yang models for i2nsf capabilities
play

Yang Models for I2NSF Capabilities - PowerPoint PPT Presentation

Oct 25, 2022 •95 likes •258 views

Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author: Robert Moskowitz` Capability Model (Xia, et al.) External Meta External ECA Model Model Capability sub-model Attack Mitigation Network Security

  1. Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author: Robert Moskowitz`

  2. Capability Model (Xia, et al.) External Meta External ECA Model Model Capability sub-model Attack Mitigation Network Security Content Security Sub-model Sub-Model Sub-Model draft-xia-i2nsf-capability-interface-im-06.txt

  3. Capability sub-model Common Super Class for ECA ECA Policy Rule Objects Ietf-pkt-eca-policy Ietf-pkt-eca-policy Event = packet reception ECA Policy rules Conditions, Actions

  4. Uses common ietf-i2nsf-capability packet ECA Filter +--rw nsf-capabilities with config, I2RS, +--rw capability* [name] +--rw nsf-name string BGP-FS storage +--rw cfg-net-secctl-capabilities | uses pkt-eca-policy:pkt-eca-policy-set +--rw cfg-net-sec-content-capabilities | uses i2nsf-content-caps Common packet ECA | uses i2nsf-content-sec-actions Filters are done so that +--rw cfg-attack-mitigate-capabilities* common actions in routers with firewalls, or | uses i2nsf-mitigate-caps firewalls with routing +--rw ITResource [ITresource-name] have common policy | uses cfg-ITResources rules to compare for conflict resolution

  5. Network Security Network Security Sub-Model +--rw cfg-net-secctl-capabilities | uses pkt-eca-policy:pkt-eca-policy-set Additional Index by which to loo-up information – Not in module ietf-pkt-eca-policy Global Model, +--rw pkt-eca-policy-cfg but necessary for ease of use | +--rw pkt-eca-policy-set | +--rw groups* [group-name] | | +--rw group-name string | | +--rw vrf-name string | | +--rw address-family | | +--rw group-rule-list* [rule-name] | | | +--rw rule-name | | | +--rw rule-order-id | | | +--rw default-action-id integer | | | +--rw default-resolution-strategy-id integer

  6. External ECA Model Security Policy Rule Apply Accounting Apply Profile Authentication Signature ECA Policy ECAPolicy Rule ECA Policy Rule Policy Rule Rule Traffic Authorization Inspectiion ECA Policy Rule Policy rule

  7. Figure 7 (Xia, et al) Linked to Yang Traffic Inspection Traffic Inspection Method Policy rule Traffic Inspection detail MGT ECA Policy Rule Rule # (config + opstate) Rule Name OP-State Configuration External Rule Policy Statistics Installed Rule Data Match Conflict on match status Action Needed Condition Resolution

  8. Xia et al. Info Model Lacks detail on Content Security Control Attack Mitigation capabilities Capabilities Attack SYN flood Anti-virus UDP flood • Intrusion Prevention ICMP flood • URL Filtering IP fragment flood, • File Blocking IPv6 related attacks • Data Filtering HTTP flood, • Application Behavior Control HTTPS flood • Mail Filtering DNS flood, • Packet Capturing DNS amplification, • File Isolation SSL DDoS, • IP sweep, Draft-hares-i2nsf- Draft-jeong-i2nsf- Port scanning capability treats as capbility-interface Ping of Death, capabilities to be treats as actions Oversized ICMP queried

  9. Network Security module ietf-pkt-eca-policy Sub-Model +--rw pkt-eca-policy-cfg | +--rw pkt-eca-policy-set | +--rw groups | | …. | +--rw rules* [order-id rule-name] | +--rw order-id | +--rw rule-name Condition rules | +--rw cfg-rule-conditions [cfgr-cnd-id] | | +--rw cfgr-cnd-id integer Event (time, user) | | +--rw eca-event-match | | | +--rw time-event-match* | | | | ... | | | +--rw user-event-match* Condition rules | | | | ... Packet (L1-L4) header, | | +--rw eca-condition-match Context) | | | +--rw eca-pkt-matches* | | | | ... (L1-L4 matches) | | | +--rw eca-user-matches* | | | | ... (user, schedule, region, target, state direction

