Network Working Group                                            H. Hong
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                                  J. Kim
Expires: January 20, 2018                        Sungkyunkwan University
                                                                S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                           July 19, 2017


       I2NSF Network Security Function Monitoring YANG Data Model
             draft-hong-i2nsf-nsf-monitoring-data-model-00

Abstract

   This document proposes a YANG data model for monitoring Network
   Security Functions (NSFs) in the Interface to Network Security
   Functions (I2NSF) system.  If the monitoring of NSFs is performed in
   a timely and comprehensive way, it is possible to detect the
   indication of malicious activity, anomalous behavior or the potential
   sign of denial of service attacks.  This monitoring functionality is
   based on the monitoring information that is generated by NSFs.  Thus,
   this document describes not only a data tree to specify the
   monitoring information model but also a YANG data model for
   monitoring NSFs.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 20, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Information Model Structure
   5.  YANG Data Model
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References

1.  Introduction

   This document defines a YANG [RFC6020] data model for monitoring
   Network Security Functions (NSFs).  Monitoring here means the
   acquisition of vital information about NSFs via notifications,
   events, records or counters.  The data model for the monitoring
   presented in this document is derived from the information model for
   the security policy provisioning of the NSF-Facing Interface
   specified in [i2nsf-monitoring-im].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology][i2nsf-framework].  In particular, the following
   terms are from [i2nsf-monitoring-im].
   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" and "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Information Model Structure

   Figure 1 shows an overview of the structure tree of monitoring
   information based on [i2nsf-monitoring-im].

   module: ietf-i2nsf-monitoring-information
     +--rw monitoring-message
        +--rw monitoring-messages* [message-id]
           +--rw message-id         uint8
           +--rw message-version    uint8
           +--rw (message-type)?
           |  +--:(alarm)
           |  |  +--rw (alarm-type)?
           |  |     +--:(system-alarm)
           |  |        +--rw memory-alarm
           |  |        |  +--rw event-name     string
           |  |        |  +--rw usage?         uint8
           |  |        |  +--rw threshold?     uint8
           |  |        |  +--rw message        string
           |  |        |  +--rw module-name    string
           |  |        +--rw cpu-alarm
           |  |        |  +--rw event-name     string
           |  |        |  +--rw usage?         uint8
           |  |        |  +--rw threshold?     uint8
           |  |        |  +--rw message        string
           |  |        +--rw disk-alarm
           |  |        |  +--rw event-name     string
           |  |        |  +--rw usage?         uint8
           |  |        |  +--rw threshold?     uint8
           |  |        |  +--rw message        string
           |  |        +--rw hardware-alarm
           |  |        |  +--rw event-name        string
           |  |        |  +--rw usage?            uint8
           |  |        |  +--rw threshold?        uint8
           |  |        |  +--rw message           string
           |  |        |  +--rw component-name?   string
           |  |        +--rw interface-alarm
           |  |           +--rw event-name        string
           |  |           +--rw usage?            uint8
           |  |           +--rw threshold?        uint8
           |  |           +--rw message           string
           |  |           +--rw interface-name?   string
           |  |           +--rw interface-state
           |  |              +--rw up          boolean
           |  |              +--rw down        boolean
           |  |              +--rw congested   boolean
           |  +--:(event)
           |  |  +--rw (event-type)?
           |  |     +--:(system-event)
           |  |     |  +--rw access-violation
           |  |     |  |  +--rw event-name             string
           |  |     |  |  +--rw user-name              string
           |  |     |  |  +--rw group                  string
           |  |     |  |  +--rw login-ip               inet:ipv4-address
           |  |     |  |  +--rw authentication-mode
           |  |     |  |  |  +--rw local-auth         boolean
           |  |     |  |  |  +--rw third-part-auth    boolean
           |  |     |  |  |  +--rw exemption-auth     boolean
           |  |     |  |  |  +--rw sso-auth           boolean
           |  |     |  |  +--rw message                string
           |  |     |  +--rw config-change
           |  |     |     +--rw event-name             string
           |  |     |     +--rw user-name              string
           |  |     |     +--rw group                  string
           |  |     |     +--rw login-ip               inet:ipv4-address
           |  |     |     +--rw authentication-mode
           |  |     |     |  +--rw local-auth         boolean
           |  |     |     |  +--rw third-part-auth    boolean
           |  |     |     |  +--rw exemption-auth     boolean
           |  |     |     |  +--rw sso-auth           boolean
           |  |     |     +--rw message                string
           |  |     +--:(nsf-event)
           |  |        +--rw ddos-event
           |  |        |  +--rw event-name          string
           |  |        |  +--rw user-name?          string
           |  |        |  +--rw message?            string
           |  |        |  +--rw src-ip?             inet:ipv4-address
           |  |        |  +--rw dst-ip?             inet:ipv4-address
           |  |        |  +--rw src-port?           inet:port-number
           |  |        |  +--rw dst-port?           inet:port-number
           |  |        |  +--rw src-zone?           string
           |  |        |  +--rw dst-zone?           string
           |  |        |  +--rw rule-id             uint8
           |  |        |  +--rw rule-name           string
           |  |        |  +--rw profile?            string
           |  |        |  +--rw raw-info?           string
           |  |        |  +--rw ddos-attack-type
           |  |        |  |  +--rw syn-flood?         boolean
           |  |        |  |  +--rw ack-flood?         boolean
           |  |        |  |  +--rw syn-ack-flood?     boolean
           |  |        |  |  +--rw fin-rst-flood?     boolean
           |  |        |  |  +--rw tcp-con-flood?     boolean
           |  |        |  |  +--rw udp-flood?         boolean
           |  |        |  |  +--rw icmp-flood?        boolean
           |  |        |  |  +--rw https-flood?       boolean
           |  |        |  |  +--rw http-flood?        boolean
           |  |        |  |  +--rw dns-reply-flood?   boolean
           |  |        |  |  +--rw dns-query-flood?   boolean
           |  |        |  |  +--rw sip-flood?         boolean
           |  |        |  +--rw start-time          yang:date-and-time
           |  |        |  +--rw end-time            yang:date-and-time
           |  |        |  +--rw attack-rate?        uint32
           |  |        |  +--rw attack-speed?       uint32
           |  |        +--rw session-table-event
           |  |        |  +--rw event-name?         string
           |  |        |  +--rw current-session?    uint8
           |  |        |  +--rw maximum-session?    uint8
           |  |        |  +--rw threshold?          uint8
           |  |        |  +--rw message?            string
           |  |        +--rw virus-event
           |  |        |  +--rw event-name          string
           |  |        |  +--rw user-name?          string
           |  |        |  +--rw message?            string
           |  |        |  +--rw src-ip?             inet:ipv4-address
           |  |        |  +--rw dst-ip?             inet:ipv4-address
           |  |        |  +--rw src-port?           inet:port-number
           |  |        |  +--rw dst-port?           inet:port-number
           |  |        |  +--rw src-zone?           string
           |  |        |  +--rw dst-zone?           string
           |  |        |  +--rw rule-id             uint8
           |  |        |  +--rw rule-name           string
           |  |        |  +--rw profile?            string
           |  |        |  +--rw raw-info?           string
           |  |        |  +--rw virus-type
           |  |        |  |  +--rw trajan?   boolean
           |  |        |  |  +--rw worm?     boolean
           |  |        |  |  +--rw macro?    boolean
           |  |        |  +--rw virus-name?         string
           |  |        |  +--rw file-type?          string
           |  |        |  +--rw file-name?          string
           |  |        +--rw intrusion-event
           |  |        |  +--rw event-name          string
           |  |        |  +--rw user-name?          string
           |  |        |  +--rw message?            string
           |  |        |  +--rw src-ip?             inet:ipv4-address
           |  |        |  +--rw dst-ip?             inet:ipv4-address
           |  |        |  +--rw src-port?           inet:port-number
           |  |        |  +--rw dst-port?           inet:port-number
           |  |        |  +--rw src-zone?           string
           |  |        |  +--rw dst-zone?           string
           |  |        |  +--rw rule-id             uint8
           |  |        |  +--rw rule-name           string
           |  |        |  +--rw profile?            string
           |  |        |  +--rw raw-info?           string
           |  |        |  +--rw protocol
           |  |        |  |  +--rw tcp?      boolean
           |  |        |  |  +--rw udp?      boolean
           |  |        |  |  +--rw icmp?     boolean
           |  |        |  |  +--rw icmpv6?   boolean
           |  |        |  |  +--rw ip?       boolean
           |  |        |  |  +--rw http?     boolean
           |  |        |  |  +--rw ftp?      boolean
           |  |        |  +--rw intrusion-attack-type
           |  |        |     +--rw brutal-force?      boolean
           |  |        |     +--rw buffer-overflow?   boolean
           |  |        +--rw botnet-event
           |  |        |  +--rw event-name          string
           |  |        |  +--rw user-name?          string
           |  |        |  +--rw message?            string
           |  |        |  +--rw src-ip?             inet:ipv4-address
           |  |        |  +--rw dst-ip?             inet:ipv4-address
           |  |        |  +--rw src-port?           inet:port-number
           |  |        |  +--rw dst-port?           inet:port-number
           |  |        |  +--rw src-zone?           string
           |  |        |  +--rw dst-zone?           string
           |  |        |  +--rw rule-id             uint8
           |  |        |  +--rw rule-name           string
           |  |        |  +--rw profile?            string
           |  |        |  +--rw raw-info?           string
           |  |        |  +--rw protocol
           |  |        |  |  +--rw tcp?      boolean
           |  |        |  |  +--rw udp?      boolean
           |  |        |  |  +--rw icmp?     boolean
           |  |        |  |  +--rw icmpv6?   boolean
           |  |        |  |  +--rw ip?       boolean
           |  |        |  |  +--rw http?     boolean
           |  |        |  |  +--rw ftp?      boolean
           |  |        |  +--rw botnet-name?        string
           |  |        |  +--rw role?               string
           |  |        +--rw web-attack-event
           |  |           +--rw event-name          string
           |  |           +--rw user-name?          string
           |  |           +--rw message?            string
           |  |           +--rw src-ip?             inet:ipv4-address
           |  |           +--rw dst-ip?             inet:ipv4-address
           |  |           +--rw src-port?           inet:port-number
           |  |           +--rw dst-port?           inet:port-number
           |  |           +--rw src-zone?           string
           |  |           +--rw dst-zone?           string
           |  |           +--rw rule-id             uint8
           |  |           +--rw rule-name           string
           |  |           +--rw profile?            string
           |  |           +--rw raw-info?           string
           |  |           +--rw web-attack-type
           |  |           |  +--rw sql-injection?       boolean
           |  |           |  +--rw command-injection?   boolean
           |  |           |  +--rw xss?                 boolean
           |  |           |  +--rw csrf?                boolean
           |  |           +--rw req-method
           |  |           |  +--rw put?   boolean
           |  |           |  +--rw get?   boolean
           |  |           +--rw req-url?            string
           |  |           +--rw url-category?       string
           |  |           +--rw filtering-type
           |  |              +--rw blacklist?            boolean
           |  |              +--rw whitelist?            boolean
           |  |              +--rw user-defined?         boolean
           |  |              +--rw balicious-category?   boolean
           |  |              +--rw unknown?              boolean
           |  +--:(log)
           |  |  +--rw (log-type)?
           |  |     +--:(system-log)
           |  |     |  +--rw access-logs
           |  |     |  |  +--rw login-ip          inet:ipv4-address
           |  |     |  |  +--rw administartor?    string
           |  |     |  |  +--rw login-mode?       login-mode
           |  |     |  |  +--rw operation-type?   operation-type
           |  |     |  |  +--rw result?           string
           |  |     |  |  +--rw content?          string
           |  |     |  +--rw resource-utiliz-logs
           |  |     |  |  +--rw system-status?       string
           |  |     |  |  +--rw cpu-usage?           uint8
           |  |     |  |  +--rw memory-usage?        uint8
           |  |     |  |  +--rw disk-usage?          uint8
           |  |     |  |  +--rw disk-left?           uint8
           |  |     |  |  +--rw session-num?         uint8
           |  |     |  |  +--rw process-num?         uint8
           |  |     |  |  +--rw in-traffic-rate?     uint32
           |  |     |  |  +--rw out-traffic-rate?    uint32
           |  |     |  |  +--rw in-traffic-speed?    uint32
           |  |     |  |  +--rw out-traffic-speed?   uint32
           |  |     |  +--rw user-activity-logs
           |  |     |     +--rw user                 string
           |  |     |     +--rw group                string
           |  |     |     +--rw login-ip             inet:ipv4-address
           |  |     |     +--rw authentication-mode
           |  |     |     |  +--rw local-auth        boolean
           |  |     |     |  +--rw third-part-auth   boolean
           |  |     |     |  +--rw exemption-auth    boolean
           |  |     |     |  +--rw sso-auth          boolean
           |  |     |     +--rw access-mode
           |  |     |     |  +--rw ppp?     boolean
           |  |     |     |  +--rw svn?     boolean
           |  |     |     |  +--rw local?   boolean
           |  |     |     +--rw online-duration?     string
           |  |     |     +--rw logout-duration?     string
           |  |     |     +--rw addtional-info?      string
           |  |     +--:(nsf-log)
           |  |        +--rw ddos-logs
           |  |        |  +--rw attack-type?        string
           |  |        |  +--rw attack-ave-rate?    uint32
           |  |        |  +--rw attack-ave-speed?   uint32
           |  |        |  +--rw attack-pkt-num?     uint32
           |  |        |  +--rw attack-src-ip?      inet:ipv4-address
           |  |        |  +--rw action?             all-action
           |  |        |  +--rw os?                 string
           |  |        +--rw virus-logs
           |  |        |  +--rw protocol
           |  |        |  |  +--rw tcp?      boolean
           |  |        |  |  +--rw udp?      boolean
           |  |        |  |  +--rw icmp?     boolean
           |  |        |  |  +--rw icmpv6?   boolean
           |  |        |  |  +--rw ip?       boolean
           |  |        |  |  +--rw http?     boolean
           |  |        |  |  +--rw ftp?      boolean
           |  |        |  +--rw attack-type?   string
           |  |        |  +--rw action?        all-action
           |  |        |  +--rw os?            string
           |  |        |  +--rw time           yang:date-and-time
           |  |        +--rw intrusion-logs
           |  |        |  +--rw attack-type?    string
           |  |        |  +--rw action?         all-action
           |  |        |  +--rw time            yang:date-and-time
           |  |        |  +--rw attack-rate?    uint32
           |  |        |  +--rw attack-speed?   uint32
           |  |        +--rw botnet-logs
           |  |        |  +--rw attack-type?      string
           |  |        |  +--rw botnet-pkt-num?   uint8
           |  |        |  +--rw action?           all-action
           |  |        |  +--rw os?               string
           |  |        +--rw dpi-logs
           |  |        |  +--rw dpi-type?      dpi-type
           |  |        |  +--rw src-ip?        inet:ipv4-address
           |  |        |  +--rw dst-ip?        inet:ipv4-address
           |  |        |  +--rw src-port?      inet:port-number
           |  |        |  +--rw dst-port?      inet:port-number
           |  |        |  +--rw src-zone?      string
           |  |        |  +--rw dst-zone?      string
           |  |        |  +--rw src-region?    string
           |  |        |  +--rw dst-region?    string
           |  |        |  +--rw policy-id      uint8
           |  |        |  +--rw policy-name    string
           |  |        |  +--rw src-user?      string
           |  |        |  +--rw protocol
           |  |        |  |  +--rw tcp?      boolean
           |  |        |  |  +--rw udp?      boolean
           |  |        |  |  +--rw icmp?     boolean
           |  |        |  |  +--rw icmpv6?   boolean
           |  |        |  |  +--rw ip?       boolean
           |  |        |  |  +--rw http?     boolean
           |  |        |  |  +--rw ftp?      boolean
           |  |        |  +--rw file-type?     string
           |  |        |  +--rw file-name?     string
           |  |        +--rw vul-scan-logs* [vulnerability-id]
           |  |        |  +--rw vul-id             uint8
           |  |        |  +--rw victim-ip?         inet:ipv4-address
           |  |        |  +--rw protocol
           |  |        |  |  +--rw tcp?      boolean
           |  |        |  |  +--rw udp?      boolean
           |  |        |  |  +--rw icmp?     boolean
           |  |        |  |  +--rw icmpv6?   boolean
           |  |        |  |  +--rw ip?       boolean
           |  |        |  |  +--rw http?     boolean
           |  |        |  |  +--rw ftp?      boolean
           |  |        |  +--rw port-num?          inet:port-number
           |  |        |  +--rw level?             severity
           |  |        |  +--rw os?                string
           |  |        |  +--rw addtional-info?    string
           |  |        +--rw web-attack-logs
           |  |           +--rw attack-type?     string
           |  |           +--rw rsp-code?        string
           |  |           +--rw req-clientapp?   string
           |  |           +--rw req-cookies?     string
           |  |           +--rw req-host?        string
           |  |           +--rw raw-info?        string
           |  +--:(counters)
           |     +--rw (counter-type)?
           |        +--:(system-counter)
           |        |  +--rw interface-counters
           |        |     +--rw interface-name?           string
           |        |     +--rw in-total-traffic-pkts?    uint32
           |        |     +--rw out-total-traffic-pkts?   uint32
           |        |     +--rw in-total-traffic-bytes?   uint32
           |        |     +--rw out-total-traffic-bytes?  uint32
           |        |     +--rw in-drop-traffic-pkts?     uint32
           |        |     +--rw out-drop-traffic-pkts?    uint32
           |        |     +--rw in-drop-traffic-bytes?    uint32
           |        |     +--rw out-drop-traffic-bytes?   uint32
           |        |     +--rw total-traffic?            uint32
           |        |     +--rw in-traffic-ave-rate?      uint32
           |        |     +--rw in-traffic-peak-rate?     uint32
           |        |     +--rw in-traffic-ave-speed?     uint32
           |        |     +--rw in-traffic-peak-speed?    uint32
           |        |     +--rw out-traffic-ave-rate?     uint32
           |        |     +--rw out-traffic-peak-rate?    uint32
           |        |     +--rw out-traffic-ave-speed?    uint32
           |        |     +--rw out-traffic-peak-speed?   uint32
           |        +--:(nsf-counter)
           |           +--rw firewall-counters
           |           |  +--rw src-ip?                  inet:ipv4-address
           |           |  +--rw dst-ip?                  inet:ipv4-address
           |           |  +--rw src-port?                inet:port-number
           |           |  +--rw dst-port?                inet:port-number
           |           |  +--rw src-zone?                string
           |           |  +--rw dst-zone?                string
           |           |  +--rw src-region?              string
           |           |  +--rw dst-region?              string
           |           |  +--rw policy-id                uint8
           |           |  +--rw policy-name              string
           |           |  +--rw src-user?                string
           |           |  +--rw protocol
           |           |  |  +--rw tcp?      boolean
           |           |  |  +--rw udp?      boolean
           |           |  |  +--rw icmp?     boolean
           |           |  |  +--rw icmpv6?   boolean
           |           |  |  +--rw ip?       boolean
           |           |  |  +--rw http?     boolean
           |           |  |  +--rw ftp?      boolean
           |           |  +--rw total-traffic?           uint32
           |           |  +--rw in-traffic-ave-rate?     uint32
           |           |  +--rw in-traffic-peak-rate?    uint32
           |           |  +--rw in-traffic-ave-speed?    uint32
           |           |  +--rw in-traffic-peak-speed?   uint32
           |           |  +--rw out-traffic-ave-rate?    uint32
           |           |  +--rw out-traffic-peak-rate?   uint32
           |           |  +--rw out-traffic-ave-speed?   uint32
           |           |  +--rw out-traffic-peak-speed?  uint32
           |           |  +--rw bound
           |           |     +--rw in-interface?    boolean
           |           |     +--rw out-interface?   boolean
           |           +--rw policy-hit-counters
           |              +--rw src-ip?                  inet:ipv4-address
           |              +--rw dst-ip?                  inet:ipv4-address
           |              +--rw src-port?                inet:port-number
           |              +--rw dst-port?                inet:port-number
           |              +--rw src-zone?                string
           |              +--rw dst-zone?                string
           |              +--rw src-region?              string
           |              +--rw dst-region?              string
           |              +--rw policy-id                uint8
           |              +--rw policy-name              string
           |              +--rw src-user?                string
           |              +--rw protocol
           |              |  +--rw tcp?      boolean
           |              |  +--rw udp?      boolean
           |              |  +--rw icmp?     boolean
           |              |  +--rw icmpv6?   boolean
           |              |  +--rw ip?       boolean
           |              |  +--rw http?     boolean
           |              |  +--rw ftp?      boolean
           |              +--rw total-traffic?           uint32
           |              +--rw in-traffic-ave-rate?     uint32
           |              +--rw in-traffic-peak-rate?    uint32
           |              +--rw in-traffic-ave-speed?    uint32
           |              +--rw in-traffic-peak-speed?   uint32
           |              +--rw out-traffic-ave-rate?    uint32
           |              +--rw out-traffic-peak-rate?   uint32
           |              +--rw out-traffic-ave-speed?   uint32
           |              +--rw out-traffic-peak-speed?  uint32
           |              +--rw hit-times?               uint32
           +--rw time-stamp         yang:date-and-time
           +--rw severity           severity
           +--rw vendor-name?       string

                Figure 1: Information Model for NSF Monitoring

5.  YANG Data Model

   This section introduces a YANG data model for the information model
   of monitoring information based on [i2nsf-monitoring-im].
   file "ietf-i2nsf-nsf-monitoring-data-model@20170719.yang"

   module ietf-i2nsf-monitoring-information {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-data-model";
     prefix
       monitoring-information;
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        Editor: Dongjin Hong

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module defines a YANG data model for monitoring NSFs.";

     revision "2017-07-19" {
       description "Initial revision";
       reference
         "draft-zhang-i2nsf-info-model-monitoring-04";
     }
     typedef severity {
       type enumeration {
         enum high {
           description
             "high-level";
         }
         enum middle {
           description
             "middle-level";
         }
         enum low {
           description
             "low-level";
         }
       }
       description
         "This is used for indicating the severity";
     }
     typedef all-action {
       type enumeration {
         enum allow {
           description
             "TBD";
         }
         enum alert {
           description
             "TBD";
         }
         enum block {
           description
             "TBD";
         }
         enum discard {
           description
             "TBD";
         }
         enum declare {
           description
             "TBD";
         }
         enum block-ip {
           description
             "TBD";
         }
         enum block-service {
           description
             "TBD";
         }
       }
       description
         "This is used for the action taken by an NSF";
     }
     typedef dpi-type {
       type enumeration {
         enum file-blocking {
           description
             "TBD";
         }
         enum data-filtering {
           description
             "TBD";
         }
         enum application-behavior-control {
           description
             "TBD";
         }
       }
       description
         "This is used for dpi type";
     }
     typedef operation-type {
       type enumeration {
         enum login {
           description
             "TBD";
         }
         enum logout {
           description
             "TBD";
         }
         enum configuration {
           description
             "TBD";
         }
       }
       description
         "This is used for operation type";
     }
     typedef login-mode {
       type enumeration {
         enum root {
           description
             "TBD";
         }
         enum user {
           description
             "TBD";
         }
         enum guest {
           description
             "TBD";
         }
       }
       description
         "This is used for login mode";
     }
     grouping protocol {
       description
         "A set of protocols";
       container protocol {
         description
           "Protocol types:
            TCP, UDP, ICMP, ICMPv6, IP, HTTP, FTP, etc.";
         leaf tcp {
           type boolean;
           description
             "TCP protocol type.";
         }
         leaf udp {
           type boolean;
           description
             "UDP protocol type.";
         }
         leaf icmp {
           type boolean;
           description
             "ICMP protocol type.";
         }
         leaf icmpv6 {
           type boolean;
           description
             "ICMPv6 protocol type.";
         }
         leaf ip {
           type boolean;
           description
             "IP protocol type.";
         }
         leaf http {
           type boolean;
           description
             "HTTP protocol type.";
         }
         leaf ftp {
           type boolean;
           description
             "FTP protocol type.";
         }
       }
     }
     grouping traffic-rates {
       description
         "A set of traffic rates
          for statistics data";
       leaf total-traffic {
         type uint32;
         description
           "Total traffic";
       }
       leaf in-traffic-ave-rate {
         type uint32;
         description
           "Inbound traffic average rate in pps";
       }
       leaf in-traffic-peak-rate {
         type uint32;
         description
           "Inbound traffic peak rate in pps";
       }
       leaf in-traffic-ave-speed {
         type uint32;
         description
           "Inbound traffic average speed in bps";
       }
       leaf in-traffic-peak-speed {
         type uint32;
         description
           "Inbound traffic peak speed in bps";
       }
       leaf out-traffic-ave-rate {
         type uint32;
         description
           "Outbound traffic average rate in pps";
       }
       leaf out-traffic-peak-rate {
         type uint32;
         description
           "Outbound traffic peak rate in pps";
       }
       leaf out-traffic-ave-speed {
         type uint32;
         description
           "Outbound traffic average speed in bps";
       }
       leaf out-traffic-peak-speed {
         type uint32;
         description
           "Outbound traffic peak speed in bps";
       }
     }
     grouping i2nsf-system-alarm-type-content {
       description
         "A set of system alarm type contents";
       leaf event-name {
         type string;
         mandatory true;
         description
           "This is used to distinguish event type";
       }
       leaf usage {
         type uint8;
         description
           "specifies the amount of usage";
       }
       leaf threshold {
         type uint8;
         description
           "The threshold triggering the alarm or the event";
       }
       leaf message {
         type string;
         mandatory true;
         description
           "The usage exceeded the threshold";
       }
     }
     grouping i2nsf-system-event-type-content {
       description
         "A set of system event type contents";
       leaf event-name {
         type string;
         mandatory true;
         description
           "ACCESS_DENIED, CONFIG_CHANGE and so on.";
       }
       leaf user-name {
         type string;
         mandatory true;
         description
           "Name of a user";
       }
       leaf group {
         type string;
         mandatory true;
         description
           "Group to which a user belongs.";
       }
       leaf login-ip {
         type inet:ipv4-address;
         mandatory true;
         description
           "Login IP address of a user.";
       }
       container authentication-mode {
         description
           "User authentication mode.  e.g., Local Authentication,
            Third-Party Server Authentication,
            Authentication Exemption, SSO Authentication.";
         leaf local-authentication {
           type boolean;
           mandatory true;
           description
             "Authentication-mode : local authentication.";
         }
         leaf third-part-server-authentication {
           type boolean;
           mandatory true;
           description
             "TBD";
         }
         leaf exemption-authentication {
           type boolean;
           mandatory true;
           description
             "TBD";
         }
         leaf sso-authentication {
           type boolean;
           mandatory true;
           description
             "TBD";
         }
       }
       leaf message {
         type string;
         mandatory true;
         description
           "The message for system events";
       }
     }
     grouping i2nsf-nsf-event-type-content {
       description
         "A set of nsf event type contents";
       leaf event-name {
         type string;
         mandatory true;
         description
           "This is used to distinguish event type";
       }
       leaf user-name {
         type string;
         description
           "User name who generates traffic";
       }
       leaf message {
         type string;
         description
           "The message for nsf events";
       }
       leaf src-ip {
         type inet:ipv4-address;
         description
           "The source IP address of the packet";
       }
       leaf dst-ip {
         type inet:ipv4-address;
         description
           "The destination IP address of the packet";
       }
       leaf src-port {
         type inet:port-number;
         description
           "The source port of the packet";
       }
       leaf dst-port {
         type inet:port-number;
         description
           "The destination port of the packet";
       }
       leaf src-zone {
         type string;
         description
           "The source security zone of the packet";
       }
       leaf dst-zone {
         type string;
         description
           "The destination security zone of the packet";
       }
       leaf rule-id {
         type uint8;
         mandatory true;
         description
           "The ID of the rule being triggered";
       }
       leaf rule-name {
         type string;
         mandatory true;
         description
           "The name of the rule being triggered";
       }
       leaf profile {
         type string;
         description
           "Security profile that traffic matches.";
       }
       leaf raw-info {
         type string;
         description
           "The information describing the packet
            triggering the event.";
       }
     }
     grouping i2nsf-system-counter-type-content {
       description
         "A set of system counter type contents";
       leaf interface-name {
         type string;
         description
           "Network interface name configured in NSF";
       }
       leaf in-total-traffic-pkts {
         type uint32;
         description
           "Total inbound packets";
       }
       leaf out-total-traffic-pkts {
         type uint32;
         description
           "Total outbound packets";
       }
       leaf in-total-traffic-bytes {
         type uint32;
         description
           "Total inbound bytes";
       }
       leaf out-total-traffic-bytes {
         type uint32;
         description
           "Total outbound bytes";
       }
       leaf in-drop-traffic-pkts {
         type uint32;
         description
           "Total inbound drop packets";
       }
       leaf out-drop-traffic-pkts {
         type uint32;
         description
           "Total outbound drop packets";
       }
       leaf in-drop-traffic-bytes {
         type uint32;
         description
           "Total inbound drop bytes";
       }
       leaf out-drop-traffic-bytes {
         type uint32;
         description
           "Total outbound drop bytes";
       }
       uses traffic-rates;
     }
     grouping i2nsf-nsf-counters-type-content {
       description
         "A set of nsf counters type contents";
       leaf src-ip {
         type inet:ipv4-address;
         description
           "The source IP address of the packet";
       }
       leaf dst-ip {
         type inet:ipv4-address;
         description
           "The destination IP address of the packet";
       }
       leaf src-port {
         type inet:port-number;
         description
           "The source port of the packet";
       }
       leaf dst-port {
         type inet:port-number;
         description
           "The destination port of the packet";
       }
       leaf src-zone {
         type string;
         description
           "The source security zone of the packet";
       }
       leaf dst-zone {
         type string;
         description
           "The destination security zone of the packet";
       }
       leaf src-region {
         type string;
         description
           "Source region of the traffic";
       }
       leaf dst-region {
         type string;
         description
           "Destination region of the traffic";
       }
       leaf policy-id {
         type uint8;
         mandatory true;
         description
           "The ID of the policy being triggered";
       }
       leaf policy-name {
         type string;
         mandatory true;
         description
           "The name of the policy being triggered";
       }
       leaf src-user {
         type string;
         description
           "User who generates traffic";
       }
       uses protocol;
       uses traffic-rates;
     }

     container monitoring-message {
       description
         "The message for monitoring information";
       list monitoring-messages {
         key message-id;
         description
           "The messages according to monitoring information";
         leaf message-id {
           type uint8;
           mandatory true;
           description
             "This is the message ID.
              This is the key for monitoring messages";
         }
         leaf message-version {
           type uint8;
           mandatory true;
           description
             "The version of message";
         }
         choice message-type {
           description
             "The type of message";
           case alarm {
             description
               "If the message type is alarm";
             choice alarm-type {
               description
                 "This is alarm type such as system alarm";
               case system-alarm {
                 description
                   "If the alarm type is system alarm";
                 container memory-alarm {
                   description
                     "This is memory alarm in
                      system alarm";
                   uses i2nsf-system-alarm-type-content;
                   leaf module-name {
                     type string;
                     mandatory true;
                     description
                       "Indicate the NSF module
                        responsible for generating
                        this alarm";
                   }
                 }
                 container cpu-alarm {
                   description
                     "This is cpu alarm in system alarm";
                   uses i2nsf-system-alarm-type-content;
                 }
                 container disk-alarm {
                   description
                     "This is disk alarm in system alarm";
                   uses i2nsf-system-alarm-type-content;
                 }
                 container hardware-alarm {
                   description
                     "This is hardware alarm
                      in system alarm";
                   uses i2nsf-system-alarm-type-content;
                   leaf component-name {
                     type string;
                     description
                       "Indicate the HW component
                        responsible for generating
                        this alarm.";
                   }
                 }
                 container interface-alarm {
                   description
                     "This is interface alarm
                      in system alarm";
                   uses i2nsf-system-alarm-type-content;
                   leaf interface-name {
                     type string;
                     description
                       "The name of interface.";
                   }
                   container interface-state {
                     description
                       "This is interface state
                        in interface-alarm";
                     leaf up {
                       type boolean;
                       mandatory true;
                       description
                         "The state of interface is up";
                     }
                     leaf down {
                       type boolean;
                       mandatory true;
                       description
                         "The state of interface is down";
                     }
                     leaf congested {
                       type boolean;
                       mandatory true;
                       description
                         "The state of interface is
                          congested";
                     }
                   }
                 }
               }
             }
           }
           case event {
             description
               "If the message type is event";
             choice event-type {
               description
                 "This is event type such as system event
                  and nsf event.";
               case system-event {
                 description
                   "If the event type is system event";
                 container access-violation {
                   description
                     "If the system event is
                      access violation";
                   uses i2nsf-system-event-type-content;
                 }
                 container config-change {
                   description
                     "If the system event is
                      config change";
                   uses i2nsf-system-event-type-content;
                 }
               }
               case nsf-event {
                 description
                   "If the event type is nsf event";
                 container ddos-event {
                   description
                     "If the event type is DDoS event";
                   uses i2nsf-nsf-event-type-content;
                   container ddos-attack-type {
                     description
                       "Type of DDoS attack";
                     leaf syn-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          syn flood";
                     }
                     leaf ack-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          ack flood";
                     }
                     leaf syn-ack-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          syn ack flood";
                     }
                     leaf fin-rst-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          fin rst flood";
                     }
                     leaf tcp-connection-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          tcp connection flood";
                     }
                     leaf udp-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          udp flood";
                     }
                     leaf icmp-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          icmp flood";
                     }
                     leaf https-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          https flood";
                     }
                     leaf http-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          http flood";
                     }
                     leaf dns-reply-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          dns reply flood";
                     }
                     leaf dns-query-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          dns query flood";
                     }
                     leaf sip-flood {
                       type boolean;
                       description
                         "If the DDoS attack is
                          sip flood";
                     }
                   }
                   leaf start-time {
                     type yang:date-and-time;
                     mandatory true;
                     description
                       "The time stamp indicating
                        when the attack started";
                   }
                   leaf end-time {
                     type yang:date-and-time;
                     mandatory true;
                     description
                       "The time stamp indicating
                        when the attack ended";
                   }
                   leaf attack-rate {
                     type uint32;
                     description
                       "The PPS of attack traffic";
                   }
                   leaf attack-speed {
                     type uint32;
                     description
                       "the bps of
attack traffic"; 1307 } 1308 } 1309 container session-table-event { 1310 description 1311 "If the event type is session 1312 table event"; 1313 leaf event-name { 1314 type string; 1315 description 1316 "The event name for 1317 session table event"; 1318 } 1319 leaf current-session { 1320 type uint8; 1321 description 1322 "The number of concurrent 1323 sessions"; 1324 } 1325 leaf maximum-session { 1326 type uint8; 1327 description 1328 "The maximum number of sessions 1329 that the session table can 1330 support"; 1332 } 1333 leaf threshold { 1334 type uint8; 1335 description 1336 "The threshold triggering 1337 the event"; 1338 } 1339 leaf message { 1340 type string; 1341 description 1342 "The number of session table 1343 exceeded the threshold"; 1344 } 1345 } 1346 container virus-event { 1347 description 1348 "If the event type is virus event"; 1349 uses i2nsf-nsf-event-type-content; 1350 container virus-type { 1351 description 1352 "The type of virus"; 1353 leaf trajan { 1354 type boolean; 1355 description 1356 "If the virus type is trajan"; 1357 } 1358 leaf worm { 1359 type boolean; 1360 description 1361 "If the virus type is worm"; 1362 } 1363 leaf macro { 1364 type boolean; 1365 description 1366 "If the virus type is macro"; 1367 } 1368 } 1369 leaf virus-name { 1370 type string; 1371 description 1372 "The name of virus"; 1373 } 1374 leaf file-type { 1375 type string; 1376 description 1377 "The type of file"; 1378 } 1379 leaf file-name { 1380 type string; 1381 description 1382 "The name of file"; 1383 } 1384 } 1385 container intrusion-event { 1386 description 1387 "If the event type is intrusion event"; 1388 uses i2nsf-nsf-event-type-content; 1389 uses protocol; 1390 container intrusion-attack-type { 1391 description 1392 "The attack type of intrusion"; 1393 leaf brutal-force { 1394 type boolean; 1395 description 1396 "The intrusion type is 1397 brutal force"; 1398 } 1399 leaf buffer-overflow { 1400 type boolean; 1401 description 1402 "The intrusion type is 1403 
buffer overflow"; 1404 } 1405 } 1406 } 1407 container botnet-event { 1408 description 1409 "If the event type is botnet event"; 1410 uses i2nsf-nsf-event-type-content; 1411 uses protocol; 1412 leaf botnet-name { 1413 type string; 1414 description 1415 "The name of the detected botnet"; 1416 } 1417 leaf role { 1418 type string; 1419 description 1420 "The role of the communicating 1421 parties within the botnet"; 1422 } 1423 } 1424 container web-attack-event { 1425 description 1426 "If the event type is web 1427 attack event"; 1429 uses i2nsf-nsf-event-type-content; 1430 container web-attack-type { 1431 description 1432 "To determine the attack 1433 type"; 1434 leaf sql-injection { 1435 type boolean; 1436 description 1437 "If the web attack type is 1438 sql injection"; 1439 } 1440 leaf command-injection { 1441 type boolean; 1442 description 1443 "If the web attack type is 1444 command injection"; 1445 } 1446 leaf xss { 1447 type boolean; 1448 description 1449 "If the web attack type is 1450 xss injection"; 1451 } 1452 leaf csrf { 1453 type boolean; 1454 description 1455 "If the web attack type is 1456 csrf injection"; 1457 } 1458 } 1459 container req-method { 1460 description 1461 "The method of requirement. 
1462 For instance, PUT or GET 1463 in HTTP"; 1464 leaf put{ 1465 type boolean; 1466 description 1467 "If req method is PUT"; 1468 } 1469 leaf get { 1470 type boolean; 1471 description 1472 "If req method is GET"; 1473 } 1474 } 1475 leaf req-url { 1476 type string; 1477 description 1478 "Requested URL"; 1479 } 1480 leaf url-category { 1481 type string; 1482 description 1483 "Matched URL category"; 1484 } 1485 container filtering-type { 1486 description 1487 "URL filtering type, 1488 e.g., Blacklist, Whitelist, 1489 User-Defined, Predefined, 1490 Malicious Category, Unknown"; 1491 leaf blacklist { 1492 type boolean; 1493 description 1494 "The filtering type is 1495 blacklist"; 1496 } 1497 leaf whitelist { 1498 type boolean; 1499 description 1500 "The filtering type is 1501 whitelist"; 1502 } 1503 leaf user-defined { 1504 type boolean; 1505 description 1506 "The filtering type is 1507 user defined"; 1508 } 1509 leaf balicious-category{ 1510 type boolean; 1511 description 1512 "The filtering type is 1513 balicious category"; 1514 } 1515 leaf unknown { 1516 type boolean; 1517 description 1518 "The filtering type is 1519 unknown"; 1520 } 1521 } 1522 } 1523 } 1524 } 1526 } 1527 case log { 1528 description 1529 "If the message type is log"; 1530 choice log-type { 1531 description 1532 "The type of log"; 1533 case system-log{ 1534 description 1535 "If the log type is system log"; 1536 container access-logs { 1537 description 1538 "If the log is access logs 1539 in system log"; 1540 leaf login-ip { 1541 type inet:ipv4-address; 1542 mandatory true; 1543 description 1544 "Login IP address of a user."; 1545 } 1546 leaf administartor { 1547 type string; 1548 description 1549 "Administrator that 1550 operates on the device"; 1551 } 1552 leaf login-mode { 1553 type login-mode; 1554 description 1555 "Specifies the 1556 administrator logs in mode"; 1557 } 1558 leaf operation-type { 1559 type operation-type; 1560 description 1561 "The operation type that 1562 the administrator 
execute"; 1563 } 1564 leaf result { 1565 type string; 1566 description 1567 "Command execution result"; 1568 } 1569 leaf content { 1570 type string; 1571 description 1572 "Operation performed by 1573 an administrator after login."; 1575 } 1576 } 1577 container resource-utiliz-logs { 1578 description 1579 "If the log is resource utilize 1580 logs in system log"; 1581 leaf system-status { 1582 type string; 1583 description 1584 "TBD"; 1585 } 1586 leaf cpu-usage { 1587 type uint8; 1588 description 1589 "specifies the amount of 1590 cpu usage"; 1591 } 1592 leaf memory-usage { 1593 type uint8; 1594 description 1595 "specifies the amount of 1596 memory usage"; 1597 } 1598 leaf disk-usage { 1599 type uint8; 1600 description 1601 "specifies the amount of 1602 disk usage"; 1603 } 1604 leaf disk-left { 1605 type uint8; 1606 description 1607 "specifies the amount of 1608 disk left"; 1609 } 1610 leaf session-num { 1611 type uint8; 1612 description 1613 "The total number of 1614 sessions"; 1615 } 1616 leaf process-num { 1617 type uint8; 1618 description 1619 "The total number of 1620 process"; 1621 } 1622 leaf in-traffic-rate { 1623 type uint32; 1624 description 1625 "The total inbound 1626 traffic rate in pps"; 1627 } 1628 leaf out-traffic-rate { 1629 type uint32; 1630 description 1631 "The total outbound 1632 traffic rate in pps"; 1633 } 1634 leaf in-traffic-speed { 1635 type uint32; 1636 description 1637 "The total inbound 1638 traffic speed in bps"; 1639 } 1640 leaf out-traffic-speed { 1641 type uint32; 1642 description 1643 "The total outbound 1644 traffic speed in bps"; 1645 } 1646 } 1647 container user-activity-logs { 1648 description 1649 "If the log is user activity 1650 logs in system log"; 1651 leaf user { 1652 type string; 1653 mandatory true; 1654 description 1655 "Name of a user"; 1656 } 1657 leaf group { 1658 type string; 1659 mandatory true; 1660 description 1661 "Group to which a user belongs."; 1662 } 1663 leaf login-ip { 1664 type inet:ipv4-address; 1665 
mandatory true; 1666 description 1667 "Login IP address of a user."; 1668 } 1669 container authentication-mode { 1670 description 1671 "User authentication mode. e.g., 1672 Local Authentication, 1673 Third-Party Server Authentication, 1674 Authentication Exemption, SSO Authentication."; 1675 leaf local-authentication { 1676 type boolean; 1677 mandatory true; 1678 description 1679 "Authentication-mode : local authentication."; 1680 } 1681 leaf third-part-server-authentication { 1682 type boolean; 1683 mandatory true; 1684 description 1685 "TBD"; 1686 } 1687 leaf exemption-authentication { 1688 type boolean; 1689 mandatory true; 1690 description 1691 "TBD"; 1692 } 1693 leaf sso-authentication { 1694 type boolean; 1695 mandatory true; 1696 description 1697 "TBD"; 1698 } 1699 } 1700 container access-mode { 1701 description 1702 "TBD"; 1703 leaf ppp{ 1704 type boolean; 1705 description 1706 "TBD"; 1707 } 1708 leaf svn{ 1709 type boolean; 1710 description 1711 "TBD"; 1712 } 1713 leaf local{ 1714 type boolean; 1715 description 1716 "TBD"; 1717 } 1718 } 1719 leaf online-duration { 1720 type string; 1721 description 1722 "TBD"; 1723 } 1724 leaf logout-duration { 1725 type string; 1726 description 1727 "TBD"; 1728 } 1729 leaf addtional-info { 1730 type string; 1731 description 1732 "TBD"; 1733 } 1734 } 1735 } 1736 case nsf-log{ 1737 description 1738 "If the log type is nsf log"; 1739 container ddos-logs { 1740 description 1741 "If the log is DDoS logs 1742 in nsf log"; 1743 leaf attack-type{ 1744 type string; 1745 description 1746 "DDoS"; 1747 } 1748 leaf attack-ave-rate { 1749 type uint32; 1750 description 1751 "The ave PPS of 1752 attack traffic"; 1753 } 1754 leaf attack-ave-speed { 1755 type uint32; 1756 description 1757 "the ave bps of 1758 attack traffic"; 1759 } 1760 leaf attack-pkt-num{ 1761 type uint32; 1762 description 1763 "the number of 1764 attack packets"; 1765 } 1766 leaf attack-src-ip { 1767 type inet:ipv4-address; 1768 description 1769 "TBD"; 1770 } 1771 leaf 
action { 1772 type all-action; 1773 description 1774 "TBD"; 1775 } 1776 leaf os { 1777 type string; 1778 description 1779 "simple os information"; 1780 } 1781 } 1782 container virus-logs { 1783 description 1784 "If the log is virus logs 1785 in nsf log"; 1786 uses protocol; 1787 leaf attack-type{ 1788 type string; 1789 description 1790 "Virus"; 1791 } 1792 leaf action{ 1793 type all-action; 1794 description 1795 "TBD"; 1796 } 1797 leaf os{ 1798 type string; 1799 description 1800 "simple os information"; 1801 } 1802 leaf time { 1803 type yang:date-and-time; 1804 mandatory true; 1805 description 1806 "Indicate the time when the 1807 message is generated"; 1808 } 1809 } 1810 container intrusion-logs { 1811 description 1812 "If the log is intrusion logs 1813 in nsf log"; 1814 leaf attack-type{ 1815 type string; 1816 description 1817 "Intrusion"; 1818 } 1819 leaf action{ 1820 type all-action; 1821 description 1822 "TBD"; 1823 } 1824 leaf time { 1825 type yang:date-and-time; 1826 mandatory true; 1827 description 1828 "Indicate the time when the 1829 message is generated"; 1830 } 1831 leaf attack-rate { 1832 type uint32; 1833 description 1834 "The PPS of attack traffic"; 1835 } 1836 leaf attack-speed { 1837 type uint32; 1838 description 1839 "the bps of attack traffic"; 1840 } 1841 } 1842 container botnet-logs { 1843 description 1844 "If the log is botnet logs 1845 in nsf log"; 1846 leaf attack-type{ 1847 type string; 1848 description 1849 "Botnet"; 1850 } 1851 leaf botnet-pkt-num{ 1852 type uint8; 1853 description 1854 "The number of the packets 1855 sent to or from the 1856 detected botnet"; 1857 } 1858 leaf action{ 1859 type all-action; 1860 description 1861 "TBD"; 1862 } 1863 leaf os{ 1864 type string; 1865 description 1866 "simple os information"; 1867 } 1868 } 1869 container dpi-logs { 1870 description 1871 "If the log is dpi logs 1872 in nsf log"; 1873 leaf dpi-type{ 1874 type dpi-type; 1875 description 1876 "The type of dpi"; 1877 } 1878 leaf src-ip { 1879 type 
inet:ipv4-address; 1880 description 1881 "The source IP address of the packet"; 1882 } 1883 leaf dst-ip { 1884 type inet:ipv4-address; 1885 description 1886 "The destination IP address of the packet"; 1887 } 1888 leaf src-port { 1889 type inet:port-number; 1890 description 1891 "The source port of the packet"; 1892 } 1893 leaf dst-port { 1894 type inet:port-number; 1895 description 1896 "The destination port of the packet"; 1897 } 1898 leaf src-zone { 1899 type string; 1900 description 1901 "The source security zone of the packet"; 1902 } 1903 leaf dst-zone { 1904 type string; 1905 description 1906 "The destination security zone of the packet"; 1907 } 1908 leaf src-region { 1909 type string; 1910 description 1911 "Source region of the traffic"; 1912 } 1913 leaf dst-region{ 1914 type string; 1915 description 1916 "Destination region of the traffic"; 1917 } 1918 leaf policy-id { 1919 type uint8; 1920 mandatory true; 1921 description 1922 "The ID of the policy being triggered"; 1923 } 1924 leaf policy-name { 1925 type string; 1926 mandatory true; 1927 description 1928 "The name of the policy being triggered"; 1929 } 1930 leaf src-user{ 1931 type string; 1932 description 1933 "User who generates traffic"; 1934 } 1935 uses protocol; 1936 leaf file-type { 1937 type string; 1938 description 1939 "The type of file"; 1940 } 1941 leaf file-name { 1942 type string; 1943 description 1944 "The name of file"; 1945 } 1946 } 1947 list vulnerability-scanning-logs { 1948 key vulnerability-id; 1949 description 1950 "If the log is vulnerability 1951 scanning logs in nsf log"; 1952 leaf vulnerability-id{ 1953 type uint8; 1954 description 1955 "The vulnerability id"; 1956 } 1957 leaf victim-ip { 1958 type inet:ipv4-address; 1959 description 1960 "IP address of the victim 1961 host which has vulnerabilities"; 1962 } 1963 uses protocol; 1964 leaf port-num{ 1965 type inet:port-number; 1966 description 1967 "The port number"; 1968 } 1969 leaf level{ 1970 type severity; 1971 description 1972 
"The vulnerability severity"; 1973 } 1974 leaf os{ 1975 type string; 1976 description 1977 "simple os information"; 1978 } 1979 leaf addtional-info{ 1980 type string; 1981 description 1982 "TBD"; 1983 } 1984 } 1985 container web-attack-logs { 1986 description 1987 "If the log is web attack 1988 logs in nsf log"; 1989 leaf attack-type{ 1990 type string; 1991 description 1992 "Web Attack"; 1993 } 1994 leaf rsp-code{ 1995 type string; 1996 description 1997 "Response code"; 1998 } 1999 leaf req-clientapp{ 2000 type string; 2001 description 2002 "The client application"; 2003 } 2004 leaf req-cookies{ 2005 type string; 2006 description 2007 "Cookies"; 2008 } 2009 leaf req-host{ 2010 type string; 2011 description 2012 "The domain name of the 2013 requested host"; 2014 } 2015 leaf raw-info{ 2016 type string; 2017 description 2018 "The information describing 2019 the packet triggering the 2020 event."; 2021 } 2022 } 2023 } 2024 } 2025 } 2026 case counters { 2027 description 2028 "If the message type is counters"; 2029 choice counter-type { 2030 description 2031 "The type of counter"; 2032 case system-counter { 2033 container interface-counters { 2034 description 2035 "The system counter type is 2036 interface counter"; 2037 uses i2nsf-system-counter-type-content; 2038 } 2039 } 2040 case nsf-counter{ 2041 container firewall-counters { 2042 description 2043 "The nsf counter type is 2044 firewall counter"; 2045 uses i2nsf-nsf-counters-type-content; 2046 container bound{ 2047 description 2048 "Inbound or Outbound"; 2049 leaf in-interface { 2050 type boolean; 2051 description 2052 "If the bound is inbound"; 2053 } 2054 leaf out-interface { 2055 type boolean; 2056 description 2057 "If the bound is outbound"; 2058 } 2059 } 2060 } 2061 container policy-hit-counters { 2062 description 2063 "The counters of policy hit"; 2064 uses i2nsf-nsf-counters-type-content; 2065 leaf hit-times{ 2066 type uint32; 2067 description 2068 "The hit times for policy"; 2069 } 2070 } 2071 } 2072 } 2073 } 
2074 } 2075 leaf time-stamp { 2076 type yang:date-and-time; 2077 mandatory true; 2078 description 2079 "Indicate the time when the message is generated"; 2080 } 2081 leaf severity { 2082 type severity; 2083 mandatory true; 2084 description 2085 "The severity of the alarm such as 2086 critical, high, middle, low."; 2087 } 2088 leaf vendor-name { 2089 type string; 2090 description 2091 "The name of the NSF vendor"; 2092 } 2093 } 2094 } 2095 } 2096 2098 Figure 2: Data Model of Monitoring 2100 6. Acknowledgments 2102 This work was supported by Institute for Information &iamp; 2103 communications Technology Promotion (IITP) grant funded by the Korea 2104 government (MSIP) (R-20160222-002755, Cloud based Security 2105 Intelligence Technology Development for the Customized Security 2106 Service Provisioning). 2108 This document has greatly benefited from inputs by Daeyoung Hyun. 2110 7. References 2112 7.1. Normative References 2114 [RFC2119] Bradner, S., "Key words for use in RFCs to 2115 Indicate Requirement Levels", BCP 14, 2116 RFC 2119, March 1997. 2118 [RFC6020] Bjorklund, M., "YANG - A Data Modeling 2119 Language for the Network Configuration 2120 Protocol (NETCONF)", RFC 6020, October 2010. 2122 7.2. Informative References 2124 [i2rs-rib-data-model] Wang, L., Ananthakrishnan, H., Chen, M., Dass, 2125 A., Kini, S., and N. Bahadur, "A YANG Data 2126 Model for Routing Information Base (RIB)", 2127 draft-ietf-i2rs-rib-data-model-07 (work in 2128 progress), January 2017. 2130 [i2nsf-terminology] Hares,, S., Strassner,, J., Lopez,, D., Xia,, 2131 L., and H. Birkholz,, "Interface to Network 2132 Security Functions (I2NSF) Terminology", 2133 draft-ietf-i2nsf-terminology-04 (work in 2134 progress), July 2017. 2136 [i2nsf-framework] Hares,, S., Lopez,, J., Dunbar, L., Strassner, 2137 J., and R. Kumar, "Framework for Interface to 2138 Network Security Functions", 2139 draft-ietf-i2nsf-framework-05 (work in 2140 progress), May 2017. 
2142 [i2nsf-monitoring-im] Xia,, L., Zhang,, D., Wu, Y., Kumar, R., 2143 Lohiya, A., and H. Birkholz, "An Information 2144 Model for the Monitoring of Network Security 2145 Functions (NSF)", 2146 draft-zhang-i2nsf-info-model-monitoring-04 2147 (work in progress), July 2017. 2149 Authors' Addresses 2151 Dongjin Hong 2152 Department of Computer Engineering 2153 Sungkyunkwan University 2154 2066 Seobu-Ro, Jangan-Gu 2155 Suwon, Gyeonggi-Do 16419 2156 Republic of Korea 2158 Phone: +82 10 7630 5473 2159 EMail: dong.jin@skku.edu 2161 Jaehoon Paul Jeong 2162 Department of Software 2163 Sungkyunkwan University 2164 2066 Seobu-Ro, Jangan-Gu 2165 Suwon, Gyeonggi-Do 16419 2166 Republic of Korea 2168 Phone: +82 31 299 4957 2169 Fax: +82 31 290 7996 2170 EMail: pauljeong@skku.edu 2171 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 2173 Jinyong Tim Kim 2174 Department of Computer Engineering 2175 Sungkyunkwan University 2176 2066 Seobu-Ro, Jangan-Gu 2177 Suwon, Gyeonggi-Do 16419 2178 Republic of Korea 2180 Phone: +82 10 8273 0930 2181 EMail: timkim@skku.edu 2183 Susan Hares 2184 Huawei 2185 7453 Hickory Hill 2186 Saline, MI 48176 2187 USA 2189 Phone: +1-734-604-0332 2190 EMail: shares@ndzh.com 2191 Liang Xia (Frank) 2192 Huawei 2193 101 Software Avenue, Yuhuatai District 2194 Nanjing, Jiangsu 2195 China 2197 Phone: 2198 EMail: Frank.xialiang@huawei.com
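The monitoring-messages list in Figure 2 fixes which leaves are mandatory, that only one case of the message-type choice may appear per entry, and the width of every counter (uint8 for message-id, session counts and thresholds; uint32 for rates). The following Python validator is an added example, not code from the draft or its authors: it encodes those rules and runs them over constructed sample entries (JSON-style dicts keyed by the model's node names), including one showing that realistic session counts do not fit the uint8 leaves of session-table-event.

```python
"""Structural checks for one monitoring-messages entry of the draft's YANG
module (Figure 2): mandatory leaves, the one-case rule of the message-type
choice, and the ranges the uint8/uint32 leaf types imply. Added example."""

UINT8 = (0, 2**8 - 1)
UINT32 = (0, 2**32 - 1)

# Leaves marked "mandatory true" directly under monitoring-messages.
ENTRY_MANDATORY = ("message-id", "message-version", "time-stamp", "severity")
# Cases of the message-type choice; YANG allows at most one per entry.
MESSAGE_CASES = ("alarm", "event", "log", "counters")
# Values listed in the severity leaf's description.
SEVERITIES = ("critical", "high", "middle", "low")
# Integer leaves, keyed by (case, container, leaf), with their type's range.
INT_LEAVES = {
    ("event", "ddos-event", "attack-rate"): UINT32,
    ("event", "ddos-event", "attack-speed"): UINT32,
    ("event", "session-table-event", "current-session"): UINT8,
    ("event", "session-table-event", "maximum-session"): UINT8,
    ("event", "session-table-event", "threshold"): UINT8,
    ("counters", "policy-hit-counters", "hit-times"): UINT32,
}
# Leaves marked mandatory inside a specific container.
CONTAINER_MANDATORY = {("event", "ddos-event"): ("start-time", "end-time"),
                       ("alarm", "memory-alarm"): ("module-name",)}


def in_range(value, bounds):
    """True when value is an integer (not a bool) within the inclusive bounds."""
    lo, hi = bounds
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def validate(entry):
    """Return a list of problems; an empty list means every rule here holds."""
    problems = []
    for leaf in ENTRY_MANDATORY:
        if leaf not in entry:
            problems.append(f"missing mandatory leaf {leaf}")
    for leaf in ("message-id", "message-version"):
        if leaf in entry and not in_range(entry[leaf], UINT8):
            problems.append(f"{leaf}={entry[leaf]!r} is outside uint8")
    if "severity" in entry and entry["severity"] not in SEVERITIES:
        problems.append(f"severity {entry['severity']!r} not in {SEVERITIES}")
    present = [c for c in MESSAGE_CASES if c in entry]
    if len(present) != 1:
        problems.append(f"message-type needs exactly one case, got {present}")
    for case in present:
        for container, leaves in entry[case].items():
            for leaf in CONTAINER_MANDATORY.get((case, container), ()):
                if leaf not in leaves:
                    problems.append(f"{case}/{container} lacks mandatory {leaf}")
            for leaf, value in leaves.items():
                bounds = INT_LEAVES.get((case, container, leaf))
                if bounds and not in_range(value, bounds):
                    width = "uint8" if bounds == UINT8 else "uint32"
                    problems.append(f"{case}/{container}/{leaf}={value!r} is outside {width}")
    return problems


# Constructed sample entries (not taken from the draft).
DDOS_EVENT = {
    "message-id": 7, "message-version": 1, "severity": "high",
    "time-stamp": "2017-07-19T10:00:00Z", "vendor-name": "example-vendor",
    "event": {"ddos-event": {
        "start-time": "2017-07-19T09:58:00Z", "end-time": "2017-07-19T10:00:00Z",
        "ddos-attack-type": {"syn-flood": True},
        "attack-rate": 150000, "attack-speed": 96000000}}}
# Session counts a real firewall reports, but the model's uint8 leaves cannot carry.
SESSION_EVENT = {
    "message-id": 8, "message-version": 1, "severity": "middle",
    "time-stamp": "2017-07-19T10:01:00Z",
    "event": {"session-table-event": {
        "current-session": 4000, "maximum-session": 5000, "threshold": 200}}}
# Two cases of one choice, an out-of-range key and no time-stamp.
BAD_CHOICE = {"message-id": 300, "message-version": 1, "severity": "low",
              "alarm": {"cpu-alarm": {}}, "event": {"access-violation": {}}}
```

Running `validate` over the three samples returns no problems for DDOS_EVENT, two uint8 range violations for SESSION_EVENT, and three structural problems for BAD_CHOICE.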