Hi all,

Firstly, I really like Sue's design of the I2NSF capability interface data model even though it's in the very beginning stage now. I think it's very promising. My comments to Diego:
From: I2nsf [mailto:[email protected]] on behalf of DIEGO LOPEZ GARCIA
Sent: 9 June 2016 5:41
To: Susan Hares
Cc: [email protected]; [email protected]; Linda Dunbar
Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models

Hi,

Just a quick reply from a not too deep reading and a few minutes of thinking about it. I see this approach promising, and better structured than previous proposals on how to work at the Capability interface.

[Frank]: Could you please remind me what the "previous proposals" are? Do you mean the current information model design? Any more details?

It is my impression that this is well aligned with the model we have been applying in the SECURED project.

Be goode,

On 8 Jun 2016, at 19:23, Susan Hares <[email protected]> wrote:

I'm working on some data models for I2NSF that intersect with I2RS Filter-Based RIB Models and BGP Flow Specification Data models. I could use some advice from the authors of the following information models. My focus is to be able to use the flow filter Yang models (I2NSF packet-filters, Filter-Based RIB (config, I2RS, BGP input), and BGP Flow Specification transmission of filters) to drive the simple firewall rules found in the Linux iptables user program (netfilter kernel module). I am trying to get a set of Yang data models that can interact with a process (e.g. iptable++ user program named flow-filters) that communicates with a confd (cisco netconf daemon set) that handles NETCONF/RESTCONF and uses Yang to create the data base.
I am creating prototype Data models that mirror the following drafts:

• Capability model for South Bound interface (I2NSF manager to NSF device) https://datatracker.ietf.org/doc/draft-xia-i2nsf-capability-interface-im/
• Inter-Cloud DDoS Mitigation API – https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos-mitigation-api/
• An Information Model for the Monitoring of Network Security Functions - https://tools.ietf.org/html/draft-zhang-i2nsf-info-model-monitoring-00

My understanding is the I2NSF capability interface focuses on the south-bound interface to the NSF. To start out a Yang data model, I have created high-level Yang structures for these three models. I'll be asking questions about each model in a separate email thread, but answer me in any email thread.

First on the capability model, network security control is a list of ECA policies, network security content capability is a list of security content capabilities, and attack mitigation is a list of attack mitigation capabilities. A suggested Yang High-level model structure is below. My question is how does an I2NSF manager engage the packet security policies? Does putting a policy in the network security control mean it gets transmitted to the NSF device, and installed? Does the capability model provide both the way to list the functions (security content and mitigation) and a way to engage these functions?
Sue Hares

Initial Yang models
----------

ietf-i2nsf-capability-SBI
+--rw i2nsf-policy-list
   +--rw policy-list-name    string   - name of policy list
   +--rw i2nsf-policy-rule* [name]
      +--rw name             string   - name of policy rule
      +--rw net-sec-ctl-rules
         uses ietf-pkt-eca-sec-policy  // packet ECA security policy
      +--rw net-sec-content           // list of content security capabilities
         uses i2nsf-sec-content       // grouping of security capabilities
      +--rw net-attack-mitigate       // list of mitigation capabilities
         uses i2nsf-mitigate-rules    // grouping of mitigation capabilities

Is this a good way to start the capabilities structure? I have definitions for each of the "uses" statements in different models, but I need help understanding if this structure is correct. ietf-pkt-eca-sec-policy can be an extension of the I2RS/Configuration filters for packet Filter-Based RIBS.

For the i2nsf-sec-content-capability, does this form make sense:

+--i2nsf-sec-content
   +--rw i2nsf-sec-content-cap* [order-id function-set-name]
      +--rw order-id                  // order # if in ordered list
      +--rw function-set-name string  // name for function
      +--rw anti-virus                // basic security content action
      |  +--rw public-anti-virus [name]    // anti-virus capability from public sources
      |  |  …                              // (yang structure details)
      |  +--rw vendor-anti-virus [vendor]  // anti-virus capability from vendor
      |  |  ….

The mitigation has a similar structure to the i2nsf-sec-content.

+--i2nsf-attack-mitigation
   +--rw i2nsf-attack-mitigate-fcn* [order-id, fcn-name]
      +--rw order-id
      +--rw fcn-name
      +--rw syn-flood
      |  +--rw public-syn-flood* [name]
      |  |  ...
      |  +--rw vendor-syn-flood* [vendor]
      |  |  ...
      +--rw UDP flood

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf

--
"This time we will not fail, Doctor Infierno"
Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/
e-mail: [email protected]
Tel: +34 913 129 041
Mobile: +34 682 051 091
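As an added illustration, not Sue's module nor text from any I2NSF draft, the sketch below renders her three tree fragments as one YANG 1.1 module, showing how the "uses" statements, the composite list keys and the ordered capability lists from the tree diagrams would be written in YANG syntax. The module name and namespace are placeholders, and the ECA grouping from ietf-pkt-eca-sec-policy is only referenced in a comment since that model is not on this page.

```yang
module example-i2nsf-capability-sbi {
  yang-version 1.1;
  namespace "urn:example:i2nsf-capability-sbi";  // placeholder namespace
  prefix i2nsf-cap;
  // Content-security capabilities: user-ordered list of named function sets.
  grouping i2nsf-sec-content {
    list i2nsf-sec-content-cap {
      key "order-id function-set-name";  // composite key from the tree
      ordered-by user;                   // order-id gives the list order
      leaf order-id { type uint32; }
      leaf function-set-name { type string; }
      container anti-virus {
        list public-anti-virus {         // capability from public sources
          key "name";
          leaf name { type string; }
        }
        list vendor-anti-virus {         // capability from a vendor
          key "vendor";
          leaf vendor { type string; }
        }
      }
    }
  }
  // Attack-mitigation capabilities follow the same shape.
  grouping i2nsf-mitigate-rules {
    list i2nsf-attack-mitigate-fcn {
      key "order-id fcn-name";
      ordered-by user;
      leaf order-id { type uint32; }
      leaf fcn-name { type string; }
      container syn-flood {
        list public-syn-flood { key "name"; leaf name { type string; } }
        list vendor-syn-flood { key "vendor"; leaf vendor { type string; } }
      }
      container udp-flood { presence "UDP-flood mitigation is offered"; }
    }
  }
  // A policy rule bundles the two capability sets; net-sec-ctl-rules would
  // 'uses' a grouping imported from ietf-pkt-eca-sec-policy (omitted here).
  container i2nsf-policy-list {
    leaf policy-list-name { type string; }
    list i2nsf-policy-rule {
      key "name";
      leaf name { type string; }
      container net-sec-content { uses i2nsf-sec-content; }
      container net-attack-mitigate { uses i2nsf-mitigate-rules; }
    }
  }
}
```

Because both capability lists are config true and keyed on order-id plus a name, a manager can add, reorder or delete individual capability entries with ordinary NETCONF edit-config operations without touching the rest of the policy rule.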
