Interface to Network Security Functions (I2NSF) L. Xia Internet-Draft Q. Lin Intended status: Standards Track Huawei Expires: September 13, 2017 March 12, 2017 Policy Object for Interface to Network Security Functions (I2NSF) draft-xia-i2nsf-security-policy-object-00 Abstract This document describes policy objects used in the Interface to Network Security Functions (I2NSF) policy rules and defines the attributes of each policy object. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 13, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Xia & Lin Expires September 13, 2017 [Page 1] Internet-Draft Policy Object for I2NSF March 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Policy Object . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Address Object . . . . . . . . . . . . . . . . . . . . . 5 4.1.1. The addressName Attribute . . . . . . . . . . . . . . 5 4.1.2. The addressRange Attribute . . . . . . . . . . . . . 5 4.2. Address Group Object . . . . . . . . . . . . . . . . . . 6 4.2.1. The addressGroupName Attribute . . . . . . . . . . . 6 4.2.2. The addressReference Attribute . . . . . . . . . . . 6 4.2.3. The addressRange Attribute . . . . . . . . . . . . . 6 4.3. Domain Group Object . . . . . . . . . . . . . . . . . . . 6 4.3.1. The domainGroupName Attribute . . . . . . . . . . . . 6 4.3.2. The domainNameList Attribute . . . . . . . . . . . . 7 4.4. Region Object . . . . . . . . . . . . . . . . . . . . . . 7 4.4.1. The regionName Attribute . . . . . . . . . . . . . . 7 4.4.2. The regionLocation Attribute . . . . . . . . . . . . 7 4.4.2.1. The regionLongitude Attribute . . . . . . . . . . 7 4.4.2.2. The regionLatitude Attribute . . . . . . . . . . 7 4.4.3. The regionIPAddress Attribute . . . . . . . . . . . . 7 4.5. Region Group Object . . . . . . . . . . . . . . . . . . . 8 4.5.1. The regionGroupName Attribute . . . . . . . . . . . . 8 4.5.2. The regionGroupReference Attribute . . . . . . . . . 8 4.6. Service Object . . . . . . . . . . . . . . . . . . . . . 8 4.6.1. The serviceName Attribute . . . . . . . . . . . . . . 8 4.6.2. The serviceList Attribute . . . . . . . . . . . . . . 8 4.6.2.1. The serviceProtocol Attribute . . . . . . . . . . 8 4.6.2.2. The serviceProtocolNumber Attribute . . . . . . . 8 4.6.2.3. The serviceSourcePort Attribute . . . . . . . . . 9 4.6.2.4. The serviceDestinationPort Attribute . . . . . . 9 4.6.2.5. The serviceICMPType Attribute . . . . . . . . . . 9 4.7. Service Group Object . . . . . . . . . . . . . . . . . . 9 4.7.1. The serviceGroupName Attribute . . . . . . . . . . . 9 4.7.2. The serviceReference Attribute . . . . . . . . . . . 9 4.8. Application Object . . . . . . . . . . . . . . . . . . . 10 4.8.1. The applicationName Attribute . . . . . . . . . . . . 10 4.8.2. The applicationCategory Attribute . . . . . . . . . . 10 4.8.3. The applicationSubCategory Attribute . . . . . . . . 10 4.8.4. The applicationTransmissionModel Attribute . . . . . 10 4.8.5. The applicationLabel Attribute . . . . . . . . . . . 10 4.8.6. The applicationRiskLevel Attribute . . . . . . . . . 10 4.9. Application Group Object . . . . . . . . . . . . . . . . 10 4.9.1. The applicationGroupName Attribute . . . . . . . . . 11 4.9.2. The applicationReference Attribute . . . . . . . . . 11 4.10. Schedule Object . . . . . . . . . . . . . . . . . . . . . 11 4.10.1. The scheduleName Attribute . . . . . . . . . . . . . 11 Xia & Lin Expires September 13, 2017 [Page 2] Internet-Draft Policy Object for I2NSF March 2017 4.10.2. The scheduleList Attribute . . . . . . . . . . . . . 11 4.10.2.1. The scheduleType Attribute . . . . . . . . . . . 11 4.10.2.2. The scheduleStartTime Attribute . . . . . . . . 11 4.10.2.3. The scheduleEndTime Attribute . . . . . . . . . 11 4.10.2.4. The scheduleWeekDay Attribute . . . . . . . . . 11 4.11. User Object . . . . . . . . . . . . . . . . . . . . . . . 12 4.11.1. The userName Attribute . . . . . . . . . . . . . . . 12 4.11.2. The userParentGroup Attribute . . . . . . . . . . . 12 4.11.3. The userSecurityGroup Attribute . . . . . . . . . . 12 4.11.4. The userDomain Attribute . . . . . . . . . . . . . . 12 4.11.5. The userPassword Attribute . . . . . . . . . . . . . 12 4.11.6. The userExpirationTime Attribute . . . . . . . . . . 12 4.11.7. The userAllowSharing Attribute . . . . . . . . . . . 13 4.11.8. The userBindingStatus Attribute . . . . . . . . . . 13 4.11.9. The userBindingAddress Attribute . . . . . . . . . . 13 4.12. User Group Object . . . . . . . . . . . . . . . . . . . . 13 4.12.1. The userGroupName Attribute . . . . . . . . . . . . 13 4.12.2. The userGroupParentGroup Attribute . . . . . . . . . 13 4.12.3. The userGroupDomain Attribute . . . . . . . . . . . 14 4.12.4. The userGroupReference Attribute . . . . . . . . . . 14 4.12.5. The userGroupAllowSharing Attribute . . . . . . . . 14 4.13. Security Group Object . . . . . . . . . . . . . . . . . . 14 4.13.1. The securityGroupName Attribute . . . . . . . . . . 14 4.13.2. The securityGroupParentGroup Attribute . . . . . . . 14 4.13.3. The securityGroupDomain Attribute . . . . . . . . . 14 4.13.4. The securityGroupType Attribute . . . . . . . . . . 