  10. Jeong Comparison +--rw policy +--rw policy-name string +--rw policy-id string +--rw rule *[rule-id] +--rw rule-name string +--rw rule-id uint 8 Condition rules +--rw event Event (time, user) | +-- rw time-event-list? *[time-id] | …. | +--rw user-action? | … Condition rules +--rw condition Packet (L1-L4) header, | +--rw packet-content-values Context) | …. | +--rw context values | (user, schedule, region, target, device, state)

  11. module ietf-pkt-eca-policy +--rw pkt-eca-policy-cfg Network Security | +--rw pkt-eca-policy-set Sub-Model | +--rw groups | | …. | +--rw rules* [order-id rule-name] | +--rw order-id | +--rw rule-name | +--rw cfg-rule-conditions [cfgr-cnd-id] Actions | ….. | +--rw cfg-rule-actions [cfgr-action-id] | | +--rw cfgr-action-id | | +--rw eca-actions* [action-id] | | | +--rw action-id uint32 | | | +--rw eca-ingress-act* | | | | ... (permit, deny, mirror) | | | +--rw eca-fwd-actions* | | | | ... (invoke, tunnel encap, fwd) | | | +--rw eca-egress-act* | | | | .. . | | | +--rw eca-qos-actions* | | | | ... | | | +--rw eca-security-actions*

  12. module ietf-pkt-eca-policy +--rw pkt-eca-policy-cfg Network Security | +--rw pkt-eca-policy-set Sub-Model | +--rw groups | | …. | +--rw rules* [order-id rule-name] | +--rw order-id | +--rw rule-name Policy on | +--rw cfg-rule-conditions [cfgr-cnd-id] resolving | ….. Policy conflicts | +--rw cfg-rule-actions [cfgr-action-id] | |…… – Not in global | +--rw pc-resolution-strategies* [strategy-id] model | | +--rw strategy-id integer | | +--rw filter-strategy identityref | | | .. FMR, ADTP, Longest-match | | +--rw global-strategy identityref | | +--rw mandatory-strategy identityref | | | +--rw local-strategy identityref | | +--rw resolution-fcn uint32 | | +--rw resolution-value uint32 | | +--rw resolution-info string | | +--rw associated-ext-data* | | | +--rw ext-data-id integer *

  13. module ietf-pkt-eca-policy Network Security +--rw pkt-eca-policy-cfg Sub-Model | +--rw pkt-eca-policy-set | +--rw groups | | …. | +--rw rules* [order-id rule-name] | +--rw order-id | +--rw rule-name | +--rw cfg-rule-conditions [cfgr-cnd-id] | ….. | +--rw cfg-rule-actions [cfgr-action-id] | |…… | +--rw pc-resolution-strategies* [strategy-id] | |…. | +--rw cfg-external-data External Data | | +--rw cfg-ext-data-id | | ….

  14. Jeong Comparison +--rw policy +--rw policy-name string +--rw policy-id string +--rw rule *[rule-id] +--rw rule-name string Advanced security +--rw rule-id uint 8 actions need to be +--rw event resolved | … +--rw condition | …. +--rw action | choice of ingress, egress, advance actions) | advance actions = content security control (normal + voip) | + attack mitigation | +--rpcs (time-event add/delete, user add/delete, region add/delete)

  15. Recommendation • IM/DM need to determine if Content Security Control Capabilities and Attack Mitigation capabilities - are queried or advanced actions, • Use of rpcs for addition: – Events – Conditions, – Actions • Merging of basic functions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Yang-Push Notification Capabilities tle Balazs Lengyel, Alex Clemm, Benoit Claise 11/18/2019

