Network Working Group                                         J. Jeong
Internet-Draft                                                 C. Chung
Intended status: Standards Track                Sungkyunkwan University
Expires: May 7, 2020                                           S. Hares
                                                                 L. Xia
                                                                 Huawei
                                                            H. Birkholz
                                                         Fraunhofer SIT
                                                       November 4, 2019

                 I2NSF NSF Monitoring YANG Data Model
              draft-ietf-i2nsf-nsf-monitoring-data-model-02

Abstract

   This document proposes an information model and the corresponding
   YANG data model for monitoring Network Security Functions (NSFs) in
   the Interface to Network Security Functions (I2NSF) framework.  If
   the monitoring of NSFs is performed in a comprehensive way, it is
   possible to detect indications of malicious activity, anomalous
   behavior or the potential signs of denial-of-service attacks in a
   timely manner.  This monitoring functionality is based on the
   monitoring information that is generated by NSFs.  Thus, this
   document describes not only an information model for monitoring NSFs
   along with a YANG tree diagram, but also the corresponding YANG data
   model for monitoring NSFs.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC
   number to be assigned to this document:

   "This version of this YANG module is part of RFC 6087;"

   "RFC XXXX: I2NSF NSF Monitoring YANG Data Model"

   "reference: RFC 6087"

   Please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Requirements Notation
     2.2.  Definitions
     2.3.  YANG
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications and Events
     4.3.  Unsolicited Poll and Solicited Push
     4.4.  I2NSF Monitoring Terminology for Retained Information
   5.  Conveyance of NSF Monitoring Information
     5.1.  Information Types and Acquisition Methods
   6.  Basic Information Model for All Monitoring Data
   7.  Extended Information Model for Monitoring Data
     7.1.  System Alarms
       7.1.1.  Memory Alarm
       7.1.2.  CPU Alarm
       7.1.3.  Disk Alarm
       7.1.4.  Hardware Alarm
       7.1.5.  Interface Alarm
     7.2.  System Events
       7.2.1.  Access Violation
       7.2.2.  Configuration Change
     7.3.  NSF Events
       7.3.1.  DDoS Event
       7.3.2.  Session Table Event
       7.3.3.  Virus Event
       7.3.4.  Intrusion Event
       7.3.5.  Botnet Event
       7.3.6.  Web Attack Event
     7.4.  System Logs
       7.4.1.  Access Log
       7.4.2.  Resource Utilization Log
       7.4.3.  User Activity Log
     7.5.  NSF Logs
       7.5.1.  DDoS Log
       7.5.2.  Virus Log
       7.5.3.  Intrusion Log
       7.5.4.  Botnet Log
       7.5.5.  DPI Log
       7.5.6.  Vulnerability Scanning Log
       7.5.7.  Web Attack Log
     7.6.  System Counter
       7.6.1.  Interface Counter
     7.7.  NSF Counters
       7.7.1.  Firewall Counter
       7.7.2.  Policy Hit Counter
   8.  NSF Monitoring Management in I2NSF
   9.  Tree Structure
   10. YANG Data Model
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgments
   14. Contributors
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-01
   Authors' Addresses

1.  Introduction

   According to [I-D.ietf-i2nsf-terminology], the interface provided by
   a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or
   Anti-Virus function) to administrative entities (e.g., Security
   Controller) to enable remote management (i.e., configuring and
   monitoring) is referred to as an I2NSF NSF-Facing Interface
   [I-D.ietf-i2nsf-nsf-facing-interface-dm].  Monitoring procedures are
   intended to acquire vital types of data with respect to NSFs (e.g.,
   alarms, records, and counters) via data in motion (e.g., queries,
   notifications, and events).  The monitoring of NSFs plays an
   important role in an overall security framework, if it is done in a
   timely and comprehensive way.
   The monitoring information generated by an NSF can be a good, early
   indication of anomalous behavior or malicious activity, such as
   denial-of-service (DoS) attacks.

   This document defines a comprehensive NSF monitoring information
   model that provides the Security Controller with visibility into an
   NSF.  It specifies the information and illustrates the methods that
   enable an NSF to provide the information required in order to be
   monitored in a scalable and efficient way via the NSF-Facing
   Interface.  The information model for monitoring presented in this
   document is complementary to the information model for the security
   policy provisioning functionality of the NSF-Facing Interface
   specified in [I-D.ietf-i2nsf-capability].

   This document also defines a YANG [RFC7950] data model for monitoring
   NSFs, which is derived from the information model for NSF monitoring.

2.  Terminology

2.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] [RFC8174].

2.2.  Definitions

   The terms used in this document are defined in the I2NSF terminology
   document [I-D.ietf-i2nsf-terminology] and in [RFC8329].

2.3.  YANG

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols
   in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall
   security framework.  The monitoring of the NSF provides very valuable
   information to the Security Controller for maintaining the
   provisioned security posture.
   Besides this, there are various other reasons to monitor the NSF, as
   listed below:

   o  The security administrator, acting as an I2NSF User, can configure
      a policy that is triggered on a specific event occurring in the
      NSF or the network [RFC8329]
      [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If a Security
      Controller detects the specified event, it configures additional
      security functions as defined by policies.

   o  The events triggered by an NSF as a result of a security policy
      violation can be used by a Security Information and Event
      Management (SIEM) system to detect suspicious activity in a larger
      correlation context.

   o  The events and activity logs from an NSF can be used to build
      advanced analytics, such as behavioral and predictive models, to
      improve the security posture in large deployments.

   o  The Security Controller can use events from the NSF to achieve
      high availability.  It can take corrective actions such as
      restarting a failed NSF or horizontally scaling the NSF.

   o  The events and activity logs from the NSF can aid in the root
      cause analysis of an operational issue and so improve debugging.

   o  The activity logs from the NSF can be used to build historical
      data for operational and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is necessary not
   only to configure an NSF's security policies but also to continuously
   monitor the NSF by consuming acquirable and observable information.
   This enables security administrators to assess the state of the
   network topology in a timely fashion.  It is not possible to block
   all internal and external threats based on a static security posture.
   A more practical approach is to enable dynamic security measures, for
   which continuous visibility is required.
   This document defines a set of information elements (and their scope)
   that can be acquired from an NSF and can be used as NSF monitoring
   information.  In essence, these types of monitoring information can
   be leveraged to support constant visibility at multiple levels of
   granularity and can be consumed by the corresponding functions.

   Three basic domains of monitoring information originating from a
   system entity [RFC4949] or an NSF are highlighted in this document:

   o  Retention and Emission

   o  Notifications and Events

   o  Unsolicited Poll and Solicited Push

   The Alarm Management Framework in [RFC3877] defines an Event as
   something that happens which may be of interest.  It defines a fault
   as a change in status, crossing a threshold, or an external input to
   the system.  In the I2NSF domain, I2NSF events
   [I-D.ietf-i2nsf-terminology] are created, and the scope of the Alarm
   Management Framework's Events is still applicable due to its broad
   definition.  The model presented in this document elaborates on the
   workflow of creating I2NSF events in the context of NSF monitoring
   and on the way initial I2NSF events are created.

   As with I2NSF components, every generic system entity can include a
   set of capabilities [I-D.ietf-i2nsf-terminology] that creates
   information about the context, composition, configuration, state or
   behavior of that system entity.  This information is intended to be
   provided to other consumers of information; in the scope of this
   document, it is consumed by NSF monitoring in an automated fashion.

4.1.  Retention and Emission

   Typically, a system entity populates standardized interfaces, such as
   SNMP, NETCONF, RESTCONF or CoMI, to provide and emit created
   information directly via the NSF-Facing Interface
   [I-D.ietf-i2nsf-terminology].
   Alternatively, the created information is retained inside the system
   entity (or a hierarchy of system entities in a composite device) via
   records or counters that are not exposed directly via NSF-Facing
   Interfaces.

   Information emitted via standardized interfaces can be consumed by an
   I2NSF User [I-D.ietf-i2nsf-terminology] that includes the capability
   to consume information not only via an I2NSF Interface (e.g.,
   [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via
   interfaces complementary to the standardized interfaces a generic
   system entity provides.

   Information retained on a system entity requires a corresponding
   I2NSF User to access aggregated records of information, typically in
   the form of log files or databases.  There are ways to aggregate
   records originating from different system entities over a network,
   for example via the Syslog Protocol [RFC5424] or Syslog over TCP
   [RFC6587].  But even if records are conveyed, the result is the same
   kind of retention in the form of a bigger aggregate of records on
   another system entity.

   An I2NSF User is required to process fresh [RFC4949] records created
   by I2NSF Functions in order to provide them to other I2NSF Components
   via the corresponding I2NSF Interfaces in a timely manner.  This
   process is effectively based on homogenizing functions, which can
   access and convert specific kinds of records into information that
   can be provided and emitted via I2NSF Interfaces.

   Whether retained or emitted, the information required to support
   monitoring processes has to be processed by an I2NSF User at some
   point in the workflow.
   Typical locations of these I2NSF Users are:

   o  a system entity that creates the information

   o  a system entity that retains an aggregation of records

   o  an I2NSF Component that includes the capabilities of using
      standardized interfaces provided by other system entities that are
      not I2NSF Components

   o  an I2NSF Component that creates the information

4.2.  Notifications and Events

   A specific task of an I2NSF User is to process I2NSF Policy Rules
   [I-D.ietf-i2nsf-terminology].  The rules of a policy are composed of
   three clauses: Events, Conditions, and Actions.  In consequence, an
   I2NSF Event is specified to trigger an I2NSF Policy Rule.  Such an
   I2NSF Event is defined in [I-D.ietf-i2nsf-terminology] as any
   important occurrence over time in the system being managed, and/or in
   the environment of the system being managed, which aligns well with
   the generic definition of Event from [RFC3877].

   The model illustrated in this document introduces a complementary
   type of information that can be a conveyed notification.

   Notification:  An occurrence of a change of context, composition,
      configuration, state or behavior of a system entity that can be
      directly or indirectly observed by an I2NSF User and can be used
      as input for an event-clause in I2NSF Policy Rules.

      A notification is similar to an I2NSF Event with the exception
      that it is created by a system entity that is not an I2NSF
      Component and that its importance is yet to be assessed.
      Semantically, a notification is not an I2NSF Event in the context
      of I2NSF, although they can potentially use the exact same
      information or data model.  In respect to [RFC3877], a
      Notification is a specific subset of events, because they convey
      information about something that happens which may be of interest.
      In consequence, Notifications may contain information with very
      low expressiveness or relevance.
      Hence, additional post-processing functions, such as aggregation,
      correlation or simple anomaly detection, might have to be employed
      to satisfy the level of expressiveness that is required for an
      event-clause of an I2NSF Policy Rule.

   It is important to note that the consumer of a notification (the
   observer) assesses the importance of a notification, not the
   producer.  The producer can include metadata in a notification that
   supports the observer in assessing the importance (even metadata
   about severity), but the deciding entity is an I2NSF User.

4.3.  Unsolicited Poll and Solicited Push

   The freshness of the monitored information depends on the acquisition
   method.  Ideally, an I2NSF User accesses all relevant information
   about the I2NSF Component and emits I2NSF Events to a monitoring
   entity (e.g., a Security Controller or another I2NSF User) in a timely
   manner.  Publication of events via a pub/sub broker model,
   peer-to-peer meshes, or statically defined channels are only a few
   examples of how a solicited push of I2NSF Events can be facilitated.
   The actual mechanism implemented by an I2NSF Component is out of the
   scope of this document.

   Often, the corresponding management interfaces have to be queried at
   intervals or on demand if required by an I2NSF Policy Rule.  In some
   cases, a collection of information has to be conducted via login
   mechanisms provided by a system entity.  Accessing records of
   information via this kind of unsolicited poll can introduce a
   significant latency in regard to the freshness of the monitored
   information.  The actual definition of intervals implemented by an
   I2NSF Component is also out of scope of this document.

4.4.  I2NSF Monitoring Terminology for Retained Information

   Records:  Unlike information emitted via notifications and events,
      records do not require immediate attention from an analyst but may
      be useful for visibility and retroactive cyber forensics.
      Depending on the record format, there are different qualities in
      regard to structure and detail.  Records are typically stored in
      log files or databases on a system entity or NSF.  Records in the
      form of log files usually include less structure but potentially
      more detailed information in regard to the changes of a system
      entity's characteristics.  In contrast, databases often use more
      strict schemas or data models, therefore enforcing a better
      structure.  However, they prevent storing information that does
      not match those models ("closed world assumption").  Records can
      be continuously processed by I2NSF Agents that act as I2NSF
      Producers and emit events via functions specifically tailored to a
      certain type of record.  Typically, records are information
      generated either by an NSF or a system entity about operational
      and informational data, or various changes in system
      characteristics, such as user activities, network/traffic status,
      and network activity.  They are important for debugging, auditing
      and security forensics.

   Counters:  A specific representation of continuous value changes of
      information elements that potentially occur at high frequency.
      Prominent examples are network interface counters, e.g., PDU
      count or byte count, drop counters, and error counters.  Counters
      are useful for debugging and for visibility into the operational
      behavior of an NSF.  An I2NSF Agent that observes the progression
      of counters can act as an I2NSF Producer and emit events in
      respect to I2NSF Policy Rules.

5.  Conveyance of NSF Monitoring Information

   As per the use cases of NSF monitoring data, information needs to be
   conveyed to various I2NSF Consumers based on requirements imposed by
   I2NSF Capabilities and workflows.  There are multiple aspects to be
   considered in regard to the emission of monitoring information to
   requesting parties, as listed below:

   o  Pull-Push Model: A set of data can be pushed by an NSF to a
      requesting party or pulled by a requesting party from an NSF.
      Specific types of information might need both models at the same
      time if there are multiple I2NSF Consumers with varying
      requirements.  In general, any I2NSF Event including a high
      severity assessment is considered to be of great importance and
      should be processed as soon as possible (push model).  Records, in
      contrast, are typically not as critical (pull model).  The I2NSF
      Architecture does not mandate a specific scheme for each type of
      information, so this is out of scope of this document.

   o  Pub-Sub Model: In order for an I2NSF Provider to push monitoring
      information to multiple appropriate I2NSF Consumers, a
      subscription can be maintained by both I2NSF Components.
      Discovery of available monitoring information can be supported by
      an I2NSF Controller that takes the role of a broker and therefore
      includes I2NSF Capabilities that support registration.

   o  Export Frequency: Monitoring information can be emitted
      immediately upon generation by an NSF to requesting I2NSF
      Consumers or can be pushed periodically.  The frequency of
      exporting the data depends upon its size and timely usefulness.
      It is out of the scope of I2NSF and left to each NSF
      implementation.

   o  Authentication: There may be a need for authentication between an
      I2NSF Producer of monitoring information and its corresponding
      I2NSF Consumer to ensure that critical information remains
      confidential.
      Authentication in the scope of I2NSF can also require its
      corresponding content authorization.  This may be necessary, for
      example, if an NSF emits monitoring information to an I2NSF
      Consumer outside its administrative domain.  The I2NSF
      Architecture does not mandate when and how specific authentication
      has to be implemented.

   o  Data-Transfer Model: Monitoring information can be pushed by an
      NSF using a connectionless model that does not require a
      persistent connection, or streamed over a persistent connection.
      An appropriate model depends on the I2NSF Consumer requirements
      and the semantics of the information to be conveyed.

   o  Data Model and Interaction Model for Data in Motion: There are
      many transport mechanisms, such as IP, UDP, and TCP.  There are
      also open source implementations for specific sets of data such as
      system counters, e.g., IPFIX [RFC7011] and NetFlow [RFC3954].
      I2NSF does not mandate any specific method for a given data set,
      so it is up to each implementation.

5.1.  Information Types and Acquisition Methods

   In this document, most of the defined information types benefit from
   high visibility with respect to value changes, e.g., alarms and
   records.  In contrast, values that change monotonically in a
   continuous way do not benefit from this high visibility.  On the
   contrary, emitting each change would result in a useless amount of
   value updates.  Hence, values such as counters are best acquired at
   periodic intervals.

   The mechanisms provided by YANG Push [I-D.ietf-netconf-yang-push] and
   YANG Subscribed Notifications
   [I-D.ietf-netconf-subscribed-notifications] address exactly this set
   of requirements.  YANG also enables semantically well-structured
   information, as well as subscriptions to datastores or event streams,
   either on change or periodically.
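   The following Python program is an added example and is not part of
   this draft or of any I2NSF implementation.  It contrasts the two
   acquisition methods described above on the producer side: a memory
   usage alarm that is emitted on-change (only when the threshold is
   crossed, in either direction, as Section 7.1 later characterizes
   system alarms) and an interface octet counter that is exported at a
   fixed period as a delta rather than on every change.  The class and
   field names, the 80 percent threshold, the 10-second interval and the
   sample stream are all constructed for the illustration and are not
   specified by the draft.

```python
"""Added example (not part of the draft): on-change emission for a
threshold alarm versus periodic export of a monotonic counter, as
argued in Section 5.1.  Names, threshold, interval and the sample
stream are constructed for this illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    t: int             # seconds since start (constructed clock)
    mem_usage: int     # percent of memory in use
    if_in_octets: int  # monotonically increasing interface counter


@dataclass
class Emission:
    t: int
    kind: str          # "MEM_USAGE_ALARM" or "IF_COUNTER"
    value: int
    cleared: bool = False


class OnChangeAlarm:
    """Emits MEM_USAGE_ALARM only when usage crosses the threshold,
    once on the way up and once on the way down (emission_type:
    on-change, no dampening).  Samples that stay above the threshold
    produce nothing, so a consumer sees state changes, not noise."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.raised = False

    def feed(self, s: Sample) -> Optional[Emission]:
        above = s.mem_usage >= self.threshold
        if above and not self.raised:
            self.raised = True
            return Emission(s.t, "MEM_USAGE_ALARM", s.mem_usage)
        if not above and self.raised:
            self.raised = False
            return Emission(s.t, "MEM_USAGE_ALARM", s.mem_usage, cleared=True)
        return None


class PeriodicCounter:
    """Exports the counter once per interval as the delta since the
    previous export, so the consumer gets a rate instead of one update
    per increment."""

    def __init__(self, interval: int):
        self.interval = interval
        self.last_t: Optional[int] = None
        self.last_value: int = 0

    def feed(self, s: Sample) -> Optional[Emission]:
        if self.last_t is None:
            self.last_t, self.last_value = s.t, s.if_in_octets
            return None
        if s.t - self.last_t >= self.interval:
            delta = s.if_in_octets - self.last_value
            self.last_t, self.last_value = s.t, s.if_in_octets
            return Emission(s.t, "IF_COUNTER", delta)
        return None


def run(samples: List[Sample], threshold: int = 80,
        interval: int = 10) -> List[Emission]:
    """Feed every sample through both acquisition paths and return the
    emissions in arrival order."""
    alarm, counter = OnChangeAlarm(threshold), PeriodicCounter(interval)
    out: List[Emission] = []
    for s in samples:
        for e in (alarm.feed(s), counter.feed(s)):
            if e is not None:
                out.append(e)
    return out


# Constructed one-second sample stream: memory climbs over 80% at t=4,
# stays high, and drops back at t=9; the counter grows every second.
SAMPLES = [Sample(t, mem, t * 1500) for t, mem in enumerate(
    [50, 60, 70, 75, 85, 90, 92, 88, 85, 60, 55, 50, 52])]

if __name__ == "__main__":
    for e in run(SAMPLES):
        print(e)
```

   On this 13-sample stream the alarm path emits twice (raised at t=4,
   cleared at t=9) and the counter path once (15000 octets over the
   first ten seconds), whereas an on-change subscription to the counter
   would have produced twelve updates carrying no extra information.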
   In consequence, the information model in this document is intended
   to support data models used in solicited or unsolicited event streams
   that are potentially facilitated by a subscription mechanism.  A
   subset of the information elements defined in the information model
   address this domain of application.

6.  Basic Information Model for All Monitoring Data

   As explained in the above section, there is a wealth of data
   available from the NSF that can be monitored.  Firstly, there must be
   some general information with each monitoring message sent from an
   NSF that helps a consumer identify the metadata of that message,
   which is listed below:

   o  message_version: It indicates the version of the data format and
      is a two-digit decimal numeral starting from 01.

   o  message_type: Event, Alert, Alarm, Log, Counter, etc.

   o  time_stamp: It indicates the time when the message is generated.

   o  vendor_name: The name of the NSF vendor.

   o  NSF_name: The name (or IP address) of the NSF generating the
      message.

   o  Module_name: The name of the module outputting the message.

   o  Severity: It indicates the severity level of the message.  There
      are eight levels in total, from 0 to 7.  The smaller the numeral
      is, the higher the severity is.

7.  Extended Information Model for Monitoring Data

   This section covers the additional information associated with the
   system messages.  The extended information model is only for
   structured data such as alarms.  Any unstructured data is specified
   with the basic information model only.

7.1.  System Alarms

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: no-dampening

7.1.1.  Memory Alarm

   The following information should be included in a Memory Alarm:

   o  event_name: MEM_USAGE_ALARM

   o  module_name: It indicates the NSF module responsible for
      generating this alarm.

   o  usage: Specifies the amount of memory used.
   o  threshold: The threshold triggering the alarm

   o  severity: The severity of the alarm, such as critical, high,
      medium, low

   o  message: The memory usage exceeded the threshold.

7.1.2.  CPU Alarm

   The following information should be included in a CPU Alarm:

   o  event_name: CPU_USAGE_ALARM

   o  usage: Specifies the amount of CPU used.

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm, such as critical, high,
      medium, low

   o  message: The CPU usage exceeded the threshold.

7.1.3.  Disk Alarm

   The following information should be included in a Disk Alarm:

   o  event_name: DISK_USAGE_ALARM

   o  usage: Specifies the amount of disk space used.

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm, such as critical, high,
      medium, low

   o  message: The disk usage exceeded the threshold.

7.1.4.  Hardware Alarm

   The following information should be included in a Hardware Alarm:

   o  event_name: HW_FAILURE_ALARM

   o  component_name: It indicates the hardware component responsible
      for generating this alarm.

   o  threshold: The threshold triggering the alarm

   o  severity: The severity of the alarm, such as critical, high,
      medium, low

   o  message: The hardware component has failed or degraded.

7.1.5.  Interface Alarm

   The following information should be included in an Interface Alarm:

   o  event_name: IFNET_STATE_ALARM

   o  interface_name: The name of the interface

   o  interface_state: UP, DOWN, CONGESTED

   o  threshold: The threshold triggering the event

   o  severity: The severity of the alarm, such as critical, high,
      medium, low

   o  message: Current interface state

7.2.  System Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.2.1.  Access Violation

   The following information should be included in this event:

   o  event_name: ACCESS_DENIED

   o  user: Name of the user

   o  group: Group to which the user belongs

   o  login_ip_address: Login IP address of the user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, Single Sign-On (SSO) Authentication

   o  message: Access is denied.

7.2.2.  Configuration Change

   The following information should be included in this event:

   o  event_name: CONFIG_CHANGE

   o  user: Name of the user

   o  group: Group to which the user belongs

   o  login_ip_address: Login IP address of the user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication

   o  message: Configuration is modified.

7.3.  NSF Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: none

7.3.1.  DDoS Event

   The following information should be included in a DDoS Event:

   o  event_name: SEC_EVENT_DDoS

   o  sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood,
      FIN/RST flood, TCP connection flood, UDP flood, ICMP flood, HTTPS
      flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood,
      etc.

   o  dst_ip: The IP address of the victim under attack

   o  dst_port: The port number that the attack traffic aims at

   o  start_time: The time stamp indicating when the attack started

   o  end_time: The time stamp indicating when the attack ended.  If the
      attack is still ongoing when the event is sent out, this field can
      be empty.

   o  attack_rate: The packets per second (pps) of attack traffic

   o  attack_speed: The bits per second (bps) of attack traffic

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches
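   As an added illustration, and not code from this draft or from any
   I2NSF implementation, the following Python program builds messages
   carrying the basic fields of Section 6 and then applies the
   dampening_type characteristics of Sections 7.2 and 7.3 on the
   consumer side, in the spirit of Section 4.2 where the observer, not
   the producer, decides what a repeated notification is worth.  The
   meaning of on-repetition is taken here as an assumption: an
   ACCESS_DENIED or CONFIG_CHANGE event that repeats for the same user
   and login address on the same NSF within a 60-second window is
   emitted once, with a repeat count kept on the emitted message; NSF
   events such as SEC_EVENT_DDoS (dampening_type: none) pass through
   unchanged.  The validation rules, the window length, the vendor name
   and the six constructed input events are not specified by the draft.

```python
"""Added example (not part of the draft): basic-model message envelope
(Section 6) plus consumer-side dampening for system events (7.2,
on-repetition) versus NSF events (7.3, none).  The on-repetition
semantics, the window and the sample events are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_LEVELS = range(0, 8)   # Section 6: 0 is most severe, 7 least


@dataclass
class Message:
    message_version: str
    message_type: str            # Event, Alert, Alarm, Log, Counter
    time_stamp: int
    vendor_name: str
    nsf_name: str
    module_name: str
    severity: int
    event_name: str
    fields: Dict[str, str] = field(default_factory=dict)
    repeat_count: int = 1        # consumer-side bookkeeping, see Dampener


def make_message(message_type: str, time_stamp: int, nsf_name: str,
                 module_name: str, severity: int, event_name: str,
                 version: str = "01", vendor_name: str = "example-vendor",
                 **fields: str) -> Message:
    """Reject messages that violate the basic-model constraints before
    they enter the pipeline."""
    if not (len(version) == 2 and version.isdigit() and version != "00"):
        raise ValueError("message_version must be a two-digit numeral from 01")
    if severity not in SEVERITY_LEVELS:
        raise ValueError("severity must be in 0..7")
    return Message(version, message_type, time_stamp, vendor_name, nsf_name,
                   module_name, severity, event_name, dict(fields))


# dampening_type per event family, from Sections 7.2 and 7.3
DAMPENING = {"ACCESS_DENIED": "on-repetition", "CONFIG_CHANGE": "on-repetition",
             "SEC_EVENT_DDoS": "none", "SESSION_USAGE_HIGH": "none"}

# fields that make two system events "the same" for repetition purposes
REPEAT_KEY = ("user", "login_ip_address")


class Dampener:
    """Assumed on-repetition rule: within `window` seconds of the first
    emitted occurrence, an identical system event is suppressed and
    counted on that emitted message instead of being re-emitted."""

    def __init__(self, window: int = 60):
        self.window = window
        self._last: Dict[Tuple, Message] = {}

    def key(self, m: Message) -> Tuple:
        return (m.nsf_name, m.event_name) + tuple(m.fields.get(k) for k in REPEAT_KEY)

    def feed(self, m: Message) -> Optional[Message]:
        """Return the message to emit, or None if it was dampened."""
        if DAMPENING.get(m.event_name, "none") != "on-repetition":
            return m
        k = self.key(m)
        prev = self._last.get(k)
        if prev is not None and m.time_stamp - prev.time_stamp < self.window:
            prev.repeat_count += 1
            return None
        self._last[k] = m
        return m


def process(messages: List[Message], window: int = 60) -> List[Message]:
    """Run a message stream through the dampener, preserving order."""
    d = Dampener(window)
    return [e for e in (d.feed(m) for m in messages) if e is not None]


# Constructed input: three failed logins by the same user from the same
# address inside 60 s, one from another address, and a DDoS event that
# happens to repeat but must never be dampened.
INPUT = [
    make_message("Event", 100, "fw-1", "auth", 4, "ACCESS_DENIED",
                 user="alice", login_ip_address="198.51.100.7"),
    make_message("Event", 110, "fw-1", "auth", 4, "ACCESS_DENIED",
                 user="alice", login_ip_address="198.51.100.7"),
    make_message("Event", 130, "fw-1", "auth", 4, "ACCESS_DENIED",
                 user="alice", login_ip_address="198.51.100.7"),
    make_message("Event", 135, "fw-1", "auth", 4, "ACCESS_DENIED",
                 user="alice", login_ip_address="203.0.113.9"),
    make_message("Event", 140, "fw-1", "anti-ddos", 1, "SEC_EVENT_DDoS",
                 sub_attack_type="SYN flood", dst_ip="192.0.2.10"),
    make_message("Event", 141, "fw-1", "anti-ddos", 1, "SEC_EVENT_DDoS",
                 sub_attack_type="SYN flood", dst_ip="192.0.2.10"),
]

if __name__ == "__main__":
    for m in process(INPUT):
        print(m.time_stamp, m.event_name, m.fields, "x%d" % m.repeat_count)
```

   Four of the six constructed messages reach the consumer: the first
   ACCESS_DENIED (carrying repeat_count 3), the one from the other
   address, and both DDoS events.  The window is measured from the
   first emitted occurrence rather than sliding, so a slow, steady
   trickle of failures is still surfaced once per window; a SIEM that
   wants the individual attempts should subscribe to the access log
   (Section 7.4) instead of the dampened event stream.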
7.3.2.  Session Table Event

   The following information should be included in a Session Table
   Event:

   o  event_name: SESSION_USAGE_HIGH

   o  current: The number of concurrent sessions

   o  max: The maximum number of sessions that the session table can
      support

   o  threshold: The threshold triggering the event

   o  message: The number of sessions in the session table exceeded the
      threshold.

7.3.3.  Virus Event

   The following information should be included in a Virus Event:

   o  event_name: SEC_EVENT_VIRUS

   o  virus_type: Type of the virus, e.g., trojan, worm, macro virus
      type

   o  virus_name: Name of the virus

   o  dst_ip: The destination IP address of the packet where the virus
      is found

   o  src_ip: The source IP address of the packet where the virus is
      found

   o  src_port: The source port of the packet where the virus is found

   o  dst_port: The destination port of the packet where the virus is
      found

   o  src_zone: The source security zone of the packet where the virus
      is found

   o  dst_zone: The destination security zone of the packet where the
      virus is found

   o  file_type: The type of the file where the virus is hidden

   o  file_name: The name of the file where the virus is hidden

   o  virus_info: A brief introduction of the virus

   o  raw_info: The information describing the packet triggering the
      event.

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches.

7.3.4.  Intrusion Event

   The following information should be included in an Intrusion Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Intrusion

   o  sub_attack_type: Attack type, e.g., brute force and buffer
      overflow

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

   o  intrusion_info: Simple description of the intrusion

   o  raw_info: The information describing the packet triggering the
      event

7.3.5.  Botnet Event

   The following information should be included in a Botnet Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Botnet

   o  botnet_name: The name of the detected botnet

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  role: The role of the communicating parties within the botnet:

      1.  The packet from the zombie host to the attacker

      2.  The packet from the attacker to the zombie host

      3.  The packet from the IRC/WEB server to the zombie host

      4.  The packet from the zombie host to the IRC/WEB server

      5.  The packet from the attacker to the IRC/WEB server

      6.  The packet from the IRC/WEB server to the attacker

      7.  The packet from the zombie host to the victim

   o  botnet_info: Simple description of the botnet

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

   o  raw_info: The information describing the packet triggering the
      event.

7.3.6.  Web Attack Event

   The following information should be included in a Web Attack Alarm:

   o  event_name: The name of the event, e.g., SEC_EVENT_WebAttack

   o  sub_attack_type: Concrete web attack type, e.g., SQL injection,
      command injection, XSS, CSRF

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  req_method: The request method, for instance "PUT" and "GET" in
      HTTP

   o  req_url: Requested URL

   o  url_category: Matched URL category

   o  filtering_type: URL filtering type, e.g., Blacklist, Whitelist,
      User-Defined, Predefined, Malicious Category, and Unknown

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that the traffic matches

7.4.  System Logs

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.4.1.  Access Log

   Access logs record administrators' login, logout, and operations on a
   device.  By analyzing them, security vulnerabilities can be
   identified.  The following information should be included in an
   operation report:

   o  Administrator: Administrator that operates on the device

   o  login_ip_address: IP address used by an administrator to log in

   o  login_mode: Specifies the administrator's login mode, e.g., root,
      user

   o  operation_type: The operation type that the administrator
      executes, e.g., login, logout, and configuration.

   o  result: Command execution result

   o  content: Operation performed by an administrator after login.

7.4.2.  Resource Utilization Log

   Running reports record the device system's running status, which is
   useful for device monitoring.  The following information should be
   included in a running report:

   o  system_status: The current system's running status

   o  CPU_usage: Specifies the CPU usage.

   o  memory_usage: Specifies the memory usage.

   o  disk_usage: Specifies the disk usage.

   o  disk_left: Specifies the available disk space left.

   o  session_number: Specifies the total number of concurrent sessions.

   o  process_number: Specifies the total number of system processes.

   o  in_traffic_rate: The total inbound traffic rate in pps

   o  out_traffic_rate: The total outbound traffic rate in pps

   o  in_traffic_speed: The total inbound traffic speed in bps

   o  out_traffic_speed: The total outbound traffic speed in bps

7.4.3.  User Activity Log

   User activity logs provide visibility into users' online records
   (such as login time, online/lockout duration, and login IP addresses)
   and the actions that users perform.  User activity reports are
   helpful to identify exceptions during a user's login and network
   access activities.

   o  user: Name of a user

   o  group: Group to which a user belongs

   o  login_ip_address: Login IP address of a user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication

   o  access_mode: User access mode, e.g., PPP, SVN, LOCAL

   o  online_duration: Online duration

   o  lockout_duration: Lockout duration

   o  type: User activities, e.g., Successful User Login, Failed Login
      Attempts, User Logout, Successful User Password Change, Failed
      User Password Change, User Lockout, User Unlocking, Unknown

   o  cause: Cause of a failed user activity

7.5.  NSF Logs

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.5.1.  DDoS Log

   Besides the fields in a DDoS Alarm, the following information should
   be included in a DDoS Log:

   o  attack_type: DDoS

   o  attack_ave_rate: The average pps of the attack traffic within the
      recorded time

   o  attack_ave_speed: The average bps of the attack traffic within the
      recorded time

   o  attack_pkt_num: The number of attack packets within the recorded
      time

   o  attack_src_ip: The source IP addresses of the attack traffic.  If
      there are a large number of IP addresses, pick a certain number
      of them according to different rules.

   o  action: Actions against DDoS attacks, e.g., Allow, Alert, Block,
      Discard, Declare, Block-ip, and Block-service.

7.5.2.  Virus Log

   Besides the fields in a Virus Alarm, the following information should
   be included in a Virus Log:

   o  attack_type: Virus

   o  protocol: The transport layer protocol

   o  app: The name of the application layer protocol

   o  times: The time of detecting the virus

   o  action: The actions dealing with the virus, e.g., alert and block

   o  os: The OS that the virus will affect, e.g., all, android, ios,
      unix, and windows

7.5.3.  Intrusion Log

   Besides the fields in an Intrusion Alarm, the following information
   should be included in an Intrusion Log:

   o  attack_type: Intrusion

   o  times: The number of times intrusions happened in the recorded
      time

   o  os: The OS that the intrusion will affect, e.g., all, android,
      ios, unix, and windows

   o  action: The actions dealing with the intrusions, e.g., Allow,
      Alert, Block, Discard, Declare, Block-ip, and Block-service

   o  attack_rate: The pps of the attack traffic

   o  attack_speed: The bps of the attack traffic

7.5.4.  Botnet Log

   Besides the fields in a Botnet Alarm, the following information
   should be included in a Botnet Log:

   o  attack_type: Botnet

   o  botnet_pkt_num: The number of the packets sent to or from the
      detected botnet

   o  action: The actions dealing with the detected packets, e.g.,
      Allow, Alert, Block, Discard, Declare, Block-ip, and
      Block-service.

   o  os: The OS that the attack aims at, e.g., all, android, ios, unix,
      and windows.

7.5.5.  DPI Log

   DPI Logs provide statistics on uploaded and downloaded files and
   data, sent and received emails, and alert and block records on
   websites.  They are helpful to learn risky user behaviors and why
   access to some URLs is blocked or allowed with an alert record.

   o  type: DPI action types, e.g., File Blocking, Data Filtering, and
      Application Behavior Control

   o  file_name: The file name

   o  file_type: The file type

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of traffic

   o  dst_region: Destination region of traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy id that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  action: Action defined in the file blocking rule, data filtering
      rule, or application behavior control rule that traffic matches.

7.5.6.  Vulnerability Scanning Log

   Vulnerability scanning logs record the victim host and its related
   vulnerability information that should be fixed.  The following
   information should be included in the report:

   o  victim_ip: IP address of the victim host which has vulnerabilities

   o  vulnerability_id: The vulnerability id

   o  vulnerability_level: The vulnerability level, e.g., high, middle,
      and low

   o  OS: The operating system of the victim host

   o  service: The service which has the vulnerability in the victim
      host

   o  protocol: The protocol type, e.g., TCP and UDP

   o  port: The port number

   o  vulnerability_info: The information about the vulnerability

   o  fix_suggestion: The fix suggestion for the vulnerability.

7.5.7.  Web Attack Log

   Besides the fields in a Web Attack Alarm, the following information
   should be included in a Web Attack Report:

   o  attack_type: Web Attack

   o  rsp_code: Response code

   o  req_clientapp: The client application

   o  req_cookies: Cookies

   o  req_host: The domain name of the requested host

   o  raw_info: The information describing the packet triggering the
      event.

7.6.  System Counter

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

7.6.1.  Interface Counter

   Interface counters provide visibility into traffic into and out of an
   NSF, and bandwidth usage.
   o  interface_name: Network interface name configured in the NSF

   o  in_total_traffic_pkts: Total inbound packets

   o  out_total_traffic_pkts: Total outbound packets

   o  in_total_traffic_bytes: Total inbound bytes

   o  out_total_traffic_bytes: Total outbound bytes

   o  in_drop_traffic_pkts: Total inbound dropped packets

   o  out_drop_traffic_pkts: Total outbound dropped packets

   o  in_drop_traffic_bytes: Total inbound dropped bytes

   o  out_drop_traffic_bytes: Total outbound dropped bytes

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps

7.7.  NSF Counters

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

7.7.1.  Firewall Counter

   Firewall counters provide visibility into traffic signatures,
   bandwidth usage, and how the configured security and bandwidth
   policies have been applied.

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of traffic

   o  dst_region: Destination region of traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy id that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  in_interface: Inbound interface of traffic

   o  out_interface: Outbound interface of traffic

   o  total_traffic: Total traffic volume

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps.

7.7.2.  Policy Hit Counter

   Policy Hit Counters record the security policy that traffic matches
   and its hit count.  They can be used to check whether policy
   configurations are correct.

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of the traffic

   o  dst_region: Destination region of the traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy id that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  hit_times: The number of times the security policy matched the
      specified traffic.

8.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an administrator
   to check the monitoring data generated by an NSF.  The administrator
   can check the monitoring data through the following process.  When
   NSF monitoring data in the standard format is generated, the NSF
   forwards it to the Security Controller.  The Security Controller
   delivers it to the I2NSF Consumer or the Developer's Management
   System (DMS) so that the administrator can know the state of the
   I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.  The three main interfaces in the
   I2NSF framework are used for sending monitoring data as follows:

   o  I2NSF Consumer-Facing Interface
      [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User
      makes a security policy and forwards it to the Security Controller
      via the Consumer-Facing Interface, it can specify the threat feed
      for threat prevention, the custom list, the malicious code scan
      group, and the event map group.  They can be used as an event to
      be monitored by an NSF.
   o  I2NSF Registration Interface
      [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions
      Virtualization (NFV) architecture provides the lifecycle
      management of a Virtual Network Function (VNF) via the Ve-Vnfm
      interface.  The role of Ve-Vnfm is to request VNF lifecycle
      management (e.g., the instantiation and de-instantiation of an
      NSF, and load balancing among NSFs), exchange configuration
      information, and exchange status information for a network
      service.  In the I2NSF framework, the DMS manages data about
      resource states and network traffic for the lifecycle management
      of an NSF.  Therefore, the monitoring data generated by NSFs is
      delivered from the Security Controller to the DMS via the
      Registration Interface.  These data are delivered from the DMS to
      the VNF Manager in the Management and Orchestration (MANO) of the
      NFV system [I-D.yang-i2nsf-nfv-architecture].

   o  I2NSF NSF-Facing Interface
      [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level
      security policy from the I2NSF User is translated by the security
      policy translator [I-D.yang-i2nsf-security-policy-translation] in
      the Security Controller, the translated security policy (i.e.,
      low-level policy) is applied to an NSF via the NSF-Facing
      Interface.  The monitoring data model specifies the list of events
      that can trigger Event-Condition-Action (ECA) policies via the
      NSF-Facing Interface.

9.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-monitor
     +--rw counters
        +--rw system-interface
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw interface-name?           string
        |  +--rw in-total-traffic-pkts?    uint32
        |  +--rw out-total-traffic-pkts?   uint32
        |  +--rw in-total-traffic-bytes?   uint32
        |  +--rw out-total-traffic-bytes?  uint32
        |  +--rw in-drop-traffic-pkts?     uint32
        |  +--rw out-drop-traffic-pkts?    uint32
        |  +--rw in-drop-traffic-bytes?    uint32
        |  +--rw out-drop-traffic-bytes?   uint32
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        |  +--rw message?                  string
        |  +--rw time-stamp?               yang:date-and-time
        |  +--rw vendor-name?              string
        |  +--rw nsf-name?                 string
        |  +--rw module-name?              string
        |  +--rw severity?                 severity
        +--rw nsf-firewall
        |  +--rw acquisition-method?       identityref
        |  +--rw emission-type?            identityref
        |  +--rw dampening-type?           identityref
        |  +--rw src-ip?                   inet:ipv4-address
        |  +--rw dst-ip?                   inet:ipv4-address
        |  +--rw src-port?                 inet:port-number
        |  +--rw dst-port?                 inet:port-number
        |  +--rw src-zone?                 string
        |  +--rw dst-zone?                 string
        |  +--rw src-region?               string
        |  +--rw dst-region?               string
        |  +--rw policy-id?                uint8
        |  +--rw policy-name?              string
        |  +--rw src-user?                 string
        |  +--rw protocol?                 identityref
        |  +--rw app?                      string
        |  +--rw total-traffic?            uint32
        |  +--rw in-traffic-ave-rate?      uint32
        |  +--rw in-traffic-peak-rate?     uint32
        |  +--rw in-traffic-ave-speed?     uint32
        |  +--rw in-traffic-peak-speed?    uint32
        |  +--rw out-traffic-ave-rate?     uint32
        |  +--rw out-traffic-peak-rate?    uint32
        |  +--rw out-traffic-ave-speed?    uint32
        |  +--rw out-traffic-peak-speed?   uint32
        +--rw nsf-policy-hits
           +--rw acquisition-method?       identityref
           +--rw emission-type?            identityref
           +--rw dampening-type?           identityref
           +--rw src-ip?                   inet:ipv4-address
           +--rw dst-ip?                   inet:ipv4-address
           +--rw src-port?                 inet:port-number
           +--rw dst-port?                 inet:port-number
           +--rw src-zone?                 string
           +--rw dst-zone?                 string
           +--rw src-region?               string
           +--rw dst-region?               string
           +--rw policy-id?                uint8
           +--rw policy-name?              string
           +--rw src-user?                 string
           +--rw protocol?                 identityref
           +--rw app?                      string
           +--rw message?                  string
           +--rw time-stamp?               yang:date-and-time
           +--rw vendor-name?              string
           +--rw nsf-name?                 string
           +--rw module-name?              string
           +--rw severity?                 severity
           +--rw hit-times?                uint32

     notifications:
       +---n system-detection-alarm
       |  +--ro alarm-category?           identityref
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro usage?                    uint8
       |  +--ro threshold?                uint8
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n system-detection-event
       |  +--ro event-category?           identityref
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro user                      string
       |  +--ro group                     string
       |  +--ro login-ip-addr             inet:ipv4-address
       |  +--ro authentication?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-flood
       |  +--ro event-name?               identityref
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro dst-port?                 inet:port-number
       |  +--ro rule-id                   uint8
       |  +--ro rule-name                 string
       |  +--ro profile?                  string
       |  +--ro raw-info?                 string
       |  +--ro sub-attack-type?          identityref
       |  +--ro start-time                yang:date-and-time
       |  +--ro end-time                  yang:date-and-time
       |  +--ro attack-rate?              uint32
       |  +--ro attack-speed?             uint32
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-session-table
       |  +--ro current-session?          uint8
       |  +--ro maximum-session?          uint8
       |  +--ro threshold?                uint8
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-virus
       |  +--ro src-ip?                   inet:ipv4-address
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro src-port?                 inet:port-number
       |  +--ro dst-port?                 inet:port-number
       |  +--ro src-zone?                 string
       |  +--ro dst-zone?                 string
       |  +--ro rule-id                   uint8
       |  +--ro rule-name                 string
       |  +--ro profile?                  string
       |  +--ro raw-info?                 string
       |  +--ro virus?                    identityref
       |  +--ro virus-name?               string
       |  +--ro file-type?                string
       |  +--ro file-name?                string
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-intrusion
       |  +--ro src-ip?                   inet:ipv4-address
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro src-port?                 inet:port-number
       |  +--ro dst-port?                 inet:port-number
       |  +--ro src-zone?                 string
       |  +--ro dst-zone?                 string
       |  +--ro rule-id                   uint8
       |  +--ro rule-name                 string
       |  +--ro profile?                  string
       |  +--ro raw-info?                 string
       |  +--ro protocol?                 identityref
       |  +--ro app?                      string
       |  +--ro sub-attack-type?          identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-botnet
       |  +--ro src-ip?                   inet:ipv4-address
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro src-port?                 inet:port-number
       |  +--ro dst-port?                 inet:port-number
       |  +--ro src-zone?                 string
       |  +--ro dst-zone?                 string
       |  +--ro rule-id                   uint8
       |  +--ro rule-name                 string
       |  +--ro profile?                  string
       |  +--ro raw-info?                 string
       |  +--ro attack-type?              identityref
       |  +--ro protocol?                 identityref
       |  +--ro botnet-name?              string
       |  +--ro role?                     string
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-detection-web-attack
       |  +--ro src-ip?                   inet:ipv4-address
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro src-port?                 inet:port-number
       |  +--ro dst-port?                 inet:port-number
       |  +--ro src-zone?                 string
       |  +--ro dst-zone?                 string
       |  +--ro rule-id                   uint8
       |  +--ro rule-name                 string
       |  +--ro profile?                  string
       |  +--ro raw-info?                 string
       |  +--ro sub-attack-type?          identityref
       |  +--ro request-method?           identityref
       |  +--ro req-uri?                  string
       |  +--ro uri-category?             string
       |  +--ro filtering-type*           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n system-access-log
       |  +--ro login-ip                  inet:ipv4-address
       |  +--ro administrator?            string
       |  +--ro login-mode?               login-mode
       |  +--ro operation-type?           operation-type
       |  +--ro result?                   string
       |  +--ro content?                  string
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       +---n system-res-util-log
       |  +--ro system-status?            string
       |  +--ro cpu-usage?                uint8
       |  +--ro memory-usage?             uint8
       |  +--ro disk-usage?               uint8
       |  +--ro disk-left?                uint8
       |  +--ro session-num?              uint8
       |  +--ro process-num?              uint8
       |  +--ro in-traffic-rate?          uint32
       |  +--ro out-traffic-rate?         uint32
       |  +--ro in-traffic-speed?         uint32
       |  +--ro out-traffic-speed?        uint32
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       +---n system-user-activity-log
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro user                      string
       |  +--ro group                     string
       |  +--ro login-ip-addr             inet:ipv4-address
       |  +--ro authentication?           identityref
       |  +--ro access?                   identityref
       |  +--ro online-duration?          string
       |  +--ro logout-duration?          string
       |  +--ro additional-info?          string
       +---n nsf-log-ddos
       |  +--ro attack-type?              identityref
       |  +--ro attack-ave-rate?          uint32
       |  +--ro attack-ave-speed?         uint32
       |  +--ro attack-pkt-num?           uint32
       |  +--ro attack-src-ip?            inet:ipv4-address
       |  +--ro action?                   log-action
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-virus
       |  +--ro attack-type?              identityref
       |  +--ro action?                   log-action
       |  +--ro os?                       string
       |  +--ro time                      yang:date-and-time
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-intrusion
       |  +--ro attack-type?              identityref
       |  +--ro action?                   log-action
       |  +--ro time                      yang:date-and-time
       |  +--ro attack-rate?              uint32
       |  +--ro attack-speed?             uint32
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-botnet
       |  +--ro attack-type?              identityref
       |  +--ro action?                   log-action
       |  +--ro botnet-pkt-num?           uint8
       |  +--ro os?                       string
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-dpi
       |  +--ro attack-type?              dpi-type
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro src-ip?                   inet:ipv4-address
       |  +--ro dst-ip?                   inet:ipv4-address
       |  +--ro src-port?                 inet:port-number
       |  +--ro dst-port?                 inet:port-number
       |  +--ro src-zone?                 string
       |  +--ro dst-zone?                 string
       |  +--ro src-region?               string
       |  +--ro dst-region?               string
       |  +--ro policy-id?                uint8
       |  +--ro policy-name?              string
       |  +--ro src-user?                 string
       |  +--ro protocol?                 identityref
       |  +--ro app?                      string
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-vuln-scan
       |  +--ro vulnerability-id?         uint8
       |  +--ro victim-ip?                inet:ipv4-address
       |  +--ro protocol?                 identityref
       |  +--ro port-num?                 inet:port-number
       |  +--ro level?                    severity
       |  +--ro os?                       string
       |  +--ro vulnerability-info?       string
       |  +--ro fix-suggestion?           string
       |  +--ro service?                  string
       |  +--ro acquisition-method?       identityref
       |  +--ro emission-type?            identityref
       |  +--ro dampening-type?           identityref
       |  +--ro message?                  string
       |  +--ro time-stamp?               yang:date-and-time
       |  +--ro vendor-name?              string
       |  +--ro nsf-name?                 string
       |  +--ro module-name?              string
       |  +--ro severity?                 severity
       +---n nsf-log-web-attack
          +--ro attack-type?              identityref
          +--ro rsp-code?                 string
          +--ro req-clientapp?            string
          +--ro req-cookies?              string
          +--ro req-host?                 string
          +--ro raw-info?                 string
          +--ro acquisition-method?       identityref
          +--ro emission-type?            identityref
          +--ro dampening-type?           identityref
          +--ro message?                  string
          +--ro time-stamp?               yang:date-and-time
          +--ro vendor-name?              string
          +--ro nsf-name?                 string
          +--ro module-name?              string
          +--ro severity?                 severity

            Figure 1: Information Model for NSF Monitoring

10.  YANG Data Model

   This section introduces a YANG data model for the NSF monitoring
   information model.

   <CODE BEGINS> file "ietf-i2nsf-monitor@2019-11-04.yang"
   module ietf-i2nsf-monitor {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor";
     prefix
       iim;
     import ietf-inet-types {
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";
     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong

        Editor: Chaehong Chung
        ";

     description
       "This module is a YANG module for monitoring NSFs.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC 6087; see
        the RFC itself for full legal notices.";

     revision "2019-11-04" {
       description "The third revision";
       reference
         "RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
     }

     typedef severity {
       type enumeration {
         enum high {
           description
             "high-level";
         }
         enum middle {
           description
             "middle-level";
         }
         enum low {
           description
             "low-level";
         }
       }
       description
         "An indicator representing severity";
     }
     typedef log-action {
       type enumeration {
         enum allow {
           description
             "If action is allowed";
         }
         enum alert {
           description
             "If action is alert";
         }
         enum block {
           description
             "If action is block";
         }
         enum discard {
           description
             "If action is discarded";
         }
         enum declare {
           description
             "If action is declared";
         }
         enum block-ip {
           description
             "If action is block-ip";
         }
         enum block-service {
           description
             "If action is block-service";
         }
       }
       description
         "This is used for protocol";
     }
     typedef dpi-type {
       type enumeration {
         enum file-blocking {
           description
             "DPI for blocking file";
         }
         enum data-filtering {
           description
             "DPI for filtering data";
         }
         enum application-behavior-control {
           description
             "DPI for controlling application behavior";
         }
       }
       description
         "This is used for dpi type";
     }
     typedef operation-type {
       type enumeration {
         enum login {
           description
             "Login operation";
         }
         enum logout {
           description
             "Logout operation";
         }
         enum configuration {
           description
             "Configuration operation";
         }
       }
       description
         "An indicator representing operation-type";
     }
     typedef login-mode {
       type enumeration {
         enum root {
           description
             "Root login-mode";
         }
         enum user {
           description
             "User login-mode";
         }
         enum guest {
           description
             "Guest login-mode";
         }
       }
       description
         "An indicator representing login-mode";
     }

     identity characteristics {
       description
         "Base identity for monitoring information
          characteristics";
     }
     identity acquisition-method {
       base characteristics;
       description
         "The type of acquisition-method.  Can be multiple
          types at once.";
     }
     identity subscription {
       base acquisition-method;
       description
         "The acquisition-method type is subscription";
     }
     identity query {
       base acquisition-method;
       description
         "The acquisition-method type is query";
     }
     identity emission-type {
       base characteristics;
       description
         "The type of emission-type.";
     }
     identity periodical {
       base emission-type;
       description
         "The emission-type type is periodical.";
     }
     identity on-change {
       base emission-type;
       description
         "The emission-type type is on-change.";
     }
     identity dampening-type {
       base characteristics;
       description
         "The type of dampening-type.";
     }
     identity no-dampening {
       base dampening-type;
       description
         "The dampening-type is no-dampening.";
     }
     identity on-repetition {
       base dampening-type;
       description
         "The dampening-type is on-repetition.";
     }
     identity none {
       base dampening-type;
       description
         "The dampening-type is none.";
     }

     identity authentication-mode
{ 1944 description 1945 "User authentication mode types: 1946 e.g., Local Authentication, 1947 Third-Party Server Authentication, 1948 Authentication Exemption, or Single Sign-On (SSO) 1949 Authentication."; 1950 } 1951 identity local-authentication { 1952 base authentication-mode; 1953 description 1954 "Authentication-mode : local authentication."; 1955 } 1956 identity third-party-server-authentication { 1957 base authentication-mode; 1958 description 1959 "If authentication-mode is 1960 third-part-server-authentication"; 1961 } 1962 identity exemption-authentication { 1963 base authentication-mode; 1964 description 1965 "If authentication-mode is 1966 exemption-authentication"; 1967 } 1968 identity sso-authentication { 1969 base authentication-mode; 1970 description 1971 "If authentication-mode is 1972 sso-authentication"; 1973 } 1975 identity alarm-type { 1976 description 1977 "Base identity for detectable alarm types"; 1978 } 1979 identity MEM-USAGE-ALARM { 1980 base alarm-type; 1981 description 1982 "A memory alarm is alerted"; 1983 } 1984 identity CPU-USAGE-ALARM { 1985 base alarm-type; 1986 description 1987 "A CPU alarm is alerted"; 1988 } 1989 identity DISK-USAGE-ALARM { 1990 base alarm-type; 1991 description 1992 "A disk alarm is alerted"; 1993 } 1994 identity HW-FAILURE-ALARM { 1995 base alarm-type; 1996 description 1997 "A hardware alarm is alerted"; 1998 } 1999 identity IFNET-STATE-ALARM { 2000 base alarm-type; 2001 description 2002 "An interface alarm is alerted"; 2003 } 2004 identity event-type { 2005 description 2006 "Base identity for detectable event types"; 2007 } 2008 identity ACCESS-DENIED { 2009 base event-type; 2010 description 2011 "The system event is access-denied."; 2012 } 2013 identity CONFIG-CHANGE { 2014 base event-type; 2015 description 2016 "The system event is config-change."; 2017 } 2019 identity flood-type { 2020 description 2021 "Base identity for detectable flood types"; 2022 } 2023 identity syn-flood { 2024 base flood-type; 2025 
description 2026 "A SYN flood is detected"; 2027 } 2028 identity ack-flood { 2029 base flood-type; 2030 description 2031 "An ACK flood is detected"; 2032 } 2033 identity syn-ack-flood { 2034 base flood-type; 2035 description 2036 "An SYN-ACK flood is detected"; 2037 } 2038 identity fin-rst-flood { 2039 base flood-type; 2040 description 2041 "A FIN-RST flood is detected"; 2042 } 2043 identity tcp-con-flood { 2044 base flood-type; 2045 description 2046 "A TCP connection flood is detected"; 2047 } 2048 identity udp-flood { 2049 base flood-type; 2050 description 2051 "A UDP flood is detected"; 2052 } 2053 identity icmp-flood { 2054 base flood-type; 2055 description 2056 "An ICMP flood is detected"; 2057 } 2058 identity https-flood { 2059 base flood-type; 2060 description 2061 "A HTTPS flood is detected"; 2062 } 2063 identity http-flood { 2064 base flood-type; 2065 description 2066 "A HTTP flood is detected"; 2067 } 2068 identity dns-reply-flood { 2069 base flood-type; 2070 description 2071 "A DNS reply flood is detected"; 2072 } 2073 identity dns-query-flood { 2074 base flood-type; 2075 description 2076 "A DNS query flood is detected"; 2077 } 2078 identity sip-flood { 2079 base flood-type; 2080 description 2081 "A SIP flood is detected"; 2082 } 2084 identity nsf-event-name { 2085 description 2086 "Base identity for detectable nsf event types"; 2087 } 2088 identity SEC-EVENT-DDOS { 2089 base nsf-event-name; 2090 description 2091 "The nsf event is sec-event-ddos."; 2092 } 2093 identity SESSION-USAGE-HIGH { 2094 base nsf-event-name; 2095 description 2096 "The nsf event is session-usage-high"; 2097 } 2098 identity SEC-EVENT-VIRUS { 2099 base nsf-event-name; 2100 description 2101 "The nsf event is sec-event-virus"; 2103 } 2104 identity SEC-EVENT-INTRUSION { 2105 base nsf-event-name; 2106 description 2107 "The nsf event is sec-event-intrusion"; 2108 } 2109 identity SEC-EVENT-BOTNET { 2110 base nsf-event-name; 2111 description 2112 "The nsf event is sec-event-botnet"; 2113 } 
2114 identity SEC-EVENT-WEBATTACK { 2115 base nsf-event-name; 2116 description 2117 "The nsf event is sec-event-webattack"; 2118 } 2119 identity attack-type { 2120 description 2121 "The root ID of attack-based notification 2122 in the notification taxonomy"; 2123 } 2124 identity system-attack-type { 2125 base attack-type; 2126 description 2127 "This ID is intended to be used 2128 in the context of system events"; 2129 } 2130 identity nsf-attack-type { 2131 base attack-type; 2132 description 2133 "This ID is intended to be used 2134 in the context of nsf event"; 2135 } 2136 identity botnet-attack-type { 2137 base nsf-attack-type; 2138 description 2139 "This is an ID stub limited to indicating 2140 that this attack type is botnet. 2141 The usual semantic and taxonomy is missing 2142 and name is used."; 2143 } 2144 identity virus-type { 2145 base nsf-attack-type; 2146 description 2147 "The type of virus. Can be multiple types at once. 2148 This attack type is associated with a detected 2149 system-log virus-attack"; 2150 } 2151 identity trojan { 2152 base virus-type; 2153 description 2154 "The detected virus type is trojan"; 2155 } 2156 identity worm { 2157 base virus-type; 2158 description 2159 "The detected virus type is worm"; 2160 } 2161 identity macro { 2162 base virus-type; 2163 description 2164 "The detected virus type is macro"; 2165 } 2166 identity intrusion-attack-type { 2167 base nsf-attack-type; 2168 description 2169 "The attack type is associated with 2170 a detected system-log intrusion"; 2171 } 2172 identity brute-force { 2173 base intrusion-attack-type; 2174 description 2175 "The intrusion type is brute-force"; 2176 } 2177 identity buffer-overflow { 2178 base intrusion-attack-type; 2179 description 2180 "The intrusion type is buffer-overflow"; 2181 } 2182 identity web-attack-type { 2183 base nsf-attack-type; 2184 description 2185 "The attack type associated with 2186 a detected system-log web-attack"; 2187 } 2188 identity command-injection { 2189 base 
web-attack-type; 2190 description 2191 "The detected web attack type is command injection"; 2192 } 2193 identity xss { 2194 base web-attack-type; 2195 description 2196 "The detected web attack type is XSS"; 2197 } 2198 identity csrf { 2199 base web-attack-type; 2200 description 2201 "The detected web attack type is CSRF"; 2202 } 2203 identity ddos-attack-type { 2204 base nsf-attack-type; 2205 description 2206 "The attack type is associated with a detected 2207 nsf-log event"; 2208 } 2210 identity req-method { 2211 description 2212 "A set of request types (if applicable). 2213 For instance, PUT or GET in HTTP"; 2214 } 2215 identity put-req { 2216 base req-method; 2217 description 2218 "The detected request type is PUT"; 2219 } 2220 identity get-req { 2221 base req-method; 2222 description 2223 "The detected request type is GET"; 2224 } 2226 identity filter-type { 2227 description 2228 "The type of filter used to detect, for example, 2229 a web-attack. Can be applicable to more than 2230 web-attacks. 
Can be more than one type."; 2231 } 2232 identity whitelist { 2233 base filter-type; 2234 description 2235 "The applied filter type is whitelist"; 2236 } 2237 identity blacklist { 2238 base filter-type; 2239 description 2240 "The applied filter type is blacklist"; 2241 } 2242 identity user-defined { 2243 base filter-type; 2244 description 2245 "The applied filter type is user-defined"; 2246 } 2247 identity balicious-category { 2248 base filter-type; 2249 description 2250 "The applied filter is balicious category"; 2251 } 2252 identity unknown-filter { 2253 base filter-type; 2254 description 2255 "The applied filter is unknown"; 2256 } 2258 identity access-mode { 2259 description 2260 "Base identity for detectable access mode."; 2261 } 2262 identity ppp { 2263 base access-mode; 2264 description 2265 "Access-mode : ppp"; 2266 } 2267 identity svn { 2268 base access-mode; 2269 description 2270 "Access-mode : svn"; 2271 } 2272 identity local { 2273 base access-mode; 2274 description 2275 "Access-mode : local"; 2276 } 2278 identity protocol-type { 2279 description 2280 "An identity used to enable type choices in leaves 2281 and leaflists wrt protocol metadata."; 2282 } 2283 identity tcp { 2284 base ipv4; 2285 base ipv6; 2286 description 2287 "TCP protocol type."; 2288 reference 2289 "RFC 793: Transmission Control Protocol"; 2290 } 2291 identity udp { 2292 base ipv4; 2293 base ipv6; 2294 description 2295 "UDP protocol type."; 2296 reference 2297 "RFC 768: User Datagram Protocol"; 2298 } 2299 identity icmp { 2300 base ipv4; 2301 base ipv6; 2302 description 2303 "General ICMP protocol type."; 2304 reference 2305 "RFC 792: Internet Control Message Protocol"; 2306 } 2307 identity icmpv4 { 2308 base ipv4; 2309 description 2310 "ICMPv4 protocol type."; 2311 } 2312 identity icmpv6 { 2313 base ipv6; 2314 description 2315 "ICMPv6 protocol type."; 2316 } 2317 identity ip { 2318 base protocol-type; 2319 description 2320 "General IP protocol type."; 2321 reference 2322 "RFC 791: 
Internet Protocol 2323 RFC 2460: Internet Protocol, Version 6 (IPv6)"; 2324 } 2325 identity ipv4 { 2326 base ip; 2327 description 2328 "IPv4 protocol type."; 2329 reference 2330 "RFC 791: Internet Protocol"; 2331 } 2332 identity ipv6 { 2333 base ip; 2334 description 2335 "IPv6 protocol type."; 2336 reference 2337 "RFC 2460: Internet Protocol, Version 6 (IPv6)"; 2338 } 2339 identity http { 2340 base tcp; 2341 description 2342 "HTPP protocol type."; 2343 reference 2344 "RFC 2616: Hypertext Transfer Protocol"; 2345 } 2346 identity ftp { 2347 base tcp; 2348 description 2349 "FTP protocol type."; 2350 reference 2351 "RFC 959: File Transfer Protocol"; 2352 } 2353 grouping common-monitoring-data { 2354 description 2355 "The data set of common monitoring"; 2356 leaf message { 2357 type string; 2358 description 2359 "This is a freetext annotation of 2360 monitoring notification content"; 2361 } 2362 leaf time-stamp { 2363 type yang:date-and-time; 2364 description 2365 "Indicates the time of message generation"; 2366 } 2367 leaf vendor-name { 2368 type string; 2369 description 2370 "The name of the NSF vendor"; 2371 } 2372 leaf nsf-name { 2373 type string; 2374 description 2375 "The name (or IP) of the NSF 2376 generating the message"; 2377 } 2378 leaf module-name { 2379 type string; 2380 description 2381 "The module name outputting the message"; 2382 } 2383 leaf severity { 2384 type severity; 2385 description 2386 "The severity of the alarm such 2387 as critical, high, middle, low."; 2388 } 2389 } 2390 grouping characteristics{ 2391 description 2392 "A set of monitoring information characteristics"; 2393 leaf acquisition-method { 2394 type identityref { 2395 base acquisition-method; 2396 } 2397 description 2398 "The acquisition-method for characteristics"; 2399 } 2400 leaf emission-type { 2401 type identityref { 2402 base emission-type; 2403 } 2404 description 2405 "The emission-type for characteristics"; 2406 } 2407 leaf dampening-type { 2408 type identityref { 2409 base 
dampening-type; 2410 } 2411 description 2412 "The dampening-type for characteristics"; 2413 } 2414 } 2415 grouping i2nsf-system-alarm-type-content { 2416 description 2417 "A set of system alarm type contents"; 2418 leaf usage { 2419 type uint8; 2420 description 2421 "specifies the amount of usage"; 2422 } 2423 leaf threshold { 2424 type uint8; 2425 description 2426 "The threshold triggering the alarm or the event"; 2427 } 2428 } 2429 grouping i2nsf-system-event-type-content { 2430 description 2431 "System event metadata associated 2432 with system events caused by user activity."; 2433 leaf user { 2434 type string; 2435 mandatory true; 2436 description 2437 "Name of a user"; 2438 } 2439 leaf group { 2440 type string; 2441 mandatory true; 2442 description 2443 "Group to which a user belongs."; 2444 } 2445 leaf login-ip-addr { 2446 type inet:ipv4-address; 2447 mandatory true; 2448 description 2449 "Login IP address of a user."; 2450 } 2451 leaf authentication { 2452 type identityref { 2453 base authentication-mode; 2454 } 2455 description 2456 "The authentication-mode for authentication"; 2457 } 2458 } 2459 grouping i2nsf-nsf-event-type-content-extend { 2460 description 2461 "A set of common IPv4-related NSF event 2462 content elements"; 2463 leaf src-ip { 2464 type inet:ipv4-address; 2465 description 2466 "The source IP address of the packet"; 2467 } 2468 leaf dst-ip { 2469 type inet:ipv4-address; 2470 description 2471 "The destination IP address of the packet"; 2472 } 2473 leaf src-port { 2474 type inet:port-number; 2475 description 2476 "The source port of the packet"; 2477 } 2478 leaf dst-port { 2479 type inet:port-number; 2480 description 2481 "The destination port of the packet"; 2482 } 2483 leaf src-zone { 2484 type string; 2485 description 2486 "The source security zone of the packet"; 2488 } 2489 leaf dst-zone { 2490 type string; 2491 description 2492 "The destination security zone of the packet"; 2493 } 2494 leaf rule-id { 2495 type uint8; 2496 mandatory 
true; 2497 description 2498 "The ID of the rule being triggered"; 2499 } 2500 leaf rule-name { 2501 type string; 2502 mandatory true; 2503 description 2504 "The name of the rule being triggered"; 2505 } 2506 leaf profile { 2507 type string; 2508 description 2509 "Security profile that traffic matches."; 2510 } 2511 leaf raw-info { 2512 type string; 2513 description 2514 "The information describing the packet 2515 triggering the event."; 2516 } 2517 } 2518 grouping i2nsf-nsf-event-type-content { 2519 description 2520 "A set of common IPv4-related NSF event 2521 content elements"; 2522 leaf dst-ip { 2523 type inet:ipv4-address; 2524 description 2525 "The destination IP address of the packet"; 2526 } 2527 leaf dst-port { 2528 type inet:port-number; 2529 description 2530 "The destination port of the packet"; 2531 } 2532 leaf rule-id { 2533 type uint8; 2534 mandatory true; 2535 description 2536 "The ID of the rule being triggered"; 2537 } 2538 leaf rule-name { 2539 type string; 2540 mandatory true; 2541 description 2542 "The name of the rule being triggered"; 2543 } 2544 leaf profile { 2545 type string; 2546 description 2547 "Security profile that traffic matches."; 2548 } 2549 leaf raw-info { 2550 type string; 2551 description 2552 "The information describing the packet 2553 triggering the event."; 2554 } 2555 } 2556 grouping traffic-rates { 2557 description 2558 "A set of traffic rates 2559 for statistics data"; 2560 leaf total-traffic { 2561 type uint32; 2562 description 2563 "Total traffic"; 2564 } 2565 leaf in-traffic-ave-rate { 2566 type uint32; 2567 description 2568 "Inbound traffic average rate in pps"; 2569 } 2570 leaf in-traffic-peak-rate { 2571 type uint32; 2572 description 2573 "Inbound traffic peak rate in pps"; 2574 } 2575 leaf in-traffic-ave-speed { 2576 type uint32; 2577 description 2578 "Inbound traffic average speed in bps"; 2579 } 2580 leaf in-traffic-peak-speed { 2581 type uint32; 2582 description 2583 "Inbound traffic peak speed in bps"; 2585 } 2586 
leaf out-traffic-ave-rate { 2587 type uint32; 2588 description 2589 "Outbound traffic average rate in pps"; 2590 } 2591 leaf out-traffic-peak-rate { 2592 type uint32; 2593 description 2594 "Outbound traffic peak rate in pps"; 2595 } 2596 leaf out-traffic-ave-speed { 2597 type uint32; 2598 description 2599 "Outbound traffic average speed in bps"; 2600 } 2601 leaf out-traffic-peak-speed { 2602 type uint32; 2603 description 2604 "Outbound traffic peak speed in bps"; 2605 } 2606 } 2607 grouping i2nsf-system-counter-type-content{ 2608 description 2609 "A set of system counter type contents"; 2610 leaf interface-name { 2611 type string; 2612 description 2613 "Network interface name configured in NSF"; 2614 } 2615 leaf in-total-traffic-pkts { 2616 type uint32; 2617 description 2618 "Total inbound packets"; 2619 } 2620 leaf out-total-traffic-pkts { 2621 type uint32; 2622 description 2623 "Total outbound packets"; 2624 } 2625 leaf in-total-traffic-bytes { 2626 type uint32; 2627 description 2628 "Total inbound bytes"; 2629 } 2630 leaf out-total-traffic-bytes { 2631 type uint32; 2632 description 2633 "Total outbound bytes"; 2634 } 2635 leaf in-drop-traffic-pkts { 2636 type uint32; 2637 description 2638 "Total inbound drop packets"; 2639 } 2640 leaf out-drop-traffic-pkts { 2641 type uint32; 2642 description 2643 "Total outbound drop packets"; 2644 } 2645 leaf in-drop-traffic-bytes { 2646 type uint32; 2647 description 2648 "Total inbound drop bytes"; 2649 } 2650 leaf out-drop-traffic-bytes { 2651 type uint32; 2652 description 2653 "Total outbound drop bytes"; 2654 } 2655 uses traffic-rates; 2656 } 2657 grouping i2nsf-nsf-counters-type-content{ 2658 description 2659 "A set of nsf counters type contents"; 2660 leaf src-ip { 2661 type inet:ipv4-address; 2662 description 2663 "The source IP address of the packet"; 2664 } 2665 leaf dst-ip { 2666 type inet:ipv4-address; 2667 description 2668 "The destination IP address of the packet"; 2669 } 2670 leaf src-port { 2671 type 
inet:port-number; 2672 description 2673 "The source port of the packet"; 2674 } 2675 leaf dst-port { 2676 type inet:port-number; 2677 description 2678 "The destination port of the packet"; 2679 } 2680 leaf src-zone { 2681 type string; 2682 description 2683 "The source security zone of the packet"; 2684 } 2685 leaf dst-zone { 2686 type string; 2687 description 2688 "The destination security zone of the packet"; 2689 } 2690 leaf src-region { 2691 type string; 2692 description 2693 "Source region of the traffic"; 2694 } 2695 leaf dst-region{ 2696 type string; 2697 description 2698 "Destination region of the traffic"; 2699 } 2700 leaf policy-id { 2701 type uint8; 2702 description 2703 "The ID of the policy being triggered"; 2704 } 2705 leaf policy-name { 2706 type string; 2707 description 2708 "The name of the policy being triggered"; 2709 } 2710 leaf src-user{ 2711 type string; 2712 description 2713 "User who generates traffic"; 2714 } 2715 leaf protocol { 2716 type identityref { 2717 base protocol-type; 2718 } 2719 description 2720 "Protocol type of traffic"; 2721 } 2722 leaf app { 2723 type string; 2724 description 2725 "Application type of traffic"; 2726 } 2727 } 2728 notification system-detection-alarm { 2729 description 2730 "This notification is sent, when a system alarm 2731 is detected."; 2732 leaf alarm-category { 2733 type identityref { 2734 base alarm-type; 2735 } 2736 description 2737 "The alarm category for 2738 system-detection-alarm notification"; 2739 } 2740 uses characteristics; 2741 uses i2nsf-system-alarm-type-content; 2742 uses common-monitoring-data; 2743 } 2744 notification system-detection-event { 2745 description 2746 "This notification is sent, when a security-sensitive 2747 authentication action fails."; 2748 leaf event-category { 2749 type identityref { 2750 base event-type; 2751 } 2752 description 2753 "The event category for system-detection-event"; 2754 } 2755 uses characteristics; 2756 uses i2nsf-system-event-type-content; 2757 uses 
common-monitoring-data; 2758 } 2759 notification nsf-detection-flood { 2760 description 2761 "This notification is sent, 2762 when a specific flood type is detected"; 2763 leaf event-name { 2764 type identityref { 2765 base SEC-EVENT-DDOS; 2766 } 2767 description 2768 "The event name for nsf-detection-flood"; 2769 } 2770 uses i2nsf-nsf-event-type-content; 2771 leaf sub-attack-type { 2772 type identityref { 2773 base flood-type; 2774 } 2775 description 2776 "Any one of Syn flood, ACK flood, SYN-ACK flood, 2777 FIN/RST flood, TCP Connection flood, UDP flood, 2778 Icmp flood, HTTPS flood, HTTP flood, DNS query flood, 2779 DNS reply flood, SIP flood, etc."; 2780 } 2781 leaf start-time { 2782 type yang:date-and-time; 2783 mandatory true; 2784 description 2785 "The time stamp indicating when the attack started"; 2786 } 2787 leaf end-time { 2788 type yang:date-and-time; 2789 mandatory true; 2790 description 2791 "The time stamp indicating when the attack ended"; 2792 } 2793 leaf attack-rate { 2794 type uint32; 2795 description 2796 "The PPS rate of attack traffic"; 2797 } 2798 leaf attack-speed { 2799 type uint32; 2800 description 2801 "The BPS speed of attack traffic"; 2802 } 2803 uses common-monitoring-data; 2804 } 2805 notification nsf-detection-session-table { 2806 description 2807 "This notification is sent, when a session table 2808 event is detected"; 2809 leaf current-session { 2810 type uint8; 2811 description 2812 "The number of concurrent sessions"; 2813 } 2814 leaf maximum-session { 2815 type uint8; 2816 description 2817 "The maximum number of sessions that the session 2818 table can support"; 2819 } 2820 leaf threshold { 2821 type uint8; 2822 description 2823 "The threshold triggering the event"; 2825 } 2826 uses common-monitoring-data; 2827 } 2828 notification nsf-detection-virus { 2829 description 2830 "This notification is sent, when a virus is detected"; 2831 uses i2nsf-nsf-event-type-content-extend; 2832 leaf virus { 2833 type identityref { 2834 base 
virus-type; 2835 } 2836 description 2837 "The virus type for nsf-detection-virus notification"; 2838 } 2839 leaf virus-name { 2840 type string; 2841 description 2842 "The name of the detected virus"; 2843 } 2845 leaf file-type { 2846 type string; 2847 description 2848 "The type of file virus code 2849 is found in (if applicable)."; 2850 } 2851 leaf file-name { 2852 type string; 2853 description 2854 "The name of file virus code 2855 is found in (if applicable)."; 2856 } 2857 uses common-monitoring-data; 2858 } 2859 notification nsf-detection-intrusion { 2860 description 2861 "This notification is sent, when an intrusion event 2862 is detected."; 2863 uses i2nsf-nsf-event-type-content-extend; 2864 leaf protocol { 2865 type identityref { 2866 base protocol-type; 2867 } 2868 description 2869 "The protocol type for 2870 nsf-detection-intrusion notification"; 2871 } 2872 leaf app { 2873 type string; 2874 description 2875 "The employed application layer protocol"; 2876 } 2877 leaf sub-attack-type { 2878 type identityref { 2879 base intrusion-attack-type; 2880 } 2881 description 2882 "The sub attack type for intrusion attack"; 2883 } 2884 uses common-monitoring-data; 2885 } 2886 notification nsf-detection-botnet { 2887 description 2888 "This notification is sent, when a botnet event is 2889 detected"; 2890 uses i2nsf-nsf-event-type-content-extend; 2891 leaf attack-type { 2892 type identityref { 2893 base botnet-attack-type; 2894 } 2895 description 2896 "The attack type for botnet attack"; 2897 } 2898 leaf protocol { 2899 type identityref { 2900 base protocol-type; 2901 } 2902 description 2903 "The protocol type for nsf-detection-botnet notification"; 2904 } 2905 leaf botnet-name { 2906 type string; 2907 description 2908 "The name of the detected botnet"; 2909 } 2910 leaf role { 2911 type string; 2912 description 2913 "The role of the communicating 2914 parties within the botnet"; 2915 } 2916 uses common-monitoring-data; 2917 } 2918 notification nsf-detection-web-attack { 
2919 description 2920 "This notification is sent, when an attack event is 2921 detected"; 2922 uses i2nsf-nsf-event-type-content-extend; 2923 leaf sub-attack-type { 2924 type identityref { 2925 base web-attack-type; 2926 } 2927 description 2928 "Concrete web attack type, e.g., sql injection, 2929 command injection, XSS, CSRF"; 2930 } 2931 leaf request-method { 2932 type identityref { 2933 base req-method; 2934 } 2935 description 2936 "The method of requirement. For instance, PUT or 2937 GET in HTTP"; 2938 } 2939 leaf req-uri { 2940 type string; 2941 description 2942 "Requested URI"; 2943 } 2944 leaf uri-category { 2945 type string; 2946 description 2947 "Matched URI category"; 2948 } 2949 leaf-list filtering-type { 2950 type identityref { 2951 base filter-type; 2952 } 2953 description 2954 "URL filtering type, e.g., Blacklist, Whitelist, 2955 User-Defined, Predefined, Malicious Category, 2956 Unknown"; 2957 } 2958 uses common-monitoring-data; 2959 } 2960 notification system-access-log { 2961 description 2962 "The notification is sent, if there is 2963 a new system log entry about 2964 a system access event"; 2965 leaf login-ip { 2966 type inet:ipv4-address; 2967 mandatory true; 2968 description 2969 "Login IP address of a user"; 2970 } 2971 leaf administrator { 2972 type string; 2973 description 2974 "Administrator that maintains the device"; 2975 } 2976 leaf login-mode { 2977 type login-mode; 2978 description 2979 "Specifies the administrator log-in mode"; 2980 } 2981 leaf operation-type { 2982 type operation-type; 2983 description 2984 "The operation type that the administrator executes"; 2985 } 2986 leaf result { 2987 type string; 2988 description 2989 "Command execution result"; 2990 } 2991 leaf content { 2992 type string; 2993 description 2994 "The Operation performed by an administrator 2995 after login"; 2996 } 2997 uses characteristics; 2998 } 2999 notification system-res-util-log { 3000 description 3001 "This notification is sent, if there is 3002 a new 
log entry representing resource 3003 utilization updates."; 3004 leaf system-status { 3005 type string; 3006 description 3007 "The current systems 3008 running status"; 3009 } 3010 leaf cpu-usage { 3011 type uint8; 3012 description 3013 "Specifies the relative amount of 3014 cpu usage wrt platform resources"; 3015 } 3016 leaf memory-usage { 3017 type uint8; 3018 description 3019 "Specifies the amount of memory usage"; 3020 } 3021 leaf disk-usage { 3022 type uint8; 3023 description 3024 "Specifies the amount of disk usage"; 3025 } 3026 leaf disk-left { 3027 type uint8; 3028 description 3029 "Specifies the amount of disk left"; 3030 } 3031 leaf session-num { 3032 type uint8; 3033 description 3034 "The total number of sessions"; 3035 } 3036 leaf process-num { 3037 type uint8; 3038 description 3039 "The total number of process"; 3040 } 3041 leaf in-traffic-rate { 3042 type uint32; 3043 description 3044 "The total inbound traffic rate in pps"; 3045 } 3046 leaf out-traffic-rate { 3047 type uint32; 3048 description 3049 "The total outbound traffic rate in pps"; 3050 } 3051 leaf in-traffic-speed { 3052 type uint32; 3053 description 3054 "The total inbound traffic speed in bps"; 3055 } 3056 leaf out-traffic-speed { 3057 type uint32; 3058 description 3059 "The total outbound traffic speed in bps"; 3060 } 3061 uses characteristics; 3062 } 3063 notification system-user-activity-log { 3064 description 3065 "This notification is sent, if there is 3066 a new user activity log entry"; 3067 uses characteristics; 3068 uses i2nsf-system-event-type-content; 3069 leaf access { 3070 type identityref { 3071 base access-mode; 3072 } 3073 description 3074 "The access type for 3075 system-user-activity-log notification"; 3076 } 3077 leaf online-duration { 3078 type string; 3079 description 3080 "Online duration"; 3081 } 3082 leaf logout-duration { 3083 type string; 3084 description 3085 "Lockout duration"; 3086 } 3087 leaf additional-info { 3088 type string; 3089 description 3090 "User 
           activities. e.g., Successful
           User Login, Failed Login attempts,
           User Logout, Successful User
           Password Change, Failed User
           Password Change, User Lockout,
           User Unlocking, Unknown";
       }
     }
     notification nsf-log-ddos {
       description
         "This notification is sent, if there is
          a new DDoS event log entry in the nsf log";
       leaf attack-type {
         type identityref {
           base ddos-attack-type;
         }
         description
           "The ddos attack type for
            nsf-log-ddos notification";
       }
       leaf attack-ave-rate {
         type uint32;
         description
           "The ave PPS of attack traffic";
       }
       leaf attack-ave-speed {
         type uint32;
         description
           "the ave bps of attack traffic";
       }
       leaf attack-pkt-num {
         type uint32;
         description
           "the number of attack packets";
       }
       leaf attack-src-ip {
         type inet:ipv4-address;
         description
           "The source IP addresses of attack
            traffics. If there are a large
            amount of IP addresses, then
            pick a certain number of resources
            according to different rules.";
       }
       leaf action {
         type log-action;
         description
           "Action type: allow, alert,
            block, discard, declare,
            block-ip, block-service";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     notification nsf-log-virus {
       description
         "This notification is sent, if there is
          a new virus event log entry in the nsf log";
       leaf attack-type {
         type identityref {
           base virus-type;
         }
         description
           "The virus type for nsf-log-virus notification";
       }
       leaf action {
         type log-action;
         description
           "Action type: allow, alert,
            block, discard, declare,
            block-ip, block-service";
       }
       leaf os {
         type string;
         description
           "simple os information";
       }
       leaf time {
         type yang:date-and-time;
         mandatory true;
         description
           "Indicate the time when the message
            is generated";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     notification nsf-log-intrusion {
       description
         "This notification is sent, if there is
          a new intrusion event log entry in the nsf log";
       leaf attack-type {
         type identityref {
           base intrusion-attack-type;
         }
         description
           "The intrusion attack type for
            nsf-log-intrusion notification";
       }
       leaf action {
         type log-action;
         description
           "Action type: allow, alert,
            block, discard, declare,
            block-ip, block-service";
       }
       leaf time {
         type yang:date-and-time;
         mandatory true;
         description
           "Indicate the time when the message
            is generated";
       }
       leaf attack-rate {
         type uint32;
         description
           "The PPS of attack traffic";
       }
       leaf attack-speed {
         type uint32;
         description
           "The bps of attack traffic";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     notification nsf-log-botnet {
       description
         "This notification is sent, if there is
          a new botnet event log in the nsf log";
       leaf attack-type {
         type identityref {
           base botnet-attack-type;
         }
         description
           "The botnet attack type for
            nsf-log-botnet notification";
       }
       leaf action {
         type log-action;
         description
           "Action type: allow, alert,
            block, discard, declare,
            block-ip, block-service";
       }
       leaf botnet-pkt-num {
         type uint8;
         description
           "The number of the packets sent to
            or from the detected botnet";
       }
       leaf os {
         type string;
         description
           "simple os information";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     notification nsf-log-dpi {
       description
         "This notification is sent, if there is
          a new dpi event in the nsf log";
       leaf attack-type {
         type dpi-type;
         description
           "The type of the dpi";
       }
       uses characteristics;
       uses i2nsf-nsf-counters-type-content;
       uses common-monitoring-data;
     }
     notification nsf-log-vuln-scan {
       description
         "This notification is sent, if there is
          a new vulnerability-scan report in the nsf log";
       leaf vulnerability-id {
         type uint8;
         description
           "The vulnerability id";
       }
       leaf victim-ip {
         type inet:ipv4-address;
         description
           "IP address of the victim host
            which has vulnerabilities";
       }
       leaf protocol {
         type identityref {
           base protocol-type;
         }
         description
           "The protocol type for
            nsf-log-vuln-scan notification";
       }
       leaf port-num {
         type inet:port-number;
         description
           "The port number";
       }
       leaf level {
         type severity;
         description
           "The vulnerability severity";
       }
       leaf os {
         type string;
         description
           "simple os information";
       }
       leaf vulnerability-info {
         type string;
         description
           "The information about the vulnerability";
       }
       leaf fix-suggestion {
         type string;
         description
           "The fix suggestion to the vulnerability";
       }
       leaf service {
         type string;
         description
           "The service which has vulnerability in the victim host";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     notification nsf-log-web-attack {
       description
         "This notification is sent, if there is
          a new web-attack event in the nsf log";
       leaf attack-type {
         type identityref {
           base web-attack-type;
         }
         description
           "The web attack type for
            nsf-log-web-attack notification";
       }
       leaf rsp-code {
         type string;
         description
           "Response code";
       }
       leaf req-clientapp {
         type string;
         description
           "The client application";
       }
       leaf req-cookies {
         type string;
         description
           "Cookies";
       }
       leaf req-host {
         type string;
         description
           "The domain name of the requested host";
       }
       leaf raw-info {
         type string;
         description
           "The information describing
            the packet triggering the event.";
       }
       uses characteristics;
       uses common-monitoring-data;
     }
     container counters {
       description
         "This is probably better covered by an import
          as this will not be notifications.
          Counter are not very suitable as telemetry, maybe
          via periodic subscriptions, which would still
          violate principle of least surprise.";
       container system-interface {
         description
           "The system counter type is interface counter";
         uses characteristics;
         uses i2nsf-system-counter-type-content;
         uses common-monitoring-data;
       }
       container nsf-firewall {
         description
           "The nsf counter type is firewall counter";
         uses characteristics;
         uses i2nsf-nsf-counters-type-content;
         uses traffic-rates;
       }
       container nsf-policy-hits {
         description
           "The counters of policy hit";
         uses characteristics;
         uses i2nsf-nsf-counters-type-content;
         uses common-monitoring-data;
         leaf hit-times {
           type uint32;
           description
             "The hit times for policy";
         }
       }
     }
   }

                   Figure 2: Data Model of Monitoring

11. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC6020][RFC7950].

   name: ietf-i2nsf-monitor
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
   prefix: iim
   reference: RFC XXXX
12. Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive. Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   framework operations. The monitoring YANG module should be protected
   by a secure communication channel to ensure its confidentiality and
   integrity. Furthermore, both the NSF and the security controller can
   be impersonated, which leads to undesirable results (i.e., leakage of
   an NSF's important operational information, or a faked NSF sending
   false information to mislead the security controller). Mutual
   authentication is essential to protect against this kind of attack.
   The current mainstream security technologies (i.e., TLS, DTLS, IPsec,
   and X.509 PKI) can be employed appropriately to provide the above
   security functions.

   In addition, to defend against a DDoS attack caused by a large number
   of NSFs sending massive numbers of notifications to the security
   controller, rate limiting or similar mechanisms should be considered
   in both the NSF and the security controller, whether configured in
   advance or applied during a DDoS attack.
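   The rate limiting that Section 12 recommends, as an added example that
   is not part of the draft: a security controller keeps one token bucket
   per NSF so that a flood from one NSF cannot starve the others, and
   checks a received nsf-log-ddos notification against the types declared
   for its leaves. The dict payload shape, the nsf_id key and the sample
   values are assumptions; identities derived from ddos-attack-type are
   defined elsewhere in the draft, so a constructed string stands in.

```python
"""Controller-side admission control for I2NSF notifications: per-NSF
token-bucket rate limiting (Section 12) plus checks derived from the
nsf-log-ddos leaf types.  Added example, not draft code; the dict payload
shape and the nsf_id key are assumptions."""
import ipaddress
from dataclasses import dataclass, field

UINT32_MAX = 2**32 - 1
# Constructed sample payload keyed by the nsf-log-ddos leaf names.
SAMPLE_DDOS = {"attack-type": "constructed-ddos-type",
               "attack-ave-rate": 5000, "attack-src-ip": "192.0.2.1"}

def validate_nsf_log_ddos(n: dict) -> list:
    """Return the problems found; an empty list means well formed."""
    problems = []
    for leaf in ("attack-ave-rate", "attack-ave-speed", "attack-pkt-num"):
        v = n.get(leaf)  # all three are 'type uint32' in the module
        if v is not None and not (isinstance(v, int) and 0 <= v <= UINT32_MAX):
            problems.append(f"{leaf}: not a uint32")
    src = n.get("attack-src-ip")  # 'type inet:ipv4-address'
    if src is not None:
        try:
            ipaddress.IPv4Address(src)
        except ValueError:
            problems.append("attack-src-ip: not an IPv4 address")
    if not n.get("attack-type"):  # identityref based on ddos-attack-type
        problems.append("attack-type: missing identityref")
    return problems

@dataclass
class NsfRateLimiter:
    """One token bucket per NSF: up to `burst` notifications at once,
    refilled at `rate`/s; excess is dropped and counted per NSF."""
    rate: float
    burst: float
    tokens: dict = field(default_factory=dict)
    last: dict = field(default_factory=dict)
    dropped: dict = field(default_factory=dict)

    def allow(self, nsf_id: str, now: float) -> bool:
        elapsed = now - self.last.get(nsf_id, now)
        bucket = self.tokens.get(nsf_id, self.burst) + elapsed * self.rate
        self.tokens[nsf_id] = min(self.burst, bucket)
        self.last[nsf_id] = now
        if self.tokens[nsf_id] >= 1:
            self.tokens[nsf_id] -= 1
            return True
        self.dropped[nsf_id] = self.dropped.get(nsf_id, 0) + 1
        return False

def admit(limiter: NsfRateLimiter, nsf_id: str, now: float, n: dict) -> str:
    """Rate limit first (cheap, before any parsing), then validate."""
    if not limiter.allow(nsf_id, now):
        return "rate-limited"
    return "invalid" if validate_nsf_log_ddos(n) else "accepted"
```

   The per-NSF `dropped` counters are what an operator would watch to tell
   a misbehaving or impersonated NSF from a genuine burst of events.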
13. Acknowledgments

   This work was supported by the Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Ministry of Science and ICT (MSIT), Korea (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

   This work was supported in part by the MSIT under the Information
   Technology Research Center (ITRC) support program
   (IITP-2019-2017-0-01633) supervised by the IITP.

14. Contributors

   This document is the result of a group effort of the I2NSF working
   group. Many people actively contributed to this document. The
   following are considered co-authors:

   o Jinyong Tim Kim (Sungkyunkwan University)

   o Dongjin Hong (Sungkyunkwan University)

   o Dacheng Zhang (Huawei)

   o Yi Wu (Alibaba Group)

   o Rakesh Kumar (Juniper Networks)

   o Anil Lohiya (Juniper Networks)

15. References

15.1. Normative References

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Subscription to YANG Event Notifications",
              draft-ietf-netconf-subscribed-notifications-26 (work in
              progress), May 2019.

   [I-D.ietf-netconf-yang-push]
              Clemm, A. and E. Voit, "Subscription to YANG Datastores",
              draft-ietf-netconf-yang-push-25 (work in progress), May
              2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.
   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, DOI 10.17487/RFC6587, April
              2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

15.2. Informative References

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities",
              draft-ietf-i2nsf-capability-05 (work in progress), April
              2019.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model",
              draft-ietf-i2nsf-consumer-facing-interface-dm-06 (work in
              progress), July 2019.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
              Lin, "I2NSF Network Security Function-Facing Interface
              YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
              dm-07 (work in progress), July 2019.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
              "I2NSF Registration Interface YANG Data Model",
              draft-ietf-i2nsf-registration-interface-dm-05 (work in
              progress), July 2019.

   [I-D.ietf-i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-08 (work in
              progress), July 2019.

   [I-D.yang-i2nsf-nfv-architecture]
              Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the
              NFV Reference Architecture",
              draft-yang-i2nsf-nfv-architecture-05 (work in progress),
              July 2019.

   [I-D.yang-i2nsf-security-policy-translation]
              Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
              Policy Translation in Interface to Network Security
              Functions", draft-yang-i2nsf-security-policy-
              translation-04 (work in progress), July 2019.
   [RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
              Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-01

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-01:

   o Section 7 is reorganized so that the subsections for the monitored
     objects (i.e., event, log, and counter) of System and NSF are
     listed pairwise, one System subsection next to one NSF subsection,
     except for alarm, because alarm is a monitored object of the System
     only.
Authors' Addresses

   Jaehoon Paul Jeong
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Chaehong Chung
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   EMail: darkhong@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de