14 4.13.5. The securityGroupReference Attribute . . . . . . . . 15 4.13.6. The securityGroupFilters Attribute . . . . . . . . . 15 4.13.7. The securityGroupAllowSharing Attribute . . . . . . 15 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction I2NSF policy consists of policy rules that are used to provision NSF instances. The I2NSF policy rule is defined by using "Event- Condition-Action" (ECA) model described in Framework for Interface to Network Security Functions [I-D.ietf-i2nsf-framework]. In the ECA model, a condition is used to determine whether or not the predefined actions should be executed. A condition usually consists of several attributes. Information Model of NSFs Capabilities [I-D.ietf-i2nsf-capability] describes or illustrates attributes of different Condition subclasses. When configuring policy rules by Xia & Lin Expires September 13, 2017 [Page 3] Internet-Draft Policy Object for I2NSF March 2017 using attributes, it is no surprise to see that the same value of an attribute or the same value set of several attributes are configured for several times or more. And modifications of the policy rules are also very complex and time-consuming. To facilitate the provisioning of NSF instances, this document describes a set of policy objects which are reusable and can be referenced by variable I2NSF policy rules. A policy object can be identified by a set of data items, such as IP addresses, TCP/UDP ports, and domain names. Each policy object is predefined and named in order to be used in I2NSF policy rules. By defining policy objects, the creation and maintenance of policy rules are greatly simplified. o A policy object can be referenced in different policy rules as required to provide re-usability. And a policy rule can reference several policy objects. o The modification of a policy object will be propagated to the I2NSF policy rules that reference this object. No modification should be made to the related policy rules. In this document, a set of policy objects are described, and for each policy object, several related attributes are defined. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Terminology This document uses the terminology described in Interface to Network Security Functions (I2NSF) Terminology [I-D.ietf-i2nsf-terminology]. 4. Policy Object Policy objects are collections of commonly used condition attributes. Different policy objects consist of different attributes. For each policy object, a description of this policy object may be an optional attribute. The following figure shows the policy objects defined in this document. Xia & Lin Expires September 13, 2017 [Page 4] Internet-Draft Policy Object for I2NSF March 2017 Policy Object | +---Address Object | +---Address Group Object | +---Domain Group Object | +---Region Object | +---Region Group Object | +---Service Object | +---Service Group Object | +---Application Object | +---Application Group Object | +---Schedule Object | +---User Object | +---User Group Object | +---Security Group Object Figure 1: The policy objects 4.1. Address Object An address object is a collection of IPv4/IPv6 addresses or MAC addresses. It consists of the following attributes: 4.1.1. The addressName Attribute This attribute defines the unique name of the address object. 4.1.2. The addressRange Attribute This attribute defines a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. Xia & Lin Expires September 13, 2017 [Page 5] Internet-Draft Policy Object for I2NSF March 2017 The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range. 4.2. Address Group Object An address group object is composed of several address items that require the same policy enforcement. An address item can be an IPv4/ IPv6 address, or a MAC address, or a range of contiguous IPv4/IPv6 addresses, or existing address object, or existing address group object. An address group object consists of the following attributes: 4.2.1. The addressGroupName Attribute This attribute defines the unique name of the address group object. 4.2.2. The addressReference Attribute This attribute refers to the existing address objects or existing address group objects identified by their unique names. 4.2.3. The addressRange Attribute This attribute is the same as the addressRange attribute of address object. It can define a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. The IPv4 address range can be defined by IPv4 address with wildcard mask, or IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range. 4.3. Domain Group Object A domain group object is a collection of domain names that require the same policy enforcement. It consists of the following attributes: 4.3.1. The domainGroupName Attribute This attribute defines the unique name of the domain group object. Xia & Lin Expires September 13, 2017 [Page 6] Internet-Draft Policy Object for I2NSF March 2017 4.3.2. The domainNameList Attribute This attribute defines a set of domain names. The domain name can be matched in two modes: exact match and suffix match. Thus a domain name can be added by using the full string of the domain name (e.g., www.example.com) or a domain name begins with a wildcard (e.g., *.example.com). 