Yang-Push Notification Capabilities tle Balazs Lengyel, Alex Clemm, Benoit Claise 11/18/2019

Yang-Push Notification Capabilities tle Balazs Lengyel, Alex Clemm, Benoit Claise 11/18/2019 draft-ietf-netconf-notification-capabilities-05/06 The problem A contract MAYBe A YANG-Push Publisher has a

419 views • 5 slides
YANG Data Models for TE and RSVP drafu-ietg-teas-yang-te-08 drafu-ietg-teas-yang-rsvp-07

YANG Data Models for TE and RSVP drafu-ietg-teas-yang-te-08 drafu-ietg-teas-yang-rsvp-07

YANG Data Models for TE and RSVP drafu-ietg-teas-yang-te-08 drafu-ietg-teas-yang-rsvp-07 drafu-ietg-teas-yang-rsvp-te-01 code @ htups://github.com/ietg-mpls-yang/te Tarek Saad (Presenter) and Rakesh Gandhi, Cisco Systems Vishnu Pavan Beeram,

493 views • 17 slides
People Movement Modeling Capabilities and Expansion of Current Models for Broader and More

People Movement Modeling Capabilities and Expansion of Current Models for Broader and More

People Movement Modeling Capabilities and Expansion of Current Models for Broader and More Robust Uses Fire and Evacuation Modelling Technical Conference 2016 Jennifer Wiley Michael Ferreira Steven Strege Agenda Background

362 views • 24 slides
Image Formation and Camera Models Allen Y. Yang Berkeley EE 225b Feb 28th, 2007 Allen Y. Yang

Image Formation and Camera Models Allen Y. Yang Berkeley EE 225b Feb 28th, 2007 Allen Y. Yang

Outline Images and Projection Models Camera Models Camera Intrinsic Parameters Image Formation and Camera Models Allen Y. Yang Berkeley EE 225b Feb 28th, 2007 Allen Y. Yang Image Formation and Camera Models Outline Images and Projection

1.12k views • 13 slides
Capabilities Richard Johns & Gerald Schmidt Contents Brief Review of STAR-CD/es-ice v4.20

Capabilities Richard Johns & Gerald Schmidt Contents Brief Review of STAR-CD/es-ice v4.20

In-Cylinder Engine Calculations: New Features and Upcoming Capabilities Richard Johns & Gerald Schmidt Contents Brief Review of STAR-CD/es-ice v4.20 Combustion Models Spray Models LES New Physics Developments in v4.22

534 views • 41 slides
YANG Data Models for TE and RSVP Tunnels and Interfaces

YANG Data Models for TE and RSVP Tunnels and Interfaces

YANG Data Models for TE and RSVP Tunnels and Interfaces dra;-saad-teas-yang-te-00 dra;-saad-teas-yang-rsvp-00 Tarek Saad

731 views • 15 slides
NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

I nternational Telecom m unication Union ITU-T NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1 April 2 0 0 6 NGN OAM Activities Update

777 views • 15 slides
Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
Modular Matrix Models & Monstrous Moonshine: Yang-Hui He Dept. of Physics and Math/Physics

Modular Matrix Models & Monstrous Moonshine: Yang-Hui He Dept. of Physics and Math/Physics

Modular Matrix Models & Monstrous Moonshine: Yang-Hui He Dept. of Physics and Math/Physics RG, Univ. of Pennsylvannia hep-th/0306092, In Collaboration with: Vishnu Jejjala Feb, 2004, Madison, Wisconsin Modular Matrix Models and Monstrous

479 views • 31 slides
A case study with neutrino interaction models for Ar and CH Guang Yang 1 / 9 Motivation In

A case study with neutrino interaction models for Ar and CH Guang Yang 1 / 9 Motivation In

A case study with neutrino interaction models for Ar and CH Guang Yang 1 / 9 Motivation In order to examine the importance of CH - Build a world that in ND, Ar model does not describe the true universe. - The Ar model will tune its

