Network Working Group                                          J. Jeong
Internet-Draft                                                   J. Kim
Intended status: Standards Track                                D. Hong
Expires: May 19, 2019                           Sungkyunkwan University
                                                               S. Hares
                                                                 L. Xia
                                                                 Huawei
                                                            H. Birkholz
                                                         Fraunhofer SIT
                                                      November 15, 2018

    A YANG Data Model for Monitoring I2NSF Network Security Functions
             draft-hong-i2nsf-nsf-monitoring-data-model-06

Abstract

   This document proposes an information model and the corresponding
   YANG data model for monitoring Network Security Functions (NSFs) in
   the Interface to Network Security Functions (I2NSF) framework.  If
   the monitoring of NSFs is performed in a comprehensive way, it is
   possible to detect the indication of malicious activity, anomalous
   behavior or the potential sign of denial of service attacks in a
   timely manner.  This monitoring functionality is based on the
   monitoring information that is generated by NSFs.  Thus, this
   document describes not only a YANG data diagram to specify an
   information model for monitoring NSFs, but also the corresponding
   YANG data model for monitoring NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your
   rights and restrictions with respect to this document.  Code
   Components extracted from this document must include Simplified BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   4
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Use Cases for NSF Monitoring Data . . . . . . . . . . . . . .   4
   5.  Classification of NSF Monitoring Data . . . . . . . . . . . .   5
     5.1.  Retention and Emission  . . . . . . . . . . . . . . . . .   6
     5.2.  Notifications and Events  . . . . . . . . . . . . . . . .   7
     5.3.  Unsolicited Poll and Solicited Push . . . . . . . . . . .   8
     5.4.  I2NSF Monitoring Terminology for Retained Information . .   8
   6.  Conveyance of NSF Monitoring Information  . . . . . . . . . .   9
     6.1.  Information Types and Acquisition Methods . . . . . . . .  10
   7.  Basic Information Model for All Monitoring Data . . . . . . .  10
   8.  Extended Information Model for Monitoring Data  . . . . . . .  11
     8.1.  System Alarm  . . . . . . . . . . . . . . . . . . . . . .  11
       8.1.1.  Memory Alarm  . . . . . . . . . . . . . . . . . . . .  11
       8.1.2.  CPU Alarm . . . . . . . . . . . . . . . . . . . . . .  12
       8.1.3.  Disk Alarm  . . . . . . . . . . . . . . . . . . . . .  12
       8.1.4.  Hardware Alarm  . . . . . . . . . . . . . . . . . . .  12
       8.1.5.  Interface Alarm . . . . . . . . . . . . . . . . . . .  13
     8.2.  System Events . . . . . . . . . . . . . . . . . . . . . .  13
       8.2.1.  Access Violation  . . . . . . . . . . . . . . . . . .  13
       8.2.2.  Configuration Change  . . . . . . . . . . . . . . . .  14
     8.3.  System Log  . . . . . . . . . . . . . . . . . . . . . . .  14
       8.3.1.  Access Logs . . . . . . . . . . . . . . . . . . . . .  14
       8.3.2.  Resource Utilization Logs . . . . . . . . . . . . . .  15
       8.3.3.  User Activity Logs  . . . . . . . . . . . . . . . . .  15
     8.4.  System Counters . . . . . . . . . . . . . . . . . . . . .  16
       8.4.1.  Interface counters  . . . . . . . . . . . . . . . . .  16
     8.5.  NSF Events  . . . . . . . . . . . . . . . . . . . . . . .  17
       8.5.1.  DDoS Event  . . . . . . . . . . . . . . . . . . . . .  17
       8.5.2.  Session Table Event . . . . . . . . . . . . . . . . .  18
       8.5.3.  Virus Event . . . . . . . . . . . . . . . . . . . . .  18
       8.5.4.  Intrusion Event . . . . . . . . . . . . . . . . . . .  19
       8.5.5.  Botnet Event  . . . . . . . . . . . . . . . . . . . .  20
       8.5.6.  Web Attack Event  . . . . . . . . . . . . . . . . . .  21
     8.6.  NSF Logs  . . . . . . . . . . . . . . . . . . . . . . . .  21
       8.6.1.  DDoS Logs . . . . . . . . . . . . . . . . . . . . . .  22
       8.6.2.  Virus Logs  . . . . . . . . . . . . . . . . . . . . .  22
       8.6.3.  Intrusion Logs  . . . . . . . . . . . . . . . . . . .  23
       8.6.4.  Botnet Logs . . . . . . . . . . . . . . . . . . . . .  23
       8.6.5.  DPI Logs  . . . . . . . . . . . . . . . . . . . . . .  23
       8.6.6.  Vulnerability Scanning Logs . . . . . . . . . . . . .  24
       8.6.7.  Web Attack Logs . . . . . . . . . . . . . . . . . . .  25
     8.7.  NSF Counters  . . . . . . . . . . . . . . . . . . . . . .  25
       8.7.1.  Firewall counters . . . . . . . . . . . . . . . . . .  25
       8.7.2.  Policy Hit Counters . . . . . . . . . . . . . . . . .  26
   9.  YANG Data Diagrams  . . . . . . . . . . . . . . . . . . . . .  27
   10. NSF Monitoring Management in I2NSF  . . . . . . . . . . . . .  28
   11. YANG Data Model Structure . . . . . . . . . . . . . . . . . .  29
   12. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . .  37
   13. Security Considerations . . . . . . . . . . . . . . . . . . .  71
   14. References  . . . . . . . . . . . . . . . . . . . . . . . . .  71
     14.1.  Normative References . . . . . . . . . . . . . . . . . .  71
     14.2.  Informative References . . . . . . . . . . . . . . . . .  72
   Appendix A.  Changes from draft-hong-i2nsf-nsf-monitoring-data-
                model-05 . . . . . . . . . . . . . . . . . . . . . .  74
   Appendix B.  Acknowledgments  . . . . . . . . . . . . . . . . . .  74
   Appendix C.  Contributors . . . . . . . . . . . . . . . . . . . .  74
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  74

1.  Introduction

   According to [I-D.ietf-i2nsf-terminology], the interface provided by
   a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or
   Anti-Virus function) to administrative entities (e.g., Security
   Controller) to enable remote management (i.e., configuring and
   monitoring) is referred to as an I2NSF NSF-Facing Interface
   [I-D.ietf-i2nsf-nsf-facing-interface-dm].  Monitoring procedures
   intend to acquire vital types of data with respect to NSFs (e.g.,
   alarms, records, and counters) via data in motion (e.g., queries,
   notifications, and events).  The monitoring of an NSF plays an
   important role in an overall security framework, if it is done in a
   timely and comprehensive way.  The monitoring information generated
   by an NSF can be a good, early indication of anomalous behavior or
   malicious activity, such as denial of service (DoS) attacks.

   This document defines a comprehensive NSF monitoring information
   model that provides visibility into an NSF for the Security
   Controller.  It specifies the information and illustrates the methods
   that enable an NSF to provide the information required in order to be
   monitored in a scalable and efficient way via the NSF-Facing
   Interface.  The information model for monitoring presented in this
   document is a complementary information model to the information
   model for the security policy provisioning functionality of the
   NSF-Facing Interface specified in [I-D.ietf-i2nsf-capability].
   This document also defines a YANG [RFC6020] data model for monitoring
   NSFs, which is derived from the information model for NSF monitoring.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [I-D.ietf-i2nsf-terminology] and [RFC8329].

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

4.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall
   security framework.  The monitoring of the NSF provides very valuable
   information to the security controller in maintaining the provisioned
   security posture.  Besides this, there are various other reasons to
   monitor the NSF, as listed below:

   o  The security administrator with I2NSF User can configure a policy
      that is triggered on a specific event occurring in the NSF or the
      network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm].
      If a security controller detects the specified event, it
      configures additional security functions as defined by policies.

   o  The events triggered by an NSF as a result of a security policy
      violation can be used by Security Information and Event Management
      (SIEM) to detect any suspicious activity in a larger correlation
      context.
   o  The events and activity logs from an NSF can be used to build
      advanced analytics, such as behavior and predictive models, to
      improve security posture in large deployments.

   o  The security controller can use events from the NSF for achieving
      high availability.  It can take corrective actions such as
      restarting a failed NSF and horizontally scaling up the NSF.

   o  The events and activity logs from the NSF can aid in the root
      cause analysis of an operational issue, so they can improve
      debugging.

   o  The activity logs from the NSF can be used to build historical
      data for operational and business reasons.

5.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is necessary not
   only to configure an NSF's security policies but also to
   continuously monitor the NSF by consuming acquirable and observable
   information.  This enables security administrators to assess the
   state of the network topology in a timely fashion.  It is not
   possible to block all the internal and external threats based on a
   static security posture.  A more practical approach is supported by
   enabling dynamic security measures, for which continuous visibility
   is required.  This document defines a set of information elements
   (and their scope) that can be acquired from an NSF and can be used as
   NSF monitoring information.  In essence, these types of monitoring
   information can be leveraged to support constant visibility on
   multiple levels of granularity and can be consumed by the
   corresponding functions.

   Three basic domains about the monitoring information originating from
   a system entity [RFC4949] or an NSF are highlighted in this document.

   o  Retention and Emission

   o  Notifications and Events

   o  Unsolicited Poll and Solicited Push

   The Alarm Management Framework in [RFC3877] defines an Event as
   something that happens which may be of interest.
   It defines a fault as a change in status, crossing a threshold, or an
   external input to the system.  In the I2NSF domain, I2NSF events
   [I-D.ietf-i2nsf-terminology] are created, and the scope of the Alarm
   Management Framework's Events is still applicable due to its broad
   definition.  The model presented in this document elaborates on the
   workflow of creating I2NSF events in the context of NSF monitoring
   and on the way initial I2NSF events are created.

   As with I2NSF components, every generic system entity can include a
   set of capabilities [I-D.ietf-i2nsf-terminology] that creates
   information about the context, composition, configuration, state or
   behavior of that system entity.  This information is intended to be
   provided to other consumers of information and, in the scope of this
   document, deals with NSF information monitoring in an automated
   fashion.

5.1.  Retention and Emission

   Typically, a system entity populates standardized interfaces, such as
   SNMP, NETCONF, RESTCONF or CoMI, to provide and emit created
   information directly via the NSF-Facing Interface
   [I-D.ietf-i2nsf-terminology].  Alternatively, the created information
   is retained inside the system entity (or a hierarchy of system
   entities in a composite device) via records or counters that are not
   exposed directly via NSF-Facing Interfaces.

   Information emitted via standardized interfaces can be consumed by an
   I2NSF User [I-D.ietf-i2nsf-terminology] that includes the capability
   to consume information not only via an I2NSF Interface (e.g.,
   [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via
   interfaces complementary to the standardized interfaces a generic
   system entity provides.

   Information retained on a system entity requires a corresponding
   I2NSF User to access aggregated records of information, typically in
   the form of log-files or databases.
   There are ways to aggregate records originating from different system
   entities over a network, for example via the Syslog Protocol
   [RFC5424] or Syslog over TCP [RFC6587].  But even if records are
   conveyed, the result is the same kind of retention in the form of a
   bigger aggregate of records on another system entity.

   An I2NSF User is required to process fresh [RFC4949] records created
   by I2NSF Functions in order to provide them to other I2NSF Components
   via the corresponding I2NSF Interfaces in a timely manner.  This
   process is effectively based on homogenizing functions, which can
   access and convert specific kinds of records into information that
   can be provided and emitted via I2NSF interfaces.

   When retained or emitted, the information required to support
   monitoring processes has to be processed by an I2NSF User at some
   point in the workflow.  Typical locations of these I2NSF Users are:

   o  a system entity that creates the information

   o  a system entity that retains an aggregation of records

   o  an I2NSF Component that includes the capabilities of using
      standardized interfaces provided by other system entities that are
      not I2NSF Components

   o  an I2NSF Component that creates the information

5.2.  Notifications and Events

   A specific task of an I2NSF User is to process I2NSF Policy Rules
   [I-D.ietf-i2nsf-terminology].  The rules of a policy are composed of
   three clauses: Events, Conditions, and Actions.  In consequence, an
   I2NSF Event is specified to trigger an I2NSF Policy Rule.  Such an
   I2NSF Event is defined in [I-D.ietf-i2nsf-terminology] as any
   important occurrence over time in the system being managed, and/or in
   the environment of the system being managed, which aligns well with
   the generic definition of Event from [RFC3877].

   The model illustrated in this document introduces a complementary
   type of information that can be a conveyed notification.
   Notification:  An occurrence of a change of context, composition,
      configuration, state or behavior of a system entity that can be
      directly or indirectly observed by an I2NSF User and can be used
      as input for an event-clause in I2NSF Policy Rules.

      A notification is similar to an I2NSF Event with the exception
      that it is created by a system entity that is not an I2NSF
      Component and that its importance is yet to be assessed.
      Semantically, a notification is not an I2NSF Event in the context
      of I2NSF, although they can potentially use the exact same
      information or data model.  In respect to [RFC3877], a
      Notification is a specific subset of events, because they convey
      information about something that happens which may be of interest.
      In consequence, Notifications may contain information with very
      low expressiveness or relevance.  Hence, additional post-
      processing functions, such as aggregation, correlation or simple
      anomaly detection, might have to be employed to satisfy a level of
      expressiveness that is required for an event-clause of an I2NSF
      Policy Rule.

   It is important to note that the consumer of a notification (the
   observer) assesses the importance of a notification and not the
   producer.  The producer can include metadata in a notification that
   supports the observer in assessing the importance (even metadata
   about severity), but the deciding entity is an I2NSF User.

5.3.  Unsolicited Poll and Solicited Push

   The freshness of the monitored information depends on the acquisition
   method.  Ideally, an I2NSF User accesses all relevant information
   about the I2NSF Component and emits I2NSF Events to a monitoring
   entity (e.g., a Security Controller or another I2NSF User) in a
   timely manner.
   Publication of events via a pubsub/broker model, peer-to-peer meshes,
   or statically defined channels are only a few examples of how a
   solicited push of I2NSF Events can be facilitated.  The actual
   mechanism implemented by an I2NSF Component is out of the scope of
   this document.

   Often, the corresponding management interfaces have to be queried in
   intervals or on demand if required by an I2NSF Policy Rule.  In some
   cases, a collection of information has to be conducted via login
   mechanisms provided by a system entity.  Accessing records of
   information via this kind of unsolicited poll can introduce a
   significant latency in regard to the freshness of the monitored
   information.  The actual definition of intervals implemented by an
   I2NSF Component is also out of scope of this document.

5.4.  I2NSF Monitoring Terminology for Retained Information

   Records:  Unlike information emitted via notifications and events,
      records do not require immediate attention from an analyst but may
      be useful for visibility and retroactive cyber forensics.
      Depending on the record format, there are different qualities in
      regard to structure and detail.  Records are typically stored in
      log-files or databases on a system entity or NSF.  Records in the
      form of log-files usually include less structure but potentially
      more detailed information in regard to the changes of a system
      entity's characteristics.  In contrast, databases often use more
      strict schemas or data models, therefore enforcing a better
      structure.  However, they prohibit storing information that does
      not match those models ("closed world assumption").  Records can
      be continuously processed by I2NSF Agents that act as I2NSF
      Producers and emit events via functions specifically tailored to
      a certain type of record.
      Typically, records are information generated either by an NSF or
      a system entity about operational and informational data, or
      various changes in system characteristics, such as user
      activities, network/traffic status, and network activity.  They
      are important for debugging, auditing and security forensics.

   Counters:  A specific representation of continuous value changes of
      information elements that potentially occur in high frequency.
      Prominent examples are network interface counters, e.g., PDU
      amount or byte amount, drop counters, and error counters.
      Counters are useful in debugging and visibility into operational
      behavior of an NSF.  An I2NSF Agent that observes the progression
      of counters can act as an I2NSF Producer and emit events in
      respect to I2NSF Policy Rules.

6.  Conveyance of NSF Monitoring Information

   As per the use cases of NSF monitoring data, information needs to be
   conveyed to various I2NSF Consumers based on requirements imposed by
   I2NSF Capabilities and workflows.  There are multiple aspects to be
   considered in regard to the emission of monitoring information to
   requesting parties, as listed below:

   o  Pull-Push Model: A set of data can be pushed by an NSF to a
      requesting party or pulled by a requesting party from an NSF.
      Specific types of information might need both models at the same
      time if there are multiple I2NSF Consumers with varying
      requirements.  In general, any I2NSF Event including a high
      severity assessment is considered to be of great importance and
      should be processed as soon as possible (push-model).  Records, in
      contrast, are typically not as critical (pull-model).  The I2NSF
      Architecture does not mandate a specific scheme for each type of
      information, so this is out of scope of this document.
   o  Pub-Sub Model: In order for an I2NSF Provider to push monitoring
      information to multiple appropriate I2NSF Consumers, a
      subscription can be maintained by both I2NSF Components.
      Discovery of available monitoring information can be supported by
      an I2NSF Controller that takes the role of a broker and therefore
      includes I2NSF Capabilities that support registration.

   o  Export Frequency: Monitoring information can be emitted
      immediately upon generation by an NSF to requesting I2NSF
      Consumers or can be pushed periodically.  The frequency of
      exporting the data depends upon its size and timely usefulness.
      It is out of the scope of I2NSF and left to each NSF
      implementation.

   o  Authentication: There may be a need for authentication between an
      I2NSF Producer of monitoring information and its corresponding
      I2NSF Consumer to ensure that critical information remains
      confidential.  Authentication in the scope of I2NSF can also
      require its corresponding content authorization.  This may be
      necessary, for example, if an NSF emits monitoring information to
      an I2NSF Consumer outside its administrative domain.  The I2NSF
      Architecture does not mandate when and how specific authentication
      has to be implemented.

   o  Data-Transfer Model: Monitoring information can be pushed by an
      NSF using a connection-less model that does not require a
      persistent connection, or streamed over a persistent connection.
      An appropriate model depends on the I2NSF Consumer requirements
      and the semantics of the information to be conveyed.

   o  Data Model and Interaction Model for Data in Motion: There are a
      lot of transport mechanisms such as IP, UDP, and TCP.  There are
      also open source implementations for specific sets of data such as
      system counters, e.g., IPFIX [RFC7011] and NetFlow [RFC3954].
      I2NSF does not mandate any specific method for a given data set,
      so it is up to each implementation.
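As an added example (not code from the draft or from any I2NSF implementation), the Python below simulates the conveyance models of Sections 5 and 6: the producer retains every record, pushes subscribed notifications on change, exports counters only on a periodic tick, and answers unsolicited polls, while the I2NSF User, not the producer, decides when correlated low-relevance notifications become an I2NSF Event. Class names, the event name, thresholds and the sample addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Notification:
    """Change observed on a system entity (Section 5.2).  severity is the
    producer's metadata only (0 = highest .. 7 = lowest); the consumer
    decides whether the notification matters.  Names are assumptions."""
    source: str
    kind: str
    time: int                        # constructed timestamp, seconds
    severity: int
    data: dict = field(default_factory=dict)


class SystemEntity:
    """Producer side: retention plus emission (Section 5.1)."""

    def __init__(self, name):
        self.name = name
        self.records = []                     # retained records (pull model)
        self.subscribers = defaultdict(list)  # pub-sub: kind -> callbacks
        self.counters = {}                    # latest counter values

    def subscribe(self, kind, callback):
        self.subscribers[kind].append(callback)

    def emit(self, n):
        """Retain the record and push it to subscribers (solicited push)."""
        self.records.append(n)
        for cb in self.subscribers[n.kind]:
            cb(n)
        return n

    def update_counter(self, name, value):
        # Counters change monotonically and often; per Section 6.1 they are
        # not pushed on every change, only exported on the periodic tick.
        self.counters[name] = value

    def export_counters(self, now):
        """Periodic export (Section 6, Export Frequency)."""
        snap = Notification(self.name, "counters", now, 7, dict(self.counters))
        for cb in self.subscribers["counters"]:
            cb(snap)
        return snap

    def poll(self, kind, since):
        """Unsolicited poll (Section 5.3): a consumer queries retained records."""
        return [r for r in self.records if r.kind == kind and r.time >= since]


class I2nsfUser:
    """Consumer side: correlates notifications into I2NSF Events itself."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.failed = defaultdict(deque)      # login_ip -> recent failure times
        self.events = []                      # I2NSF Events this User created
        self.counter_snapshots = []

    def on_notification(self, n):
        if n.kind == "counters":
            self.counter_snapshots.append(n.data)
            return None
        if n.kind == "login_failed":
            q = self.failed[n.data["login_ip"]]
            q.append(n.time)
            while q and n.time - q[0] > self.window:   # drop old failures
                q.popleft()
            if len(q) >= self.threshold:
                # Producer said severity 6 (low); the observer upgrades the
                # correlated burst to an event (assumed event name).
                ev = {"event_name": "REPEATED_LOGIN_FAILURE",
                      "login_ip": n.data["login_ip"],
                      "count": len(q), "time": n.time}
                self.events.append(ev)
                q.clear()
                return ev
        return None


def run_demo():
    """Constructed scenario: returns what the consumer saw by each method."""
    nsf, user = SystemEntity("nsf-1"), I2nsfUser(window=60, threshold=3)
    nsf.subscribe("login_failed", user.on_notification)
    nsf.subscribe("counters", user.on_notification)
    # Three low-severity failures from one address within 40 s ...
    for t in (100, 120, 140):
        nsf.emit(Notification("host-a", "login_failed", t, 6,
                              {"login_ip": "192.0.2.10"}))
    # ... and one unrelated failure that should not become an event.
    nsf.emit(Notification("host-a", "login_failed", 150, 6,
                          {"login_ip": "198.51.100.7"}))
    # Counter updates are silent until the periodic export.
    for pkts in (1000, 1500, 2200):
        nsf.update_counter("in_total_traffic_pkts", pkts)
    nsf.export_counters(now=160)
    return {"events": user.events,
            "polled": nsf.poll("login_failed", since=130),
            "snapshots": user.counter_snapshots,
            "retained": len(nsf.records)}


if __name__ == "__main__":
    print(run_demo())
```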
6.1.  Information Types and Acquisition Methods

   In this document, most of the defined information types benefit from
   high visibility with respect to value changes, e.g., alarms and
   records.  In contrast, values that change monotonically in a
   continuous way do not benefit from this high visibility.  On the
   contrary, emitting each change would result in a useless amount of
   value updates.  Hence, values such as counters are best acquired in
   periodic intervals.

   The mechanisms provided by YANG Push [I-D.ietf-netconf-yang-push] and
   YANG Subscribed Notifications
   [I-D.ietf-netconf-subscribed-notifications] address exactly this set
   of requirements.  YANG also enables semantically well-structured
   information, as well as subscriptions to datastores or event streams,
   either on change or periodically.

   In consequence, the information model in this document is intended
   to support data models used in solicited or unsolicited event streams
   that potentially are facilitated by a subscription mechanism.  A
   subset of the information elements defined in the information model
   addresses this domain of application.

7.  Basic Information Model for All Monitoring Data

   As explained in the section above, there is a wealth of data
   available from the NSF that can be monitored.  Firstly, each
   monitoring message sent from an NSF must carry some general
   information that helps a consumer identify the metadata of that
   message, as listed below:

   o  message_version: It indicates the version of the data format and
      is a two-digit decimal numeral starting from 01.

   o  message_type: Event, Alert, Alarm, Log, Counter, etc.

   o  time_stamp: It indicates the time when the message is generated.

   o  vendor_name: The name of the NSF vendor.

   o  NSF_name: The name (or IP) of the NSF generating the message.

   o  Module_name: The module name outputting the message.
   o  Severity: It indicates the level of the logs.  There are eight
      levels in total, from 0 to 7.  The smaller the numeral is, the
      higher the severity is.

8.  Extended Information Model for Monitoring Data

   This section covers the additional information associated with the
   system messages.  The extended information model is only for
   structured data such as alarms.  Any unstructured data is specified
   with the basic information model only.

8.1.  System Alarm

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: no-dampening

8.1.1.  Memory Alarm

   The following information should be included in a Memory Alarm:

   o  event_name: MEM_USAGE_ALARM

   o  module_name: It indicates the NSF module responsible for
      generating this alarm.

   o  usage: Specifies the amount of memory used.

   o  threshold: The threshold triggering the alarm

   o  severity: The severity of the alarm such as critical, high,
      medium, low

   o  message: The memory usage exceeded the threshold.

8.1.2.  CPU Alarm

   The following information should be included in a CPU Alarm:

   o  event_name: CPU_USAGE_ALARM

   o  usage: Specifies the amount of CPU used.

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm such as critical, high,
      medium, low

   o  message: The CPU usage exceeded the threshold.

8.1.3.  Disk Alarm

   The following information should be included in a Disk Alarm:

   o  event_name: DISK_USAGE_ALARM

   o  usage: Specifies the amount of disk space used.

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm such as critical, high,
      medium, low

   o  message: The disk usage exceeded the threshold.

8.1.4.  Hardware Alarm

   The following information should be included in a Hardware Alarm:

   o  event_name: HW_FAILURE_ALARM

   o  component_name: It indicates the HW component responsible for
      generating this alarm.

   o  threshold: The threshold triggering the alarm

   o  severity: The severity of the alarm such as critical, high,
      medium, low

   o  message: The HW component has failed or degraded.

8.1.5.  Interface Alarm

   The following information should be included in an Interface Alarm:

   o  event_name: IFNET_STATE_ALARM

   o  interface_Name: The name of the interface

   o  interface_state: UP, DOWN, CONGESTED

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm such as critical, high,
      medium, low

   o  message: Current interface state

8.2.  System Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

8.2.1.  Access Violation

   The following information should be included in this event:

   o  event_name: ACCESS_DENIED

   o  user: Name of a user

   o  group: Group to which a user belongs

   o  login_ip_address: Login IP address of a user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, Single Sign-On (SSO) Authentication

   o  message: Access is denied.

8.2.2.  Configuration Change

   The following information should be included in this event:

   o  event_name: CONFIG_CHANGE

   o  user: Name of a user

   o  group: Group to which a user belongs

   o  login_ip_address: Login IP address of a user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication

   o  message: Configuration is modified.

8.3.  System Log

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

8.3.1.  Access Logs

   Access logs record administrators' login, logout, and operations on a
   device.  By analyzing them, security vulnerabilities can be
   identified.  The following information should be included in an
   operation report:

   o  Administrator: Administrator that operates on the device

   o  login_ip_address: IP address used by an administrator to log in

   o  login_mode: Specifies the mode in which the administrator logs
      in, e.g., root, user

   o  operation_type: The operation type that the administrator
      executes, e.g., login, logout, and configuration.

   o  result: Command execution result

   o  content: Operation performed by an administrator after login.

8.3.2.  Resource Utilization Logs

   Running reports record the device system's running status, which is
   useful for device monitoring.  The following information should be
   included in a running report:

   o  system_status: The current system's running status

   o  CPU_usage: Specifies the CPU usage.

   o  memory_usage: Specifies the memory usage.

   o  disk_usage: Specifies the disk usage.

   o  disk_left: Specifies the available disk space left.

   o  session_number: Specifies total concurrent sessions.

   o  process_number: Specifies total number of system processes.

   o  in_traffic_rate: The total inbound traffic rate in pps

   o  out_traffic_rate: The total outbound traffic rate in pps

   o  in_traffic_speed: The total inbound traffic speed in bps

   o  out_traffic_speed: The total outbound traffic speed in bps

8.3.3.  User Activity Logs

   User activity logs provide visibility into users' online records
   (such as login time, online/lockout duration, and login IP addresses)
   and the actions that users perform.  User activity reports are
   helpful to identify exceptions during a user's login and network
   access activities.
   o  user: Name of a user

   o  group: Group to which a user belongs

   o  login_ip_address: Login IP address of a user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication

   o  access_mode: User access mode, e.g., PPP, SVN, LOCAL

   o  online_duration: Online duration

   o  lockout_duration: Lockout duration

   o  type: User activities, e.g., Successful User Login, Failed Login
      attempts, User Logout, Successful User Password Change, Failed
      User Password Change, User Lockout, User Unlocking, Unknown

   o  cause: Cause of a failed user activity

8.4.  System Counters

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

8.4.1.  Interface Counters

   Interface counters provide visibility into traffic into and out of an
   NSF, and into bandwidth usage.

   o  interface_name: Network interface name configured in the NSF

   o  in_total_traffic_pkts: Total inbound packets

   o  out_total_traffic_pkts: Total outbound packets

   o  in_total_traffic_bytes: Total inbound bytes

   o  out_total_traffic_bytes: Total outbound bytes

   o  in_drop_traffic_pkts: Total inbound dropped packets

   o  out_drop_traffic_pkts: Total outbound dropped packets

   o  in_drop_traffic_bytes: Total inbound dropped bytes

   o  out_drop_traffic_bytes: Total outbound dropped bytes

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps

8.5.  NSF Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: none

8.5.1.  DDoS Event

   The following information should be included in a DDoS Event:

   o  event_name: SEC_EVENT_DDoS

   o  sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood,
      FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS
      flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood,
      etc.

   o  dst_ip: The IP address of the victim under attack

   o  dst_port: The port number that the attack traffic aims at.

   o  start_time: The time stamp indicating when the attack started

   o  end_time: The time stamp indicating when the attack ended.  If the
      attack is still ongoing when the alarm is sent out, this field
      can be empty.

   o  attack_rate: The pps of attack traffic

   o  attack_speed: The bps of attack traffic

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches.

8.5.2.  Session Table Event

   The following information should be included in a Session Table
   Event:

   o  event_name: SESSION_USAGE_HIGH

   o  current: The number of concurrent sessions

   o  max: The maximum number of sessions that the session table can
      support

   o  threshold: The threshold triggering the event

   o  message: The number of sessions in the session table exceeded the
      threshold.

8.5.3.  Virus Event

   The following information should be included in a Virus Event:

   o  event_name: SEC_EVENT_VIRUS

   o  virus_type: Type of the virus, e.g., trojan, worm, macro virus

   o  virus_name: Name of the virus

   o  dst_ip: The destination IP address of the packet in which the
      virus is found

   o  src_ip: The source IP address of the packet in which the virus is
      found

   o  src_port: The source port of the packet in which the virus is
      found

   o  dst_port: The destination port of the packet in which the virus
      is found

   o  src_zone: The source security zone of the packet in which the
      virus is found

   o  dst_zone: The destination security zone of the packet in which
      the virus is found

   o  file_type: The type of the file in which the virus is hidden

   o  file_name: The name of the file in which the virus is hidden

   o  virus_info: A brief description of the virus

   o  raw_info: The information describing the packet triggering the
      event.

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches.

8.5.4.  Intrusion Event

   The following information should be included in an Intrusion Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Intrusion

   o  sub_attack_type: Attack type, e.g., brute force and buffer
      overflow

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

   o  intrusion_info: Simple description of the intrusion

   o  raw_info: The information describing the packet triggering the
      event

8.5.5.  Botnet Event

   The following information should be included in a Botnet Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Botnet

   o  botnet_name: The name of the detected botnet

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  role: The role of the communicating parties within the botnet:

      1.  The packet from the zombie host to the attacker

      2.  The packet from the attacker to the zombie host

      3.  The packet from the IRC/WEB server to the zombie host

      4.  The packet from the zombie host to the IRC/WEB server

      5.  The packet from the attacker to the IRC/WEB server

      6.  The packet from the IRC/WEB server to the attacker

      7.  The packet from the zombie host to the victim

   o  botnet_info: Simple description of the botnet

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

   o  raw_info: The information describing the packet triggering the
      event.

8.5.6.  Web Attack Event

   The following information should be included in a Web Attack Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_WebAttack

   o  sub_attack_type: Concrete web attack type, e.g., SQL injection,
      command injection, XSS, CSRF

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  req_method: The request method, for instance "PUT" and "GET" in
      HTTP

   o  req_url: Requested URL

   o  url_category: Matched URL category

   o  filtering_type: URL filtering type, e.g., Blacklist, Whitelist,
      User-Defined, Predefined, Malicious Category, and Unknown

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

8.6.  NSF Logs

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

8.6.1.  DDoS Logs

   Besides the fields in a DDoS Event, the following information should
   be included in DDoS Logs:

   o  attack_type: DDoS

   o  attack_ave_rate: The average pps of the attack traffic within the
      recorded time

   o  attack_ave_speed: The average bps of the attack traffic within the
      recorded time

   o  attack_pkt_num: The number of attack packets within the recorded
      time

   o  attack_src_ip: The source IP addresses of the attack traffic.  If
      there are a large number of source addresses, a subset of them is
      selected according to implementation-specific rules.

   o  action: Actions against DDoS attacks, e.g., Allow, Alert, Block,
      Discard, Declare, Block-ip, and Block-service.

8.6.2.  Virus Logs

   Besides the fields in a Virus Event, the following information should
   be included in Virus Logs:

   o  attack_type: Virus

   o  protocol: The transport layer protocol

   o  app: The name of the application layer protocol

   o  times: The time at which the virus was detected

   o  action: The actions dealing with the virus, e.g., alert and block

   o  os: The OS that the virus affects, e.g., all, android, ios, unix,
      and windows

8.6.3.  Intrusion Logs

   Besides the fields in an Intrusion Event, the following information
   should be included in Intrusion Logs:

   o  attack_type: Intrusion

   o  times: The number of intrusions that happened in the recorded time

   o  os: The OS that the intrusion affects, e.g., all, android, ios,
      unix, and windows

   o  action: The actions dealing with the intrusions, e.g., Allow,
      Alert, Block, Discard, Declare, Block-ip, and Block-service

   o  attack_rate: The pps of attack traffic

   o  attack_speed: The bps of attack traffic

8.6.4.  Botnet Logs

   Besides the fields in a Botnet Event, the following information
   should be included in Botnet Logs:

   o  attack_type: Botnet

   o  botnet_pkt_num: The number of packets sent to or from the detected
      botnet

   o  action: The actions dealing with the detected packets, e.g.,
      Allow, Alert, Block, Discard, Declare, Block-ip, and Block-
      service.

   o  os: The OS that the attack aims at, e.g., all, android, ios, unix,
      and windows.

8.6.5.  DPI Logs

   DPI Logs provide statistics on uploaded and downloaded files and
   data, sent and received emails, and alert and block records on
   websites.  They help identify risky user behavior and explain why
   access to some URLs is blocked, or allowed with an alert record.

   o  type: DPI action types, e.g., File Blocking, Data Filtering, and
      Application Behavior Control

   o  file_name: The file name

   o  file_type: The file type

   o  src_zone: Source security zone of the traffic

   o  dst_zone: Destination security zone of the traffic

   o  src_region: Source region of the traffic

   o  dst_region: Destination region of the traffic

   o  src_ip: Source IP address of the traffic

   o  src_user: User who generates the traffic

   o  dst_ip: Destination IP address of the traffic

   o  src_port: Source port of the traffic

   o  dst_port: Destination port of the traffic

   o  protocol: Protocol type of the traffic

   o  app: Application type of the traffic

   o  policy_id: Security policy ID that the traffic matches

   o  policy_name: Security policy name that the traffic matches

   o  action: Action defined in the file blocking rule, data filtering
      rule, or application behavior control rule that the traffic
      matches.

8.6.6.  Vulnerability Scanning Logs

   Vulnerability scanning logs record the victim host and its related
   vulnerability information that should be fixed.  The following
   information should be included in the report:

   o  victim_ip: IP address of the victim host which has vulnerabilities

   o  vulnerability_id: The vulnerability ID

   o  vulnerability_level: The vulnerability level, e.g., high, middle,
      and low

   o  OS: The operating system of the victim host

   o  service: The service which has the vulnerability on the victim
      host

   o  protocol: The protocol type, e.g., TCP and UDP

   o  port: The port number

   o  vulnerability_info: The information about the vulnerability

   o  fix_suggestion: The fix suggestion for the vulnerability.

8.6.7.  Web Attack Logs

   Besides the fields in a Web Attack Event, the following information
   should be included in Web Attack Logs:

   o  attack_type: Web Attack

   o  rsp_code: Response code

   o  req_clientapp: The client application

   o  req_cookies: Cookies

   o  req_host: The domain name of the requested host

   o  raw_info: The information describing the packet triggering the
      event.

8.7.  NSF Counters

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

8.7.1.  Firewall Counters

   Firewall counters provide visibility into traffic signatures,
   bandwidth usage, and how the configured security and bandwidth
   policies have been applied.

   o  src_zone: Source security zone of the traffic

   o  dst_zone: Destination security zone of the traffic

   o  src_region: Source region of the traffic

   o  dst_region: Destination region of the traffic

   o  src_ip: Source IP address of the traffic

   o  src_user: User who generates the traffic

   o  dst_ip: Destination IP address of the traffic

   o  src_port: Source port of the traffic

   o  dst_port: Destination port of the traffic

   o  protocol: Protocol type of the traffic

   o  app: Application type of the traffic

   o  policy_id: Security policy ID that the traffic matches

   o  policy_name: Security policy name that the traffic matches

   o  in_interface: Inbound interface of the traffic

   o  out_interface: Outbound interface of the traffic

   o  total_traffic: Total traffic volume

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps.

8.7.2.  Policy Hit Counters

   Policy Hit Counters record the security policy that traffic matches
   and its hit count.  They can be used to check whether policy
   configurations are correct.

   o  src_zone: Source security zone of the traffic

   o  dst_zone: Destination security zone of the traffic

   o  src_region: Source region of the traffic

   o  dst_region: Destination region of the traffic

   o  src_ip: Source IP address of the traffic

   o  src_user: User who generates the traffic

   o  dst_ip: Destination IP address of the traffic

   o  src_port: Source port of the traffic

   o  dst_port: Destination port of the traffic

   o  protocol: Protocol type of the traffic

   o  app: Application type of the traffic

   o  policy_id: Security policy ID that the traffic matches

   o  policy_name: Security policy name that the traffic matches

   o  hit_times: The number of times the security policy matched the
      specified traffic.

9.  YANG Data Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [I-D.ietf-i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are
      also marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

10.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an administrator
   to check the monitoring data generated by an NSF.  The administrator
   can check the monitoring data through the following process.  When
   an NSF generates monitoring data in the standard format, it forwards
   the data to the Security Controller.  The Security Controller
   delivers the data to the I2NSF Consumer or to the Developer's
   Management System (DMS) so that the administrator can learn the state
   of the I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.  The three main interfaces in the
   I2NSF framework are used for sending monitoring data as follows:

   o  I2NSF Consumer-Facing Interface
      [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User
      makes a security policy and forwards it to the Security Controller
      via the Consumer-Facing Interface, it can specify the threat feed
      for threat prevention, the custom list, the malicious code scan
      group, and the event map group.  These can be used as events to be
      monitored by an NSF.

   o  I2NSF Registration Interface
      [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions
      Virtualization (NFV) architecture provides the lifecycle
      management of a Virtual Network Function (VNF) via the Ve-Vnfm
      interface.  The role of Ve-Vnfm is to request VNF lifecycle
      management (e.g., the instantiation and de-instantiation of an
      NSF, and load balancing among NSFs), exchange configuration
      information, and exchange status information for a network
      service.  In the I2NSF framework, the DMS manages data about
      resource states and network traffic for the lifecycle management
      of an NSF.  Therefore, the monitoring data generated by NSFs are
      delivered from the Security Controller to the DMS via the
      Registration Interface.  These data are delivered from the DMS to
      the VNF Manager in the Management and Orchestration (MANO) of the
      NFV system [I-D.yang-i2nsf-nfv-architecture].
   o  I2NSF NSF-Facing Interface
      [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level
      security policy from an I2NSF User is translated by the security
      policy translator [I-D.yang-i2nsf-security-policy-translation] in
      the Security Controller, the translated security policy (i.e.,
      low-level policy) is applied to an NSF via the NSF-Facing
      Interface.  The monitoring data model specifies the list of events
      that can trigger Event-Condition-Action (ECA) policies via the
      NSF-Facing Interface.

11.  YANG Data Model Structure

   Figure 1 shows the overview of the YANG data tree of the NSF
   monitoring information model.

   module: ietf-i2nsf-nsf-monitoring-dm
     +--rw counters
        +--rw system-interface
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw interface-name?           string
        |  +--rw in-total-traffic-pkts?    uint32
        |  +--rw out-total-traffic-pkts?   uint32
        |  +--rw in-total-traffic-bytes?   uint32
        |  +--rw out-total-traffic-bytes?  uint32
        |  +--rw in-drop-traffic-pkts?     uint32
        |  +--rw out-drop-traffic-pkts?    uint32
        |  +--rw in-drop-traffic-bytes?    uint32
        |  +--rw out-drop-traffic-bytes?   uint32
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        |  +--rw message?                  string
        |  +--rw time-stamp?               yang:date-and-time
        |  +--rw vendor-name?              string
        |  +--rw nsf-name?                 string
        |  +--rw module-name?              string
        |  +--rw severity?                 severity
        +--rw nsf-firewall
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw src-ip?                   inet:ipv4-address
        |  +--rw dst-ip?                   inet:ipv4-address
        |  +--rw src-port?                 inet:port-number
        |  +--rw dst-port?                 inet:port-number
        |  +--rw src-zone?                 string
        |  +--rw dst-zone?                 string
        |  +--rw src-region?               string
        |  +--rw dst-region?               string
        |  +--rw policy-id?                uint8
        |  +--rw policy-name?              string
        |  +--rw src-user?                 string
        |  +--rw protocol?                 identityref
        |  +--rw app?                      string
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        +--rw nsf-policy-hits
           +--rw acquisition-method?       identityref
           +--rw emission-type?            identityref
           +--rw dampening-type?           identityref
           +--rw src-ip?                   inet:ipv4-address
           +--rw dst-ip?                   inet:ipv4-address
           +--rw src-port?                 inet:port-number
           +--rw dst-port?                 inet:port-number
           +--rw src-zone?                 string
           +--rw dst-zone?                 string
           +--rw src-region?               string
           +--rw dst-region?               string
           +--rw policy-id?                uint8
           +--rw policy-name?              string
           +--rw src-user?                 string
           +--rw protocol?                 identityref
           +--rw app?                      string
           +--rw message?                  string
           +--rw time-stamp?               yang:date-and-time
           +--rw vendor-name?              string
           +--rw nsf-name?                 string
           +--rw module-name?              string
           +--rw severity?                 severity
           +--rw hit-times?                uint32

     notifications:
       +---n system-detection-alarm
       |  +--ro alarm-catagory?          identityref
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro usage?                   uint8
       |  +--ro threshold?               uint8
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n system-detection-event
       |  +--ro event-catagory?          identityref
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro user                     string
       |  +--ro group                    string
       |  +--ro login-ip-addr            inet:ipv4-address
       |  +--ro authentication?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-flood
       |  +--ro event-name?              identityref
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro dst-port?                inet:port-number
       |  +--ro rule-id                  uint8
       |  +--ro rule-name                string
       |  +--ro profile?                 string
       |  +--ro raw-info?                string
       |  +--ro sub-attack-type?         identityref
       |  +--ro start-time               yang:date-and-time
       |  +--ro end-time                 yang:date-and-time
       |  +--ro attack-rate?             uint32
       |  +--ro attack-speed?            uint32
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-session-table
       |  +--ro current-session?         uint8
       |  +--ro maximum-session?         uint8
       |  +--ro threshold?               uint8
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-virus
       |  +--ro src-ip?                  inet:ipv4-address
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro src-port?                inet:port-number
       |  +--ro dst-port?                inet:port-number
       |  +--ro src-zone?                string
       |  +--ro dst-zone?                string
       |  +--ro rule-id                  uint8
       |  +--ro rule-name                string
       |  +--ro profile?                 string
       |  +--ro raw-info?                string
       |  +--ro virus?                   identityref
       |  +--ro virus-name?              string
       |  +--ro file-type?               string
       |  +--ro file-name?               string
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-intrusion
       |  +--ro src-ip?                  inet:ipv4-address
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro src-port?                inet:port-number
       |  +--ro dst-port?                inet:port-number
       |  +--ro src-zone?                string
       |  +--ro dst-zone?                string
       |  +--ro rule-id                  uint8
       |  +--ro rule-name                string
       |  +--ro profile?                 string
       |  +--ro raw-info?                string
       |  +--ro protocol?                identityref
       |  +--ro app?                     string
       |  +--ro sub-attack-type?         identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-botnet
       |  +--ro src-ip?                  inet:ipv4-address
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro src-port?                inet:port-number
       |  +--ro dst-port?                inet:port-number
       |  +--ro src-zone?                string
       |  +--ro dst-zone?                string
       |  +--ro rule-id                  uint8
       |  +--ro rule-name                string
       |  +--ro profile?                 string
       |  +--ro raw-info?                string
       |  +--ro attack-type?             identityref
       |  +--ro protocol?                identityref
       |  +--ro botnet-name?             string
       |  +--ro role?                    string
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-detection-web-attack
       |  +--ro src-ip?                  inet:ipv4-address
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro src-port?                inet:port-number
       |  +--ro dst-port?                inet:port-number
       |  +--ro src-zone?                string
       |  +--ro dst-zone?                string
       |  +--ro rule-id                  uint8
       |  +--ro rule-name                string
       |  +--ro profile?                 string
       |  +--ro raw-info?                string
       |  +--ro sub-attack-type?         identityref
       |  +--ro request-method?          identityref
       |  +--ro req-uri?                 string
       |  +--ro uri-category?            string
       |  +--ro filtering-type*          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n system-access-log
       |  +--ro login-ip                 inet:ipv4-address
       |  +--ro administrator?           string
       |  +--ro login-mode?              login-mode
       |  +--ro operation-type?          operation-type
       |  +--ro result?                  string
       |  +--ro content?                 string
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       +---n system-res-util-log
       |  +--ro system-status?           string
       |  +--ro cpu-usage?               uint8
       |  +--ro memory-usage?            uint8
       |  +--ro disk-usage?              uint8
       |  +--ro disk-left?               uint8
       |  +--ro session-num?             uint8
       |  +--ro process-num?             uint8
       |  +--ro in-traffic-rate?         uint32
       |  +--ro out-traffic-rate?        uint32
       |  +--ro in-traffic-speed?        uint32
       |  +--ro out-traffic-speed?       uint32
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       +---n system-user-activity-log
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro user                     string
       |  +--ro group                    string
       |  +--ro login-ip-addr            inet:ipv4-address
       |  +--ro authentication?          identityref
       |  +--ro access?                  identityref
       |  +--ro online-duration?         string
       |  +--ro logout-duration?         string
       |  +--ro addtional-info?          string
       +---n nsf-log-ddos
       |  +--ro attack-type?             identityref
       |  +--ro attack-ave-rate?         uint32
       |  +--ro attack-ave-speed?        uint32
       |  +--ro attack-pkt-num?          uint32
       |  +--ro attack-src-ip?           inet:ipv4-address
       |  +--ro action?                  log-action
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-virus
       |  +--ro attack-type?             identityref
       |  +--ro action?                  log-action
       |  +--ro os?                      string
       |  +--ro time                     yang:date-and-time
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-intrusion
       |  +--ro attack-type?             identityref
       |  +--ro action?                  log-action
       |  +--ro time                     yang:date-and-time
       |  +--ro attack-rate?             uint32
       |  +--ro attack-speed?            uint32
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-botnet
       |  +--ro attack-type?             identityref
       |  +--ro action?                  log-action
       |  +--ro botnet-pkt-num?          uint8
       |  +--ro os?                      string
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-dpi
       |  +--ro attack-type?             dpi-type
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro src-ip?                  inet:ipv4-address
       |  +--ro dst-ip?                  inet:ipv4-address
       |  +--ro src-port?                inet:port-number
       |  +--ro dst-port?                inet:port-number
       |  +--ro src-zone?                string
       |  +--ro dst-zone?                string
       |  +--ro src-region?              string
       |  +--ro dst-region?              string
       |  +--ro policy-id?               uint8
       |  +--ro policy-name?             string
       |  +--ro src-user?                string
       |  +--ro protocol?                identityref
       |  +--ro app?                     string
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-vuln-scan
       |  +--ro vulnerability-id?        uint8
       |  +--ro victim-ip?               inet:ipv4-address
       |  +--ro protocol?                identityref
       |  +--ro port-num?                inet:port-number
       |  +--ro level?                   severity
       |  +--ro os?                      string
       |  +--ro vulnerability-info?      string
       |  +--ro fix-suggestion?          string
       |  +--ro service?                 string
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n nsf-log-web-attack
          +--ro attack-type?             identityref
          +--ro rsp-code?                string
          +--ro req-clientapp?           string
          +--ro req-cookies?             string
          +--ro req-host?                string
          +--ro raw-info?                string
          +--ro acquisition-method?      identityref
          +--ro emission-type?           identityref
          +--ro dampening-type?          identityref
          +--ro message?                 string
          +--ro time-stamp?              yang:date-and-time
          +--ro vendor-name?             string
          +--ro nsf-name?                string
          +--ro module-name?             string
          +--ro severity?                severity

               Figure 1: Information Model for NSF Monitoring

12.  YANG Data Model

   This section introduces a YANG data model for the NSF monitoring
   information model.  Note that the typedef "severity" below defines
   the values high, middle, and low, whereas the alarm and event
   descriptions in Section 8 use critical, high, medium, and low; an
   implementation has to map the Section 8 values onto the typedef.

   file "ietf-i2nsf-nsf-monitoring-dm@2018-11-15.yang"
   module ietf-i2nsf-nsf-monitoring-dm {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm";
     prefix
       monitoring-information;
     import ietf-inet-types{
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";
     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong

        Editor: Dongjin Hong
        ";

     description
       "This module defines a YANG data model for monitoring NSFs.";

     revision "2018-11-15" {
       description "Seventh revision";
       reference
         "draft-zhang-i2nsf-info-model-monitoring-07";
     }

     typedef severity {
       type enumeration {
         enum high {
           description
             "high-level";
         }
         enum middle {
           description
             "middle-level";
         }
         enum low {
           description
             "low-level";
         }
       }
       description
         "An indicator representing severity";
     }
     typedef log-action {
       type enumeration {
         enum allow {
           description
             "If action is allow";
         }
         enum alert {
           description
             "If action is alert";
         }
         enum block {
           description
             "If action is block";
         }
         enum discard {
           description
             "If action is discard";
         }
         enum declare {
           description
             "If action is declare";
         }
         enum block-ip {
           description
             "If action is block-ip";
         }
         enum block-service{
           description
             "If action is block-service";
         }
       }
       description
         "The action taken on the traffic recorded in a log";

     }
     typedef dpi-type{
       type enumeration {
         enum file-blocking{
           description
             "DPI for blocking file";
         }
         enum data-filtering{
           description
             "DPI for filtering data";
         }
         enum application-behavior-control{
           description
             "DPI for controlling application behavior";
         }
       }
       description
         "The type of DPI action";
     }
     typedef operation-type{
       type enumeration {
         enum login{
           description
             "Login operation";
         }
         enum logout{
           description
             "Logout operation";
         }
         enum configuration{
           description
             "Configuration operation";
         }
       }
       description
         "An indicator representing operation-type";
     }
     typedef login-mode{
       type enumeration {
         enum root{
           description
             "Root login-mode";
         }
         enum user{
           description
             "User login-mode";
         }
         enum guest{
           description
             "Guest login-mode";
         }
       }
       description
         "An indicator representing login-mode";
     }

     identity characteristics {
       description
         "Base identity for monitoring information
          characteristics";
     }
     identity acquisition-method {
       base characteristics;
       description
         "The type of acquisition-method.
Can be multiple types at once."; 1879 } 1880 identity subscription { 1881 base acquisition-method; 1882 description 1883 "The acquisition-method type is subscription"; 1884 } 1885 identity query { 1886 base acquisition-method; 1887 description 1888 "The acquisition-method type is query"; 1889 } 1890 identity emission-type { 1891 base characteristics; 1892 description 1893 "The type of emission-type."; 1894 } 1895 identity periodical { 1896 base emission-type; 1897 description 1898 "The emission-type type is periodical."; 1899 } 1900 identity on-change { 1901 base emission-type; 1902 description 1903 "The emission-type type is on-change."; 1904 } 1905 identity dampening-type { 1906 base characteristics; 1907 description 1908 "The type of dampening-type."; 1909 } 1910 identity no-dampening { 1911 base dampening-type; 1912 description 1913 "The dampening-type is no-dampening."; 1914 } 1915 identity on-repetition { 1916 base dampening-type; 1917 description 1918 "The dampening-type is on-repetition."; 1919 } 1920 identity none { 1921 base dampening-type; 1922 description 1923 "The dampening-type is none."; 1924 } 1926 identity authentication-mode { 1927 description 1928 "User authentication mode types: e.g., Local Authentication, 1929 Third-Party Server Authentication, 1930 Authentication Exemption, or Single Sign-On (SSO) 1931 Authentication."; 1932 } 1933 identity local-authentication { 1934 base authentication-mode; 1935 description 1936 "Authentication-mode : local authentication."; 1937 } 1938 identity third-party-server-authentication { 1939 base authentication-mode; 1940 description 1941 "If authentication-mode is 1942 third-part-server-authentication"; 1943 } 1944 identity exemption-authentication { 1945 base authentication-mode; 1946 description 1947 "If authentication-mode is 1948 exemption-authentication"; 1949 } 1950 identity sso-authentication { 1951 base authentication-mode; 1952 description 1953 "If authentication-mode is 1954 sso-authentication"; 1955 } 
  identity alarm-type {
    description "Base identity for detectable alarm types";
  }
  identity MEM-USAGE-ALARM {
    base alarm-type;
    description "A memory usage alarm is raised";
  }
  identity CPU-USAGE-ALARM {
    base alarm-type;
    description "A CPU usage alarm is raised";
  }
  identity DISK-USAGE-ALARM {
    base alarm-type;
    description "A disk usage alarm is raised";
  }
  identity HW-FAILURE-ALARM {
    base alarm-type;
    description "A hardware failure alarm is raised";
  }
  identity IFNET-STATE-ALARM {
    base alarm-type;
    description "An interface state alarm is raised";
  }
  identity event-type {
    description "Base identity for detectable event types";
  }
  identity ACCESS-DENIED {
    base event-type;
    description "The system event is access-denied.";
  }
  identity CONFIG-CHANGE {
    base event-type;
    description "The system event is config-change.";
  }

  identity flood-type {
    description "Base identity for detectable flood types";
  }
  identity syn-flood {
    base flood-type;
    description "A SYN flood is detected";
  }
  identity ack-flood {
    base flood-type;
    description "An ACK flood is detected";
  }
  identity syn-ack-flood {
    base flood-type;
    description "A SYN-ACK flood is detected";
  }
  identity fin-rst-flood {
    base flood-type;
    description "A FIN-RST flood is detected";
  }
  identity tcp-con-flood {
    base flood-type;
    description "A TCP connection flood is detected";
  }
  identity udp-flood {
    base flood-type;
    description "A UDP flood is detected";
  }
  identity icmp-flood {
    base flood-type;
    description "An ICMP flood is detected";
  }
  identity https-flood {
    base flood-type;
    description "An HTTPS flood is detected";
  }
  identity http-flood {
    base flood-type;
    description "An HTTP flood is detected";
  }
  identity dns-reply-flood {
    base flood-type;
    description "A DNS reply flood is detected";
  }
  identity dns-query-flood {
    base flood-type;
    description "A DNS query flood is detected";
  }
  identity sip-flood {
    base flood-type;
    description "A SIP flood is detected";
  }

  identity nsf-event-name {
    description "Base identity for detectable NSF event types";
  }
  identity SEC-EVENT-DDOS {
    base nsf-event-name;
    description "The NSF event is sec-event-ddos.";
  }
  identity SESSION-USAGE-HIGH {
    base nsf-event-name;
    description "The NSF event is session-usage-high.";
  }
  identity SEC-EVENT-VIRUS {
    base nsf-event-name;
    description "The NSF event is sec-event-virus.";
  }
  identity SEC-EVENT-INTRUSION {
    base nsf-event-name;
    description "The NSF event is sec-event-intrusion.";
  }
  identity SEC-EVENT-BOTNET {
    base nsf-event-name;
    description "The NSF event is sec-event-botnet.";
  }
  identity SEC-EVENT-WEBATTACK {
    base nsf-event-name;
    description "The NSF event is sec-event-webattack.";
  }
  identity attack-type {
    description
      "The root identity of attack-based notifications
       in the notification taxonomy";
  }
  identity system-attack-type {
    base attack-type;
    description
      "This identity is intended to be used
       in the context of system events";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This identity is intended to be used in the context of
       NSF events";
  }
  identity botnet-attack-type {
    base nsf-attack-type;
    description
      "An identity stub that only indicates that the attack type
       is botnet. The usual semantics and taxonomy are missing,
       and the botnet name is used instead.";
  }
  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. Can be multiple types at once. This
       attack type is associated with a detected virus attack.";
  }
  identity trojan {
    base virus-type;
    description "The detected virus type is trojan";
  }
  identity worm {
    base virus-type;
    description "The detected virus type is worm";
  }
  identity macro {
    base virus-type;
    description "The detected virus type is macro";
  }
  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type associated with a detected intrusion";
  }
  identity brute-force {
    base intrusion-attack-type;
    description "The intrusion type is brute-force";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description "The intrusion type is buffer-overflow";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type associated with a detected web attack";
  }
  identity command-injection {
    base web-attack-type;
    description "The detected web attack type is command injection";
  }
  identity xss {
    base web-attack-type;
    description "The detected web attack type is XSS";
  }
  identity csrf {
    base web-attack-type;
    description "The detected web attack type is CSRF";
  }
  identity ddos-attack-type {
    base nsf-attack-type;
    description
      "The attack type associated with a detected DDoS event";
  }

  identity req-method {
    description
      "A set of request types (if applicable).
       For instance, PUT or GET in HTTP";
  }
  identity put-req {
    base req-method;
    description "The detected request type is PUT";
  }
  identity get-req {
    base req-method;
    description "The detected request type is GET";
  }

  identity filter-type {
    description
      "The type of filter used to detect, for example,
       a web attack. Can be applicable to more than
       web attacks. Can be more than one type.";
  }
  identity whitelist {
    base filter-type;
    description "The applied filter type is whitelist";
  }
  identity blacklist {
    base filter-type;
    description "The applied filter type is blacklist";
  }
  identity user-defined {
    base filter-type;
    description "The applied filter type is user-defined";
  }
  identity malicious-category {
    base filter-type;
    description "The applied filter type is malicious category";
  }
  identity unknown-filter {
    base filter-type;
    description "The applied filter type is unknown";
  }

  identity access-mode {
    description "Base identity for detectable access modes.";
  }
  identity ppp {
    base access-mode;
    description "Access-mode: ppp";
  }
  identity svn {
    base access-mode;
    description "Access-mode: svn";
  }
  identity local {
    base access-mode;
    description "Access-mode: local";
  }

  identity protocol-type {
    description
      "An identity used to enable type choices in leafs
       and leaf-lists with respect to protocol metadata.";
  }
  identity tcp {
    base ipv4;
    base ipv6;
    description "TCP protocol type.";
  }
  identity udp {
    base ipv4;
    base ipv6;
    description "UDP protocol type.";
  }
  identity icmp {
    base ipv4;
    base ipv6;
    description "General ICMP protocol type.";
  }
  identity icmpv4 {
    base ipv4;
    description "ICMPv4 protocol type.";
  }
  identity icmpv6 {
    base ipv6;
    description "ICMPv6 protocol type.";
  }
  identity ip {
    base protocol-type;
    description "General IP protocol type.";
  }
  identity ipv4 {
    base ip;
    description "IPv4 protocol type.";
  }
  identity ipv6 {
    base ip;
    description "IPv6 protocol type.";
  }
  identity http {
    base tcp;
    description "HTTP protocol type.";
  }
  identity ftp {
    base tcp;
    description "FTP protocol type.";
  }

  grouping common-monitoring-data {
    description "The data set common to all monitoring messages";
    leaf message {
      type string;
      description
        "A free-text annotation of the monitoring
         notification content";
    }
    leaf time-stamp {
      type yang:date-and-time;
      description "Indicates the time of message generation";
    }
    leaf vendor-name {
      type string;
      description "The name of the NSF vendor";
    }
    leaf nsf-name {
      type string;
      description
        "The name (or IP address) of the NSF
         generating the message";
    }
    leaf module-name {
      type string;
      description "The name of the module emitting the message";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm or event: high, middle, or low.";
    }
  }
  grouping characteristics {
    description "A set of monitoring information characteristics";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description "The acquisition method of the monitoring data";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description "The emission type of the monitoring data";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description "The dampening type of the monitoring data";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description "A set of system alarm type contents";
    leaf usage {
      type uint8;
      description "The amount of resource usage";
    }
    leaf threshold {
      type uint8;
      description "The threshold triggering the alarm or the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events caused
       by user activity.";
    leaf user {
      type string;
      mandatory true;
      description "Name of a user";
    }
    leaf group {
      type string;
      mandatory true;
      description "Group to which the user belongs.";
    }
    leaf login-ip-addr {
      type inet:ipv4-address;
      mandatory true;
      description "Login IP address of the user.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description "The authentication mode used by the user";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of common IPv4-related NSF event content elements,
       including source and destination addresses, ports, and
       security zones";
    leaf src-ip {
      type inet:ipv4-address;
      description "The source IP address of the packet";
    }
    leaf dst-ip {
      type inet:ipv4-address;
      description "The destination IP address of the packet";
    }
    leaf src-port {
      type inet:port-number;
      description "The source port of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description "The destination port of the packet";
    }
    leaf src-zone {
      type string;
      description "The source security zone of the packet";
    }
    leaf dst-zone {
      type string;
      description "The destination security zone of the packet";
    }
    leaf rule-id {
      type uint8;
      mandatory true;
      description "The ID of the rule being triggered";
    }
    leaf rule-name {
      type string;
      mandatory true;
      description "The name of the rule being triggered";
    }
    leaf profile {
      type string;
      description "Security profile that the traffic matches.";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4-related NSF event content elements
       (destination address and port only)";
    leaf dst-ip {
      type inet:ipv4-address;
      description "The destination IP address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description "The destination port of the packet";
    }
    leaf rule-id {
      type uint8;
      mandatory true;
      description "The ID of the rule being triggered";
    }
    leaf rule-name {
      type string;
      mandatory true;
      description "The name of the rule being triggered";
    }
    leaf profile {
      type string;
      description "Security profile that the traffic matches.";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping traffic-rates {
    description "A set of traffic rates for statistics data";
    leaf total-traffic {
      type uint32;
      description "Total traffic";
    }
    leaf in-traffic-ave-rate {
      type uint32;
      description "Inbound traffic average rate in pps";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      description "Inbound traffic peak rate in pps";
    }
    leaf in-traffic-ave-speed {
      type uint32;
      description "Inbound traffic average speed in bps";
    }
    leaf in-traffic-peak-speed {
      type uint32;
      description "Inbound traffic peak speed in bps";
    }
    leaf out-traffic-ave-rate {
      type uint32;
      description "Outbound traffic average rate in pps";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      description "Outbound traffic peak rate in pps";
    }
    leaf out-traffic-ave-speed {
      type uint32;
      description "Outbound traffic average speed in bps";
    }
    leaf out-traffic-peak-speed {
      type uint32;
      description "Outbound traffic peak speed in bps";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description "A set of system counter type contents";
    leaf interface-name {
      type string;
      description "Network interface name configured in the NSF";
    }
    leaf in-total-traffic-pkts {
      type uint32;
      description "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type uint32;
      description "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint32;
      description "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint32;
      description "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type uint32;
      description "Total inbound dropped packets";
    }
    leaf out-drop-traffic-pkts {
      type uint32;
      description "Total outbound dropped packets";
    }
    leaf in-drop-traffic-bytes {
      type uint32;
      description "Total inbound dropped bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint32;
      description "Total outbound dropped bytes";
    }
    uses traffic-rates;
  }
  grouping i2nsf-nsf-counters-type-content {
    description "A set of NSF counter type contents";
    leaf src-ip {
      type inet:ipv4-address;
      description "The source IP address of the packet";
    }
    leaf dst-ip {
      type inet:ipv4-address;
      description "The destination IP address of the packet";
    }
    leaf src-port {
      type inet:port-number;
      description "The source port of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description "The destination port of the packet";
    }
    leaf src-zone {
      type string;
      description "The source security zone of the packet";
    }
    leaf dst-zone {
      type string;
      description "The destination security zone of the packet";
    }
    leaf src-region {
      type string;
      description "Source region of the traffic";
    }
    leaf dst-region {
      type string;
      description "Destination region of the traffic";
    }
    leaf policy-id {
      type uint8;
      description "The ID of the policy being triggered";
    }
    leaf policy-name {
      type string;
      description "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description "User who generates the traffic";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description "Protocol type of the traffic";
    }
    leaf app {
      type string;
      description "Application type of the traffic";
    }
  }

  notification system-detection-alarm {
    description
      "This notification is sent when a system alarm is detected.";
    leaf alarm-catagory {
      type identityref {
        base alarm-type;
      }
      description
        "The alarm category for the
         system-detection-alarm notification";
    }
    uses characteristics;
    uses i2nsf-system-alarm-type-content;
    uses common-monitoring-data;
  }
  notification system-detection-event {
    description
      "This notification is sent when a system event, such as an
       access-denied or configuration-change event, is detected.";
    leaf event-catagory {
      type identityref {
        base event-type;
      }
      description
        "The event category for the system-detection-event
         notification";
    }
    uses characteristics;
    uses i2nsf-system-event-type-content;
    uses common-monitoring-data;
  }
  notification nsf-detection-flood {
    description
      "This notification is sent when a specific flood type is
       detected";
    leaf event-name {
      type identityref {
        base nsf-event-name;
      }
      description
        "The event name for nsf-detection-flood, i.e.,
         SEC-EVENT-DDOS";
    }
    uses i2nsf-nsf-event-type-content;
    leaf sub-attack-type {
      type identityref {
        base flood-type;
      }
      description
        "Any one of SYN flood, ACK flood, SYN-ACK flood,
         FIN/RST flood, TCP connection flood, UDP flood,
         ICMP flood, HTTPS flood, HTTP flood, DNS query flood,
         DNS reply flood, SIP flood, etc.";
    }
    leaf start-time {
      type yang:date-and-time;
      mandatory true;
      description "The time stamp indicating when the attack started";
    }
    leaf end-time {
      type yang:date-and-time;
      mandatory true;
      description "The time stamp indicating when the attack ended";
    }
    leaf attack-rate {
      type uint32;
      description "The rate of attack traffic in pps";
    }
    leaf attack-speed {
      type uint32;
      description "The speed of attack traffic in bps";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-session-table {
    description
      "This notification is sent when a session table event
       is detected";
    leaf current-session {
      type uint8;
      description "The number of concurrent sessions";
    }
    leaf maximum-session {
      type uint8;
      description
        "The maximum number of sessions that the session
         table can support";
    }
    leaf threshold {
      type uint8;
      description "The threshold triggering the event";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-virus {
    description "This notification is sent when a virus is detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf virus {
      type identityref {
        base virus-type;
      }
      description
        "The virus type for the nsf-detection-virus notification";
    }
    leaf virus-name {
      type string;
      description "The name of the detected virus";
    }
    leaf file-type {
      type string;
      description
        "The type of file the virus code is found in (if applicable).";
    }
    leaf file-name {
      type string;
      description
        "The name of the file the virus code is found in (if applicable).";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-intrusion {
    description
      "This notification is sent when an intrusion event is detected.";
    uses i2nsf-nsf-event-type-content-extend;
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for the nsf-detection-intrusion notification";
    }
    leaf app {
      type string;
      description "The employed application layer protocol";
    }
    leaf sub-attack-type {
      type identityref {
        base intrusion-attack-type;
      }
      description "The sub-attack type of the intrusion attack";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-botnet {
    description
      "This notification is sent when a botnet event is detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf attack-type {
      type identityref {
        base botnet-attack-type;
      }
      description "The attack type of the botnet attack";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for the nsf-detection-botnet notification";
    }
    leaf botnet-name {
      type string;
      description "The name of the detected botnet";
    }
    leaf role {
      type string;
      description
        "The role of the communicating parties within the botnet";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-web-attack {
    description
      "This notification is sent when a web attack event is detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf sub-attack-type {
      type identityref {
        base web-attack-type;
      }
      description
        "Concrete web attack type, e.g., SQL injection,
         command injection, XSS, CSRF";
    }
    leaf request-method {
      type identityref {
        base req-method;
      }
      description
        "The request method, e.g., PUT or GET in HTTP";
    }
    leaf req-uri {
      type string;
      description "Requested URI";
    }
    leaf uri-category {
      type string;
      description "Matched URI category";
    }
    leaf-list filtering-type {
      type identityref {
        base filter-type;
      }
      description
        "URL filtering type, e.g., Blacklist, Whitelist,
         User-Defined, Predefined, Malicious Category,
         Unknown";
    }
    uses common-monitoring-data;
  }
  notification system-access-log {
    description
      "This notification is sent when there is a new system log
       entry about a system access event";
    leaf login-ip {
      type inet:ipv4-address;
      mandatory true;
      description "Login IP address of the user";
    }
    leaf administrator {
      type string;
      description "Administrator that maintains the device";
    }
    leaf login-mode {
      type login-mode;
      description "Specifies the administrator's login mode";
    }
    leaf operation-type {
      type operation-type;
      description "The operation type that the administrator executes";
    }
    leaf result {
      type string;
      description "Command execution result";
    }
    leaf content {
      type string;
      description
        "The operation performed by the administrator after login";
    }
    uses characteristics;
  }
  notification system-res-util-log {
    description
      "This notification is sent when there is a new log entry
       representing a resource utilization update.";
    leaf system-status {
      type string;
      description "The current running status of the system";
    }
    leaf cpu-usage {
      type uint8;
      description
        "Specifies the relative amount of CPU usage with respect
         to platform resources";
    }
    leaf memory-usage {
      type uint8;
      description "Specifies the amount of memory usage";
    }
    leaf disk-usage {
      type uint8;
      description "Specifies the amount of disk usage";
    }
    leaf disk-left {
      type uint8;
      description "Specifies the amount of disk space left";
    }
    leaf session-num {
      type uint8;
      description "The total number of sessions";
    }
    leaf process-num {
      type uint8;
      description "The total number of processes";
    }
    leaf in-traffic-rate {
      type uint32;
      description "The total inbound traffic rate in pps";
    }
    leaf out-traffic-rate {
      type uint32;
      description "The total outbound traffic rate in pps";
    }
    leaf in-traffic-speed {
      type uint32;
      description "The total inbound traffic speed in bps";
    }
    leaf out-traffic-speed {
      type uint32;
      description "The total outbound traffic speed in bps";
    }
    uses characteristics;
  }
  notification system-user-activity-log {
    description
      "This notification is sent when there is a new user activity
       log entry";
    uses characteristics;
    uses i2nsf-system-event-type-content;
    leaf access {
      type identityref {
        base access-mode;
      }
      description
        "The access mode for the system-user-activity-log
         notification";
    }
    leaf online-duration {
      type string;
      description "Online duration";
    }
    leaf logout-duration {
      type string;
      description "Lockout duration";
    }
    leaf addtional-info {
      type string;
      description
        "User activities, e.g., Successful User Login,
         Failed Login Attempts, User Logout, Successful User
         Password Change, Failed User Password Change,
         User Lockout, User Unlocking, Unknown";
    }
  }
  notification nsf-log-ddos {
    description
      "This notification is sent when there is a new DDoS event
       log entry in the NSF log";
    leaf attack-type {
      type identityref {
        base ddos-attack-type;
      }
      description
        "The DDoS attack type for the nsf-log-ddos notification";
    }
    leaf attack-ave-rate {
      type uint32;
      description "The average rate of attack traffic in pps";
    }
    leaf attack-ave-speed {
      type uint32;
      description "The average speed of attack traffic in bps";
    }
    leaf attack-pkt-num {
      type uint32;
      description "The number of attack packets";
    }
    leaf attack-src-ip {
      type inet:ipv4-address;
      description
        "The source IP address of the attack traffic. If there
         is a large number of source addresses, a representative
         subset is selected according to local rules.";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-virus {
    description
      "This notification is sent when there is a new virus event
       log entry in the NSF log";
    leaf attack-type {
      type identityref {
        base virus-type;
      }
      description "The virus type for the nsf-log-virus notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
    leaf os {
      type string;
      description "Simple OS information";
    }
    leaf time {
      type yang:date-and-time;
      mandatory true;
      description "Indicates the time when the message is generated";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-intrusion {
    description
      "This notification is sent when there is a new intrusion
       event log entry in the NSF log";
    leaf attack-type {
      type identityref {
        base intrusion-attack-type;
      }
      description
        "The intrusion attack type for the nsf-log-intrusion
         notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
    leaf time {
      type yang:date-and-time;
      mandatory true;
      description "Indicates the time when the message is generated";
    }
    leaf attack-rate {
      type uint32;
      description "The rate of attack traffic in pps";
    }
    leaf attack-speed {
      type uint32;
      description "The speed of attack traffic in bps";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-botnet {
    description
      "This notification is sent when there is a new botnet event
       log entry in the NSF log";
    leaf attack-type {
      type identityref {
        base botnet-attack-type;
      }
      description
        "The botnet attack type for the nsf-log-botnet notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
    leaf botnet-pkt-num {
      type uint8;
      description
        "The number of packets sent to or from the detected botnet";
    }
    leaf os {
      type string;
      description "Simple OS information";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-dpi {
    description
      "This notification is sent when there is a new DPI event
       in the NSF log";
    leaf attack-type {
      type dpi-type;
      description "The type of the DPI";
    }
    uses characteristics;
    uses i2nsf-nsf-counters-type-content;
    uses common-monitoring-data;
  }
  notification nsf-log-vuln-scan {
    description
      "This notification is sent when there is a new
       vulnerability-scan report in the NSF log";
    leaf vulnerability-id {
      type uint8;
      description "The vulnerability ID";
    }
    leaf victim-ip {
      type inet:ipv4-address;
      description
        "IP address of the victim host that has the vulnerability";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for the nsf-log-vuln-scan notification";
    }
    leaf port-num {
      type inet:port-number;
      description "The port number";
    }
    leaf level {
      type severity;
      description "The vulnerability severity";
    }
    leaf os {
      type string;
      description "Simple OS information";
    }
    leaf vulnerability-info {
      type string;
      description "The information about the vulnerability";
    }
    leaf fix-suggestion {
      type string;
      description "The fix suggestion for the vulnerability";
    }
    leaf service {
      type string;
      description
        "The service that has the vulnerability on the victim host";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-web-attack {
    description
      "This notification is sent when there is a new web attack
       event in the NSF log";
    leaf attack-type {
      type identityref {
        base web-attack-type;
      }
      description
        "The web attack type for the nsf-log-web-attack notification";
    }
    leaf rsp-code {
      type string;
      description "Response code";
    }
    leaf req-clientapp {
      type string;
      description "The client application";
    }
    leaf req-cookies {
      type string;
      description "Cookies";
    }
    leaf
req-host { 3303 type string; 3304 description 3305 "The domain name of the requested host"; 3306 } 3307 leaf raw-info { 3308 type string; 3309 description 3310 "The information describing 3311 the packet triggering the event."; 3312 } 3313 uses characteristics; 3314 uses common-monitoring-data; 3315 } 3316 container counters { 3317 description 3318 "This is probably better covered by an import 3319 as this will not be notifications. 3320 Counter are not very suitable as telemetry, maybe 3321 via periodic subscriptions, which would still 3322 violate principle of least surprise."; 3323 container system-interface { 3324 description 3325 "The system counter type is interface counter"; 3326 uses characteristics; 3327 uses i2nsf-system-counter-type-content; 3328 uses common-monitoring-data; 3329 } 3330 container nsf-firewall { 3331 description 3332 "The nsf counter type is firewall counter"; 3333 uses characteristics; 3334 uses i2nsf-nsf-counters-type-content; 3335 uses traffic-rates; 3336 } 3337 container nsf-policy-hits { 3338 description 3339 "The counters of policy hit"; 3340 uses characteristics; 3341 uses i2nsf-nsf-counters-type-content; 3342 uses common-monitoring-data; 3343 leaf hit-times { 3344 type uint32; 3345 description 3346 "The hit times for policy"; 3347 } 3348 } 3349 } 3350 } 3351 3353 Figure 2: Data Model of Monitoring 3355 13. Security Considerations 3357 The monitoring information of NSF should be protected by the secure 3358 communication channel, to ensure its confidentiality and integrity. 3359 In another side, the NSF and security controller can all be faked, 3360 which lead to undesireable results, i.e., leakage of an NSF's 3361 important operational information, faked NSF sending false 3362 information to mislead security controller. The mutual 3363 authentication is essential to protected against this kind of attack. 
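   The following Python is an added example and not code from this
   draft or from any I2NSF implementation.  It shows the three things a
   security controller has to do with a notification defined in the
   module above: validate an nsf-log-ddos instance against its leaf
   definitions (the uint32 ranges, the inet:ipv4-address type and the
   listed log-action values), require the NSF's own certificate at the
   TLS layer rather than accepting any peer, and apply a per-NSF token
   bucket so that a flood of notifications from a compromised NSF, or
   from many legitimate ones at once, cannot exhaust the controller.
   The identity names under ddos-attack-type, the module name used as
   the RFC 7951 JSON prefix and the certificate file paths are
   assumptions; the sample notification is constructed.  Two type
   choices in the module are worth keeping in mind when consuming this
   data: botnet-pkt-num and vulnerability-id are uint8, so they cannot
   represent values above 255, and attack-src-ip and victim-ip are
   IPv4-only.

```python
"""Controller-side handling of I2NSF NSF monitoring notifications.

Added example; not code from the draft or from any I2NSF project.
Assumptions: the identity names under ddos-attack-type, the module name
used as the RFC 7951 JSON prefix, and the certificate file paths.
The log-action values are the ones listed in the module.
"""
import ipaddress
import ssl
import time

UINT32_MAX = 2**32 - 1
LOG_ACTIONS = {"allow", "alert", "block", "discard", "declare",
               "block-ip", "block-service"}
# Assumed identities derived from ddos-attack-type (defined elsewhere in the draft).
DDOS_ATTACK_TYPES = {"syn-flood", "udp-flood", "icmp-flood", "http-flood"}
MODULE = "ietf-i2nsf-nsf-monitoring"  # assumed module name


class ValidationError(ValueError):
    """Raised when a notification does not conform to the data model."""


def _uint32(value, leaf):
    if isinstance(value, bool) or not isinstance(value, int) \
            or not 0 <= value <= UINT32_MAX:
        raise ValidationError(f"{leaf}: expected uint32, got {value!r}")
    return value


def validate_nsf_log_ddos(payload):
    """Validate the JSON body of an nsf-log-ddos notification and return the
    checked leafs.  Unknown leafs are ignored, out-of-model values rejected."""
    body = payload.get(f"{MODULE}:nsf-log-ddos")
    if body is None:
        raise ValidationError("not an nsf-log-ddos notification")
    out = {}
    # identityref values are encoded as "module:identity"; a bare name is accepted too.
    attack = str(body.get("attack-type", ""))
    ident = attack.rsplit(":", 1)[-1]
    if ident not in DDOS_ATTACK_TYPES:
        raise ValidationError(f"attack-type: unknown identity {attack!r}")
    out["attack-type"] = ident
    for leaf in ("attack-ave-rate", "attack-ave-speed", "attack-pkt-num"):
        if leaf in body:
            out[leaf] = _uint32(body[leaf], leaf)
    if "attack-src-ip" in body:
        # The model types this leaf as inet:ipv4-address, so IPv6 is rejected.
        try:
            out["attack-src-ip"] = str(ipaddress.IPv4Address(body["attack-src-ip"]))
        except ipaddress.AddressValueError as exc:
            raise ValidationError(f"attack-src-ip: {exc}") from None
    action = body.get("action")
    if action is not None and action not in LOG_ACTIONS:
        raise ValidationError(f"action: {action!r} is not a log-action")
    out["action"] = action
    return out


def is_valid_nsf_log_ddos(payload):
    """Boolean form of validate_nsf_log_ddos for callers that only filter."""
    try:
        validate_nsf_log_ddos(payload)
        return True
    except ValidationError:
        return False


def controller_tls_context(ca_file=None, cert_chain=None):
    """Server-side TLS context for the controller.  CERT_REQUIRED fails the
    handshake unless the NSF presents a certificate chaining to ca_file (the
    mutual authentication the text calls for); a server context defaults to
    CERT_NONE, i.e. any peer may connect.  With the assumed paths omitted the
    context is returned unloaded so its settings can be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_chain:
        ctx.load_cert_chain(certfile=cert_chain[0], keyfile=cert_chain[1])
    return ctx


def requires_client_cert(ctx):
    """True when the context rejects peers that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


class NotificationRateLimiter:
    """Per-NSF token bucket: `rate` notifications per second sustained, at most
    `burst` back to back.  Excess notifications are counted and dropped; a
    controller might instead coalesce them into one summary alarm."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self._buckets = {}  # nsf-id -> (tokens, time of last refill)
        self.dropped = {}   # nsf-id -> number of dropped notifications

    def allow(self, nsf_id):
        now = self.clock()
        tokens, last = self._buckets.get(nsf_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[nsf_id] = (tokens - 1.0, now)
            return True
        self._buckets[nsf_id] = (tokens, now)
        self.dropped[nsf_id] = self.dropped.get(nsf_id, 0) + 1
        return False


def simulate_flood(count, rate=10, burst=5):
    """Constructed scenario: one NSF emits `count` notifications at the same
    instant, then 20 more one second later.  Returns (accepted in the burst,
    dropped in the burst, accepted after the pause)."""
    clock = [0.0]
    limiter = NotificationRateLimiter(rate, burst, clock=lambda: clock[0])
    accepted = sum(limiter.allow("nsf-1") for _ in range(count))
    dropped = limiter.dropped.get("nsf-1", 0)
    clock[0] = 1.0
    later = sum(limiter.allow("nsf-1") for _ in range(20))
    return accepted, dropped, later


# Constructed sample notification body, RFC 7951 style JSON as a Python dict.
SAMPLE_DDOS = {f"{MODULE}:nsf-log-ddos": {
    "attack-type": f"{MODULE}:syn-flood", "attack-ave-rate": 250000,
    "attack-ave-speed": 160000000, "attack-pkt-num": 15000000,
    "attack-src-ip": "203.0.113.7", "action": "block-ip"}}
```

   Run as a script, validate_nsf_log_ddos(SAMPLE_DDOS) returns the checked
   leafs and simulate_flood(100) shows that only the burst size is
   accepted at once, with the bucket refilling to at most `burst` after
   the pause.  The limiter is keyed by NSF identity, which is exactly the
   identity the TLS client certificate establishes; without that
   authentication a faked NSF could spend other NSFs' budgets.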
   Current mainstream security technologies (e.g., TLS, DTLS, IPsec,
   X.509 PKI) can be employed appropriately to provide the above
   security functions.

   In addition, to defend against a DDoS attack caused by a large number
   of NSFs sending massive amounts of monitoring information to the
   security controller, rate limiting or similar mechanisms should be
   considered in both the NSF and the security controller, whether in
   advance or during a DDoS attack.

14.  References

14.1.  Normative References

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Customized Subscriptions to a Publisher's
              Event Streams", draft-ietf-netconf-subscribed-
              notifications-17 (work in progress), September 2018.

   [I-D.ietf-netconf-yang-push]
              Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen-
              Nygaard, E., Bierman, A., and B. Lengyel, "Subscription to
              YANG Datastores", draft-ietf-netconf-yang-push-20 (work in
              progress), October 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, September 2004.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, April 2012.

   [RFC7011]  Claise, B., Trammell, B., and P. Aitken, "Specification of
              the IP Flow Information Export (IPFIX) Protocol for the
              Exchange of Flow Information", RFC 7011, September 2013.

14.2.  Informative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", draft-
              ietf-i2nsf-consumer-facing-interface-dm-02 (work in
              progress), November 2018.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-02
              (work in progress), November 2018.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
              Registration Interface YANG Data Model", draft-ietf-i2nsf-
              registration-interface-dm-01 (work in progress), November
              2018.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-06 (work in
              progress), July 2018.

   [I-D.ietf-i2rs-rib-data-model]
              Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10
              (work in progress), February 2018.

   [I-D.yang-i2nsf-nfv-architecture]
              Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the
              NFV Reference Architecture", draft-yang-i2nsf-nfv-
              architecture-04 (work in progress), November 2018.

   [I-D.yang-i2nsf-security-policy-translation]
              Yang, J., Jeong, J., and J. Kim, "Security Policy
              Translation in Interface to Network Security Functions",
              draft-yang-i2nsf-security-policy-translation-02 (work in
              progress), October 2018.
   [RFC3954]  Claise, B., "Cisco Systems NetFlow Services Export Version
              9", RFC 3954, October 2004.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, February 2018.

Appendix A.  Changes from draft-hong-i2nsf-nsf-monitoring-data-model-05

   The following changes are made from draft-hong-i2nsf-nsf-monitoring-
   data-model-05:

   1.  This version includes the contents of draft-zhang-i2nsf-info-
       model-monitoring-07 for an information model for NSF monitoring.

   2.  Typos are corrected.

Appendix B.  Acknowledgments

   This work was supported by the Institute for Information &
   communications Technology Promotion (IITP) grant funded by the Korea
   government (MSIP) (R-20160222-002755, Cloud based Security
   Intelligence Technology Development for the Customized Security
   Service Provisioning).

Appendix C.  Contributors

   This document is the result of a group effort of the I2NSF working
   group.  Many people actively contributed to this document.  The
   following are considered co-authors:

   o  Dacheng Zhang (Huawei)

   o  Yi Wu (Alibaba Group)

   o  Rakesh Kumar (Juniper Networks)

   o  Anil Lohiya (Juniper Networks)

Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Dongjin Hong
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 10 7630 5473
   EMail: dong.jin@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI  48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de