4.4. Region Object A region object is an IPv4/IPv6 address of a geographical region or a collection of IPv4/IPv6 addresses located in the same geographical region. A set of region objects which can be referenced directly should be predefined by NSFs. A region object consists of the following attributes: 4.4.1. The regionName Attribute This attribute defines the unique name of the region object. 4.4.2. The regionLocation Attribute This attribute defines the longitude and latitude of the region. It consists of two sub-attributes: 4.4.2.1. The regionLongitude Attribute This attribute defines the longitude of the region. 4.4.2.2. The regionLatitude Attribute This attribute defines the latitude of the region. 4.4.3. The regionIPAddress Attribute This attribute defines a set of IPv4/IPv6 addresses or a range of contiguous IPv4/IPv6 addresses. And an IP address can only belong to one region object. The IPv4 address range can be defined by IPv4 address with wildcard mask, IPv4 address with subnet mask (subnet mask address or length of the subnet mask), or the start address and the end address of the IPv4 address range. The IPv6 address range can be defined by IPv6 address with length of the prefix, or the start address and the end address of the IPv6 address range. Xia & Lin Expires September 13, 2017 [Page 7] Internet-Draft Policy Object for I2NSF March 2017 4.5. Region Group Object A region group object is a collection of region objects that require the same policy enforcement. It consists of the following attributes: 4.5.1. The regionGroupName Attribute This attribute defines the unique name of the region group object. 4.5.2. The regionGroupReference Attribute This attribute refers to the existing region objects or region group objects identified by their unique names. 4.6. Service Object A service object is one or more services that can be identified by certain information, such as protocol type, source port number and destination port number. A set of well-known services should be predefined by NSFs as service objects to support direct reference. A service object consists of the following attributes: 4.6.1. The serviceName Attribute This attribute defines the unique name of the service object. 4.6.2. The serviceList Attribute This attribute defined a set of services. A service can be defined by the following sub-attributes. 4.6.2.1. The serviceProtocol Attribute This attribute defines the protocol type of the service. The value of this attribute is selected from six types of protocols: TCP, UDP, SCTP, ICMP, ICMPv6 or IP. 4.6.2.2. The serviceProtocolNumber Attribute This attribute defines the protocol number for IP protocol. The protocol number is the protocol field value in IP packet which identifies which kind of upper layer protocol is used. Xia & Lin Expires September 13, 2017 [Page 8] Internet-Draft Policy Object for I2NSF March 2017 4.6.2.3. The serviceSourcePort Attribute This attribute defines the source port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set. 4.6.2.4. The serviceDestinationPort Attribute This attribute defines the destination port number range for TCP, UDP or SCTP protocol. A single port number or a range of port numbers can be set. 4.6.2.5. The serviceICMPType Attribute This attribute defines the ICMP/ICMPv6 type for ICMP or ICMPv6 protocol. The ICMP/ICMPv6 type can be identified by ICMP/ICMPv6 type number and ICMP/ICMPv6 message code. Thus, this attribute has two sub-attributes: serviceICMPTypeNumber and serviceICMPMessageCode. The serviceICMPTypeNumber Attribute: It defines the ICMP/ICMPv6 type number and shall be defined together with the serviceICMPMessageCode attribute. For example, if the ICMP packet type is Echo, this attribute shall be set to 8 and the serviceICMPMessageCode attribute shall be set to 0. The serviceICMPMessageCode Attribute: It defines the ICMP/ICMPv6 message code and shall be defined together with the serviceICMPTypeNumber attribute. For example, if the ICMP packet type is Echo, this attribute shall be set to 0 and the serviceICMPTypeNumber attribute shall be set to 8. 4.7. Service Group Object A service group object is a collection of service objects that require the same policy enforcement. It consists of the following attributes: 4.7.1. The serviceGroupName Attribute This attribute defines the unique name of the service group object. 4.7.2. The serviceReference Attribute This attribute refers to the existing service objects or service group objects identified by their unique names. Xia & Lin Expires September 13, 2017 [Page 9] Internet-Draft Policy Object for I2NSF March 2017 4.8. Application Object An application object is a kind of application that can be identified by several features, such as category, subcategory or risk level. A set of well-known application objects should be predefined by NSFs to support direct reference. An application object consists of the following attributes: 4.8.1. The applicationName Attribute This attribute defines the unique name of the application object. 