130 views • 9 slides
Nonstandard Models of Arithmetic and Ramsey Theorem Yang Yue Department of Mathematics National

Nonstandard Models of Arithmetic and Ramsey Theorem Yang Yue Department of Mathematics National

Nonstandard Models of Arithmetic and Ramsey Theorem Yang Yue Department of Mathematics National University of Singapore September 23, 2013 Main Theme This talk is on C ombinatorics, C omputability and R everse Mathematics. Motivations:

1.16k views • 90 slides
Sharp Nearby, Fuzzy Far Away: How Neural Language Models Use Context Zhen Yang,Wei Chen,

Sharp Nearby, Fuzzy Far Away: How Neural Language Models Use Context Zhen Yang,Wei Chen,

Sharp Nearby, Fuzzy Far Away: How Neural Language Models Use Context Zhen Yang,Wei Chen, FengWang, Bo Xu Chinese Academy of Sciences Jing Ye NLP Lab, Soochow University 1 Outline Task Definition Challenges and Solution Approach

453 views • 30 slides
Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues Upfront Costs - Financing (PPAs, Tax Credits, ESCOs) Split Incentive Alternatives - Virtual Net Metering Where to start? Intelligent

640 views • 8 slides
Lecture 05:Examples of & Metrics for Process Models what are the constituting elements of

Lecture 05:Examples of & Metrics for Process Models what are the constituting elements of

Contents & Goals Last Lecture: procedure models (iterative, incremental, spiral, etc.), difference to process models, Softwaretechnik / Software-Engineering software metrics This Lecture: Educational Objectives: Capabilities for

379 views • 10 slides
Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial

Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial

Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial Capabilities Thistle Home Thistle is Market Ready Service Targets Benefits to AtBC Thistle Team & Workflow What is Thistle?

522 views • 12 slides
Action - Based Models for Belief - Space Planning Li Yang Ku , Shiraj Sen , Erik G . Learned -

Action - Based Models for Belief - Space Planning Li Yang Ku , Shiraj Sen , Erik G . Learned -

Action - Based Models for Belief - Space Planning Li Yang Ku , Shiraj Sen , Erik G . Learned - Miller and Roderic A . Grupen Goals Address the dual problems of modeling and reasoning by employing an action - based model grounded in the robot

630 views • 6 slides
A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio

A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio

Complex Systems A Simulation-Based Approach Current Prototype Conclusions A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio Telmon 1 Daniele Sgandurra 2 1 Dipartimento di Informatica, Universit` a

601 views • 29 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

716 views • 60 slides
Outline Basics of network security Network Security Definitions CS 239 Sample

Outline Basics of network security Network Security Definitions CS 239 Sample

Outline Basics of network security Network Security Definitions CS 239 Sample attacks Computer Software Defense mechanisms March 1, 2004 Lecture 12 Lecture 12 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004 Some

535 views • 8 slides
Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste & Justine Sherry & (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides
CS333 Intro to Operating Systems Jonathan Walpole Security Overview Different aspects of

CS333 Intro to Operating Systems Jonathan Walpole Security Overview Different aspects of

CS333 Intro to Operating Systems Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses,

1.2k views • 59 slides
Goals for Today Learning Objective: Understand why secure systems fail Announcements,

Goals for Today Learning Objective: Understand why secure systems fail Announcements,

Goals for Today Learning Objective: Understand why secure systems fail Announcements, etc: MP3 is now available for download on Compass! DUE APRIL 15th (5 days from now) MP2.5 enrollment now closed! MP4 Release Date

297 views • 19 slides
Internet Discussion Theme: Death by TLAs Slides with * are not testable material

Internet Discussion Theme: Death by TLAs Slides with * are not testable material

Internet Discussion Theme: Death by TLAs Slides with * are not testable material Theme of the Day - An analysis: Well, technically most are initialisms, because we say each letter as opposed to sounding them out as one word.

601 views • 29 slides

More recommend