list ipsec-method { | leaf-list ipsec-method { | |||
type identityref { | type identityref { | |||
base ipsec-capa; | base ipsec-capa; | |||
} | } | |||
description | description | |||
"Capabilities for an IPsec method"; | "IPsec method capabilities"; | |||
reference | reference | |||
" draft-ietf-i2nsf-sdn-ipsec-flow-protection-04"; | "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04"; | |||
} | } | |||
} | } | |||
/* | /* | |||
* Data nodes | * Data nodes | |||
*/ | */ | |||
container nsf { | container nsf { | |||
description | description | |||
"The list of capabilities of | "The list of Network Security Function (NSF) capabilities"; | |||
network security function"; | ||||
uses nsf-capabilities; | uses nsf-capabilities; | |||
} | } | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
Figure 3: YANG Data Module of I2NSF Capability | Figure 3: YANG Data Module of I2NSF Capability | |||
7. IANA Considerations | 7. IANA Considerations | |||
This document requests IANA to register the following URI in the | This document requests IANA to register the following URI in the | |||
"IETF XML Registry" [RFC3688]: | "IETF XML Registry" [RFC3688]: | |||
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | Uri: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability | |||
Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
XML: N/A; the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
This document requests IANA to register the following YANG module in | This document requests IANA to register the following YANG module in | |||
the "YANG Module Names" registry [RFC7950]. | the "YANG Module Names" registry [RFC7950]. | |||
name: ietf-i2nsf-capability | name: ietf-i2nsf-capability | |||
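Review bot: the reference for leaf-list icmp-capa is "RFC 2460: Internet Protocol, Version 6 (IPv6) " (with a trailing space inside the string), which is the IPv6 specification rather than ICMP; cite RFC 792 (already listed in the generic-nsf-capabilities reference block) and, if ICMPv6 is in scope, RFC 4443. While touching references, RFC 2460 has been obsoleted by RFC 8200, so the ipv6-capa reference and the container reference should point there. Related gaps in the same region: the generic-nsf-capabilities description now lists "payload" among the supported conditions, but the container defines only ipv4-capa, ipv6-capa, tcp-capa, udp-capa and icmp-capa, with no payload leaf-list; leaf-list url-capa uses base url-capa, which is not among the identities derived from advanced-nsf-capa anywhere in this diff, so confirm it is declared elsewhere in the module; the new descriptions "Condition capabilities of conditions." and "Action Capabilities of actions." are redundant, "such as, anti-virus" has a stray comma, and the default-action text "used to execute I2NSF policy rules when no rule matches a packet" should say that the NSF applies the default action when no policy rule matches. Finally, the IANA Considerations changed "URI:" to "Uri:", which deviates from the IETF XML Registry template used everywhere else; revert to "URI:".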
End of changes. 226 change blocks. | ||||
346 lines changed or deleted | 323 lines changed or added | |||