4.8.2. The applicationCategory Attribute This attribute defines the category of the application. The value of this attribute is selected from a predefined set of categories, e.g., general category, network application category. 4.8.3. The applicationSubCategory Attribute This attribute defines the subcategory of the application. The value of this attribute is selected from a predefined set of subcategories, e.g., search engine subcategory, electronic commerce subcategory. 4.8.4. The applicationTransmissionModel Attribute This attribute defines the data transmission model of the application. The value of this attribute is selected from a predefined set of transmission models, e.g., client/server model, peer-to-peer model. 4.8.5. The applicationLabel Attribute This attribute defines a set of labels for the application. The values of this attribute are selected from a predefined set of labels, e.g., database, encrypted-communication. 4.8.6. The applicationRiskLevel Attribute This attribute defines a risk level for the application. The value of this attribute is selected from a predefined number of risk levels. 4.9. Application Group Object An application group object is a collection of application objects that require the same policy enforcement. It consists of the following attributes: Xia & Lin Expires September 13, 2017 [Page 10] Internet-Draft Policy Object for I2NSF March 2017 4.9.1. The applicationGroupName Attribute This attribute defines the unique name of the application group object. 4.9.2. The applicationReference Attribute This attribute refers to the existing application objects or application group objects identified by their unique names. 4.10. Schedule Object A schedule object is a set of time ranges. There are two kinds of time ranges: periodic time range and absolute time range. A periodic time range occurs every week. An absolute time range occurs only once. A schedule object consists of the following attributes: 4.10.1. The scheduleName Attribute This attribute defines the unique name of the schedule object. 4.10.2. The scheduleList Attribute This attribute defines a set of time ranges. A time range can be defined by the following sub-attributes. 4.10.2.1. The scheduleType Attribute This attribute defines the type of a time range. The value of this attribute is selected from the two types: periodic, absolute. 4.10.2.2. The scheduleStartTime Attribute For a periodic time range, this attribute defines the start time in a day. For an absolute time range, this attribute defines the start time and start date. 4.10.2.3. The scheduleEndTime Attribute For a periodic time range, this attribute defines the end time in a day. For an absolute time range, this attribute defines the end time and end date. 4.10.2.4. The scheduleWeekDay Attribute This attribute defines the days in a week that the periodic time range takes effect. Xia & Lin Expires September 13, 2017 [Page 11] Internet-Draft Policy Object for I2NSF March 2017 4.11. User Object A user object identifies a person who may access network resources. It is the basis of implementing user-based I2NSF policy. The user objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. User objects that require the same policy enforcement are grouped as user group objects or security group objects. The user group objects are organized as a hierarchical structure. A security group object consists of user objects from different user group objects that require the same policy enforcement. A user object consists of the following attributes: 4.11.1. The userName Attribute This attribute refers to the user name that used for user authentication. 4.11.2. The userParentGroup Attribute This attribute refers to the existing parent user group object to which this user object belongs. The parent user group object is identified by its unique name. A user object can only belong to one user group object. 4.11.3. The userSecurityGroup Attribute This attribute refers to the existing security group object to which this user object belongs. The security user group object is identified by its unique name. A user object can belong to several security group objects. 4.11.4. The userDomain Attribute This attribute refers to the authentication domain to which this user object belongs. 4.11.5. The userPassword Attribute If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name. 4.11.6. The userExpirationTime Attribute This attribute defines when will this user object expire. Xia & Lin Expires September 13, 2017 [Page 12] Internet-Draft Policy Object for I2NSF March 2017 4.11.7. The userAllowSharing Attribute This attribute defines whether this user account identified by the userName and userPassword attribute is allowed to be shared by different persons. If allowed, this user object can be logged on to several devices simultaneously. 