Network Working Group                                          J. Jeong
Internet-Draft                                                 C. Chung
Intended status: Standards Track                Sungkyunkwan University
Expires: September 12, 2019                                    S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                          March 11, 2019

                  I2NSF NSF Monitoring YANG Data Model
              draft-ietf-i2nsf-nsf-monitoring-data-model-00

Abstract

   This document proposes an information model and the corresponding YANG data model for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework.  If the monitoring of NSFs is performed in a comprehensive way, it is possible to detect indications of malicious activity, anomalous behavior, or potential signs of denial-of-service attacks in a timely manner.  This monitoring functionality is based on the monitoring information generated by NSFs.  Thus, this document describes not only an information model for monitoring NSFs along with a YANG tree diagram, but also the corresponding YANG data model for monitoring NSFs.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC number to be assigned to this document:

   "This version of this YANG module is part of RFC 6087;"

   "RFC XXXX: I2NSF NSF Monitoring YANG Data Model"

   "reference: RFC 6087"

   Please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Requirements Notation
     2.2.  Definitions
     2.3.  YANG
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications and Events
     4.3.  Unsolicited Poll and Solicited Push
     4.4.  I2NSF Monitoring Terminology for Retained Information
   5.  Conveyance of NSF Monitoring Information
     5.1.  Information Types and Acquisition Methods
   6.  Basic Information Model for All Monitoring Data
   7.  Extended Information Model for Monitoring Data
     7.1.  System Alarm
       7.1.1.  Memory Alarm
       7.1.2.  CPU Alarm
       7.1.3.  Disk Alarm
       7.1.4.  Hardware Alarm
       7.1.5.  Interface Alarm
     7.2.  System Events
       7.2.1.  Access Violation
       7.2.2.  Configuration Change
     7.3.  System Log
       7.3.1.  Access Logs
       7.3.2.  Resource Utilization Logs
       7.3.3.  User Activity Logs
     7.4.  System Counters
       7.4.1.  Interface Counters
     7.5.  NSF Events
       7.5.1.  DDoS Event
       7.5.2.  Session Table Event
       7.5.3.  Virus Event
       7.5.4.  Intrusion Event
       7.5.5.  Botnet Event
       7.5.6.  Web Attack Event
     7.6.  NSF Logs
       7.6.1.  DDoS Logs
       7.6.2.  Virus Logs
       7.6.3.  Intrusion Logs
       7.6.4.  Botnet Logs
       7.6.5.  DPI Logs
       7.6.6.  Vulnerability Scanning Logs
       7.6.7.  Web Attack Logs
     7.7.  NSF Counters
       7.7.1.  Firewall Counters
       7.7.2.  Policy Hit Counters
   8.  NSF Monitoring Management in I2NSF
   9.  Tree Structure
   10. YANG Data Model
   11. IANA Considerations
   12. Security Considerations
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  Changes from draft-hong-i2nsf-nsf-monitoring-data-model-06
   Appendix B.  Acknowledgments
   Appendix C.  Contributors
   Authors' Addresses

1.  Introduction

   According to [I-D.ietf-i2nsf-terminology], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF NSF-Facing Interface [I-D.ietf-i2nsf-nsf-facing-interface-dm].
   Monitoring procedures intend to acquire vital types of data with respect to NSFs (e.g., alarms, records, and counters) via data in motion (e.g., queries, notifications, and events).  The monitoring of an NSF plays an important role in an overall security framework, if it is done in a timely and comprehensive way.  The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial-of-service (DoS) attacks.

   This document defines a comprehensive NSF monitoring information model that provides the Security Controller with visibility into an NSF.  It specifies the information and illustrates the methods that enable an NSF to provide the information required in order to be monitored in a scalable and efficient way via the NSF-Facing Interface.  The information model for monitoring presented in this document is complementary to the information model for the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-capability].

   This document also defines a YANG [RFC7950] data model for monitoring NSFs, which is derived from the information model for NSF monitoring.

2.  Terminology

2.1.  Requirements Notation

   This document does not propose a protocol standard, and words such as "should" follow their ordinary English meaning and not that of the normative language defined in [RFC2119] [RFC8174].

2.2.  Definitions

   The terms used in this document are defined in the I2NSF terminology document [I-D.ietf-i2nsf-terminology].

2.3.  YANG

   This document follows the guidelines of [RFC6087], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA).  The meaning of the symbols in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall security framework.  Monitoring the NSF provides very valuable information to the Security Controller for maintaining the provisioned security posture.  Besides this, there are various other reasons to monitor the NSF, as listed below:

   o  The security administrator, through the I2NSF User, can configure a policy that is triggered by a specific event occurring in the NSF or the network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If the Security Controller detects the specified event, it configures additional security functions as defined by the policies.

   o  The events triggered by an NSF as a result of a security policy violation can be used by a Security Information and Event Management (SIEM) system to detect suspicious activity in a larger correlation context.

   o  The events and activity logs from an NSF can be used to build advanced analytics, such as behavioral and predictive models, to improve the security posture in large deployments.

   o  The Security Controller can use events from the NSF to achieve high availability.  It can take corrective actions such as restarting a failed NSF or horizontally scaling the NSF.

   o  The events and activity logs from the NSF can aid in the root cause analysis of an operational issue and thereby improve debugging.

   o  The activity logs from the NSF can be used to build historical data for operational and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is necessary not only to configure an NSF's security policies but also to continuously monitor the NSF by consuming acquirable and observable information.  This enables security administrators to assess the state of the network topology in a timely fashion.
   It is not possible to block all internal and external threats based on a static security posture.  A more practical approach is to enable dynamic security measures, for which continuous visibility is required.  This document defines a set of information elements (and their scope) that can be acquired from an NSF and used as NSF monitoring information.  In essence, these types of monitoring information can be leveraged to support constant visibility on multiple levels of granularity and can be consumed by the corresponding functions.

   Three basic domains of the monitoring information originating from a system entity [RFC4949] or an NSF are highlighted in this document:

   o  Retention and Emission

   o  Notifications and Events

   o  Unsolicited Poll and Solicited Push

   The Alarm Management Framework in [RFC3877] defines an Event as something that happens which may be of interest.  It defines a fault as a change in status, crossing a threshold, or an external input to the system.  In the I2NSF domain, I2NSF events [I-D.ietf-i2nsf-terminology] are created, and the scope of the Alarm Management Framework's Events is still applicable due to its broad definition.  The model presented in this document elaborates on the workflow of creating I2NSF events in the context of NSF monitoring and on the way initial I2NSF events are created.

   As with I2NSF components, every generic system entity can include a set of capabilities [I-D.ietf-i2nsf-terminology] that creates information about the context, composition, configuration, state, or behavior of that system entity.  This information is intended to be provided to other consumers of information; in the scope of this document, it is consumed for NSF monitoring in an automated fashion.

4.1.  Retention and Emission

   Typically, a system entity populates standardized interfaces, such as SNMP, NETCONF, RESTCONF, or CoMI, to provide and emit created information directly via the NSF-Facing Interface [I-D.ietf-i2nsf-terminology].  Alternatively, the created information is retained inside the system entity (or a hierarchy of system entities in a composite device) in records or counters that are not exposed directly via NSF-Facing Interfaces.

   Information emitted via standardized interfaces can be consumed by an I2NSF User [I-D.ietf-i2nsf-terminology] that includes the capability to consume information not only via an I2NSF Interface (e.g., [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via interfaces complementary to the standardized interfaces a generic system entity provides.

   Information retained on a system entity requires a corresponding I2NSF User to access aggregated records of information, typically in the form of log files or databases.  There are ways to aggregate records originating from different system entities over a network, for example via the Syslog Protocol [RFC5424] or Syslog over TCP [RFC6587].  But even if records are conveyed, the result is the same kind of retention, in the form of a bigger aggregate of records on another system entity.

   An I2NSF User is required to process fresh [RFC4949] records created by I2NSF Functions in order to provide them to other I2NSF Components via the corresponding I2NSF Interfaces in a timely manner.  This process is effectively based on homogenizing functions, which can access and convert specific kinds of records into information that can be provided and emitted via I2NSF Interfaces.

   Whether retained or emitted, the information required to support monitoring processes has to be processed by an I2NSF User at some point in the workflow.
   Typical locations of these I2NSF Users are:

   o  a system entity that creates the information

   o  a system entity that retains an aggregation of records

   o  an I2NSF Component that includes the capabilities of using standardized interfaces provided by other system entities that are not I2NSF Components

   o  an I2NSF Component that creates the information

4.2.  Notifications and Events

   A specific task of an I2NSF User is to process I2NSF Policy Rules [I-D.ietf-i2nsf-terminology].  The rules of a policy are composed of three clauses: Events, Conditions, and Actions.  In consequence, an I2NSF Event is specified to trigger an I2NSF Policy Rule.  Such an I2NSF Event is defined in [I-D.ietf-i2nsf-terminology] as any important occurrence over time in the system being managed and/or in the environment of the system being managed, which aligns well with the generic definition of Event from [RFC3877].

   The model illustrated in this document introduces a complementary type of information that can be conveyed: the notification.

   Notification:  An occurrence of a change of context, composition, configuration, state, or behavior of a system entity that can be directly or indirectly observed by an I2NSF User and can be used as input for an event-clause in I2NSF Policy Rules.

      A notification is similar to an I2NSF Event with the exception that it is created by a system entity that is not an I2NSF Component and that its importance is yet to be assessed.  Semantically, a notification is not an I2NSF Event in the context of I2NSF, although both can potentially use the exact same information or data model.  With respect to [RFC3877], a Notification is a specific subset of events, because it conveys information about something that happens which may be of interest.  In consequence, Notifications may contain information with very low expressiveness or relevance.
      Hence, additional post-processing functions, such as aggregation, correlation, or simple anomaly detection, might have to be employed to reach the level of expressiveness required for an event-clause of an I2NSF Policy Rule.

   It is important to note that the consumer of a notification (the observer) assesses the importance of a notification, not the producer.  The producer can include metadata in a notification that supports the observer in assessing the importance (even metadata about severity), but the deciding entity is an I2NSF User.

4.3.  Unsolicited Poll and Solicited Push

   The freshness of the monitored information depends on the acquisition method.  Ideally, an I2NSF User accesses every relevant piece of information about the I2NSF Component and emits I2NSF Events to a monitoring entity (e.g., a Security Controller or another I2NSF User) in a timely manner.  Publication of events via a pub/sub broker model, peer-to-peer meshes, or statically defined channels are only a few examples of how a solicited push of I2NSF Events can be facilitated.  The actual mechanism implemented by an I2NSF Component is out of the scope of this document.

   Often, the corresponding management interfaces have to be queried at intervals or on demand if required by an I2NSF Policy Rule.  In some cases, information has to be collected via login mechanisms provided by a system entity.  Accessing records of information via this kind of unsolicited poll can introduce significant latency with regard to the freshness of the monitored information.  The actual definition of the intervals implemented by an I2NSF Component is also out of scope of this document.

4.4.  I2NSF Monitoring Terminology for Retained Information

   Records:  Unlike information emitted via notifications and events, records do not require immediate attention from an analyst but may be useful for visibility and retroactive cyber forensics.  Depending on the record format, there are different qualities with regard to structure and detail.  Records are typically stored in log files or databases on a system entity or NSF.  Records in the form of log files usually have less structure but potentially more detailed information about the changes of a system entity's characteristics.  In contrast, databases often use stricter schemas or data models, therefore enforcing a better structure.  However, they prevent storing information that does not match those models ("closed world assumption").  Records can be continuously processed by I2NSF Agents that act as I2NSF Producers and emit events via functions specifically tailored to a certain type of record.  Typically, records are information generated either by an NSF or a system entity about operational and informational data, or about various changes in system characteristics, such as user activities, network/traffic status, and network activity.  They are important for debugging, auditing, and security forensics.

   Counters:  A specific representation of continuous value changes of information elements that potentially occur at high frequency.  Prominent examples are network interface counters, e.g., PDU or byte counts, drop counters, and error counters.  Counters are useful for debugging and for visibility into the operational behavior of an NSF.  An I2NSF Agent that observes the progression of counters can act as an I2NSF Producer and emit events with respect to I2NSF Policy Rules.

5.  Conveyance of NSF Monitoring Information

   As per the use cases of NSF monitoring data, information needs to be conveyed to various I2NSF Consumers based on requirements imposed by I2NSF Capabilities and workflows.  There are multiple aspects to be considered with regard to the emission of monitoring information to requesting parties, as listed below:

   o  Pull-Push Model:  A set of data can be pushed by an NSF to a requesting party or pulled by a requesting party from an NSF.  Specific types of information might need both models at the same time if there are multiple I2NSF Consumers with varying requirements.  In general, any I2NSF Event including a high severity assessment is considered to be of great importance and should be processed as soon as possible (push model).  Records, in contrast, are typically not as critical (pull model).  The I2NSF Architecture does not mandate a specific scheme for each type of information, so this is out of scope of this document.

   o  Pub-Sub Model:  In order for an I2NSF Provider to push monitoring information to multiple appropriate I2NSF Consumers, a subscription can be maintained by both I2NSF Components.  Discovery of available monitoring information can be supported by an I2NSF Controller that takes the role of a broker and therefore includes I2NSF Capabilities that support registration.

   o  Export Frequency:  Monitoring information can be emitted immediately upon generation by an NSF to requesting I2NSF Consumers or can be pushed periodically.  The frequency of exporting the data depends upon its size and timely usefulness.  It is out of the scope of I2NSF and left to each NSF implementation.

   o  Authentication:  There may be a need for authentication between an I2NSF Producer of monitoring information and its corresponding I2NSF Consumer to ensure that critical information is delivered only to legitimate parties and remains confidential.  Note that authentication alone does not provide confidentiality; the transport carrying the monitoring information must also protect it (e.g., NETCONF over SSH or TLS, RESTCONF over HTTPS).  Authentication in the scope of I2NSF can also require corresponding content authorization.  This may be necessary, for example, if an NSF emits monitoring information to an I2NSF Consumer outside its administrative domain.  The I2NSF Architecture does not mandate when and how specific authentication has to be implemented.

   o  Data-Transfer Model:  Monitoring information can be pushed by an NSF using a connectionless model that does not require a persistent connection, or streamed over a persistent connection.  The appropriate model depends on the I2NSF Consumer requirements and the semantics of the information to be conveyed.

   o  Data Model and Interaction Model for Data in Motion:  There are many transport mechanisms, such as IP, UDP, and TCP.  There are also established export protocols for specific sets of data such as system counters and flow records, e.g., IPFIX [RFC7011] and NetFlow [RFC3954].  I2NSF does not mandate any specific method for a given data set, so it is up to each implementation.

5.1.  Information Types and Acquisition Methods

   Most of the information types defined in this document benefit from high visibility with respect to value changes, e.g., alarms and records.  In contrast, values that change monotonically in a continuous way do not benefit from this high visibility.  On the contrary, emitting each change would result in a useless amount of value updates.  Hence, values such as counters are best acquired at periodic intervals.

   The mechanisms provided by YANG Push [I-D.ietf-netconf-yang-push] and YANG Subscribed Notifications [I-D.ietf-netconf-subscribed-notifications] address exactly this set of requirements.  YANG also enables semantically well-structured information, as well as subscriptions to datastores or event streams, either on change or periodically.
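   As an added illustration of the contrast drawn above (counters sampled at intervals and converted to rates; alarms emitted only when something changes), the following Python block is not code from this draft or from any I2NSF implementation.  It uses the inbound counter names of Section 7.4.1 and the Memory Alarm fields of Section 7.1.1; the class names, the 64-bit counter width, the tolerance of a single counter wrap, the treatment of a larger backward jump as a counter reset, the "dropped below" message and the hysteresis margin used to keep a value hovering at the threshold from flapping are all assumptions of this example.

```python
"""Periodic counter acquisition versus on-change alarm emission (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

COUNTER_MAX = 2 ** 64  # assumption: 64-bit monotonic counters


@dataclass
class CounterSample:
    """One poll of an interface's inbound counters (Section 7.4.1 names)."""
    t: float                      # sample time, seconds since epoch
    in_total_traffic_pkts: int
    in_total_traffic_bytes: int


@dataclass
class RateStats:
    """Derived inbound rate fields of Section 7.4.1."""
    interface_name: str
    in_traffic_ave_rate: float = 0.0    # pps over the whole window
    in_traffic_peak_rate: float = 0.0   # highest per-interval pps
    in_traffic_ave_speed: float = 0.0   # bps over the whole window
    in_traffic_peak_speed: float = 0.0  # highest per-interval bps


def counter_delta(prev: int, cur: int) -> int:
    """Difference of two readings, tolerating one 64-bit wrap.

    A backward jump larger than a wrap can explain is treated as a counter
    reset (NSF reboot, interface re-created) and reported as 0 rather than
    as an absurd rate.
    """
    if cur >= prev:
        return cur - prev
    wrapped = cur + COUNTER_MAX - prev
    return wrapped if wrapped < COUNTER_MAX // 2 else 0


def rates_from_samples(name: str, samples: List[CounterSample]) -> RateStats:
    """Turn periodically polled counters into average and peak rates."""
    stats = RateStats(interface_name=name)
    if len(samples) < 2:
        return stats
    total_pkts = total_bytes = 0
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:               # out-of-order or duplicate sample: skip it
            continue
        dp = counter_delta(prev.in_total_traffic_pkts, cur.in_total_traffic_pkts)
        db = counter_delta(prev.in_total_traffic_bytes, cur.in_total_traffic_bytes)
        total_pkts += dp
        total_bytes += db
        stats.in_traffic_peak_rate = max(stats.in_traffic_peak_rate, dp / dt)
        stats.in_traffic_peak_speed = max(stats.in_traffic_peak_speed, 8 * db / dt)
    window = samples[-1].t - samples[0].t
    stats.in_traffic_ave_rate = total_pkts / window
    stats.in_traffic_ave_speed = 8 * total_bytes / window
    return stats


@dataclass
class MemoryAlarmEmitter:
    """On-change emission of MEM_USAGE_ALARM (Sections 7.1 and 7.1.1): one
    message per threshold crossing, not one per sample above the threshold.
    clear_margin is an assumed hysteresis so the alarm does not flap."""
    threshold: int            # percent of memory in use
    clear_margin: int = 5
    raised: bool = False
    emitted: List[dict] = field(default_factory=list)

    def observe(self, usage: int) -> Optional[dict]:
        crossed_up = not self.raised and usage >= self.threshold
        crossed_down = self.raised and usage < self.threshold - self.clear_margin
        if not (crossed_up or crossed_down):
            return None               # no state change: nothing to emit
        self.raised = crossed_up
        msg = {
            "event_name": "MEM_USAGE_ALARM",
            "module_name": "memory-monitor",      # assumption
            "usage": usage,
            "threshold": self.threshold,
            "severity": "critical" if crossed_up else "low",
            "message": ("The memory usage exceeded the threshold" if crossed_up
                        else "The memory usage dropped below the threshold"),
        }
        self.emitted.append(msg)
        return msg


# Constructed sample input: three polls of eth0, ten seconds apart.
SAMPLE_COUNTERS = [
    CounterSample(t=0.0, in_total_traffic_pkts=0, in_total_traffic_bytes=0),
    CounterSample(t=10.0, in_total_traffic_pkts=1000, in_total_traffic_bytes=100_000),
    CounterSample(t=20.0, in_total_traffic_pkts=3000, in_total_traffic_bytes=250_000),
]

if __name__ == "__main__":
    print(rates_from_samples("eth0", SAMPLE_COUNTERS))
    emitter = MemoryAlarmEmitter(threshold=90)
    for usage in (80, 91, 95, 93, 84, 92):
        alarm = emitter.observe(usage)
        print(usage, "->", alarm["message"] if alarm else "no alarm (no state change)")
```

   Run stand-alone, the block prints the derived rates for the constructed samples and then shows six consecutive usage readings producing only three alarm messages, one per crossing.  In a real collector the counter samples would arrive from a periodic YANG Push subscription to the counter subtree and the usage readings from an on-change subscription or a local poll; the emitter's state is what keeps an on-change stream from degenerating into the per-sample flood this section warns against.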
   In consequence, the information model in this document is intended to support data models used in solicited or unsolicited event streams that are potentially facilitated by a subscription mechanism.  A subset of the information elements defined in the information model addresses this domain of application.

6.  Basic Information Model for All Monitoring Data

   As explained in the sections above, there is a wealth of data available from the NSF that can be monitored.  Firstly, every monitoring message sent from an NSF must carry some general information that helps a consumer identify the metadata of that message, as listed below:

   o  message_version:  It indicates the version of the data format and is a two-digit decimal numeral starting from 01.

   o  message_type:  Event, Alert, Alarm, Log, Counter, etc.

   o  time_stamp:  It indicates the time when the message was generated.

   o  vendor_name:  The name of the NSF vendor.

   o  NSF_name:  The name (or IP address) of the NSF generating the message.

   o  Module_name:  The name of the module outputting the message.

   o  Severity:  It indicates the severity level of the message.  There are eight levels in total, from 0 to 7; the smaller the numeral, the higher the severity (the same ordering as syslog severities [RFC5424]).

7.  Extended Information Model for Monitoring Data

   This section covers the additional information associated with the system messages.  The extended information model is only for structured data such as alarms.  Any unstructured data is specified with the basic information model only.

7.1.  System Alarm

   Characteristics:

   o  acquisition_method:  subscription

   o  emission_type:  on-change

   o  dampening_type:  no-dampening

7.1.1.  Memory Alarm

   The following information should be included in a Memory Alarm:

   o  event_name:  MEM_USAGE_ALARM

   o  module_name:  It indicates the NSF module responsible for generating this alarm.

   o  usage:  Specifies the amount of memory used.
   o  threshold:  The threshold triggering the alarm

   o  severity:  The severity of the alarm, such as critical, high, medium, or low

   o  message:  The memory usage exceeded the threshold

7.1.2.  CPU Alarm

   The following information should be included in a CPU Alarm:

   o  event_name:  CPU_USAGE_ALARM

   o  usage:  Specifies the amount of CPU used.

   o  threshold:  The threshold triggering the event

   o  severity:  The severity of the alarm, such as critical, high, medium, or low

   o  message:  The CPU usage exceeded the threshold.

7.1.3.  Disk Alarm

   The following information should be included in a Disk Alarm:

   o  event_name:  DISK_USAGE_ALARM

   o  usage:  Specifies the amount of disk space used.

   o  threshold:  The threshold triggering the event

   o  severity:  The severity of the alarm, such as critical, high, medium, or low

   o  message:  The disk usage exceeded the threshold.

7.1.4.  Hardware Alarm

   The following information should be included in a Hardware Alarm:

   o  event_name:  HW_FAILURE_ALARM

   o  component_name:  It indicates the HW component responsible for generating this alarm.

   o  threshold:  The threshold triggering the alarm

   o  severity:  The severity of the alarm, such as critical, high, medium, or low

   o  message:  The HW component has failed or degraded.

7.1.5.  Interface Alarm

   The following information should be included in an Interface Alarm:

   o  event_name:  IFNET_STATE_ALARM

   o  interface_Name:  The name of the interface

   o  interface_state:  UP, DOWN, CONGESTED

   o  threshold:  The threshold triggering the event

   o  severity:  The severity of the alarm, such as critical, high, medium, or low

   o  message:  Current interface state

7.2.  System Events

   Characteristics:

   o  acquisition_method:  subscription

   o  emission_type:  on-change

   o  dampening_type:  on-repetition

7.2.1.  Access Violation

   The following information should be included in this event:

   o  event_name:  ACCESS_DENIED

   o  user:  Name of a user

   o  group:  Group to which the user belongs

   o  login_ip_address:  Login IP address of the user

   o  authentication_mode:  User authentication mode, e.g., Local Authentication, Third-Party Server Authentication, Authentication Exemption, Single Sign-On (SSO) Authentication

   o  message:  Access is denied.

7.2.2.  Configuration Change

   The following information should be included in this event:

   o  event_name:  CONFIG_CHANGE

   o  user:  Name of a user

   o  group:  Group to which the user belongs

   o  login_ip_address:  Login IP address of the user

   o  authentication_mode:  User authentication mode, e.g., Local Authentication, Third-Party Server Authentication, Authentication Exemption, SSO Authentication

   o  message:  Configuration is modified.

7.3.  System Log

   Characteristics:

   o  acquisition_method:  subscription

   o  emission_type:  on-change

   o  dampening_type:  on-repetition

7.3.1.  Access Logs

   Access logs record administrators' login, logout, and operations on a device.  By analyzing them, security vulnerabilities and misuse of administrative access can be identified.  The following information should be included in an operation report:

   o  Administrator:  Administrator that operates on the device

   o  login_ip_address:  IP address used by the administrator to log in

   o  login_mode:  The mode in which the administrator logged in, e.g., root, user

   o  operation_type:  The type of operation that the administrator executed, e.g., login, logout, and configuration.

   o  result:  Command execution result

   o  content:  Operation performed by the administrator after login.

7.3.2.  Resource Utilization Logs

   Running reports record the device system's running status, which is useful for device monitoring.
The following information should be 688 included in running report: 690 o system_status: The current system's running status 692 o CPU_usage: Specifies the CPU usage. 694 o memory_usage: Specifies the memory usage. 696 o disk_usage: Specifies the disk usage. 698 o disk_left: Specifies the available disk space left. 700 o session_number: Specifies total concurrent sessions. 702 o process_number: Specifies total number of system processes. 704 o in_traffic_rate: The total inbound traffic rate in pps 706 o out_traffic_rate: The total outbound traffic rate in pps 708 o in_traffic_speed: The total inbound traffic speed in bps 710 o out_traffic_speed: The total outbound traffic speed in bps 712 7.3.3. User Activity Logs 714 User activity logs provide visibility into users' online records 715 (such as login time, online/lockout duration, and login IP addresses) 716 and the actions that users perform. User activity reports are 717 helpful to identify exceptions during a user's login and network 718 access activities. 720 o user: Name of a user 722 o group: Group to which a user belongs 724 o login_ip_address: Login IP address of a user 726 o authentication_mode: User authentication mode. e.g., Local 727 Authentication, Third-Party Server Authentication, Authentication 728 Exemption, SSO Authentication 730 o access_mode: User access mode. e.g., PPP, SVN, LOCAL 732 o online_duration: Online duration 734 o lockout_duration: Lockout duration 736 o type: User activities. e.g., Successful User Login, Failed Login 737 attempts, User Logout, Successful User Password Change, Failed 738 User Password Change, User Lockout, User Unlocking, Unknown 740 o cause: Cause of a failed user activity 742 7.4. System Counters 744 Characteristics: 746 o acquisition_method: subscription or query 748 o emission_type: periodical 750 o dampening_type: none 752 7.4.1. Interface counters 754 Interface counters provide visibility into traffic into and out of an 755 NSF, and bandwidth usage. 
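   The following Python sketch is an added example, not code from the
   draft or from any I2NSF implementation.  It ties together three of
   the monitoring types described above: it raises the Section 7.1
   memory/CPU/disk alarms with the "on-change" emission and
   "on-repetition" dampening characteristics (a crossing is reported
   once and not repeated while it persists, then re-armed once usage
   drops back), and it derives the in_traffic_rate (pps) and
   in_traffic_speed (bps) fields of Section 7.3.2 from two readings of
   the cumulative interface counters listed next in Section 7.4.1.  The
   class names, thresholds, severity bands, the MEM_USAGE_ALARM name
   (assumed by analogy with CPU_USAGE_ALARM) and the sample readings are
   all constructed here.

```python
"""Threshold alarms and traffic rates from polled NSF samples (added
example; names, thresholds, severity bands and samples are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# event_name values of Section 7.1. MEM_USAGE_ALARM is assumed by
# analogy with CPU_USAGE_ALARM and DISK_USAGE_ALARM.
ALARM_NAMES = {"memory": "MEM_USAGE_ALARM", "cpu": "CPU_USAGE_ALARM",
               "disk": "DISK_USAGE_ALARM"}


@dataclass(frozen=True)
class Alarm:
    """One emitted alarm with the Section 7.1 fields."""
    event_name: str
    usage: int        # percent, like the model's uint8 'usage' leaf
    threshold: int    # percent, like the model's uint8 'threshold' leaf
    severity: str
    message: str


@dataclass(frozen=True)
class Sample:
    """One polled reading (constructed). Usage values are percentages; the
    two traffic counters are cumulative, as in Section 7.4.1."""
    time: float
    cpu_usage: int
    memory_usage: int
    disk_usage: int
    in_total_traffic_pkts: int
    in_total_traffic_bytes: int


def severity_for(usage: int, threshold: int) -> str:
    """Map the overshoot above the threshold onto the draft's severity
    words (critical/high/medium/low). The bands are an assumption."""
    over = usage - threshold
    if over >= 20:
        return "critical"
    if over >= 10:
        return "high"
    return "medium" if over >= 5 else "low"


class AlarmMonitor:
    """emission_type on-change: report a threshold crossing when it happens.
    dampening_type on-repetition: stay silent while the condition persists.
    Once usage is back at or below the threshold the alarm re-arms."""

    def __init__(self, thresholds: Dict[str, int]) -> None:
        self.thresholds = thresholds
        self._active: Set[str] = set()    # resources currently in alarm

    def observe(self, s: Sample) -> List[Alarm]:
        usages = {"cpu": s.cpu_usage, "memory": s.memory_usage,
                  "disk": s.disk_usage}
        emitted: List[Alarm] = []
        for res, usage in usages.items():
            thr = self.thresholds[res]
            if usage <= thr:
                self._active.discard(res)          # cleared: re-arm
            elif res not in self._active:          # first crossing
                self._active.add(res)
                emitted.append(Alarm(ALARM_NAMES[res], usage, thr,
                                     severity_for(usage, thr),
                                     f"The {res} usage exceeded the threshold"))
            # else: still above threshold, repeat is dampened
        return emitted


def traffic_rates(prev: Sample, cur: Sample) -> Tuple[float, float]:
    """in_traffic_rate (pps) and in_traffic_speed (bps) of Section 7.3.2
    from two readings of the cumulative Section 7.4.1 counters."""
    dt = cur.time - prev.time
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    pkts = cur.in_total_traffic_pkts - prev.in_total_traffic_pkts
    octets = cur.in_total_traffic_bytes - prev.in_total_traffic_bytes
    if pkts < 0 or octets < 0:
        # Negative delta: the counter wrapped or the NSF restarted, so no
        # meaningful rate can be derived from this pair of readings.
        raise ValueError("counter wrapped or reset between samples")
    return pkts / dt, octets * 8 / dt


# Constructed readings 10 s apart: CPU crosses, stays high, clears, then
# crosses again; memory crosses once while CPU is still in alarm.
SAMPLES = [
    Sample(0.0, 40, 50, 70, 1000, 500_000),
    Sample(10.0, 85, 50, 70, 2000, 1_500_000),
    Sample(20.0, 90, 95, 70, 3000, 2_500_000),
    Sample(30.0, 60, 96, 70, 3500, 2_750_000),
    Sample(40.0, 95, 70, 70, 4500, 3_750_000),
]


def run(samples: List[Sample]) -> Tuple[List[Alarm], List[Tuple[float, float]]]:
    """Feed samples through the monitor; return the alarms that were
    actually emitted and the (pps, bps) rate of each interval."""
    mon = AlarmMonitor({"cpu": 80, "memory": 85, "disk": 90})
    alarms: List[Alarm] = []
    rates: List[Tuple[float, float]] = []
    prev: Optional[Sample] = None
    for s in samples:
        alarms.extend(mon.observe(s))
        if prev is not None:
            rates.append(traffic_rates(prev, s))
        prev = s
    return alarms, rates
```

   With the constructed readings, run(SAMPLES) emits three alarms (CPU
   at 85%, memory at 95%, CPU again at 95%) even though five readings
   are above a threshold, which is the dampening behaviour the
   "on-repetition" characteristic describes; a collector that sees the
   same alarm twice in a row therefore knows the condition cleared in
   between.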
   o interface_name: Network interface name configured in the NSF

   o in_total_traffic_pkts: Total inbound packets

   o out_total_traffic_pkts: Total outbound packets

   o in_total_traffic_bytes: Total inbound bytes

   o out_total_traffic_bytes: Total outbound bytes

   o in_drop_traffic_pkts: Total inbound dropped packets

   o out_drop_traffic_pkts: Total outbound dropped packets

   o in_drop_traffic_bytes: Total inbound dropped bytes

   o out_drop_traffic_bytes: Total outbound dropped bytes

   o in_traffic_ave_rate: Inbound traffic average rate in pps

   o in_traffic_peak_rate: Inbound traffic peak rate in pps

   o in_traffic_ave_speed: Inbound traffic average speed in bps

   o in_traffic_peak_speed: Inbound traffic peak speed in bps

   o out_traffic_ave_rate: Outbound traffic average rate in pps

   o out_traffic_peak_rate: Outbound traffic peak rate in pps

   o out_traffic_ave_speed: Outbound traffic average speed in bps

   o out_traffic_peak_speed: Outbound traffic peak speed in bps

7.5.  NSF Events

   Characteristics:

   o acquisition_method: subscription

   o emission_type: on-change

   o dampening_type: none

7.5.1.  DDoS Event

   The following information should be included in a DDoS Event:

   o event_name: SEC_EVENT_DDoS

   o sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood,
     FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS
     flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood,
     etc.

   o dst_ip: The IP address of a victim under attack

   o dst_port: The port number that the attack traffic aims at.

   o start_time: The time stamp indicating when the attack started

   o end_time: The time stamp indicating when the attack ended.  If the
     attack is still ongoing when the alarm is sent out, this field
     can be empty.
   o attack_rate: The pps of attack traffic

   o attack_speed: The bps of attack traffic

   o rule_id: The ID of the rule being triggered

   o rule_name: The name of the rule being triggered

   o profile: Security profile that traffic matches.

7.5.2.  Session Table Event

   The following information should be included in a Session Table
   Event:

   o event_name: SESSION_USAGE_HIGH

   o current: The number of concurrent sessions

   o max: The maximum number of sessions that the session table can
     support

   o threshold: The threshold triggering the event

   o message: The number of sessions in the session table exceeded the
     threshold.

7.5.3.  Virus Event

   The following information should be included in a Virus Event:

   o event_Name: SEC_EVENT_VIRUS

   o virus_type: Type of the virus, e.g., trojan, worm, macro virus

   o virus_name: Name of the virus

   o dst_ip: The destination IP address of the packet where the virus
     is found

   o src_ip: The source IP address of the packet where the virus is
     found

   o src_port: The source port of the packet where the virus is found

   o dst_port: The destination port of the packet where the virus is
     found

   o src_zone: The source security zone of the packet where the virus
     is found

   o dst_zone: The destination security zone of the packet where the
     virus is found

   o file_type: The type of the file in which the virus is hidden

   o file_name: The name of the file in which the virus is hidden

   o virus_info: A brief description of the virus

   o raw_info: The information describing the packet triggering the
     event.

   o rule_id: The ID of the rule being triggered

   o rule_name: The name of the rule being triggered

   o profile: Security profile that traffic matches.

7.5.4.  Intrusion Event

   The following information should be included in an Intrusion Event:

   o event_name: The name of the event, e.g., SEC_EVENT_Intrusion

   o sub_attack_type: Attack type, e.g., brute force and buffer
     overflow

   o src_ip: The source IP address of the packet

   o dst_ip: The destination IP address of the packet

   o src_port: The source port number of the packet

   o dst_port: The destination port number of the packet

   o src_zone: The source security zone of the packet

   o dst_zone: The destination security zone of the packet

   o protocol: The employed transport layer protocol, e.g., TCP and UDP

   o app: The employed application layer protocol, e.g., HTTP and FTP

   o rule_id: The ID of the rule being triggered

   o rule_name: The name of the rule being triggered

   o profile: Security profile that traffic matches

   o intrusion_info: Simple description of the intrusion

   o raw_info: The information describing the packet triggering the
     event

7.5.5.  Botnet Event

   The following information should be included in a Botnet Event:

   o event_name: The name of the event, e.g., SEC_EVENT_Botnet

   o botnet_name: The name of the detected botnet

   o src_ip: The source IP address of the packet

   o dst_ip: The destination IP address of the packet

   o src_port: The source port number of the packet

   o dst_port: The destination port number of the packet

   o src_zone: The source security zone of the packet

   o dst_zone: The destination security zone of the packet

   o protocol: The employed transport layer protocol, e.g., TCP and UDP

   o app: The employed application layer protocol, e.g., HTTP and FTP

   o role: The role of the communicating parties within the botnet:

     1.  The packet from the zombie host to the attacker

     2.  The packet from the attacker to the zombie host

     3.  The packet from the IRC/WEB server to the zombie host

     4.  The packet from the zombie host to the IRC/WEB server

     5.  The packet from the attacker to the IRC/WEB server

     6.  The packet from the IRC/WEB server to the attacker

     7.  The packet from the zombie host to the victim

   o botnet_info: Simple description of the botnet

   o rule_id: The ID of the rule being triggered

   o rule_name: The name of the rule being triggered

   o profile: Security profile that traffic matches

   o raw_info: The information describing the packet triggering the
     event.

7.5.6.  Web Attack Event

   The following information should be included in a Web Attack Alarm:

   o event_name: The name of the event, e.g., SEC_EVENT_WebAttack

   o sub_attack_type: Concrete web attack type, e.g., SQL injection,
     command injection, XSS, CSRF

   o src_ip: The source IP address of the packet

   o dst_ip: The destination IP address of the packet

   o src_port: The source port number of the packet

   o dst_port: The destination port number of the packet

   o src_zone: The source security zone of the packet

   o dst_zone: The destination security zone of the packet

   o req_method: The request method, for instance "PUT" and "GET" in
     HTTP

   o req_url: Requested URL

   o url_category: Matched URL category

   o filtering_type: URL filtering type, e.g., Blacklist, Whitelist,
     User-Defined, Predefined, Malicious Category, and Unknown

   o rule_id: The ID of the rule being triggered

   o rule_name: The name of the rule being triggered

   o profile: Security profile that traffic matches

7.6.  NSF Logs

   Characteristics:

   o acquisition_method: subscription

   o emission_type: on-change

   o dampening_type: on-repetition

7.6.1.  DDoS Logs

   Besides the fields in a DDoS Alarm, the following information should
   be included in DDoS Logs:

   o attack_type: DDoS

   o attack_ave_rate: The average pps of the attack traffic within the
     recorded time

   o attack_ave_speed: The average bps of the attack traffic within the
     recorded time

   o attack_pkt_num: The number of attack packets within the recorded
     time

   o attack_src_ip: The source IP addresses of attack traffic.  If
     there are a large number of IP addresses, a certain number of them
     are selected according to different rules.

   o action: Actions against DDoS attacks, e.g., Allow, Alert, Block,
     Discard, Declare, Block-ip, and Block-service.

7.6.2.  Virus Logs

   Besides the fields in a Virus Alarm, the following information should
   be included in Virus Logs:

   o attack_type: Virus

   o protocol: The transport layer protocol

   o app: The name of the application layer protocol

   o times: The time of detecting the virus

   o action: The actions dealing with the virus, e.g., alert and block

   o os: The OS that the virus will affect, e.g., all, android, ios,
     unix, and windows

7.6.3.  Intrusion Logs

   Besides the fields in an Intrusion Alarm, the following information
   should be included in Intrusion Logs:

   o attack_type: Intrusion

   o times: The number of intrusions that happened within the recorded
     time

   o os: The OS that the intrusion will affect, e.g., all, android,
     ios, unix, and windows

   o action: The actions dealing with the intrusions, e.g., Allow,
     Alert, Block, Discard, Declare, Block-ip, and Block-service

   o attack_rate: The pps of attack traffic

   o attack_speed: The bps of attack traffic

7.6.4.  Botnet Logs

   Besides the fields in a Botnet Alarm, the following information
   should be included in Botnet Logs:

   o attack_type: Botnet

   o botnet_pkt_num: The number of the packets sent to or from the
     detected botnet

   o action: The actions dealing with the detected packets, e.g.,
     Allow, Alert, Block, Discard, Declare, Block-ip, and
     Block-service.

   o os: The OS that the attack aims at, e.g., all, android, ios, unix,
     and windows.

7.6.5.  DPI Logs

   DPI Logs provide statistics on uploaded and downloaded files and
   data, sent and received emails, and alert and block records on
   websites.  It is helpful to learn risky user behaviors and why access
   to some URLs is blocked or allowed with an alert record.

   o type: DPI action types, e.g., File Blocking, Data Filtering, and
     Application Behavior Control

   o file_name: The file name

   o file_type: The file type

   o src_zone: Source security zone of traffic

   o dst_zone: Destination security zone of traffic

   o src_region: Source region of traffic

   o dst_region: Destination region of traffic

   o src_ip: Source IP address of traffic

   o src_user: User who generates traffic

   o dst_ip: Destination IP address of traffic

   o src_port: Source port of traffic

   o dst_port: Destination port of traffic

   o protocol: Protocol type of traffic

   o app: Application type of traffic

   o policy_id: Security policy id that traffic matches

   o policy_name: Security policy name that traffic matches

   o action: Action defined in the file blocking rule, data filtering
     rule, or application behavior control rule that traffic matches.

7.6.6.  Vulnerability Scanning Logs

   Vulnerability scanning logs record the victim host and its related
   vulnerability information that should be fixed.  The following
   information should be included in the report:

   o victim_ip: IP address of the victim host which has vulnerabilities

   o vulnerability_id: The vulnerability id

   o vulnerability_level: The vulnerability level, e.g., high, middle,
     and low

   o OS: The operating system of the victim host

   o service: The service which has a vulnerability in the victim host

   o protocol: The protocol type, e.g., TCP and UDP

   o port: The port number

   o vulnerability_info: The information about the vulnerability

   o fix_suggestion: The fix suggestion for the vulnerability.

7.6.7.  Web Attack Logs

   Besides the fields in a Web Attack Alarm, the following information
   should be included in a Web Attack Report:

   o attack_type: Web Attack

   o rsp_code: Response code

   o req_clientapp: The client application

   o req_cookies: Cookies

   o req_host: The domain name of the requested host

   o raw_info: The information describing the packet triggering the
     event.

7.7.  NSF Counters

   Characteristics:

   o acquisition_method: subscription or query

   o emission_type: periodical

   o dampening_type: none

7.7.1.  Firewall counters

   Firewall counters provide visibility into traffic signatures,
   bandwidth usage, and how the configured security and bandwidth
   policies have been applied.
   o src_zone: Source security zone of traffic

   o dst_zone: Destination security zone of traffic

   o src_region: Source region of traffic

   o dst_region: Destination region of traffic

   o src_ip: Source IP address of traffic

   o src_user: User who generates traffic

   o dst_ip: Destination IP address of traffic

   o src_port: Source port of traffic

   o dst_port: Destination port of traffic

   o protocol: Protocol type of traffic

   o app: Application type of traffic

   o policy_id: Security policy id that traffic matches

   o policy_name: Security policy name that traffic matches

   o in_interface: Inbound interface of traffic

   o out_interface: Outbound interface of traffic

   o total_traffic: Total traffic volume

   o in_traffic_ave_rate: Inbound traffic average rate in pps

   o in_traffic_peak_rate: Inbound traffic peak rate in pps

   o in_traffic_ave_speed: Inbound traffic average speed in bps

   o in_traffic_peak_speed: Inbound traffic peak speed in bps

   o out_traffic_ave_rate: Outbound traffic average rate in pps

   o out_traffic_peak_rate: Outbound traffic peak rate in pps

   o out_traffic_ave_speed: Outbound traffic average speed in bps

   o out_traffic_peak_speed: Outbound traffic peak speed in bps.

7.7.2.  Policy Hit Counters

   Policy Hit Counters record the security policy that traffic matches
   and its hit count.  It can check if policy configurations are
   correct.
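   The following Python sketch is an added example, not code from the
   draft or from any I2NSF implementation.  It builds the Section 7.7.1
   firewall counters above (aggregated per source zone, destination
   zone and matched policy) and the Section 7.7.2 policy hit counters
   whose fields are listed next from constructed per-flow records, and
   then uses hit_times to perform the configuration check the section
   mentions: a policy that is configured but never hit is a candidate
   for a shadowed or mis-ordered rule.  The record layout, the policy
   table, the aggregation key and the way peak values are chosen are
   assumptions.

```python
"""Firewall counters and policy hit counters from per-flow records (added
example; record layout, policy table and aggregation are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One closed flow as an NSF might account it (constructed). Field
    names follow Section 7.7.1; pkts/octets are inbound totals."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    app: str
    policy_id: int      # uint8 in the YANG model
    policy_name: str
    in_pkts: int
    in_bytes: int
    duration_s: float


# Constructed policy table (id -> name). Policy 3 is configured but no
# sample flow matches it, which the hit counters make visible.
POLICIES = {1: "allow-web", 2: "allow-dns", 3: "deny-telnet", 4: "allow-mgmt"}

# Constructed flow records using documentation address ranges.
FLOWS = [
    FlowRecord("trust", "untrust", "10.0.0.5", "198.51.100.10", 443, "tcp",
               "https", 1, "allow-web", 1000, 800_000, 10.0),
    FlowRecord("trust", "untrust", "10.0.0.6", "198.51.100.11", 443, "tcp",
               "https", 1, "allow-web", 3000, 2_400_000, 10.0),
    FlowRecord("trust", "dmz", "10.0.0.5", "192.0.2.53", 53, "udp",
               "dns", 2, "allow-dns", 20, 2_000, 2.0),
    FlowRecord("untrust", "trust", "203.0.113.7", "10.0.0.20", 22, "tcp",
               "ssh", 4, "allow-mgmt", 50, 10_000, 5.0),
]


def policy_hit_counters(flows: List[FlowRecord]) -> List[Dict]:
    """Section 7.7.2: one row per configured policy with its hit_times.
    Every configured policy appears, so zero-hit policies are visible."""
    hits = {pid: 0 for pid in POLICIES}
    for f in flows:
        hits[f.policy_id] = hits.get(f.policy_id, 0) + 1
    return [{"policy_id": pid, "policy_name": POLICIES.get(pid, "unknown"),
             "hit_times": n} for pid, n in hits.items()]


def unused_policies(flows: List[FlowRecord]) -> List[int]:
    """Policies with hit_times == 0: the configuration check of
    Section 7.7.2 (possibly shadowed by an earlier rule, or dead)."""
    return [r["policy_id"] for r in policy_hit_counters(flows)
            if r["hit_times"] == 0]


def firewall_counters(flows: List[FlowRecord]) -> Dict[Tuple[str, str, int], Dict]:
    """Section 7.7.1 counters per (src_zone, dst_zone, policy_id).
    Average rate/speed are totals over the summed flow duration; peak
    rate/speed are the highest single-flow values (an assumption)."""
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "dur": 0.0,
                               "peak_pps": 0.0, "peak_bps": 0.0})
    for f in flows:
        if f.duration_s <= 0:
            raise ValueError("flow duration must be positive")
        a = acc[(f.src_zone, f.dst_zone, f.policy_id)]
        a["pkts"] += f.in_pkts
        a["bytes"] += f.in_bytes
        a["dur"] += f.duration_s
        a["peak_pps"] = max(a["peak_pps"], f.in_pkts / f.duration_s)
        a["peak_bps"] = max(a["peak_bps"], f.in_bytes * 8 / f.duration_s)
    out = {}
    for (src_zone, dst_zone, pid), a in acc.items():
        out[(src_zone, dst_zone, pid)] = {
            "src_zone": src_zone,
            "dst_zone": dst_zone,
            "policy_id": pid,
            "policy_name": POLICIES.get(pid, "unknown"),
            "total_traffic": a["bytes"],
            "in_traffic_ave_rate": a["pkts"] / a["dur"],        # pps
            "in_traffic_peak_rate": a["peak_pps"],               # pps
            "in_traffic_ave_speed": a["bytes"] * 8 / a["dur"],   # bps
            "in_traffic_peak_speed": a["peak_bps"],              # bps
        }
    return out
```

   Emitting a row for every configured policy, not only for the ones
   that were hit, is what makes the check useful: a collector comparing
   hit_times against the policy table can then tell an unused rule from
   one that simply has not been reported yet.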
   o src_zone: Source security zone of traffic

   o dst_zone: Destination security zone of traffic

   o src_region: Source region of the traffic

   o dst_region: Destination region of the traffic

   o src_ip: Source IP address of traffic

   o src_user: User who generates traffic

   o dst_ip: Destination IP address of traffic

   o src_port: Source port of traffic

   o dst_port: Destination port of traffic

   o protocol: Protocol type of traffic

   o app: Application type of traffic

   o policy_id: Security policy id that traffic matches

   o policy_name: Security policy name that traffic matches

   o hit_times: The number of times that the security policy matches
     the specified traffic.

8.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an administrator
   to check the monitoring data generated by an NSF.  The administrator
   can check the monitoring data through the following process.  When
   NSF monitoring data in the standard format is generated, the NSF
   forwards it to the Security Controller.  The Security Controller
   delivers it to the I2NSF Consumer or the Developer's Management
   System (DMS) so that the administrator can know the state of the
   I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.  The three main interfaces in the
   I2NSF framework are used for sending monitoring data as follows:

   o I2NSF Consumer-Facing Interface
     [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User
     makes a security policy and forwards it to the Security Controller
     via the Consumer-Facing Interface, it can specify the threat feed
     for threat prevention, the custom list, the malicious code scan
     group, and the event map group.  They can be used as an event to
     be monitored by an NSF.
   o I2NSF Registration Interface
     [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions
     Virtualization (NFV) architecture provides the lifecycle
     management of a Virtual Network Function (VNF) via the Ve-Vnfm
     interface.  The role of Ve-Vnfm is to request VNF lifecycle
     management (e.g., the instantiation and de-instantiation of an
     NSF, and load balancing among NSFs), exchange configuration
     information, and exchange status information for a network
     service.  In the I2NSF framework, the DMS manages data about
     resource states and network traffic for the lifecycle management
     of an NSF.  Therefore, the monitoring data generated by NSFs is
     delivered from the Security Controller to the DMS via the
     Registration Interface.  These data are delivered from the DMS to
     the VNF Manager in the Management and Orchestration (MANO) in the
     NFV system [I-D.yang-i2nsf-nfv-architecture].

   o I2NSF NSF-Facing Interface
     [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level
     security policy from the I2NSF User is translated by the security
     policy translator [I-D.yang-i2nsf-security-policy-translation] in
     the Security Controller, the translated security policy (i.e.,
     low-level policy) is applied to an NSF via the NSF-Facing
     Interface.  The monitoring data model specifies the list of events
     that can trigger Event-Condition-Action (ECA) policies via the
     NSF-Facing Interface.

9.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-monitor
     +--rw counters
        +--rw system-interface
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw interface-name?           string
        |  +--rw in-total-traffic-pkts?    uint32
        |  +--rw out-total-traffic-pkts?   uint32
        |  +--rw in-total-traffic-bytes?   uint32
        |  +--rw out-total-traffic-bytes?  uint32
        |  +--rw in-drop-traffic-pkts?     uint32
        |  +--rw out-drop-traffic-pkts?    uint32
        |  +--rw in-drop-traffic-bytes?    uint32
        |  +--rw out-drop-traffic-bytes?   uint32
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        |  +--rw message?                  string
        |  +--rw time-stamp?               yang:date-and-time
        |  +--rw vendor-name?              string
        |  +--rw nsf-name?                 string
        |  +--rw module-name?              string
        |  +--rw severity?                 severity
        +--rw nsf-firewall
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw src-ip?                   inet:ipv4-address
        |  +--rw dst-ip?                   inet:ipv4-address
        |  +--rw src-port?                 inet:port-number
        |  +--rw dst-port?                 inet:port-number
        |  +--rw src-zone?                 string
        |  +--rw dst-zone?                 string
        |  +--rw src-region?               string
        |  +--rw dst-region?               string
        |  +--rw policy-id?                uint8
        |  +--rw policy-name?              string
        |  +--rw src-user?                 string
        |  +--rw protocol?                 identityref
        |  +--rw app?                      string
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        +--rw nsf-policy-hits
           +--rw acquisition-method?       identityref
           +--rw emission-type?            identityref
           +--rw dampening-type?           identityref
           +--rw src-ip?                   inet:ipv4-address
           +--rw dst-ip?                   inet:ipv4-address
           +--rw src-port?                 inet:port-number
           +--rw dst-port?                 inet:port-number
           +--rw src-zone?                 string
           +--rw dst-zone?                 string
           +--rw src-region?               string
           +--rw dst-region?               string
           +--rw policy-id?                uint8
           +--rw policy-name?              string
           +--rw src-user?                 string
           +--rw protocol?                 identityref
           +--rw app?                      string
           +--rw message?                  string
           +--rw time-stamp?               yang:date-and-time
           +--rw vendor-name?              string
           +--rw nsf-name?                 string
           +--rw module-name?              string
           +--rw severity?                 severity
           +--rw hit-times?                uint32

     notifications:
       +---n system-detection-alarm
       |  +--ro alarm-catagory?        identityref
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro usage?                 uint8
       |  +--ro threshold?             uint8
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n system-detection-event
       |  +--ro event-catagory?        identityref
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro user                   string
       |  +--ro group                  string
       |  +--ro login-ip-addr          inet:ipv4-address
       |  +--ro authentication?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-flood
       |  +--ro event-name?            identityref
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro dst-port?              inet:port-number
       |  +--ro rule-id                uint8
       |  +--ro rule-name              string
       |  +--ro profile?               string
       |  +--ro raw-info?              string
       |  +--ro sub-attack-type?       identityref
       |  +--ro start-time             yang:date-and-time
       |  +--ro end-time               yang:date-and-time
       |  +--ro attack-rate?           uint32
       |  +--ro attack-speed?          uint32
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-session-table
       |  +--ro current-session?       uint8
       |  +--ro maximum-session?       uint8
       |  +--ro threshold?             uint8
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-virus
       |  +--ro src-ip?                inet:ipv4-address
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro src-port?              inet:port-number
       |  +--ro dst-port?              inet:port-number
       |  +--ro src-zone?              string
       |  +--ro dst-zone?              string
       |  +--ro rule-id                uint8
       |  +--ro rule-name              string
       |  +--ro profile?               string
       |  +--ro raw-info?              string
       |  +--ro virus?                 identityref
       |  +--ro virus-name?            string
       |  +--ro file-type?             string
       |  +--ro file-name?             string
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-intrusion
       |  +--ro src-ip?                inet:ipv4-address
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro src-port?              inet:port-number
       |  +--ro dst-port?              inet:port-number
       |  +--ro src-zone?              string
       |  +--ro dst-zone?              string
       |  +--ro rule-id                uint8
       |  +--ro rule-name              string
       |  +--ro profile?               string
       |  +--ro raw-info?              string
       |  +--ro protocol?              identityref
       |  +--ro app?                   string
       |  +--ro sub-attack-type?       identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-botnet
       |  +--ro src-ip?                inet:ipv4-address
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro src-port?              inet:port-number
       |  +--ro dst-port?              inet:port-number
       |  +--ro src-zone?              string
       |  +--ro dst-zone?              string
       |  +--ro rule-id                uint8
       |  +--ro rule-name              string
       |  +--ro profile?               string
       |  +--ro raw-info?              string
       |  +--ro attack-type?           identityref
       |  +--ro protocol?              identityref
       |  +--ro botnet-name?           string
       |  +--ro role?                  string
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-detection-web-attack
       |  +--ro src-ip?                inet:ipv4-address
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro src-port?              inet:port-number
       |  +--ro dst-port?              inet:port-number
       |  +--ro src-zone?              string
       |  +--ro dst-zone?              string
       |  +--ro rule-id                uint8
       |  +--ro rule-name              string
       |  +--ro profile?               string
       |  +--ro raw-info?              string
       |  +--ro sub-attack-type?       identityref
       |  +--ro request-method?        identityref
       |  +--ro req-uri?               string
       |  +--ro uri-category?          string
       |  +--ro filtering-type*        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n system-access-log
       |  +--ro login-ip               inet:ipv4-address
       |  +--ro administrator?         string
       |  +--ro login-mode?            login-mode
       |  +--ro operation-type?        operation-type
       |  +--ro result?                string
       |  +--ro content?               string
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       +---n system-res-util-log
       |  +--ro system-status?         string
       |  +--ro cpu-usage?             uint8
       |  +--ro memory-usage?          uint8
       |  +--ro disk-usage?            uint8
       |  +--ro disk-left?             uint8
       |  +--ro session-num?           uint8
       |  +--ro process-num?           uint8
       |  +--ro in-traffic-rate?       uint32
       |  +--ro out-traffic-rate?      uint32
       |  +--ro in-traffic-speed?      uint32
       |  +--ro out-traffic-speed?     uint32
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       +---n system-user-activity-log
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro user                   string
       |  +--ro group                  string
       |  +--ro login-ip-addr          inet:ipv4-address
       |  +--ro authentication?        identityref
       |  +--ro access?                identityref
       |  +--ro online-duration?       string
       |  +--ro logout-duration?       string
       |  +--ro addtional-info?        string
       +---n nsf-log-ddos
       |  +--ro attack-type?           identityref
       |  +--ro attack-ave-rate?       uint32
       |  +--ro attack-ave-speed?      uint32
       |  +--ro attack-pkt-num?        uint32
       |  +--ro attack-src-ip?         inet:ipv4-address
       |  +--ro action?                log-action
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-virus
       |  +--ro attack-type?           identityref
       |  +--ro action?                log-action
       |  +--ro os?                    string
       |  +--ro time                   yang:date-and-time
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-intrusion
       |  +--ro attack-type?           identityref
       |  +--ro action?                log-action
       |  +--ro time                   yang:date-and-time
       |  +--ro attack-rate?           uint32
       |  +--ro attack-speed?          uint32
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-botnet
       |  +--ro attack-type?           identityref
       |  +--ro action?                log-action
       |  +--ro botnet-pkt-num?        uint8
       |  +--ro os?                    string
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-dpi
       |  +--ro attack-type?           dpi-type
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro src-ip?                inet:ipv4-address
       |  +--ro dst-ip?                inet:ipv4-address
       |  +--ro src-port?              inet:port-number
       |  +--ro dst-port?              inet:port-number
       |  +--ro src-zone?              string
       |  +--ro dst-zone?              string
       |  +--ro src-region?            string
       |  +--ro dst-region?            string
       |  +--ro policy-id?             uint8
       |  +--ro policy-name?           string
       |  +--ro src-user?              string
       |  +--ro protocol?              identityref
       |  +--ro app?                   string
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-vuln-scan
       |  +--ro vulnerability-id?      uint8
       |  +--ro victim-ip?             inet:ipv4-address
       |  +--ro protocol?              identityref
       |  +--ro port-num?              inet:port-number
       |  +--ro level?                 severity
       |  +--ro os?                    string
       |  +--ro vulnerability-info?    string
       |  +--ro fix-suggestion?        string
       |  +--ro service?               string
       |  +--ro acquisition-method?    identityref
       |  +--ro emission-type?         identityref
       |  +--ro dampening-type?        identityref
       |  +--ro message?               string
       |  +--ro time-stamp?            yang:date-and-time
       |  +--ro vendor-name?           string
       |  +--ro nsf-name?              string
       |  +--ro module-name?           string
       |  +--ro severity?              severity
       +---n nsf-log-web-attack
          +--ro attack-type?           identityref
          +--ro rsp-code?              string
          +--ro req-clientapp?         string
          +--ro req-cookies?           string
          +--ro req-host?              string
          +--ro raw-info?              string
          +--ro acquisition-method?    identityref
          +--ro emission-type?         identityref
          +--ro dampening-type?        identityref
          +--ro message?               string
          +--ro time-stamp?            yang:date-and-time
          +--ro vendor-name?           string
          +--ro nsf-name?              string
          +--ro module-name?           string
          +--ro severity?              severity

                Figure 1: Information Model for NSF Monitoring

10.  YANG Data Model

   This section introduces a YANG data model for the NSF monitoring
   information model.

   file "ietf-i2nsf-monitor@2019-03-11.yang"
   module ietf-i2nsf-monitor {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor";
     prefix
       iim;
     import ietf-inet-types {
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";
     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong

        Editor: Chaehong Chung
        ";
     description
       "This module is a YANG module for monitoring NSFs.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
1758 Redistribution and use in source and binary forms, with or 1759 without modification, is permitted pursuant to, and subject 1760 to the license terms contained in, the Simplified BSD License 1761 set forth in Section 4.c of the IETF Trust's Legal Provisions 1762 Relating to IETF Documents 1763 (http://trustee.ietf.org/license-info). 1765 This version of this YANG module is part of RFC 6087; see 1766 the RFC itself for full legal notices."; 1768 revision "2019-03-11" { 1769 description "First revision"; 1770 reference 1771 "RFC XXXX: I2NSF NSF Monitoring YANG Data Model"; 1772 } 1774 typedef severity { 1775 type enumeration { 1776 enum high { 1777 description 1778 "high-level"; 1779 } 1780 enum middle { 1781 description 1782 "middle-level"; 1783 } 1784 enum low { 1785 description 1786 "low-level"; 1787 } 1788 } 1789 description 1790 "An indicator representing severity"; 1791 } 1792 typedef log-action { 1793 type enumeration { 1794 enum allow { 1795 description 1796 "If action is allow"; 1797 } 1798 enum alert { 1799 description 1800 "If action is alert"; 1801 } 1802 enum block { 1803 description 1804 "If action is block"; 1805 } 1806 enum discard { 1807 description 1808 "If action is discard"; 1809 } 1810 enum declare { 1811 description 1812 "If action is declare"; 1813 } 1814 enum block-ip { 1815 description 1816 "If action is block-ip"; 1817 } 1818 enum block-service{ 1819 description 1820 "If action is block-service"; 1821 } 1822 } 1823 description 1824 "This is used for protocol"; 1825 } 1826 typedef dpi-type{ 1827 type enumeration { 1828 enum file-blocking{ 1829 description 1830 "DPI for blocking file"; 1831 } 1832 enum data-filtering{ 1833 description 1834 "DPI for filtering data"; 1835 } 1836 enum application-behavior-control{ 1837 description 1838 "DPI for controlling application behavior"; 1839 } 1840 } 1841 description 1842 "This is used for dpi type"; 1843 } 1844 typedef operation-type{ 1845 type enumeration { 1846 enum login{ 1847 description 1848 
"Login operation"; 1849 } 1850 enum logout{ 1851 description 1852 "Logout operation"; 1853 } 1854 enum configuration{ 1855 description 1856 "Configuration operation"; 1857 } 1858 } 1859 description 1860 "An indicator representing operation-type"; 1861 } 1862 typedef login-mode{ 1863 type enumeration { 1864 enum root{ 1865 description 1866 "Root login-mode"; 1867 } 1868 enum user{ 1869 description 1870 "User login-mode"; 1871 } 1872 enum guest{ 1873 description 1874 "Guest login-mode"; 1875 } 1876 } 1877 description 1878 "An indicater representing login-mode"; 1879 } 1881 identity characteristics { 1882 description 1883 "Base identity for monitoring information 1884 characteristics"; 1885 } 1886 identity acquisition-method { 1887 base characteristics; 1888 description 1889 "The type of acquisition-method. Can be multiple 1890 types at once."; 1891 } 1892 identity subscription { 1893 base acquisition-method; 1894 description 1895 "The acquisition-method type is subscription"; 1896 } 1897 identity query { 1898 base acquisition-method; 1899 description 1900 "The acquisition-method type is query"; 1901 } 1902 identity emission-type { 1903 base characteristics; 1904 description 1905 "The type of emission-type."; 1906 } 1907 identity periodical { 1908 base emission-type; 1909 description 1910 "The emission-type type is periodical."; 1911 } 1912 identity on-change { 1913 base emission-type; 1914 description 1915 "The emission-type type is on-change."; 1916 } 1917 identity dampening-type { 1918 base characteristics; 1919 description 1920 "The type of dampening-type."; 1921 } 1922 identity no-dampening { 1923 base dampening-type; 1924 description 1925 "The dampening-type is no-dampening."; 1926 } 1927 identity on-repetition { 1928 base dampening-type; 1929 description 1930 "The dampening-type is on-repetition."; 1931 } 1932 identity none { 1933 base dampening-type; 1934 description 1935 "The dampening-type is none."; 1936 } 1938 identity authentication-mode { 1939 
description 1940 "User authentication mode types: 1941 e.g., Local Authentication, 1942 Third-Party Server Authentication, 1943 Authentication Exemption, or Single Sign-On (SSO) 1944 Authentication."; 1945 } 1946 identity local-authentication { 1947 base authentication-mode; 1948 description 1949 "Authentication-mode : local authentication."; 1950 } 1951 identity third-party-server-authentication { 1952 base authentication-mode; 1953 description 1954 "If authentication-mode is 1955 third-part-server-authentication"; 1956 } 1957 identity exemption-authentication { 1958 base authentication-mode; 1959 description 1960 "If authentication-mode is 1961 exemption-authentication"; 1963 } 1964 identity sso-authentication { 1965 base authentication-mode; 1966 description 1967 "If authentication-mode is 1968 sso-authentication"; 1969 } 1971 identity alarm-type { 1972 description 1973 "Base identity for detectable alarm types"; 1974 } 1975 identity MEM-USAGE-ALARM { 1976 base alarm-type; 1977 description 1978 "A memory alarm is alerted"; 1979 } 1980 identity CPU-USAGE-ALARM { 1981 base alarm-type; 1982 description 1983 "A cpu alarm is alerted"; 1984 } 1985 identity DISK-USAGE-ALARM { 1986 base alarm-type; 1987 description 1988 "A disk alarm is alerted"; 1989 } 1990 identity HW-FAILURE-ALARM { 1991 base alarm-type; 1992 description 1993 "A hardware alarm is alerted"; 1994 } 1995 identity IFNET-STATE-ALARM { 1996 base alarm-type; 1997 description 1998 "An interface alarm is alerted"; 1999 } 2000 identity event-type { 2001 description 2002 "Base identity for detectable event types"; 2003 } 2004 identity ACCESS-DENIED { 2005 base event-type; 2006 description 2007 "The system event is access-denied."; 2008 } 2009 identity CONFIG-CHANGE { 2010 base event-type; 2011 description 2012 "The system event is config-change."; 2013 } 2015 identity flood-type { 2016 description 2017 "Base identity for detectable flood types"; 2018 } 2019 identity syn-flood { 2020 base flood-type; 2021 
description 2022 "A SYN flood is detected"; 2023 } 2024 identity ack-flood { 2025 base flood-type; 2026 description 2027 "An ACK flood is detected"; 2028 } 2029 identity syn-ack-flood { 2030 base flood-type; 2031 description 2032 "An SYN-ACK flood is detected"; 2033 } 2034 identity fin-rst-flood { 2035 base flood-type; 2036 description 2037 "A FIN-RST flood is detected"; 2038 } 2039 identity tcp-con-flood { 2040 base flood-type; 2041 description 2042 "A TCP connection flood is detected"; 2043 } 2044 identity udp-flood { 2045 base flood-type; 2046 description 2047 "A UDP flood is detected"; 2048 } 2049 identity icmp-flood { 2050 base flood-type; 2051 description 2052 "An ICMP flood is detected"; 2053 } 2054 identity https-flood { 2055 base flood-type; 2056 description 2057 "A HTTPS flood is detected"; 2058 } 2059 identity http-flood { 2060 base flood-type; 2061 description 2062 "A HTTP flood is detected"; 2063 } 2064 identity dns-reply-flood { 2065 base flood-type; 2066 description 2067 "A DNS reply flood is detected"; 2068 } 2069 identity dns-query-flood { 2070 base flood-type; 2071 description 2072 "A DNS query flood is detected"; 2073 } 2074 identity sip-flood { 2075 base flood-type; 2076 description 2077 "A SIP flood is detected"; 2078 } 2080 identity nsf-event-name { 2081 description 2082 "Base identity for detectable nsf event types"; 2083 } 2084 identity SEC-EVENT-DDOS { 2085 base nsf-event-name; 2086 description 2087 "The nsf event is sec-event-ddos."; 2088 } 2089 identity SESSION-USAGE-HIGH { 2090 base nsf-event-name; 2091 description 2092 "The nsf event is session-usage-high"; 2093 } 2094 identity SEC-EVENT-VIRUS { 2095 base nsf-event-name; 2096 description 2097 "The nsf event is sec-event-virus"; 2098 } 2099 identity SEC-EVENT-INTRUSION { 2100 base nsf-event-name; 2101 description 2102 "The nsf event is sec-event-intrusion"; 2103 } 2104 identity SEC-EVENT-BOTNET { 2105 base nsf-event-name; 2106 description 2107 "The nsf event is sec-event-botnet"; 2108 } 
2109 identity SEC-EVENT-WEBATTACK { 2110 base nsf-event-name; 2111 description 2112 "The nsf event is sec-event-webattack"; 2113 } 2114 identity attack-type { 2115 description 2116 "The root ID of attack based notification 2117 in the notification taxonomy"; 2118 } 2119 identity system-attack-type { 2120 base attack-type; 2121 description 2122 "This ID is intended to be used 2123 in the context of system events"; 2124 } 2125 identity nsf-attack-type { 2126 base attack-type; 2127 description 2128 "This ID is intended to be used 2129 in the context of nsf event"; 2130 } 2131 identity botnet-attack-type { 2132 base nsf-attack-type; 2133 description 2134 "This is a ID stub limited to indicating 2135 that this attack type is botnet. 2136 The usual semantic and taxonomy is missing 2137 and name is used."; 2138 } 2139 identity virus-type { 2140 base nsf-attack-type; 2141 description 2142 "The type of virus. Can be multiple types at once. 2143 This attack type is associated with a detected 2144 system-log virus-attack"; 2145 } 2146 identity trojan { 2147 base virus-type; 2148 description 2149 "The detected virus type is trojan"; 2150 } 2151 identity worm { 2152 base virus-type; 2153 description 2154 "The detected virus type is worm"; 2156 } 2157 identity macro { 2158 base virus-type; 2159 description 2160 "The detected virus type is macro"; 2161 } 2162 identity intrusion-attack-type { 2163 base nsf-attack-type; 2164 description 2165 "The attack type is associatied with 2166 a detectedsystem-log intrusion"; 2167 } 2168 identity brute-force { 2169 base intrusion-attack-type; 2170 description 2171 "The intrusion type is brute-force"; 2172 } 2173 identity buffer-overflow { 2174 base intrusion-attack-type; 2175 description 2176 "The intrusion type is buffer-overflow"; 2177 } 2178 identity web-attack-type { 2179 base nsf-attack-type; 2180 description 2181 "The attack type associated with 2182 a detected system-log web-attack"; 2183 } 2184 identity command-injection { 2185 base 
web-attack-type; 2186 description 2187 "The detected web attack type is command injection"; 2188 } 2189 identity xss { 2190 base web-attack-type; 2191 description 2192 "The detected web attack type is XSS"; 2193 } 2194 identity csrf { 2195 base web-attack-type; 2196 description 2197 "The detected web attack type is CSRF"; 2198 } 2199 identity ddos-attack-type { 2200 base nsf-attack-type; 2201 description 2202 "The attack type is associated with a detected 2203 nsf-log event"; 2205 } 2207 identity req-method { 2208 description 2209 "A set of request types (if applicable). 2210 For instance, PUT or GET in HTTP"; 2211 } 2212 identity put-req { 2213 base req-method; 2214 description 2215 "The detected request type is PUT"; 2216 } 2217 identity get-req { 2218 base req-method; 2219 description 2220 "The detected request type is GET"; 2221 } 2223 identity filter-type { 2224 description 2225 "The type of filter used to detect, for example, 2226 a web-attack. Can be applicable to more than 2227 web-attacks. 
Can be more than one type."; 2228 } 2229 identity whitelist { 2230 base filter-type; 2231 description 2232 "The applied filter type is whitelist"; 2233 } 2234 identity blacklist { 2235 base filter-type; 2236 description 2237 "The applied filter type is blacklist"; 2238 } 2239 identity user-defined { 2240 base filter-type; 2241 description 2242 "The applied filter type is user-defined"; 2243 } 2244 identity balicious-category { 2245 base filter-type; 2246 description 2247 "The applied filter is balicious category"; 2248 } 2249 identity unknown-filter { 2250 base filter-type; 2251 description 2252 "The applied filter is unknown"; 2254 } 2256 identity access-mode { 2257 description 2258 "Base identity for detectable access mode."; 2259 } 2260 identity ppp { 2261 base access-mode; 2262 description 2263 "Access-mode : ppp"; 2264 } 2265 identity svn { 2266 base access-mode; 2267 description 2268 "Access-mode : svn"; 2269 } 2270 identity local { 2271 base access-mode; 2272 description 2273 "Access-mode : local"; 2274 } 2276 identity protocol-type { 2277 description 2278 "An identity used to enable type choices in leafs 2279 and leaflists wrt protocol metadata."; 2280 } 2281 identity tcp { 2282 base ipv4; 2283 base ipv6; 2284 description 2285 "TCP protocol type."; 2286 reference 2287 "RFC 793: Transmission Control Protocol"; 2288 } 2289 identity udp { 2290 base ipv4; 2291 base ipv6; 2292 description 2293 "UDP protocol type."; 2294 reference 2295 "RFC 768: User Datagram Protocol"; 2296 } 2297 identity icmp { 2298 base ipv4; 2299 base ipv6; 2300 description 2301 "General ICMP protocol type."; 2302 reference 2303 "RFC 792: Internet Control Message Protocol"; 2304 } 2305 identity icmpv4 { 2306 base ipv4; 2307 description 2308 "ICMPv4 protocol type."; 2309 } 2310 identity icmpv6 { 2311 base ipv6; 2312 description 2313 "ICMPv6 protocol type."; 2314 } 2315 identity ip { 2316 base protocol-type; 2317 description 2318 "General IP protocol type."; 2319 reference 2320 "RFC 791: 
Internet Protocol 2321 RFC 2460: Internet Protocol, Version 6 (IPv6)"; 2322 } 2323 identity ipv4 { 2324 base ip; 2325 description 2326 "IPv4 protocol type."; 2327 reference 2328 "RFC 791: Internet Protocol"; 2329 } 2330 identity ipv6 { 2331 base ip; 2332 description 2333 "IPv6 protocol type."; 2334 reference 2335 "RFC 2460: Internet Protocol, Version 6 (IPv6)"; 2336 } 2337 identity http { 2338 base tcp; 2339 description 2340 "HTPP protocol type."; 2341 reference 2342 "RFC 2616: Hypertext Transfer Protocol"; 2343 } 2344 identity ftp { 2345 base tcp; 2346 description 2347 "FTP protocol type."; 2348 reference 2349 "RFC 959: File Transfer Protocol"; 2351 } 2352 grouping common-monitoring-data { 2353 description 2354 "The data set of common monitoring"; 2355 leaf message { 2356 type string; 2357 description 2358 "This is a freetext annotation of 2359 monitoring notification content"; 2360 } 2361 leaf time-stamp { 2362 type yang:date-and-time; 2363 description 2364 "Indicates the time of message generation"; 2365 } 2366 leaf vendor-name { 2367 type string; 2368 description 2369 "The name of the NSF vendor"; 2370 } 2371 leaf nsf-name { 2372 type string; 2373 description 2374 "The name (or IP) of the NSF 2375 generating the message"; 2376 } 2377 leaf module-name { 2378 type string; 2379 description 2380 "The module name outputting the message"; 2381 } 2382 leaf severity { 2383 type severity; 2384 description 2385 "The severity of the alarm such 2386 asvcritical, high, middle, low."; 2387 } 2388 } 2389 grouping characteristics{ 2390 description 2391 "A set of monitoring information characteristics"; 2392 leaf acquisition-method { 2393 type identityref { 2394 base acquisition-method; 2395 } 2396 description 2397 "The acquisition-method for characteristics"; 2398 } 2399 leaf emission-type { 2400 type identityref { 2401 base emission-type; 2402 } 2403 description 2404 "The emission-type for characteristics"; 2405 } 2406 leaf dampening-type { 2407 type identityref { 2408 base 
dampening-type; 2409 } 2410 description 2411 "The dampening-type for characteristics"; 2412 } 2413 } 2414 grouping i2nsf-system-alarm-type-content { 2415 description 2416 "A set of system alarm type contents"; 2417 leaf usage { 2418 type uint8; 2419 description 2420 "specifies the amount of usage"; 2421 } 2422 leaf threshold { 2423 type uint8; 2424 description 2425 "The threshold triggering the alarm or the event"; 2426 } 2427 } 2428 grouping i2nsf-system-event-type-content { 2429 description 2430 "System event metadata associated 2431 with system events caused by user activity."; 2432 leaf user { 2433 type string; 2434 mandatory true; 2435 description 2436 "Name of a user"; 2437 } 2438 leaf group { 2439 type string; 2440 mandatory true; 2441 description 2442 "Group to which a user belongs."; 2443 } 2444 leaf login-ip-addr { 2445 type inet:ipv4-address; 2446 mandatory true; 2447 description 2448 "Login IP address of a user."; 2449 } 2450 leaf authentication { 2451 type identityref { 2452 base authentication-mode; 2453 } 2454 description 2455 "The authentication-mode for authentication"; 2456 } 2457 } 2458 grouping i2nsf-nsf-event-type-content-extend { 2459 description 2460 "A set of common IPv4-related NSF event 2461 content elements"; 2462 leaf src-ip { 2463 type inet:ipv4-address; 2464 description 2465 "The source IP address of the packet"; 2466 } 2467 leaf dst-ip { 2468 type inet:ipv4-address; 2469 description 2470 "The destination IP address of the packet"; 2471 } 2472 leaf src-port { 2473 type inet:port-number; 2474 description 2475 "The source port of the packet"; 2476 } 2477 leaf dst-port { 2478 type inet:port-number; 2479 description 2480 "The destination port of the packet"; 2481 } 2482 leaf src-zone { 2483 type string; 2484 description 2485 "The source security zone of the packet"; 2486 } 2487 leaf dst-zone { 2488 type string; 2489 description 2490 "The destination security zone of the packet"; 2491 } 2492 leaf rule-id { 2493 type uint8; 2494 mandatory 
true; 2495 description 2496 "The ID of the rule being triggered"; 2497 } 2498 leaf rule-name { 2499 type string; 2500 mandatory true; 2501 description 2502 "The name of the rule being triggered"; 2503 } 2504 leaf profile { 2505 type string; 2506 description 2507 "Security profile that traffic matches."; 2508 } 2509 leaf raw-info { 2510 type string; 2511 description 2512 "The information describing the packet 2513 triggering the event."; 2514 } 2515 } 2516 grouping i2nsf-nsf-event-type-content { 2517 description 2518 "A set of common IPv4-related NSF event 2519 content elements"; 2520 leaf dst-ip { 2521 type inet:ipv4-address; 2522 description 2523 "The destination IP address of the packet"; 2524 } 2525 leaf dst-port { 2526 type inet:port-number; 2527 description 2528 "The destination port of the packet"; 2529 } 2530 leaf rule-id { 2531 type uint8; 2532 mandatory true; 2533 description 2534 "The ID of the rule being triggered"; 2535 } 2536 leaf rule-name { 2537 type string; 2538 mandatory true; 2539 description 2540 "The name of the rule being triggered"; 2541 } 2542 leaf profile { 2543 type string; 2544 description 2545 "Security profile that traffic matches."; 2546 } 2547 leaf raw-info { 2548 type string; 2549 description 2550 "The information describing the packet 2551 triggering the event."; 2552 } 2553 } 2554 grouping traffic-rates { 2555 description 2556 "A set of traffic rates 2557 for statistics data"; 2558 leaf total-traffic { 2559 type uint32; 2560 description 2561 "Total traffic"; 2562 } 2563 leaf in-traffic-ave-rate { 2564 type uint32; 2565 description 2566 "Inbound traffic average rate in pps"; 2567 } 2568 leaf in-traffic-peak-rate { 2569 type uint32; 2570 description 2571 "Inbound traffic peak rate in pps"; 2572 } 2573 leaf in-traffic-ave-speed { 2574 type uint32; 2575 description 2576 "Inbound traffic average speed in bps"; 2577 } 2578 leaf in-traffic-peak-speed { 2579 type uint32; 2580 description 2581 "Inbound traffic peak speed in bps"; 2582 } 2583 
leaf out-traffic-ave-rate { 2584 type uint32; 2585 description 2586 "Outbound traffic average rate in pps"; 2587 } 2588 leaf out-traffic-peak-rate { 2589 type uint32; 2590 description 2591 "Outbound traffic peak rate in pps"; 2592 } 2593 leaf out-traffic-ave-speed { 2594 type uint32; 2595 description 2596 "Outbound traffic average speed in bps"; 2597 } 2598 leaf out-traffic-peak-speed { 2599 type uint32; 2600 description 2601 "Outbound traffic peak speed in bps"; 2602 } 2603 } 2604 grouping i2nsf-system-counter-type-content{ 2605 description 2606 "A set of system counter type contents"; 2607 leaf interface-name { 2608 type string; 2609 description 2610 "Network interface name configured in NSF"; 2611 } 2612 leaf in-total-traffic-pkts { 2613 type uint32; 2614 description 2615 "Total inbound packets"; 2616 } 2617 leaf out-total-traffic-pkts { 2618 type uint32; 2619 description 2620 "Total outbound packets"; 2621 } 2622 leaf in-total-traffic-bytes { 2623 type uint32; 2624 description 2625 "Total inbound bytes"; 2626 } 2627 leaf out-total-traffic-bytes { 2628 type uint32; 2629 description 2630 "Total outbound bytes"; 2631 } 2632 leaf in-drop-traffic-pkts { 2633 type uint32; 2634 description 2635 "Total inbound drop packets"; 2636 } 2637 leaf out-drop-traffic-pkts { 2638 type uint32; 2639 description 2640 "Total outbound drop packets"; 2641 } 2642 leaf in-drop-traffic-bytes { 2643 type uint32; 2644 description 2645 "Total inbound drop bytes"; 2646 } 2647 leaf out-drop-traffic-bytes { 2648 type uint32; 2649 description 2650 "Total outbound drop bytes"; 2651 } 2652 uses traffic-rates; 2653 } 2654 grouping i2nsf-nsf-counters-type-content{ 2655 description 2656 "A set of nsf counters type contents"; 2657 leaf src-ip { 2658 type inet:ipv4-address; 2659 description 2660 "The source IP address of the packet"; 2661 } 2662 leaf dst-ip { 2663 type inet:ipv4-address; 2664 description 2665 "The destination IP address of the packet"; 2666 } 2667 leaf src-port { 2668 type 
inet:port-number; 2669 description 2670 "The source port of the packet"; 2671 } 2672 leaf dst-port { 2673 type inet:port-number; 2674 description 2675 "The destination port of the packet"; 2676 } 2677 leaf src-zone { 2678 type string; 2679 description 2680 "The source security zone of the packet"; 2681 } 2682 leaf dst-zone { 2683 type string; 2684 description 2685 "The destination security zone of the packet"; 2686 } 2687 leaf src-region { 2688 type string; 2689 description 2690 "Source region of the traffic"; 2691 } 2692 leaf dst-region{ 2693 type string; 2694 description 2695 "Destination region of the traffic"; 2696 } 2697 leaf policy-id { 2698 type uint8; 2699 description 2700 "The ID of the policy being triggered"; 2701 } 2702 leaf policy-name { 2703 type string; 2704 description 2705 "The name of the policy being triggered"; 2706 } 2707 leaf src-user{ 2708 type string; 2709 description 2710 "User who generates traffic"; 2711 } 2712 leaf protocol { 2713 type identityref { 2714 base protocol-type; 2715 } 2716 description 2717 "Protocol type of traffic"; 2718 } 2719 leaf app { 2720 type string; 2721 description 2722 "Application type of traffic"; 2723 } 2724 } 2726 notification system-detection-alarm { 2727 description 2728 "This notification is sent, when a system alarm 2729 is detected."; 2730 leaf alarm-catagory { 2731 type identityref { 2732 base alarm-type; 2733 } 2734 description 2735 "The alarm catagory for 2736 system-detection-alarm notification"; 2737 } 2738 uses characteristics; 2739 uses i2nsf-system-alarm-type-content; 2740 uses common-monitoring-data; 2741 } 2742 notification system-detection-event { 2743 description 2744 "This notification is sent, when a security-sensitive 2745 authentication action fails."; 2746 leaf event-catagory { 2747 type identityref { 2748 base event-type; 2749 } 2750 description 2751 "The event catagory for system-detection-event"; 2752 } 2753 uses characteristics; 2754 uses i2nsf-system-event-type-content; 2755 uses 
common-monitoring-data; 2756 } 2757 notification nsf-detection-flood { 2758 description 2759 "This notification is sent, 2760 when a specific flood type is detected"; 2761 leaf event-name { 2762 type identityref { 2763 base SEC-EVENT-DDOS; 2764 } 2765 description 2766 "The event name for nsf-detection-flood"; 2767 } 2768 uses i2nsf-nsf-event-type-content; 2769 leaf sub-attack-type { 2770 type identityref { 2771 base flood-type; 2772 } 2773 description 2774 "Any one of Syn flood, ACK flood, SYN-ACK flood, 2775 FIN/RST flood, TCP Connection flood, UDP flood, 2776 Icmp flood, HTTPS flood, HTTP flood, DNS query flood, 2777 DNS reply flood, SIP flood, and etc."; 2778 } 2779 leaf start-time { 2780 type yang:date-and-time; 2781 mandatory true; 2782 description 2783 "The time stamp indicating when the attack started"; 2784 } 2785 leaf end-time { 2786 type yang:date-and-time; 2787 mandatory true; 2788 description 2789 "The time stamp indicating when the attack ended"; 2790 } 2791 leaf attack-rate { 2792 type uint32; 2793 description 2794 "The PPS rate of attack traffic"; 2795 } 2796 leaf attack-speed { 2797 type uint32; 2798 description 2799 "The BPS speed of attack traffic"; 2800 } 2801 uses common-monitoring-data; 2802 } 2803 notification nsf-detection-session-table { 2804 description 2805 "This notification is sent, when an a session table 2806 event is deteced"; 2807 leaf current-session { 2808 type uint8; 2809 description 2810 "The number of concurrent sessions"; 2811 } 2812 leaf maximum-session { 2813 type uint8; 2814 description 2815 "The maximum number of sessions that the session 2816 table can support"; 2817 } 2818 leaf threshold { 2819 type uint8; 2820 description 2821 "The threshold triggering the event"; 2822 } 2823 uses common-monitoring-data; 2824 } 2825 notification nsf-detection-virus { 2826 description 2827 "This notification is sent, when a virus is detected"; 2828 uses i2nsf-nsf-event-type-content-extend; 2829 leaf virus { 2830 type identityref { 2831 
base virus-type; 2832 } 2833 description 2834 "The virus type for nsf-detection-virus notification"; 2835 } 2836 leaf virus-name { 2837 type string; 2838 description 2839 "The name of the detected virus"; 2840 } 2842 leaf file-type { 2843 type string; 2844 description 2845 "The type of file virus code 2846 is found in (if appicable)."; 2847 } 2848 leaf file-name { 2849 type string; 2850 description 2851 "The name of file virus code 2852 is found in (if appicable)."; 2853 } 2854 uses common-monitoring-data; 2855 } 2856 notification nsf-detection-intrusion { 2857 description 2858 "This notification is send, when an intrusion event 2859 is detected."; 2860 uses i2nsf-nsf-event-type-content-extend; 2861 leaf protocol { 2862 type identityref { 2863 base protocol-type; 2864 } 2865 description 2866 "The protocol type for 2867 nsf-detection-intrusion notification"; 2868 } 2869 leaf app { 2870 type string; 2871 description 2872 "The employed application layer protocol"; 2873 } 2874 leaf sub-attack-type { 2875 type identityref { 2876 base intrusion-attack-type; 2877 } 2878 description 2879 "The sub attack type for intrusion attack"; 2880 } 2881 uses common-monitoring-data; 2882 } 2883 notification nsf-detection-botnet { 2884 description 2885 "This notification is send, when a botnet event is 2886 detected"; 2887 uses i2nsf-nsf-event-type-content-extend; 2888 leaf attack-type { 2889 type identityref { 2890 base botnet-attack-type; 2891 } 2892 description 2893 "The attack type for botnet attack"; 2894 } 2895 leaf protocol { 2896 type identityref { 2897 base protocol-type; 2898 } 2899 description 2900 "The protocol type for nsf-detection-botnet notification"; 2901 } 2902 leaf botnet-name { 2903 type string; 2904 description 2905 "The name of the detected botnet"; 2906 } 2907 leaf role { 2908 type string; 2909 description 2910 "The role of the communicating 2911 parties within the botnet"; 2912 } 2913 uses common-monitoring-data; 2914 } 2915 notification nsf-detection-web-attack 
{ 2916 description 2917 "This notification is send, when an attack event is 2918 detected"; 2919 uses i2nsf-nsf-event-type-content-extend; 2920 leaf sub-attack-type { 2921 type identityref { 2922 base web-attack-type; 2923 } 2924 description 2925 "Concret web attack type, e.g., sql injection, 2926 command injection, XSS, CSRF"; 2928 } 2929 leaf request-method { 2930 type identityref { 2931 base req-method; 2932 } 2933 description 2934 "The method of requirement. For instance, PUT or 2935 GET in HTTP"; 2936 } 2937 leaf req-uri { 2938 type string; 2939 description 2940 "Requested URI"; 2941 } 2942 leaf uri-category { 2943 type string; 2944 description 2945 "Matched URI category"; 2946 } 2947 leaf-list filtering-type { 2948 type identityref { 2949 base filter-type; 2950 } 2951 description 2952 "URL filtering type, e.g., Blacklist, Whitelist, 2953 User-Defined, Predefined, Malicious Category, 2954 Unknown"; 2955 } 2956 uses common-monitoring-data; 2957 } 2958 notification system-access-log { 2959 description 2960 "The notification is send, if there is 2961 a new system log entry about 2962 a system access event"; 2963 leaf login-ip { 2964 type inet:ipv4-address; 2965 mandatory true; 2966 description 2967 "Login IP address of a user"; 2968 } 2969 leaf administrator { 2970 type string; 2971 description 2972 "Administrator that maintains the device"; 2973 } 2974 leaf login-mode { 2975 type login-mode; 2976 description 2977 "Specifies the administrator log-in mode"; 2978 } 2979 leaf operation-type { 2980 type operation-type; 2981 description 2982 "The operation type that the administrator execute"; 2983 } 2984 leaf result { 2985 type string; 2986 description 2987 "Command execution result"; 2988 } 2989 leaf content { 2990 type string; 2991 description 2992 "The Operation performed by an administrator 2993 after login"; 2994 } 2995 uses characteristics; 2996 } 2997 notification system-res-util-log { 2998 description 2999 "This notification is send, if there is 3000 a new 
         log entry representing resource
         utilization updates.";
      leaf system-status {
        type string;
        description
          "The current system's running status";
      }
      leaf cpu-usage {
        type uint8;
        description
          "Specifies the relative amount of CPU usage
           with respect to platform resources";
      }
      leaf memory-usage {
        type uint8;
        description
          "Specifies the amount of memory usage";
      }
      leaf disk-usage {
        type uint8;
        description
          "Specifies the amount of disk usage";
      }
      leaf disk-left {
        type uint8;
        description
          "Specifies the amount of disk left";
      }
      leaf session-num {
        type uint8;
        description
          "The total number of sessions";
      }
      leaf process-num {
        type uint8;
        description
          "The total number of processes";
      }
      leaf in-traffic-rate {
        type uint32;
        description
          "The total inbound traffic rate in pps";
      }
      leaf out-traffic-rate {
        type uint32;
        description
          "The total outbound traffic rate in pps";
      }
      leaf in-traffic-speed {
        type uint32;
        description
          "The total inbound traffic speed in bps";
      }
      leaf out-traffic-speed {
        type uint32;
        description
          "The total outbound traffic speed in bps";
      }
      uses characteristics;
    }
    notification system-user-activity-log {
      description
        "This notification is sent if there is
         a new user activity log entry";
      uses characteristics;
      uses i2nsf-system-event-type-content;
      leaf access {
        type identityref {
          base access-mode;
        }
        description
          "The access type for the
           system-user-activity-log notification";
      }
      leaf online-duration {
        type string;
        description
          "Online duration";
      }
      leaf logout-duration {
        type string;
        description
          "Lockout duration";
      }
      leaf addtional-info {
        type string;
        description
          "User activities, e.g., Successful
           User Login, Failed Login Attempts,
           User Logout, Successful User
           Password Change, Failed User
           Password Change, User Lockout,
           User Unlocking, Unknown";
      }
    }
    notification nsf-log-ddos {
      description
        "This notification is sent if there is
         a new DDoS event log entry in the NSF log";
      leaf attack-type {
        type identityref {
          base ddos-attack-type;
        }
        description
          "The DDoS attack type for the
           nsf-log-ddos notification";
      }
      leaf attack-ave-rate {
        type uint32;
        description
          "The average PPS of attack traffic";
      }
      leaf attack-ave-speed {
        type uint32;
        description
          "The average bps of attack traffic";
      }
      leaf attack-pkt-num {
        type uint32;
        description
          "The number of attack packets";
      }
      leaf attack-src-ip {
        type inet:ipv4-address;
        description
          "The source IP address of the attack
           traffic.  If there is a large number
           of source addresses, pick a certain
           number of them according to
           different rules.";
      }
      leaf action {
        type log-action;
        description
          "Action type: allow, alert,
           block, discard, declare,
           block-ip, block-service";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    notification nsf-log-virus {
      description
        "This notification is sent if there is
         a new virus event log entry in the NSF log";
      leaf attack-type {
        type identityref {
          base virus-type;
        }
        description
          "The virus type for the nsf-log-virus notification";
      }
      leaf action {
        type log-action;
        description
          "Action type: allow, alert,
           block, discard, declare,
           block-ip, block-service";
      }
      leaf os {
        type string;
        description
          "Simple OS information";
      }
      leaf time {
        type yang:date-and-time;
        mandatory true;
        description
          "Indicates the time when the message
           is generated";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    notification nsf-log-intrusion {
      description
        "This notification is sent if there is
         a new intrusion event log entry in the NSF log";
      leaf attack-type {
        type identityref {
          base intrusion-attack-type;
        }
        description
          "The intrusion attack type for the
           nsf-log-intrusion notification";
      }
      leaf action {
        type log-action;
        description
          "Action type: allow, alert,
           block, discard, declare,
           block-ip, block-service";
      }
      leaf time {
        type yang:date-and-time;
        mandatory true;
        description
          "Indicates the time when the message
           is generated";
      }
      leaf attack-rate {
        type uint32;
        description
          "The PPS of attack traffic";
      }
      leaf attack-speed {
        type uint32;
        description
          "The bps of attack traffic";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    notification nsf-log-botnet {
      description
        "This notification is sent if there is
         a new botnet event log entry in the NSF log";
      leaf attack-type {
        type identityref {
          base botnet-attack-type;
        }
        description
          "The botnet attack type for the
           nsf-log-botnet notification";
      }
      leaf action {
        type log-action;
        description
          "Action type: allow, alert,
           block, discard, declare,
           block-ip, block-service";
      }
      leaf botnet-pkt-num {
        type uint8;
        description
          "The number of packets sent to
           or from the detected botnet";
      }
      leaf os {
        type string;
        description
          "Simple OS information";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    notification nsf-log-dpi {
      description
        "This notification is sent if there is
         a new DPI event in the NSF log";
      leaf attack-type {
        type dpi-type;
        description
          "The type of the DPI";
      }
      uses characteristics;
      uses i2nsf-nsf-counters-type-content;
      uses common-monitoring-data;
    }
    notification nsf-log-vuln-scan {
      description
        "This notification is sent if there is
         a new vulnerability-scan report in the NSF log";
      leaf vulnerability-id {
        type uint8;
        description
          "The vulnerability id";
      }
      leaf victim-ip {
        type inet:ipv4-address;
        description
          "IP address of the victim host
           which has vulnerabilities";
      }
      leaf protocol {
        type identityref {
          base protocol-type;
        }
        description
          "The protocol type for the
           nsf-log-vuln-scan notification";
      }
      leaf port-num {
        type inet:port-number;
        description
          "The port number";
      }
      leaf level {
        type severity;
        description
          "The vulnerability severity";
      }
      leaf os {
        type string;
        description
          "Simple OS information";
      }
      leaf vulnerability-info {
        type string;
        description
          "The information about the vulnerability";
      }
      leaf fix-suggestion {
        type string;
        description
          "The fix suggestion for the vulnerability";
      }
      leaf service {
        type string;
        description
          "The service which has the vulnerability
           on the victim host";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    notification nsf-log-web-attack {
      description
        "This notification is sent if there is
         a new web-attack event in the NSF log";
      leaf attack-type {
        type identityref {
          base web-attack-type;
        }
        description
          "The web attack type for the
           nsf-log-web-attack notification";
      }
      leaf rsp-code {
        type string;
        description
          "Response code";
      }
      leaf req-clientapp {
        type string;
        description
          "The client application";
      }
      leaf req-cookies {
        type string;
        description
          "Cookies";
      }
      leaf req-host {
        type string;
        description
          "The domain name of the requested host";
      }
      leaf raw-info {
        type string;
        description
          "The information describing
           the packet triggering the event.";
      }
      uses characteristics;
      uses common-monitoring-data;
    }
    container counters {
      description
        "This is probably better covered by an import,
         as these will not be notifications.
         Counters are not very suitable as telemetry,
         except maybe via periodic subscriptions, which
         would still violate the principle of least
         surprise.";
      container system-interface {
        description
          "The system counter type is interface counter";
        uses characteristics;
        uses i2nsf-system-counter-type-content;
        uses common-monitoring-data;
      }
      container nsf-firewall {
        description
          "The NSF counter type is firewall counter";
        uses characteristics;
        uses i2nsf-nsf-counters-type-content;
        uses traffic-rates;
      }
      container nsf-policy-hits {
        description
          "The counters of policy hits";
        uses characteristics;
        uses i2nsf-nsf-counters-type-content;
        uses common-monitoring-data;
        leaf hit-times {
          type uint32;
          description
            "The hit count for the policy";
        }
      }
    }
  }

                    Figure 2: Data Model of Monitoring

11.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950]:

      name: ietf-i2nsf-monitor
      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
      prefix: iim
      reference: RFC XXXX

12.  Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   framework operations.  Several of the notification leaves defined in
   this module (e.g., req-cookies, raw-info, attack-src-ip,
   vulnerability-info and fix-suggestion) are themselves sensitive, so
   read access to these notifications should likewise be restricted
   with NACM.  The monitoring data should be carried over a secure
   communication channel to ensure its confidentiality and integrity.
   Furthermore, either the NSF or the security controller could be
   impersonated, which leads to undesirable results, e.g., leakage of
   an NSF's important operational information, or a fake NSF sending
   false information to mislead the security controller.  Mutual
   authentication is essential to protect against this kind of attack.
   Current mainstream security technologies (e.g., TLS, DTLS, IPsec,
   X.509 PKI) can be employed appropriately to provide the above
   security functions.

   In addition, to defend against a DDoS attack caused by a large
   number of NSFs sending massive numbers of notifications to the
   security controller, rate limiting or similar mechanisms should be
   considered in both the NSF and the security controller, whether
   provisioned in advance or activated during the attack.

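   The following Python program is an added example and is not part of
   this draft or of any I2NSF implementation.  It sketches what the
   controller side of the two controls above looks like in practice:
   the NSF's identity is taken from a transport layer that is assumed
   to have already performed mutual authentication (e.g., a verified
   TLS client certificate), each NSF then gets its own token-bucket
   budget for notifications, and only notifications that survive both
   checks are validated against the leaf types that the YANG module in
   Figure 2 declares.  The trusted NSF set, the dict encoding of a
   notification ("type" plus "body") and the sample notifications are
   constructed for the example.  Two caveats about the module as
   written fall out of the validator: botnet-pkt-num, session-num,
   process-num and vulnerability-id are typed uint8, so any value above
   255 is invalid, and attack-src-ip and victim-ip are inet:ipv4-address,
   so an IPv6 attacker or victim cannot be reported at all.

```python
"""Controller-side intake for I2NSF NSF monitoring notifications.

Added example, not from the draft.  Assumes the transport layer has
already verified the NSF and hands us its identity as peer_id; the
trusted set, the dict notification encoding and the samples are
constructed for this demo.
"""
from dataclasses import dataclass
import ipaddress

# Integer bounds of the YANG built-in types the module uses.
UINT8 = (0, 2**8 - 1)
UINT32 = (0, 2**32 - 1)

# Subset of the leaf constraints declared in the module (Figure 2).
# "mandatory" mirrors "mandatory true"; tuples mirror uint8/uint32.
# Leaves not listed here are passed through unchecked.
SCHEMA = {
    "nsf-log-ddos": {"attack-ave-rate": UINT32, "attack-ave-speed": UINT32,
                     "attack-pkt-num": UINT32, "attack-src-ip": "ipv4-address"},
    "nsf-log-intrusion": {"time": "mandatory", "attack-rate": UINT32,
                          "attack-speed": UINT32},
    "nsf-log-botnet": {"botnet-pkt-num": UINT8},  # uint8 in the draft: >255 invalid
}


def validate(notif):
    """Return None if the notification fits the module, else a reason string."""
    kind = notif.get("type")
    body = notif.get("body", {})
    rules = SCHEMA.get(kind)
    if rules is None:
        return f"unknown notification {kind!r}"
    for leaf, rule in rules.items():
        if rule == "mandatory":
            if leaf not in body:
                return f"{kind}: missing mandatory leaf {leaf}"
            continue
        if leaf not in body:
            continue
        value = body[leaf]
        if rule == "ipv4-address":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                return f"{kind}: {leaf} is not an IPv4 address"
        else:
            lo, hi = rule
            if not isinstance(value, int) or not lo <= value <= hi:
                return f"{kind}: {leaf}={value!r} outside {lo}..{hi}"
    return None


@dataclass
class TokenBucket:
    """Classic token bucket: refills `rate` tokens/second, holds at most `burst`."""
    rate: float
    burst: float
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst          # start full so a short burst is fine

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class MonitoringIntake:
    """Accepts notifications only from authenticated NSFs, within a per-NSF budget."""

    def __init__(self, trusted_nsfs, rate, burst):
        self.trusted = set(trusted_nsfs)
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def accept(self, peer_id, notif, now):
        # 1. Mutual authentication: peer_id is the identity the transport verified.
        if peer_id not in self.trusted:
            return "rejected: unauthenticated peer"
        # 2. Rate limit per NSF before any parsing, so one flooding NSF
        #    cannot exhaust the controller (the DDoS case in the text).
        bucket = self.buckets.setdefault(peer_id, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return "dropped: rate limit"
        # 3. Only then validate the content against the module.
        err = validate(notif)
        return f"rejected: {err}" if err else "accepted"


def run_demo():
    """Constructed traffic: one rogue peer, one trusted NSF sending a burst."""
    intake = MonitoringIntake(trusted_nsfs={"nsf-fw-1"}, rate=1.0, burst=3.0)
    ddos = {"type": "nsf-log-ddos", "body": {
        "attack-type": "syn-flood", "attack-ave-rate": 150000,
        "attack-src-ip": "192.0.2.10", "action": "block-ip"}}
    intrusion_no_time = {"type": "nsf-log-intrusion", "body": {
        "attack-type": "brute-force", "attack-rate": 300}}   # omits mandatory time
    botnet_overflow = {"type": "nsf-log-botnet", "body": {
        "attack-type": "c2", "botnet-pkt-num": 300}}          # exceeds uint8
    return [
        intake.accept("rogue-box", ddos, now=0.0),
        intake.accept("nsf-fw-1", ddos, now=0.0),
        intake.accept("nsf-fw-1", intrusion_no_time, now=0.0),
        intake.accept("nsf-fw-1", botnet_overflow, now=0.1),
        intake.accept("nsf-fw-1", ddos, now=0.1),   # bucket exhausted
        intake.accept("nsf-fw-1", ddos, now=5.0),   # refilled after the burst
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

   The order of the checks matters: authentication and the rate limit
   are constant-time lookups, while validation (and, in a real
   controller, NETCONF/XML parsing) is the expensive step, so it runs
   last and only for peers that still have budget.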
13.  References

13.1.  Normative References

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Subscription to YANG Event Notifications",
              draft-ietf-netconf-subscribed-notifications-23 (work in
              progress), February 2019.

   [I-D.ietf-netconf-yang-push]
              Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen-
              Nygaard, E., Bierman, A., and B. Lengyel, "Subscription to
              YANG Datastores", draft-ietf-netconf-yang-push-22 (work in
              progress), February 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, DOI 10.17487/RFC6587, April
              2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

13.2.  Informative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", draft-
              ietf-i2nsf-consumer-facing-interface-dm-02 (work in
              progress), November 2018.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
              Lin, "I2NSF Network Security Function-Facing Interface
              YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
              dm-02 (work in progress), November 2018.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
              "I2NSF Registration Interface YANG Data Model", draft-
              ietf-i2nsf-registration-interface-dm-01 (work in
              progress), November 2018.
   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-07 (work in
              progress), January 2019.

   [I-D.yang-i2nsf-nfv-architecture]
              Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the
              NFV Reference Architecture", draft-yang-i2nsf-nfv-
              architecture-04 (work in progress), November 2018.

   [I-D.yang-i2nsf-security-policy-translation]
              Yang, J., Jeong, J., and J. Kim, "Security Policy
              Translation in Interface to Network Security Functions",
              draft-yang-i2nsf-security-policy-translation-02 (work in
              progress), October 2018.

   [RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
              Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A.  Changes from draft-hong-i2nsf-nsf-monitoring-data-model-06

   The following changes are made from draft-hong-i2nsf-nsf-monitoring-
   data-model-06:

   o  This version reflects the comments from Tom Petch as follows.

   o  In the Editorial Note, "RFC XXXX: I2NSF NSF Monitoring YANG Data
      Model" is mentioned.

   o  In Section 2, Requirements Language and Terminology are
      integrated, and the explanation of YANG Data Diagrams is moved to
      Terminology.

   o  In Section 2.3, NMDA conformance is mentioned.

   o  In Section 2.1, the reference [RFC8174] is added.

   o  In Section 2.3, the reference [RFC8340], which specifies the
      format for tree diagrams, is added for the tree diagrams.

   o  In Section 10, the copyright of the YANG module is added in the
      description.

   o  In Section 10, the YANG import statements include reference
      statements.

   o  In Section 10, the YANG module includes RFC XXXX to indicate the
      RFC from which it comes.

   o  In Section 10, the identities for protocols include reference
      statements.

   o  In Section 11, the section registering the YANG module name and
      the URI in the IETF XML Registry is added.

   o  In Section 12,

Appendix B.  Acknowledgments

   This work was supported by an Institute for Information &
   communications Technology Promotion (IITP) grant funded by the Korea
   government (MSIP) (R-20160222-002755, Cloud based Security
   Intelligence Technology Development for the Customized Security
   Service Provisioning).

Appendix C.  Contributors

   This document is the product of the group effort of the I2NSF
   working group.  Many people actively contributed to this document.
   The following are considered co-authors:

   o  Jinyong Tim Kim (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Dacheng Zhang (Huawei)

   o  Yi Wu (Alibaba Group)

   o  Rakesh Kumar (Juniper Networks)

   o  Anil Lohiya (Juniper Networks)

Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Chaehong Chung
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8541 7158
   EMail: darkhong@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de