4.11.8. The userBindingStatus Attribute This attribute defines whether the user object is bound to IP addresses, or MAC addresses, or IP/MAC address pairs. It is selected from three binding modes: no binding, unidirectional binding, and bidirectional binding. For no binding mode, the user object is not bound to any IP or MAC address or IP/MAC address pair. For unidirectional binding mode, the addresses or address pairs bound to this user object also can be bound to other users. For bidirectional binding mode, the addresses or address pairs bound to this user should not be bound to other bidirectional binding user object. 4.11.9. The userBindingAddress Attribute This attribute defines the bound IP addresses, or MAC addresses, or IP/MAC address pairs. If the userBindingStatus is unidirectional binding or bidirectional binding, this attribute is mandatory. 4.12. User Group Object A user object group is a collection of user objects that require the same policy enforcement and it usually corresponds to a physical entity such as a department. The user group objects are organized as a hierarchical structure. A user group object may belong to another user group object. The user group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. It consists of the following attributes: 4.12.1. The userGroupName Attribute This attribute defines the unique name of the user group object. 4.12.2. The userGroupParentGroup Attribute This attribute refers to the existing parent user group object to which this user group object belongs. The parent user group object is identified by its unique name. A user group object can only belong to one parent user group object. Xia & Lin Expires September 13, 2017 [Page 13] Internet-Draft Policy Object for I2NSF March 2017 4.12.3. The userGroupDomain Attribute This attribute refers to the authentication domain to which this user group object belongs. 4.12.4. The userGroupReference Attribute This attribute refers to the existing user objects or user group objects which belong to this user group object. 4.12.5. The userGroupAllowSharing Attribute This attribute defines whether the user objects of this user group object are allowed to be shared by different persons. If allowed, all user objects of this user group object can be logged on to several devices simultaneously. 4.13. Security Group Object A security group object consists of user objects from different user group objects that require the same policy enforcement. The security group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. This attribute consists of the following attributes: 4.13.1. The securityGroupName Attribute This attribute defines the unique name of the security group object. 4.13.2. The securityGroupParentGroup Attribute This attribute refers to the existing parent security group objects to which this security group object belongs. The parent security group objects are identified by their unique names. 4.13.3. The securityGroupDomain Attribute This attribute refers to the authentication domain to which this security group object belongs. 4.13.4. The securityGroupType Attribute This attribute defines the type of the security group object. There are two types: static and dynamic. For static security group, the member objects are fixed and added as required. For dynamic security group, the member objects are dynamically generated by setting filtering rules. Xia & Lin Expires September 13, 2017 [Page 14] Internet-Draft Policy Object for I2NSF March 2017 4.13.5. The securityGroupReference Attribute This attribute defines the member objects for static security group object. It refers to the existing user objects or security group objects which belong to this security group object. 4.13.6. The securityGroupFilters Attribute This attribute defines the filtering rules for dynamic security group object. 4.13.7. The securityGroupAllowSharing Attribute This attribute defines whether the user objects of this security group object are allowed to be shared by different persons. If allowed, all user objects of this security group object can be logged on to several devices simultaneously. 5. Acknowledgements 6. IANA Considerations This document requires no IANA actions. 7. Security Considerations When the policy objects are transmitted, the integrity of these policy objects should be guaranteed. NSFs should verify that the modifications of policy objects come from the authenticated security controller. And NSF should protect the stored policy objects from being tampered. 8. References 8.1. Normative References [I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Zhang, D., Li, K., Basile, C., Lioy, A., Lopez, D., Lopez, E., BOUTHORS, N., and L. Fang, "Information Model of NSFs Capabilities", 2016, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Xia & Lin Expires September 13, 2017 [Page 15] Internet-Draft Policy Object for I2NSF March 2017 8.2. Informative References [I-D.ietf-i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", 2016, . [I-D.ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", 2016, . Authors' Addresses Liang Xia Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China Email: Frank.xialiang@huawei.com Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China Email: linqiushi@huawei.com Xia & Lin Expires September 13, 2017 [Page 16]