idnits 2.17.1 draft-ietf-i2nsf-nsf-monitoring-data-model-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 5 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 7, 2020) is 1327 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2119' is defined on line 3522, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)

  ** Downref: Normative reference to an Unknown state RFC: RFC 956

  ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
     RFC 7232, RFC 7233, RFC 7234, RFC 7235)

  ** Downref: Normative reference to an Informational RFC: RFC 3954

  ** Downref: Normative reference to an Informational RFC: RFC 4949

  ** Downref: Normative reference to an Historic RFC: RFC 6587

  ** Downref: Normative reference to an Informational RFC: RFC 8329

  == Outdated reference: A later version (-31) exists of
     draft-ietf-i2nsf-consumer-facing-interface-dm-11

  == Outdated reference: A later version (-29) exists of
     draft-ietf-i2nsf-nsf-facing-interface-dm-10

  == Outdated reference: A later version (-26) exists of
     draft-ietf-i2nsf-registration-interface-dm-09

  == Outdated reference: A later version (-16) exists of
     draft-yang-i2nsf-security-policy-translation-06

     Summary: 8 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       J. Jeong, Ed.
Internet-Draft                                                  P. Lingga
Intended status: Standards Track                  Sungkyunkwan University
Expires: March 11, 2021                                          S. Hares
                                                                   L. Xia
                                                                   Huawei
                                                              H. Birkholz
                                                           Fraunhofer SIT
                                                        September 7, 2020

                  I2NSF NSF Monitoring YANG Data Model
            draft-ietf-i2nsf-nsf-monitoring-data-model-04

Abstract

   This document proposes an information model and the corresponding
   YANG data model for monitoring Network Security Functions (NSFs) in
   the Interface to Network Security Functions (I2NSF) framework.  If
   the monitoring of NSFs is performed in a comprehensive way, it is
   possible to detect the indication of malicious activity, anomalous
   behavior, the potential sign of denial of service attacks, or system
   overload in a timely manner.  This monitoring functionality is based
   on the monitoring information that is generated by NSFs.  Thus, this
   document describes not only an information model for monitoring NSFs
   along with a YANG data diagram, but also the corresponding YANG data
   model for monitoring NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications and Events
     4.3.  Unsolicited Poll and Solicited Push
     4.4.  I2NSF Monitoring Terminology for Retained Information
   5.  Conveyance of NSF Monitoring Information
     5.1.  Information Types and Acquisition Methods
   6.  Basic Information Model for All Monitoring Data
   7.  Extended Information Model for Monitoring Data
     7.1.  System Alarms
       7.1.1.  Memory Alarm
       7.1.2.  CPU Alarm
       7.1.3.  Disk Alarm
       7.1.4.  Hardware Alarm
       7.1.5.  Interface Alarm
     7.2.  System Events
       7.2.1.  Access Violation
       7.2.2.  Configuration Change
     7.3.  NSF Events
       7.3.1.  DDoS Event
       7.3.2.  Session Table Event
       7.3.3.  Virus Event
       7.3.4.  Intrusion Event
       7.3.5.  Botnet Event
       7.3.6.  Web Attack Event
     7.4.  System Logs
       7.4.1.  Access Log
       7.4.2.  Resource Utilization Log
       7.4.3.  User Activity Log
     7.5.  NSF Logs
       7.5.1.  DDoS Log
       7.5.2.  Virus Log
       7.5.3.  Intrusion Log
       7.5.4.  Botnet Log
       7.5.5.  DPI Log
       7.5.6.  Vulnerability Scanning Log
       7.5.7.  Web Attack Log
     7.6.  System Counter
       7.6.1.  Interface counter
     7.7.  NSF Counters
       7.7.1.  Firewall counter
       7.7.2.  Policy Hit Counter
   8.  NSF Monitoring Management in I2NSF
   9.  Tree Structure
   10. YANG Data Model
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgments
   14. Contributors
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-03
   Authors' Addresses

1.  Introduction

   According to [RFC8329], the interface provided by a Network Security
   Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus
   function) to administrative entities (e.g., Security Controller) to
   enable remote management (i.e., configuring and monitoring) is
   referred to as an I2NSF NSF-Facing Interface
   [I-D.ietf-i2nsf-nsf-facing-interface-dm].  Monitoring procedures
   intend to acquire vital types of data with respect to NSFs (e.g.,
   alarms, records, and counters) via data in motion (e.g., queries,
   notifications, and events).  The monitoring of NSFs plays an
   important role in an overall security framework, if it is done in a
   timely and comprehensive way.  The monitoring information generated
   by an NSF can be a good, early indication of anomalous behavior or
   malicious activity, such as denial of service (DoS) attacks.
   This document defines a comprehensive NSF monitoring information
   model that provides a Security Controller with visibility into an
   NSF.  It specifies the information and illustrates the methods that
   enable an NSF to provide the information required in order to be
   monitored in a scalable and efficient way via the NSF-Facing
   Interface.  The information model for monitoring presented in this
   document is a complementary information model to the information
   model for the security policy provisioning functionality of the
   NSF-Facing Interface specified in [I-D.ietf-i2nsf-capability].

   This document also defines a YANG [RFC7950] data model for
   monitoring NSFs, which is derived from the information model for NSF
   monitoring.

2.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols
   in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall
   security framework.  The monitoring of the NSF provides very
   valuable information to the security controller in maintaining the
   provisioned security posture.  Besides this, there are various other
   reasons to monitor the NSF, as listed below:

   o  The security administrator, using an I2NSF User, can configure a
      policy that is triggered on a specific event occurring in the NSF
      or the network [RFC8329]
      [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If a security
      controller detects the specified event, it configures additional
      security functions as defined by policies.
   o  The events triggered by an NSF as a result of a security policy
      violation can be used by Security Information and Event
      Management (SIEM) to detect any suspicious activity in a larger
      correlation context.

   o  The events and activity logs from an NSF can be used to build
      advanced analytics, such as behavior and predictive models, to
      improve the security posture in large deployments.

   o  The security controller can use events from the NSF to achieve
      high availability.  It can take corrective actions such as
      restarting a failed NSF and horizontally scaling up the NSF.

   o  The events and activity logs from the NSF can aid in the root
      cause analysis of an operational issue, and so improve debugging.

   o  The activity logs from the NSF can be used to build historical
      data for operational and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is necessary not
   only to configure an NSF's security policies but also to
   continuously monitor the NSF by consuming acquirable and observable
   information.  This enables security administrators to assess the
   state of the network topology in a timely fashion.  It is not
   possible to block all internal and external threats based on a
   static security posture.  A more practical approach is to enable
   dynamic security measures, for which continuous visibility is
   required.  This document defines a set of information elements (and
   their scope) that can be acquired from an NSF and can be used as NSF
   monitoring information.  In essence, these types of monitoring
   information can be leveraged to support constant visibility on
   multiple levels of granularity and can be consumed by the
   corresponding functions.

   Three basic domains of the monitoring information originating from
   a system entity [RFC4949] or an NSF are highlighted in this
   document:
   o  Retention and Emission

   o  Notifications and Events

   o  Unsolicited Poll and Solicited Push

   The Alarm Management Framework in [RFC3877] defines an Event as
   something that happens which may be of interest.  It defines a fault
   as a change in status, crossing a threshold, or an external input to
   the system.  In the I2NSF domain, I2NSF events are created, and the
   scope of the Alarm Management Framework's Events is still applicable
   due to its broad definition.  The model presented in this document
   elaborates on the workflow of creating I2NSF events in the context
   of NSF monitoring and on the way initial I2NSF events are created.

   As with I2NSF components, every generic system entity can include a
   set of capabilities that creates information about the context,
   composition, configuration, state or behavior of that system entity.
   This information is intended to be provided to other consumers of
   information, which in the scope of this document means NSF
   information monitoring in an automated fashion.

4.1.  Retention and Emission

   Typically, a system entity populates standardized interfaces, such
   as SNMP, NETCONF, RESTCONF or CoMI, to provide and emit created
   information directly via the NSF-Facing Interface.  Alternatively,
   the created information is retained inside the system entity (or a
   hierarchy of system entities in a composite device) via records or
   counters that are not exposed directly via NSF-Facing Interfaces.

   Information emitted via standardized interfaces can be consumed by
   an I2NSF User that includes the capability to consume information
   not only via an I2NSF Interface (e.g.,
   [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via
   interfaces complementary to the standardized interfaces a generic
   system entity provides.
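   Records retained on a system entity (Section 4.1) reach the I2NSF
   domain only after an I2NSF User converts them into monitoring
   messages.  The following Python block is an added example, not code
   from the draft or from any I2NSF implementation: it parses RFC 5424
   syslog records and rewrites them into the message envelope whose
   field names are taken from the basic information model of Section 6
   (message_version, message_type, time_stamp, vendor_name, NSF_name,
   Module_name, severity).  The regular expression, the vendor name and
   the sample records are constructed for the example; the regular
   expression accepts a single structured-data element only.

```python
"""Homogenizing function: RFC 5424 syslog records -> I2NSF monitoring messages.

Added example for Section 4.1 of the draft (not the draft's own code).
The envelope fields mirror the basic information model of Section 6; the
vendor name and the sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Simplification (assumption): a single structured-data element or "-".
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


@dataclass
class MonitoringMessage:
    message_version: str   # two-digit decimal numeral, "01" for this format
    message_type: str      # Event, Alert, Alarm, Log, Counter, ...
    time_stamp: str
    vendor_name: str
    nsf_name: str
    module_name: str
    severity: int          # 0..7, smaller is more severe
    message: str


def homogenize(record: str, vendor_name: str = "example-vendor") -> MonitoringMessage:
    """Convert one RFC 5424 record into a Log-type monitoring message."""
    m = _SYSLOG_RE.match(record)
    if m is None:
        raise ValueError(f"not an RFC 5424 record: {record!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # RFC 5424: PRI is at most 23*8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    # RFC 5424 PRI = facility * 8 + severity; the syslog severity scale
    # (0 = Emergency .. 7 = Debug) has the same orientation as the 0..7
    # levels of Section 6, so it is carried over unchanged.
    severity = pri & 0x7
    return MonitoringMessage(
        message_version="01",
        message_type="Log",
        time_stamp=m.group("ts"),
        vendor_name=vendor_name,
        nsf_name=m.group("host"),
        module_name=m.group("app"),
        severity=severity,
        message=m.group("msg"),
    )


def homogenize_all(records: List[str]) -> List[MonitoringMessage]:
    return [homogenize(r) for r in records]


# Constructed sample records (not real log data; RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    "<34>1 2020-09-07T10:15:00Z fw01.example.net ips 2314 ID47 - rule 42 triggered from 192.0.2.10",
    "<190>1 2020-09-07T10:15:01Z fw01.example.net firewall - - - session table at 40%",
]

if __name__ == "__main__":
    for msg in homogenize_all(SAMPLE_RECORDS):
        print(msg)
```

   A record that does not parse raises rather than producing a
   half-filled message, so a malformed line cannot silently become a
   low-severity Log entry.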
   Information retained on a system entity requires a corresponding
   I2NSF User to access aggregated records of information, typically in
   the form of log files or databases.  There are ways to aggregate
   records originating from different system entities over a network,
   for example via the Syslog Protocol [RFC5424] or Syslog over TCP
   [RFC6587].  But even if records are conveyed, the result is the same
   kind of retention, in the form of a bigger aggregate of records on
   another system entity.

   An I2NSF User is required to process fresh [RFC4949] records created
   by I2NSF Functions in order to provide them to other I2NSF
   Components via the corresponding I2NSF Interfaces in a timely
   manner.  This process is effectively based on homogenizing
   functions, which can access and convert specific kinds of records
   into information that can be provided and emitted via I2NSF
   interfaces.

   Whether retained or emitted, the information required to support
   monitoring processes has to be processed by an I2NSF User at some
   point in the workflow.  Typical locations of these I2NSF Users are:

   o  a system entity that creates the information

   o  a system entity that retains an aggregation of records

   o  an I2NSF Component that includes the capabilities of using
      standardized interfaces provided by other system entities that
      are not I2NSF Components

   o  an I2NSF Component that creates the information

4.2.  Notifications and Events

   A specific task of an I2NSF User is to process I2NSF Policy Rules.
   The rules of a policy are composed of three clauses: Events,
   Conditions, and Actions.  In consequence, an I2NSF Event is
   specified to trigger an I2NSF Policy Rule.  Such an I2NSF Event is
   defined as any important occurrence over time in the system being
   managed, and/or in the environment of the system being managed,
   which aligns well with the generic definition of Event from
   [RFC3877].
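   Section 4.2 makes the observer, not the producer, responsible for
   deciding whether a notification is important enough to become an
   I2NSF Event, and names aggregation, correlation and simple anomaly
   detection as the post-processing that gets a notification there.
   The following Python block is an added example of that observer-side
   step; it is not code from the draft or from any I2NSF component.
   It correlates authentication-failure notifications per source and
   login address over a sliding window and promotes a burst to an
   ACCESS_DENIED event (the event name appears in Section 7.2.1 of the
   draft).  The Notification fields, the window and burst sizes, the
   assessed severity and the sample stream are assumptions made for
   the example; a producer's own severity hint is carried but never
   decides the outcome.

```python
"""Observer-side assessment of notifications (Section 4.2): added example.

Not the draft's own code.  Notifications from a generic system entity are
not I2NSF Events by themselves; the consumer (an I2NSF User) decides their
importance.  Field names, window/burst sizes, the assessed severity and
the sample notifications are assumptions for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Notification:
    time: float                   # seconds since epoch
    source: str                   # system entity that produced it
    kind: str                     # e.g. "auth_failure"
    login_ip: str
    producer_severity: Optional[int] = None   # hint only; not authoritative


@dataclass
class Event:
    time: float
    event_name: str
    severity: int                 # 0..7, assessed by the observer
    details: Dict = field(default_factory=dict)


class NotificationAssessor:
    """Promote a burst of auth failures from one (source, login_ip) to an Event."""

    def __init__(self, window_s: float = 60.0, burst: int = 3, severity: int = 3):
        self.window_s = window_s
        self.burst = burst
        self.severity = severity
        self._seen = defaultdict(deque)   # (source, login_ip) -> recent times

    def observe(self, n: Notification) -> Optional[Event]:
        """Return an I2NSF Event if this notification completes a burst, else None."""
        if n.kind != "auth_failure":
            return None               # other kinds carry no expressiveness here
        key = (n.source, n.login_ip)
        q = self._seen[key]
        q.append(n.time)
        while q and n.time - q[0] > self.window_s:
            q.popleft()               # drop observations outside the window
        if len(q) < self.burst:
            return None               # a single failure is not an Event
        q.clear()                     # emit once per burst, then restart the window
        return Event(time=n.time, event_name="ACCESS_DENIED", severity=self.severity,
                     details={"login_ip": n.login_ip, "source": n.source,
                              "count": self.burst, "window_s": self.window_s})


def assess_all(notifications: List[Notification], **kw) -> List[Event]:
    assessor = NotificationAssessor(**kw)
    return [e for e in map(assessor.observe, notifications) if e is not None]


# Constructed sample stream: three failures from one address inside 60 s,
# one isolated failure from another address that the producer rated severe.
SAMPLE = [
    Notification(1000.0, "auth-svc", "auth_failure", "192.0.2.10", producer_severity=6),
    Notification(1010.0, "auth-svc", "auth_failure", "192.0.2.10"),
    Notification(1015.0, "auth-svc", "auth_failure", "203.0.113.5", producer_severity=1),
    Notification(1050.0, "auth-svc", "auth_failure", "192.0.2.10"),
    Notification(1200.0, "auth-svc", "auth_failure", "192.0.2.10"),
]

if __name__ == "__main__":
    for e in assess_all(SAMPLE):
        print(e)
```

   In the sample stream only the burst from 192.0.2.10 becomes an
   Event; the single failure from 203.0.113.5 stays a notification even
   though its producer attached a severity hint of 1, which is the
   point the section makes about who assesses importance.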
   The model illustrated in this document introduces a complementary
   type of information that can be conveyed as a notification.

   Notification:  An occurrence of a change of context, composition,
      configuration, state or behavior of a system entity that can be
      directly or indirectly observed by an I2NSF User and can be used
      as input for an event-clause in I2NSF Policy Rules.

      A notification is similar to an I2NSF Event, with the exception
      that it is created by a system entity that is not an I2NSF
      Component and that its importance is yet to be assessed.
      Semantically, a notification is not an I2NSF Event in the context
      of I2NSF, although they can potentially use the exact same
      information or data model.  With respect to [RFC3877], a
      Notification is a specific subset of events, because it conveys
      information about something that happens which may be of
      interest.  In consequence, Notifications may contain information
      with very low expressiveness or relevance.  Hence, additional
      post-processing functions, such as aggregation, correlation or
      simple anomaly detection, might have to be employed to satisfy
      the level of expressiveness that is required for an event-clause
      of an I2NSF Policy Rule.

   It is important to note that the consumer of a notification (the
   observer) assesses the importance of a notification, not the
   producer.  The producer can include metadata in a notification that
   supports the observer in assessing the importance (even metadata
   about severity), but the deciding entity is an I2NSF User.

4.3.  Unsolicited Poll and Solicited Push

   The freshness of the monitored information depends on the
   acquisition method.  Ideally, an I2NSF User accesses all relevant
   information about the I2NSF Component and emits I2NSF Events to a
   monitoring entity (e.g., Security Controller or I2NSF User) in a
   timely manner.  Publication of events via a pub/sub or broker
   model, peer-to-peer meshes, or statically defined channels are only
   a few examples of how a solicited push of I2NSF Events can be
   facilitated.  The actual mechanism implemented by an I2NSF
   Component is out of the scope of this document.

   Often, the corresponding management interfaces have to be queried
   at intervals or on demand if required by an I2NSF Policy Rule.  In
   some cases, a collection of information has to be conducted via
   login mechanisms provided by a system entity.  Accessing records of
   information via this kind of unsolicited poll can introduce a
   significant latency in regard to the freshness of the monitored
   information.  The actual definition of intervals implemented by an
   I2NSF Component is also out of scope of this document.

4.4.  I2NSF Monitoring Terminology for Retained Information

   Records:  Unlike information emitted via notifications and events,
      records do not require immediate attention from an analyst but
      may be useful for visibility and retroactive cyber forensics.
      Depending on the record format, there are different qualities in
      regard to structure and detail.  Records are typically stored in
      log files or databases on a system entity or NSF.  Records in
      the form of log files usually include less structure but
      potentially more detailed information in regard to the changes
      of a system entity's characteristics.  In contrast, databases
      often use stricter schemas or data models, therefore enforcing a
      better structure.  However, they inhibit storing information
      that does not match those models ("closed world assumption").
      Records can be continuously processed by I2NSF Agents that act
      as I2NSF Producers and emit events via functions specifically
      tailored to a certain type of record.  Typically, records are
      information generated either by an NSF or a system entity about
      operational and informational data, or various changes in system
      characteristics, such as user activities, network/traffic
      status, and network activity.  They are important for debugging,
      auditing and security forensics.

   Counters:  A specific representation of continuous value changes of
      information elements that potentially occur at high frequency.
      Prominent examples are network interface counters, e.g., PDU
      count or byte count, drop counters, and error counters.
      Counters are useful for debugging and for visibility into the
      operational behavior of an NSF.  An I2NSF Agent that observes
      the progression of counters can act as an I2NSF Producer and
      emit events with respect to I2NSF Policy Rules.

5.  Conveyance of NSF Monitoring Information

   As per the use cases of NSF monitoring data, information needs to
   be conveyed to various I2NSF Consumers based on requirements
   imposed by I2NSF Capabilities and workflows.  There are multiple
   aspects to be considered in regard to the emission of monitoring
   information to requesting parties, as listed below:

   o  Pull-Push Model:  A set of data can be pushed by an NSF to a
      requesting party or pulled by a requesting party from an NSF.
      Specific types of information might need both models at the same
      time if there are multiple I2NSF Consumers with varying
      requirements.  In general, any I2NSF Event including a high
      severity assessment is considered to be of great importance and
      should be processed as soon as possible (push model).  Records,
      in contrast, are typically not as critical (pull model).  The
      I2NSF Architecture does not mandate a specific scheme for each
      type of information, which is therefore out of scope of this
      document.
   o  Pub-Sub Model:  In order for an I2NSF Provider to push monitoring
      information to multiple appropriate I2NSF Consumers, a
      subscription can be maintained by both I2NSF Components.
      Discovery of available monitoring information can be supported
      by an I2NSF Controller that takes the role of a broker and
      therefore includes I2NSF Capabilities that support registration.

   o  Export Frequency:  Monitoring information can be emitted
      immediately upon generation by an NSF to requesting I2NSF
      Consumers or can be pushed periodically.  The frequency of
      exporting the data depends upon its size and timely usefulness.
      It is out of the scope of I2NSF and left to each NSF
      implementation.

   o  Authentication:  There may be a need for authentication between
      an I2NSF Producer of monitoring information and its
      corresponding I2NSF Consumer to ensure that critical information
      remains confidential.  Authentication in the scope of I2NSF can
      also require its corresponding content authorization.  This may
      be necessary, for example, if an NSF emits monitoring
      information to an I2NSF Consumer outside its administrative
      domain.  The I2NSF Architecture does not mandate when and how
      specific authentication has to be implemented.

   o  Data-Transfer Model:  Monitoring information can be pushed by an
      NSF using a connection-less model that does not require a
      persistent connection, or streamed over a persistent connection.
      An appropriate model depends on the I2NSF Consumer requirements
      and the semantics of the information to be conveyed.

   o  Data Model and Interaction Model for Data in Motion:  There are
      many transport mechanisms, such as IP, UDP, and TCP.  There are
      also open source implementations for specific sets of data such
      as system counters, e.g., IPFIX [RFC7011] and NetFlow [RFC3954].
      I2NSF does not mandate any specific method for a given data set,
      so it is up to each implementation.
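   Section 5 leaves the concrete scheme to each implementation, so the
   following Python block is an added example of one way to put the
   Pull-Push, Pub-Sub and Export Frequency aspects together; it is not
   code from the draft or from any I2NSF product.  A small in-memory
   broker lets I2NSF Consumers subscribe per message type; Events and
   Alarms whose severity is at or above a push cut-off are pushed the
   moment they arrive, while Logs and Counters are retained and handed
   out in periodic batches, which is the periodic acquisition Section
   5.1 recommends for counters.  The envelope field names are taken
   from the basic information model of Section 6; the cut-off value,
   the export interval, the subscriber callbacks and the sample
   messages are assumptions made for the example.

```python
"""Conveyance of monitoring information (Sections 5 and 5.1): added example.

Not the draft's own code.  Events and Alarms with severity <= cut-off are
pushed immediately; Logs, Counters and low-severity Events are retained
and exported in periodic batches.  The envelope mirrors the basic
information model of Section 6; cut-off, interval, subscribers and the
sample messages are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    message_version: str
    message_type: str      # "Event", "Alert", "Alarm", "Log", "Counter"
    time_stamp: float
    vendor_name: str
    nsf_name: str
    module_name: str
    severity: int          # 0..7, smaller is more severe
    payload: Dict = field(default_factory=dict)


IMMEDIATE_TYPES = {"Event", "Alert", "Alarm"}   # candidates for the push model


class MonitoringBroker:
    def __init__(self, push_severity_cutoff: int = 3, export_interval_s: float = 60.0):
        self.cutoff = push_severity_cutoff
        self.interval = export_interval_s
        self._subs = defaultdict(list)       # message_type -> [callback]
        self._retained = defaultdict(list)   # message_type -> [Message]
        self._last_export = 0.0

    def subscribe(self, message_type: str, callback: Callable[[List[Message]], None]):
        self._subs[message_type].append(callback)

    def publish(self, msg: Message, now: float) -> str:
        """Route one message; returns 'pushed', 'retained' or 'dropped'."""
        if msg.message_type in IMMEDIATE_TYPES and msg.severity <= self.cutoff:
            self._fanout(msg.message_type, [msg])      # push model, at once
            return "pushed"
        if msg.message_type in self._subs:
            self._retained[msg.message_type].append(msg)
            self.export_if_due(now)                    # periodic export
            return "retained"
        return "dropped"                               # nobody asked for it

    def export_if_due(self, now: float) -> None:
        """Batch export; a real broker would call this from a timer as well."""
        if now - self._last_export < self.interval:
            return
        for mtype, batch in self._retained.items():
            if batch:
                self._fanout(mtype, batch)
        self._retained.clear()
        self._last_export = now

    def _fanout(self, mtype: str, batch: List[Message]) -> None:
        for cb in self._subs[mtype]:
            cb(list(batch))


def run_demo() -> Tuple[List[str], Dict[str, List[List[Message]]]]:
    """Feed constructed sample messages through the broker; returns routing outcomes
    and what each subscriber received (one list per delivered batch)."""
    broker = MonitoringBroker()
    received = defaultdict(list)
    for t in ("Event", "Alarm", "Counter", "Log"):
        broker.subscribe(t, lambda batch, t=t: received[t].append(batch))

    def mk(mtype, sev, ts, **payload):
        return Message("01", mtype, ts, "example-vendor", "fw01", "monitor", sev, payload)

    outcomes = [
        broker.publish(mk("Alarm", 1, 0.0, event_name="MEM_USAGE_ALARM"), now=0.0),
        broker.publish(mk("Counter", 6, 1.0, in_octets=1000), now=1.0),
        broker.publish(mk("Counter", 6, 30.0, in_octets=2400), now=30.0),
        broker.publish(mk("Event", 5, 31.0, event_name="CONFIG_CHANGE"), now=31.0),
        broker.publish(mk("Log", 6, 61.0, text="user alice logged in"), now=61.0),
    ]
    return outcomes, received


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```

   The choice to batch a low-severity Event alongside Logs and Counters
   is this example's reading of the Pull-Push bullet (only high
   severity assessments warrant the push model); an implementation
   could just as well push every Event and reserve batching for
   records and counters.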
5.1.  Information Types and Acquisition Methods

   In this document, most of the defined information types benefit
   from high visibility with respect to value changes, e.g., alarms
   and records.  In contrast, values that change monotonically in a
   continuous way do not benefit from this high visibility.  On the
   contrary, emitting each change would result in a useless amount of
   value updates.  Hence, values such as counters are best acquired at
   periodic intervals.

   The mechanisms provided by YANG Push [I-D.ietf-netconf-yang-push]
   and YANG Subscribed Notifications
   [I-D.ietf-netconf-subscribed-notifications] address exactly this
   set of requirements.  YANG also enables semantically
   well-structured information, as well as subscriptions to datastores
   or event streams, either on change or periodically.

   In consequence, the information model in this document is intended
   to support data models used in solicited or unsolicited event
   streams that are potentially facilitated by a subscription
   mechanism.  A subset of the information elements defined in the
   information model addresses this domain of application.

6.  Basic Information Model for All Monitoring Data

   As explained in the above section, there is a wealth of data
   available from the NSF that can be monitored.  Firstly, there must
   be some general information with each monitoring message sent from
   an NSF that helps a consumer to identify the metadata of that
   message, which is listed below:

   o  message_version:  It indicates the version of the data format
      and is a two-digit decimal numeral starting from 01.

   o  message_type:  Event, Alert, Alarm, Log, Counter, etc.

   o  time_stamp:  It indicates the time when the message is generated.

   o  vendor_name:  The name of the NSF vendor.

   o  NSF_name:  The name (or IP) of the NSF generating the message.

   o  Module_name:  The module name outputting the message.
   o  Severity:  It indicates the level of the logs.  There are eight
      levels in total, from 0 to 7.  The smaller the numeral is, the
      higher the severity is.

7.  Extended Information Model for Monitoring Data

   This section covers the additional information associated with the
   system messages.  The extended information model is only for
   structured data such as alarms.  Any unstructured data is specified
   with the basic information model only.

7.1.  System Alarms

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: no-dampening

7.1.1.  Memory Alarm

   The following information should be included in a Memory Alarm:

   o  event_name: MEM_USAGE_ALARM

   o  module_name: It indicates the NSF module responsible for
      generating this alarm.

   o  usage: Specifies the amount of memory used.

   o  threshold: The threshold triggering the alarm.

   o  severity: The severity of the alarm, such as critical, high,
      medium, low.

   o  message: The memory usage exceeded the threshold.

7.1.2.  CPU Alarm

   The following information should be included in a CPU Alarm:

   o  event_name: CPU_USAGE_ALARM

   o  usage: Specifies the amount of CPU used.

   o  threshold: The threshold triggering the event.

   o  severity: The severity of the alarm, such as critical, high,
      medium, low.

   o  message: The CPU usage exceeded the threshold.

7.1.3.  Disk Alarm

   The following information should be included in a Disk Alarm:

   o  event_name: DISK_USAGE_ALARM

   o  usage: Specifies the amount of disk space used.

   o  threshold: The threshold triggering the event.

   o  severity: The severity of the alarm, such as critical, high,
      medium, low.

   o  message: The disk usage exceeded the threshold.

7.1.4.  Hardware Alarm

   The following information should be included in a Hardware Alarm:

   o  event_name: HW_FAILURE_ALARM

   o  component_name: It indicates the HW component responsible for
      generating this alarm.

   o  threshold: The threshold triggering the alarm.

   o  severity: The severity of the alarm, such as critical, high,
      medium, low.

   o  message: The HW component has failed or degraded.

7.1.5.  Interface Alarm

   The following information should be included in an Interface Alarm:

   o  event_name: IFNET_STATE_ALARM

   o  interface_Name: The name of the interface.

   o  interface_state: UP, DOWN, CONGESTED

   o  threshold: The threshold triggering the event.

   o  severity: The severity of the alarm, such as critical, high,
      medium, low.

   o  message: Current interface state.

7.2.  System Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.2.1.  Access Violation

   The following information should be included in this event:

   o  event_name: ACCESS_DENIED

   o  user: Name of a user.

   o  group: Group to which a user belongs.

   o  login_ip_address: Login IP address of a user.

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, Single Sign-On (SSO) Authentication.

   o  message: Access is denied.

7.2.2.  Configuration Change

   The following information should be included in this event:

   o  event_name: CONFIG_CHANGE

   o  user: Name of a user.

   o  group: Group to which a user belongs.

   o  login_ip_address: Login IP address of a user.

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication.

   o  message: Configuration is modified.

7.3.  NSF Events

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: none

7.3.1.  DDoS Event

   The following information should be included in a DDoS Event:

   o  event_name: SEC_EVENT_DDoS

   o  sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood,
      FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS
      flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood,
      etc.

   o  dst_ip: The IP address of a victim under attack.

   o  dst_port: The port number that the attack traffic aims at.

   o  start_time: The time stamp indicating when the attack started.

   o  end_time: The time stamp indicating when the attack ended.  If
      the attack is still ongoing when the alarm is sent out, this
      field can be empty.

   o  attack_rate: The PPS of attack traffic.

   o  attack_speed: The bps of attack traffic.

   o  rule_id: The ID of the rule being triggered.

   o  rule_name: The name of the rule being triggered.

   o  profile: Security profile that the traffic matches.

7.3.2.  Session Table Event

   The following information should be included in a Session Table
   Event:

   o  event_name: SESSION_USAGE_HIGH

   o  current: The number of concurrent sessions.

   o  max: The maximum number of sessions that the session table can
      support.

   o  threshold: The threshold triggering the event.

   o  message: The number of sessions in the session table exceeded
      the threshold.

7.3.3.  Virus Event

   The following information should be included in a Virus Event:

   o  event_Name: SEC_EVENT_VIRUS

   o  virus_type: Type of the virus, e.g., trojan, worm, macro virus
      type.

   o  virus_name: Name of the virus.

   o  dst_ip: The destination IP address of the packet where the virus
      is found.

   o  src_ip: The source IP address of the packet where the virus is
      found.

   o  src_port: The source port of the packet where the virus is found.

   o  dst_port: The destination port of the packet where the virus is
      found.

   o  src_zone: The source security zone of the packet where the virus
      is found.

   o  dst_zone: The destination security zone of the packet where the
      virus is found.

   o  file_type: The type of the file within which the virus is hidden.

   o  file_name: The name of the file within which the virus is hidden.

   o  virus_info: A brief description of the virus.

   o  raw_info: The information describing the packet triggering the
      event.

   o  rule_id: The ID of the rule being triggered.

   o  rule_name: The name of the rule being triggered.

   o  profile: Security profile that the traffic matches.

7.3.4.  Intrusion Event

   The following information should be included in an Intrusion Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Intrusion

   o  sub_attack_type: Attack type, e.g., brute force and buffer
      overflow.

   o  src_ip: The source IP address of the packet.

   o  dst_ip: The destination IP address of the packet.

   o  src_port: The source port number of the packet.

   o  dst_port: The destination port number of the packet.

   o  src_zone: The source security zone of the packet.

   o  dst_zone: The destination security zone of the packet.

   o  protocol: The employed transport layer protocol, e.g., TCP and
      UDP.

   o  app: The employed application layer protocol, e.g., HTTP and
      FTP.

   o  rule_id: The ID of the rule being triggered.

   o  rule_name: The name of the rule being triggered.

   o  profile: Security profile that the traffic matches.

   o  intrusion_info: Simple description of the intrusion.

   o  raw_info: The information describing the packet triggering the
      event.

7.3.5.  Botnet Event

   The following information should be included in a Botnet Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Botnet

   o  botnet_name: The name of the detected botnet.

   o  src_ip: The source IP address of the packet.

   o  dst_ip: The destination IP address of the packet.

   o  src_port: The source port number of the packet.

   o  dst_port: The destination port number of the packet.

   o  src_zone: The source security zone of the packet.

   o  dst_zone: The destination security zone of the packet.

   o  protocol: The employed transport layer protocol, e.g., TCP and
      UDP.

   o  app: The employed application layer protocol, e.g., HTTP and
      FTP.

   o  role: The role of the communicating parties within the botnet:

      1.  The packet from the zombie host to the attacker

      2.  The packet from the attacker to the zombie host

      3.  The packet from the IRC/WEB server to the zombie host

      4.  The packet from the zombie host to the IRC/WEB server

      5.  The packet from the attacker to the IRC/WEB server

      6.  The packet from the IRC/WEB server to the attacker

      7.  The packet from the zombie host to the victim

   o  botnet_info: Simple description of the botnet.

   o  rule_id: The ID of the rule being triggered.

   o  rule_name: The name of the rule being triggered.

   o  profile: Security profile that the traffic matches.

   o  raw_info: The information describing the packet triggering the
      event.

7.3.6.  Web Attack Event

   The following information should be included in a Web Attack Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Web_Attack

   o  sub_attack_type: Concrete web attack type.
e.g., SQL injection, 812 command injection, XSS, CSRF 814 o src_ip: The source IP address of the packet 816 o dst_ip: The destination IP address of the packet 818 o src_port: The source port number of the packet 820 o dst_port: The destination port number of the packet 822 o src_zone: The source security zone of the packet 824 o dst_zone: The destination security zone of the packet 826 o req_method: The method of requirement. For instance, "PUT" and 827 "GET" in HTTP 829 o req_url: Requested URL 831 o url_category: Matched URL category 833 o filtering_type: URL filtering type. e.g., Blacklist, Whitelist, 834 User-Defined, Predefined, Malicious Category, and Unknown 836 o rule_id: The ID of the rule being triggered 838 o rule_name: The name of the rule being triggered 840 o profile: Security profile that traffic matches 842 7.4. System Logs 844 Characteristics: 846 o acquisition_method: subscription 848 o emission_type: on-change 849 o dampening_type: on-repetition 851 7.4.1. Access Log 853 Access logs record administrators' login, logout, and operations on a 854 device. By analyzing them, security vulnerabilities can be 855 identified. The following information should be included in an 856 operation report: 858 o Administrator: Administrator that operates on the device 860 o login_ip_address: IP address used by an administrator to log in 862 o login_mode: Specifies the administrator logs in mode e.g. root, 863 user 865 o operation_type: The operation type that the administrator execute, 866 e.g., login, logout, and configuration. 868 o result: Command execution result 870 o content: Operation performed by an administrator after login. 872 7.4.2. Resource Utilization Log 874 Running reports record the device system's running status, which is 875 useful for device monitoring. The following information should be 876 included in running report: 878 o system_status: The current system's running status 880 o CPU_usage: Specifies the CPU usage. 
882 o memory_usage: Specifies the memory usage. 884 o disk_usage: Specifies the disk usage. 886 o disk_left: Specifies the available disk space left. 888 o session_number: Specifies total concurrent sessions. 890 o process_number: Specifies total number of systems processes. 892 o in_traffic_rate: The total inbound traffic rate in pps 894 o out_traffic_rate: The total outbound traffic rate in pps 896 o in_traffic_speed: The total inbound traffic speed in bps 897 o out_traffic_speed: The total outbound traffic speed in bps 899 7.4.3. User Activity Log 901 User activity logs provide visibility into users' online records 902 (such as login time, online/lockout duration, and login IP addresses) 903 and the actions that users perform. User activity reports are 904 helpful to identify exceptions during a user's login and network 905 access activities. 907 o user: Name of a user 909 o group: Group to which a user belongs 911 o login_ip_address: Login IP address of a user 913 o authentication_mode: User authentication mode. e.g., Local 914 Authentication, Third-Party Server Authentication, Authentication 915 Exemption, SSO Authentication 917 o access_mode: User access mode. e.g., PPP, SVN, LOCAL 919 o online_duration: Online duration 921 o lockout_duration: Lockout duration 923 o type: User activities. e.g., Successful User Login, Failed Login 924 attempts, User Logout, Successful User Password Change, Failed 925 User Password Change, User Lockout, User Unlocking, Unknown 927 o cause: Cause of a failed user activity 929 7.5. NSF Logs 931 Characteristics: 933 o acquisition_method: subscription 935 o emission_type: on-change 937 o dampening_type: on_repetition 939 7.5.1. 
DDoS Log 941 Besides the fields in a DDoS Alarm, the following information should 942 be included in a DDoS Logs: 944 o attack_type: DDoS 945 o attack_ave_rate: The average pps of the attack traffic within the 946 recorded time 948 o attack_ave_speed: The average bps of the attack traffic within the 949 recorded time 951 o attack_pkt_num: The number of attack packets within the recorded 952 time 954 o attack_src_ip: The source IP addresses of attack traffics. If 955 there are a large number of IP addresses, then pick a certain 956 number of resources according to different rules. 958 o action: Actions against DDoS attacks. e.g., Allow, Alert, Block, 959 Discard, Declare, Block-ip, and Block-service. 961 7.5.2. Virus Log 963 Besides the fields in a Virus Alarm, the following information should 964 be included in a Virus Logs: 966 o attack_type: Virus 968 o protocol: The transport layer protocol 970 o app: The name of the application layer protocol 972 o times: The time of detecting the virus 974 o action: The actions dealing with the virus. e.g., alert and block 976 o os: The OS that the virus will affect. e.g., all, android, ios, 977 unix, and windows 979 7.5.3. Intrusion Log 981 Besides the fields in an Intrusion Alarm, the following information 982 should be included in an Intrusion Logs: 984 o attack_type: Intrusion 986 o times: The times of intrusions happened in the recorded time 988 o os: The OS that the intrusion will affect. e.g., all, android, 989 ios, unix, and windows 991 o action: The actions dealing with the intrusions. e.g., Allow, 992 Alert, Block, Discard, Declare, Block-ip, and Block-service 994 o attack_rate: NUM the pps of attack traffic 996 o attack_speed: NUM the bps of attack traffic 998 7.5.4. 
Botnet Log 1000 Besides the fields in a Botnet Alarm, the following information 1001 should be included in a Botnet Logs: 1003 o attack_type: Botnet 1005 o botnet_pkt_num:The number of the packets sent to or from the 1006 detected botnet 1008 o action: The actions dealing with the detected packets. e.g., 1009 Allow, Alert, Block, Discard, Declare, Block-ip, and Block- 1010 service. 1012 o os: The OS that the attack aims at. e.g., all, android, ios, unix, 1013 and windows. 1015 7.5.5. DPI Log 1017 DPI Logs provide statistics on uploaded and downloaded files and 1018 data, sent and received emails, and alert and block records on 1019 websites. It is helpful to learn risky user behaviors and why access 1020 to some URLs is blocked or allowed with an alert record. 1022 o type: DPI action types. e.g., File Blocking, Data Filtering, and 1023 Application Behavior Control 1025 o file_name: The file name 1027 o file_type: The file type 1029 o src_zone: Source security zone of traffic 1031 o dst_zone: Destination security zone of traffic 1033 o src_region: Source region of traffic 1035 o dst_region: Destination region of traffic 1037 o src_ip: Source IP address of traffic 1039 o src_user: User who generates traffic 1041 o dst_ip: Destination IP address of traffic 1042 o src_port: Source port of traffic 1044 o dst_port: Destination port of traffic 1046 o protocol: Protocol type of traffic 1048 o app: Application type of traffic 1050 o policy_id: Security policy id that traffic matches 1052 o policy_name: Security policy name that traffic matches 1054 o action: Action defined in the file blocking rule, data filtering 1055 rule, or application behavior control rule that traffic matches. 1057 7.5.6. Vulnerability Scanning Log 1059 Vulnerability scanning logs record the victim host and its related 1060 vulnerability information that should to be fixed. 
The following 1061 information should be included in the report: 1063 o victim_ip: IP address of the victim host which has vulnerabilities 1065 o vulnerability_id: The vulnerability id 1067 o vulnerability_level: The vulnerability level. e.g., high, middle, 1068 and low 1070 o OS: The operating system of the victim host 1072 o service: The service which has vulnerability in the victim host 1074 o protocol: The protocol type. e.g., TCP and UDP 1076 o port: The port number 1078 o vulnerability_info: The information about the vulnerability 1080 o fix_suggestion: The fix suggestion to the vulnerability. 1082 7.5.7. Web Attack Log 1084 Besides the fields in a Web Attack Alarm, the following information 1085 should be included in a Web Attack Report: 1087 o attack_type: Web Attack 1089 o rsp_code: Response code 1090 o req_clientapp: The client application 1092 o req_cookies: Cookies 1094 o req_host: The domain name of the requested host 1096 o raw_info: The information describing the packet triggering the 1097 event. 1099 7.6. System Counter 1101 Characteristics: 1103 o acquisition_method: subscription or query 1105 o emission_type: periodical 1107 o dampening_type: none 1109 7.6.1. Interface counter 1111 Interface counters provide visibility into traffic into and out of an 1112 NSF, and bandwidth usage. 
1114 o interface_name: Network interface name configured in NSF 1116 o in_total_traffic_pkts: Total inbound packets 1118 o out_total_traffic_pkts: Total outbound packets 1120 o in_total_traffic_bytes: Total inbound bytes 1122 o out_total_traffic_bytes: Total outbound bytes 1124 o in_drop_traffic_pkts: Total inbound drop packets 1126 o out_drop_traffic_pkts: Total outbound drop packets 1128 o in_drop_traffic_bytes: Total inbound drop bytes 1130 o out_drop_traffic_bytes: Total outbound drop bytes 1132 o in_traffic_ave_rate: Inbound traffic average rate in pps 1134 o in_traffic_peak_rate: Inbound traffic peak rate in pps 1136 o in_traffic_ave_speed: Inbound traffic average speed in bps 1137 o in_traffic_peak_speed: Inbound traffic peak speed in bps 1139 o out_traffic_ave_rate: Outbound traffic average rate in pps 1141 o out_traffic_peak_rate: Outbound traffic peak rate in pps 1143 o out_traffic_ave_speed: Outbound traffic average speed in bps 1145 o out_traffic_peak_speed: Outbound traffic peak speed in bps 1147 7.7. NSF Counters 1149 Characteristics: 1151 o acquisition_method: subscription or query 1153 o emission_type: periodical 1155 o dampening_type: none 1157 7.7.1. Firewall counter 1159 Firewall counters provide visibility into traffic signatures, 1160 bandwidth usage, and how the configured security and bandwidth 1161 policies have been applied. 
1163 o src_zone: Source security zone of traffic 1165 o dst_zone: Destination security zone of traffic 1167 o src_region: Source region of traffic 1169 o dst_region: Destination region of traffic 1171 o src_ip: Source IP address of traffic 1173 o src_user: User who generates traffic 1175 o dst_ip: Destination IP address of traffic 1177 o src_port: Source port of traffic 1179 o dst_port: Destination port of traffic 1181 o protocol: Protocol type of traffic 1183 o app: Application type of traffic 1184 o policy_id: Security policy id that traffic matches 1186 o policy_name: Security policy name that traffic matches 1188 o in_interface: Inbound interface of traffic 1190 o out_interface: Outbound interface of traffic 1192 o total_traffic: Total traffic volume 1194 o in_traffic_ave_rate: Inbound traffic average rate in pps 1196 o in_traffic_peak_rate: Inbound traffic peak rate in pps 1198 o in_traffic_ave_speed: Inbound traffic average speed in bps 1200 o in_traffic_peak_speed: Inbound traffic peak speed in bps 1202 o out_traffic_ave_rate: Outbound traffic average rate in pps 1204 o out_traffic_peak_rate: Outbound traffic peak rate in pps 1206 o out_traffic_ave_speed: Outbound traffic average speed in bps 1208 o out_traffic_peak_speed: Outbound traffic peak speed in bps. 1210 7.7.2. Policy Hit Counter 1212 Policy Hit Counters record the security policy that traffic matches 1213 and its hit count. It can check if policy configurations are 1214 correct. 
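   The configuration check this paragraph mentions can be automated over
   the counter records.  The following Python is an added example, not
   code from the draft: it uses the Section 7.7.2 field names and the
   uint8 range of nsf-policy-hits/policy-id from the tree in Section 9,
   while the configured-policy list and the hit records are constructed
   sample data.

```python
"""Consistency checks over I2NSF Policy Hit Counter records.

Added example, not code from the draft: record fields follow the
Section 7.7.2 names (policy_id, policy_name, src_zone, dst_zone,
hit_times, ...); the policies and hit records are constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass

# The tree in Section 9 types nsf-policy-hits/policy-id as uint8, so an
# id outside 0..255 cannot have arrived through the model unchanged.
POLICY_ID_MAX = 255


@dataclass(frozen=True)
class ConfiguredPolicy:
    """A low-level policy the Security Controller expects on the NSF."""
    policy_id: int
    policy_name: str
    src_zone: str
    dst_zone: str


# Constructed sample: what the controller believes is installed.
CONFIGURED_POLICIES = [
    ConfiguredPolicy(1, "allow-web-out", "trust", "untrust"),
    ConfiguredPolicy(2, "allow-dns-out", "trust", "untrust"),
    ConfiguredPolicy(3, "block-telnet", "untrust", "trust"),
    ConfiguredPolicy(4, "allow-mgmt-ssh", "mgmt", "trust"),
]

# Constructed Policy Hit Counter records for one reporting period.
HIT_RECORDS = [
    {"policy_id": 1, "policy_name": "allow-web-out", "src_zone": "trust",
     "dst_zone": "untrust", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10",
     "src_port": 51000, "dst_port": 443, "protocol": "tcp", "app": "https",
     "hit_times": 1200},
    {"policy_id": 2, "policy_name": "allow-dns-out", "src_zone": "trust",
     "dst_zone": "untrust", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.53",
     "src_port": 40001, "dst_port": 53, "protocol": "udp", "app": "dns",
     "hit_times": 800},
    # Hits for a policy the controller never installed: config drift.
    {"policy_id": 9, "policy_name": "tmp-allow-any", "src_zone": "untrust",
     "dst_zone": "trust", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.20",
     "src_port": 33000, "dst_port": 22, "protocol": "tcp", "app": "ssh",
     "hit_times": 40},
    # Known policy, but matched from a zone pair it was not written for.
    {"policy_id": 4, "policy_name": "allow-mgmt-ssh", "src_zone": "untrust",
     "dst_zone": "trust", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.21",
     "src_port": 33001, "dst_port": 22, "protocol": "tcp", "app": "ssh",
     "hit_times": 3},
    # An id the uint8 leaf cannot carry: report it, do not guess.
    {"policy_id": 300, "policy_name": "bogus", "src_zone": "trust",
     "dst_zone": "untrust", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.1",
     "src_port": 44444, "dst_port": 25, "protocol": "tcp", "app": "smtp",
     "hit_times": 1},
]


def aggregate_hits(records):
    """Sum hit_times per policy_id for records whose id fits the model.

    Returns (totals, zone_pairs, bad_ids): summed hits per id, the set of
    (src_zone, dst_zone) pairs seen per id, and ids that violate uint8.
    """
    totals = defaultdict(int)
    zone_pairs = defaultdict(set)
    bad_ids = []
    for rec in records:
        pid = rec["policy_id"]
        if not 0 <= pid <= POLICY_ID_MAX:
            bad_ids.append(pid)
            continue
        totals[pid] += rec["hit_times"]
        zone_pairs[pid].add((rec["src_zone"], rec["dst_zone"]))
    return dict(totals), dict(zone_pairs), bad_ids


def check_policy_hits(configured, records):
    """Compare the counters against the configured policy set.

    unused: configured policies with no hits (stale or shadowed rule
    candidates); unknown: hits for ids the controller did not install;
    zone_mismatch: (id, src_zone, dst_zone) where the reported zones
    differ from the configured ones; bad_id: ids outside uint8.
    """
    totals, zone_pairs, bad_ids = aggregate_hits(records)
    by_id = {p.policy_id: p for p in configured}
    unused = sorted(pid for pid in by_id if totals.get(pid, 0) == 0)
    unknown = sorted(pid for pid in totals if pid not in by_id)
    zone_mismatch = sorted(
        (pid, src, dst)
        for pid, pairs in zone_pairs.items() if pid in by_id
        for (src, dst) in pairs
        if (src, dst) != (by_id[pid].src_zone, by_id[pid].dst_zone)
    )
    return {"totals": totals, "unused": unused, "unknown": unknown,
            "zone_mismatch": zone_mismatch, "bad_id": bad_ids}


if __name__ == "__main__":
    print(check_policy_hits(CONFIGURED_POLICIES, HIT_RECORDS))
```

   A zero-hit policy is only a hint: a rule may legitimately see no
   traffic in one period, so compare several reporting periods before
   treating it as stale.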
1216 o src_zone: Source security zone of traffic 1218 o dst_zone: Destination security zone of traffic 1220 o src_region: Source region of the traffic 1222 o dst_region: Destination region of the traffic 1224 o src_ip: Source IP address of traffic 1226 o src_user: User who generates traffic 1228 o dst_ip: Destination IP address of traffic 1230 o src_port: Source port of traffic 1231 o dst_port: Destination port of traffic 1233 o protocol: Protocol type of traffic 1235 o app: Application type of traffic 1237 o policy_id: Security policy id that traffic matches 1239 o policy_name: Security policy name that traffic matches 1241 o hit_times: The hit times that the security policy matches the 1242 specified traffic. 1244 8. NSF Monitoring Management in I2NSF 1246 A standard model for monitoring data is required for an administrator 1247 to check the monitoring data generated by an NSF. The administrator 1248 can check the monitoring data through the following process. When 1249 the NSF monitoring data that is under the standard format is 1250 generated, the NSF forwards it to the security controller. The 1251 security controller delivers it to I2NSF Consumer or Developer's 1252 Management System (DMS) so that the administrator can know the state 1253 of the I2NSF framework. 1255 In order to communicate with other components, an I2NSF framework 1256 [RFC8329] requires the interfaces. The three main interfaces in 1257 I2NSF framework are used for sending monitoring data as follows: 1259 o I2NSF Consumer-Facing Interface 1260 [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User 1261 makes a security policy and forwards it to the Security Controller 1262 via Consumer-Facing Interface, it can specify the threat-feed for 1263 threat prevention, the custom list, the malicious code scan group, 1264 and the event map group. They can be used as an event to be 1265 monitored by an NSF. 
1267 o I2NSF Registration Interface 1268 [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions 1269 Virtualization (NFV) architecture provides the lifecycle 1270 management of a Virtual Network Function (VNF) via the Ve-Vnfm 1271 interface. The role of Ve-Vnfm is to request VNF lifecycle 1272 management (e.g., the instantiation and de-instantiation of an 1273 NSF, and load balancing among NSFs), exchange configuration 1274 information, and exchange status information for a network 1275 service. In the I2NSF framework, the DMS manages data about 1276 resource states and network traffic for the lifecycle management 1277 of an NSF. Therefore, the generated monitoring data from NSFs are 1278 delivered from the Security Controller to the DMS via Registration 1279 Interface. These data are delivered from the DMS to the VNF 1280 Manager in the Management and Orchestration (MANO) in the NFV 1281 system [I-D.ietf-i2nsf-applicability]. 1283 o I2NSF NSF-Facing Interface 1284 [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level 1285 security policy from I2NSF User is translated by security policy 1286 translator [I-D.yang-i2nsf-security-policy-translation] in the 1287 Security Controller, the translated security policy (i.e., low- 1288 level policy) is applied to an NSF via NSF-Facing Interface. The 1289 monitoring data model specifies the list of events that can 1290 trigger Event-Condition-Action (ECA) policies via NSF-Facing 1291 Interface. 1293 9. Tree Structure 1295 The tree structure of the NSF monitoring YANG module is provided 1296 below: 1298 module: ietf-i2nsf-nsf-monitoring 1299 +--rw counters 1300 +--rw system-interface 1301 | +--rw acquisition-method? identityref 1302 | +--rw emission-type? identityref 1303 | +--rw dampening-type? identityref 1304 | +--rw interface-name? string 1305 | +--rw in-total-traffic-pkts? uint32 1306 | +--rw out-total-traffic-pkts? uint32 1307 | +--rw in-total-traffic-bytes? uint32 1308 | +--rw out-total-traffic-bytes? 
uint32 1309 | +--rw in-drop-traffic-pkts? uint32 1310 | +--rw out-drop-traffic-pkts? uint32 1311 | +--rw in-drop-traffic-bytes? uint32 1312 | +--rw out-drop-traffic-bytes? uint32 1313 | +--rw total-traffic? uint32 1314 | +--rw in-traffic-ave-rate? uint32 1315 | +--rw in-traffic-peak-rate? uint32 1316 | +--rw in-traffic-ave-speed? uint32 1317 | +--rw in-traffic-peak-speed? uint32 1318 | +--rw out-traffic-ave-rate? uint32 1319 | +--rw out-traffic-peak-rate? uint32 1320 | +--rw out-traffic-ave-speed? uint32 1321 | +--rw out-traffic-peak-speed? uint32 1322 | +--rw message? string 1323 | +--rw time-stamp? yang:date-and-time 1324 | +--rw vendor-name? string 1325 | +--rw nsf-name? string 1326 | +--rw module-name? string 1327 | +--rw severity? severity 1328 +--rw nsf-firewall 1329 | +--rw acquisition-method? identityref 1330 | +--rw emission-type? identityref 1331 | +--rw dampening-type? identityref 1332 | +--rw src-ip? inet:ip-address 1333 | +--rw dst-ip? inet:ip-address 1334 | +--rw src-port? inet:port-number 1335 | +--rw dst-port? inet:port-number 1336 | +--rw src-zone? string 1337 | +--rw dst-zone? string 1338 | +--rw src-region? string 1339 | +--rw dst-region? string 1340 | +--rw policy-id? uint8 1341 | +--rw policy-name? string 1342 | +--rw src-user? string 1343 | +--rw protocol? identityref 1344 | +--rw app? string 1345 | +--rw total-traffic? uint32 1346 | +--rw in-traffic-ave-rate? uint32 1347 | +--rw in-traffic-peak-rate? uint32 1348 | +--rw in-traffic-ave-speed? uint32 1349 | +--rw in-traffic-peak-speed? uint32 1350 | +--rw out-traffic-ave-rate? uint32 1351 | +--rw out-traffic-peak-rate? uint32 1352 | +--rw out-traffic-ave-speed? uint32 1353 | +--rw out-traffic-peak-speed? uint32 1354 +--rw nsf-policy-hits 1355 +--rw acquisition-method? identityref 1356 +--rw emission-type? identityref 1357 +--rw dampening-type? identityref 1358 +--rw src-ip? inet:ip-address 1359 +--rw dst-ip? inet:ip-address 1360 +--rw src-port? inet:port-number 1361 +--rw dst-port? 
inet:port-number 1362 +--rw src-zone? string 1363 +--rw dst-zone? string 1364 +--rw src-region? string 1365 +--rw dst-region? string 1366 +--rw policy-id? uint8 1367 +--rw policy-name? string 1368 +--rw src-user? string 1369 +--rw protocol? identityref 1370 +--rw app? string 1371 +--rw message? string 1372 +--rw time-stamp? yang:date-and-time 1373 +--rw vendor-name? string 1374 +--rw nsf-name? string 1375 +--rw module-name? string 1376 +--rw severity? severity 1377 +--rw hit-times? uint32 1379 notifications: 1380 +---n system-detection-alarm 1381 | +--ro alarm-category? identityref 1382 | +--ro acquisition-method? identityref 1383 | +--ro emission-type? identityref 1384 | +--ro dampening-type? identityref 1385 | +--ro usage? uint8 1386 | +--ro threshold? uint8 1387 | +--ro message? string 1388 | +--ro time-stamp? yang:date-and-time 1389 | +--ro vendor-name? string 1390 | +--ro nsf-name? string 1391 | +--ro module-name? string 1392 | +--ro severity? severity 1393 +---n system-detection-event 1394 | +--ro event-category? identityref 1395 | +--ro acquisition-method? identityref 1396 | +--ro emission-type? identityref 1397 | +--ro dampening-type? identityref 1398 | +--ro user string 1399 | +--ro group string 1400 | +--ro login-ip-addr inet:ip-address 1401 | +--ro authentication? identityref 1402 | +--ro message? string 1403 | +--ro time-stamp? yang:date-and-time 1404 | +--ro vendor-name? string 1405 | +--ro nsf-name? string 1406 | +--ro module-name? string 1407 | +--ro severity? severity 1408 +---n nsf-detection-flood 1409 | +--ro event-name? identityref 1410 | +--ro dst-ip? inet:ip-address 1411 | +--ro dst-port? inet:port-number 1412 | +--ro rule-id uint8 1413 | +--ro rule-name string 1414 | +--ro profile? string 1415 | +--ro raw-info? string 1416 | +--ro sub-attack-type? identityref 1417 | +--ro start-time yang:date-and-time 1418 | +--ro end-time yang:date-and-time 1419 | +--ro attack-rate? uint32 1420 | +--ro attack-speed? uint32 1421 | +--ro message? 
string 1422 | +--ro time-stamp? yang:date-and-time 1423 | +--ro vendor-name? string 1424 | +--ro nsf-name? string 1425 | +--ro module-name? string 1426 | +--ro severity? severity 1427 +---n nsf-detection-session-table 1428 | +--ro current-session? uint8 1429 | +--ro maximum-session? uint8 1430 | +--ro threshold? uint8 1431 | +--ro message? string 1432 | +--ro time-stamp? yang:date-and-time 1433 | +--ro vendor-name? string 1434 | +--ro nsf-name? string 1435 | +--ro module-name? string 1436 | +--ro severity? severity 1437 +---n nsf-detection-virus 1438 | +--ro src-ip? inet:ip-address 1439 | +--ro dst-ip? inet:ip-address 1440 | +--ro src-port? inet:port-number 1441 | +--ro dst-port? inet:port-number 1442 | +--ro src-zone? string 1443 | +--ro dst-zone? string 1444 | +--ro rule-id uint8 1445 | +--ro rule-name string 1446 | +--ro profile? string 1447 | +--ro raw-info? string 1448 | +--ro virus? identityref 1449 | +--ro virus-name? string 1450 | +--ro file-type? string 1451 | +--ro file-name? string 1452 | +--ro message? string 1453 | +--ro time-stamp? yang:date-and-time 1454 | +--ro vendor-name? string 1455 | +--ro nsf-name? string 1456 | +--ro module-name? string 1457 | +--ro severity? severity 1458 +---n nsf-detection-intrusion 1459 | +--ro src-ip? inet:ip-address 1460 | +--ro dst-ip? inet:ip-address 1461 | +--ro src-port? inet:port-number 1462 | +--ro dst-port? inet:port-number 1463 | +--ro src-zone? string 1464 | +--ro dst-zone? string 1465 | +--ro rule-id uint8 1466 | +--ro rule-name string 1467 | +--ro profile? string 1468 | +--ro raw-info? string 1469 | +--ro protocol? identityref 1470 | +--ro app? string 1471 | +--ro sub-attack-type? identityref 1472 | +--ro message? string 1473 | +--ro time-stamp? yang:date-and-time 1474 | +--ro vendor-name? string 1475 | +--ro nsf-name? string 1476 | +--ro module-name? string 1477 | +--ro severity? severity 1478 +---n nsf-detection-botnet 1479 | +--ro src-ip? inet:ip-address 1480 | +--ro dst-ip? 
inet:ip-address 1481 | +--ro src-port? inet:port-number 1482 | +--ro dst-port? inet:port-number 1483 | +--ro src-zone? string 1484 | +--ro dst-zone? string 1485 | +--ro rule-id uint8 1486 | +--ro rule-name string 1487 | +--ro profile? string 1488 | +--ro raw-info? string 1489 | +--ro attack-type? identityref 1490 | +--ro protocol? identityref 1491 | +--ro botnet-name? string 1492 | +--ro role? string 1493 | +--ro message? string 1494 | +--ro time-stamp? yang:date-and-time 1495 | +--ro vendor-name? string 1496 | +--ro nsf-name? string 1497 | +--ro module-name? string 1498 | +--ro severity? severity 1499 +---n nsf-detection-web-attack 1500 | +--ro src-ip? inet:ip-address 1501 | +--ro dst-ip? inet:ip-address 1502 | +--ro src-port? inet:port-number 1503 | +--ro dst-port? inet:port-number 1504 | +--ro src-zone? string 1505 | +--ro dst-zone? string 1506 | +--ro rule-id uint8 1507 | +--ro rule-name string 1508 | +--ro profile? string 1509 | +--ro raw-info? string 1510 | +--ro sub-attack-type? identityref 1511 | +--ro request-method? identityref 1512 | +--ro req-uri? string 1513 | +--ro uri-category? string 1514 | +--ro filtering-type* identityref 1515 | +--ro message? string 1516 | +--ro time-stamp? yang:date-and-time 1517 | +--ro vendor-name? string 1518 | +--ro nsf-name? string 1519 | +--ro module-name? string 1520 | +--ro severity? severity 1521 +---n system-access-log 1522 | +--ro login-ip inet:ip-address 1523 | +--ro administrator? string 1524 | +--ro login-mode? login-mode 1525 | +--ro operation-type? operation-type 1526 | +--ro result? string 1527 | +--ro content? string 1528 | +--ro acquisition-method? identityref 1529 | +--ro emission-type? identityref 1530 | +--ro dampening-type? identityref 1531 +---n system-res-util-log 1532 | +--ro system-status? string 1533 | +--ro cpu-usage? uint8 1534 | +--ro memory-usage? uint8 1535 | +--ro disk-usage? uint8 1536 | +--ro disk-left? uint8 1537 | +--ro session-num? uint8 1538 | +--ro process-num? 
uint8 1539 | +--ro in-traffic-rate? uint32 1540 | +--ro out-traffic-rate? uint32 1541 | +--ro in-traffic-speed? uint32 1542 | +--ro out-traffic-speed? uint32 1543 | +--ro acquisition-method? identityref 1544 | +--ro emission-type? identityref 1545 | +--ro dampening-type? identityref 1546 +---n system-user-activity-log 1547 | +--ro acquisition-method? identityref 1548 | +--ro emission-type? identityref 1549 | +--ro dampening-type? identityref 1550 | +--ro user string 1551 | +--ro group string 1552 | +--ro login-ip-addr inet:ip-address 1553 | +--ro authentication? identityref 1554 | +--ro access? identityref 1555 | +--ro online-duration? string 1556 | +--ro logout-duration? string 1557 | +--ro additional-info? string 1558 +---n nsf-log-ddos 1559 | +--ro attack-type? identityref 1560 | +--ro attack-ave-rate? uint32 1561 | +--ro attack-ave-speed? uint32 1562 | +--ro attack-pkt-num? uint32 1563 | +--ro attack-src-ip? inet:ip-address 1564 | +--ro action? log-action 1565 | +--ro acquisition-method? identityref 1566 | +--ro emission-type? identityref 1567 | +--ro dampening-type? identityref 1568 | +--ro message? string 1569 | +--ro time-stamp? yang:date-and-time 1570 | +--ro vendor-name? string 1571 | +--ro nsf-name? string 1572 | +--ro module-name? string 1573 | +--ro severity? severity 1574 +---n nsf-log-virus 1575 | +--ro attack-type? identityref 1576 | +--ro action? log-action 1577 | +--ro os? string 1578 | +--ro time yang:date-and-time 1579 | +--ro acquisition-method? identityref 1580 | +--ro emission-type? identityref 1581 | +--ro dampening-type? identityref 1582 | +--ro message? string 1583 | +--ro time-stamp? yang:date-and-time 1584 | +--ro vendor-name? string 1585 | +--ro nsf-name? string 1586 | +--ro module-name? string 1587 | +--ro severity? severity 1588 +---n nsf-log-intrusion 1589 | +--ro attack-type? identityref 1590 | +--ro action? log-action 1591 | +--ro time yang:date-and-time 1592 | +--ro attack-rate? uint32 1593 | +--ro attack-speed? 
uint32 1594 | +--ro acquisition-method? identityref 1595 | +--ro emission-type? identityref 1596 | +--ro dampening-type? identityref 1597 | +--ro message? string 1598 | +--ro time-stamp? yang:date-and-time 1599 | +--ro vendor-name? string 1600 | +--ro nsf-name? string 1601 | +--ro module-name? string 1602 | +--ro severity? severity 1603 +---n nsf-log-botnet 1604 | +--ro attack-type? identityref 1605 | +--ro action? log-action 1606 | +--ro botnet-pkt-num? uint8 1607 | +--ro os? string 1608 | +--ro acquisition-method? identityref 1609 | +--ro emission-type? identityref 1610 | +--ro dampening-type? identityref 1611 | +--ro message? string 1612 | +--ro time-stamp? yang:date-and-time 1613 | +--ro vendor-name? string 1614 | +--ro nsf-name? string 1615 | +--ro module-name? string 1616 | +--ro severity? severity 1617 +---n nsf-log-dpi 1618 | +--ro attack-type? dpi-type 1619 | +--ro acquisition-method? identityref 1620 | +--ro emission-type? identityref 1621 | +--ro dampening-type? identityref 1622 | +--ro src-ip? inet:ip-address 1623 | +--ro dst-ip? inet:ip-address 1624 | +--ro src-port? inet:port-number 1625 | +--ro dst-port? inet:port-number 1626 | +--ro src-zone? string 1627 | +--ro dst-zone? string 1628 | +--ro src-region? string 1629 | +--ro dst-region? string 1630 | +--ro policy-id? uint8 1631 | +--ro policy-name? string 1632 | +--ro src-user? string 1633 | +--ro protocol? identityref 1634 | +--ro app? string 1635 | +--ro message? string 1636 | +--ro time-stamp? yang:date-and-time 1637 | +--ro vendor-name? string 1638 | +--ro nsf-name? string 1639 | +--ro module-name? string 1640 | +--ro severity? severity 1641 +---n nsf-log-vuln-scan 1642 | +--ro vulnerability-id? uint8 1643 | +--ro victim-ip? inet:ip-address 1644 | +--ro protocol? identityref 1645 | +--ro port-num? inet:port-number 1646 | +--ro level? severity 1647 | +--ro os? string 1648 | +--ro vulnerability-info? string 1649 | +--ro fix-suggestion? string 1650 | +--ro service? 
string 1651 | +--ro acquisition-method? identityref 1652 | +--ro emission-type? identityref 1653 | +--ro dampening-type? identityref 1654 | +--ro message? string 1655 | +--ro time-stamp? yang:date-and-time 1656 | +--ro vendor-name? string 1657 | +--ro nsf-name? string 1658 | +--ro module-name? string 1659 | +--ro severity? severity 1660 +---n nsf-log-web-attack 1661 +--ro attack-type? identityref 1662 +--ro rsp-code? string 1663 +--ro req-clientapp? string 1664 +--ro req-cookies? string 1665 +--ro req-host? string 1666 +--ro raw-info? string 1667 +--ro acquisition-method? identityref 1668 +--ro emission-type? identityref 1669 +--ro dampening-type? identityref 1670 +--ro message? string 1671 +--ro time-stamp? yang:date-and-time 1672 +--ro vendor-name? string 1673 +--ro nsf-name? string 1674 +--ro module-name? string 1675 +--ro severity? severity 1677 Figure 1: Information Model for NSF Monitoring 1679 10. YANG Data Model 1681 This section describes a YANG module of I2NSF NSF Monitoring. This 1682 YANG module imports from [RFC6991], and makes references to [RFC0768] 1683 [RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200]. 1685 file "ietf-i2nsf-nsf-monitoring@2020-09-07.yang" 1686 module ietf-i2nsf-nsf-monitoring { 1687 yang-version 1.1; 1688 namespace 1689 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; 1690 prefix 1691 nsfmi; 1692 import ietf-inet-types{ 1693 prefix inet; 1694 reference 1695 "Section 4 of RFC 6991"; 1696 } 1697 import ietf-yang-types { 1698 prefix yang; 1699 reference 1700 "Section 3 of RFC 6991"; 1701 } 1702 organization 1703 "IETF I2NSF (Interface to Network Security Functions) 1704 Working Group"; 1705 contact 1706 "WG Web: 1707 WG List: 1709 Editor: Jaehoon Paul Jeong 1710 1712 Editor: Patrick Lingga 1713 "; 1715 description 1716 "This module is a YANG module for I2NSF NSF Monitoring. 1718 Copyright (c) 2020 IETF Trust and the persons identified as 1719 authors of the code. All rights reserved. 
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with an actual RFC number and remove
     // this note.

     revision "2020-09-07" {
       description "Initial revision";
       reference
         "RFC XXXX: I2NSF NSF Monitoring YANG Data Model";

       // RFC Ed.: replace XXXX with an actual RFC number and remove
       // this note.
     }

     typedef severity {
       type enumeration {
         enum high {
           description
             "high-level";
         }
         enum middle {
           description
             "middle-level";
         }
         enum low {
           description
             "low-level";
         }
       }
       description
         "An indicator representing severity";
     }
     typedef log-action {
       type enumeration {
         enum allow {
           description
             "If action is allowed";
         }
         enum alert {
           description
             "If action is alert";
         }
         enum block {
           description
             "If action is block";
         }
         enum discard {
           description
             "If action is discarded";
         }
         enum declare {
           description
             "If action is declared";
         }
         enum block-ip {
           description
             "If action is block-ip";
         }
         enum block-service {
           description
             "If action is block-service";
         }
       }
       description
         "The action that the NSF took on the traffic and recorded
          in the log";
     }
     typedef dpi-type {
       type enumeration {
         enum file-blocking {
           description
             "DPI for blocking file";
         }
         enum data-filtering {
           description
             "DPI for filtering data";
         }
         enum application-behavior-control {
           description
             "DPI for controlling
application behavior"; 1810 } 1811 } 1812 description 1813 "This is used for DPI type"; 1814 } 1815 typedef operation-type{ 1816 type enumeration { 1817 enum login{ 1818 description 1819 "Login operation"; 1820 } 1821 enum logout{ 1822 description 1823 "Logout operation"; 1824 } 1825 enum configuration{ 1826 description 1827 "Configuration operation"; 1828 } 1829 } 1830 description 1831 "An indicator representing operation-type"; 1832 } 1833 typedef login-mode{ 1834 type enumeration { 1835 enum root{ 1836 description 1837 "Root login-mode"; 1838 } 1839 enum user{ 1840 description 1841 "User login-mode"; 1842 } 1843 enum guest{ 1844 description 1845 "Guest login-mode"; 1846 } 1847 } 1848 description 1849 "An indicator representing login-mode"; 1850 } 1852 identity characteristics { 1853 description 1854 "Base identity for monitoring information 1855 characteristics"; 1856 } 1857 identity acquisition-method { 1858 base characteristics; 1859 description 1860 "The type of acquisition-method. 
          It can be multiple
          types at once.";
     }
     identity subscription {
       base acquisition-method;
       description
         "The acquisition-method type is subscription.";
     }
     identity query {
       base acquisition-method;
       description
         "The acquisition-method type is query.";
     }
     identity emission-type {
       base characteristics;
       description
         "The type of emission-type.";
     }
     identity periodical {
       base emission-type;
       description
         "The emission-type type is periodical.";
     }
     identity on-change {
       base emission-type;
       description
         "The emission-type type is on-change.";
     }
     identity dampening-type {
       base characteristics;
       description
         "The type of dampening-type.";
     }
     identity no-dampening {
       base dampening-type;
       description
         "The dampening-type is no-dampening.";
     }
     identity on-repetition {
       base dampening-type;
       description
         "The dampening-type is on-repetition.";
     }
     identity none {
       base dampening-type;
       description
         "The dampening-type is none.";
     }

     identity authentication-mode {
       description
         "User authentication mode types:
          e.g., Local Authentication,
          Third-Party Server Authentication,
          Authentication Exemption, or Single Sign-On (SSO)
          Authentication.";
     }
     identity local-authentication {
       base authentication-mode;
       description
         "Authentication-mode : local authentication.";
     }
     identity third-party-server-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
          third-party-server-authentication";
     }
     identity exemption-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
          exemption-authentication";
     }
     identity sso-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
sso-authentication"; 1939 } 1940 identity alarm-type { 1941 description 1942 "Base identity for detectable alarm types"; 1943 } 1944 identity MEM-USAGE-ALARM { 1945 base alarm-type; 1946 description 1947 "A memory alarm is alerted."; 1948 } 1949 identity CPU-USAGE-ALARM { 1950 base alarm-type; 1951 description 1952 "A CPU alarm is alerted."; 1953 } 1954 identity DISK-USAGE-ALARM { 1955 base alarm-type; 1956 description 1957 "A disk alarm is alerted."; 1958 } 1959 identity HW-FAILURE-ALARM { 1960 base alarm-type; 1961 description 1962 "A hardware alarm is alerted."; 1963 } 1964 identity IFNET-STATE-ALARM { 1965 base alarm-type; 1966 description 1967 "An interface alarm is alerted."; 1968 } 1969 identity event-type { 1970 description 1971 "Base identity for detectable event types"; 1972 } 1973 identity ACCESS-DENIED { 1974 base event-type; 1975 description 1976 "The system event is access-denied."; 1977 } 1978 identity CONFIG-CHANGE { 1979 base event-type; 1980 description 1981 "The system event is config-change."; 1982 } 1984 identity flood-type { 1985 description 1986 "Base identity for detectable flood types"; 1987 } 1988 identity syn-flood { 1989 base flood-type; 1990 description 1991 "A SYN flood is detected."; 1992 } 1993 identity ack-flood { 1994 base flood-type; 1995 description 1996 "An ACK flood is detected."; 1997 } 1998 identity syn-ack-flood { 1999 base flood-type; 2000 description 2001 "A SYN-ACK flood is detected."; 2002 } 2003 identity fin-rst-flood { 2004 base flood-type; 2005 description 2006 "A FIN-RST flood is detected."; 2007 } 2008 identity tcp-con-flood { 2009 base flood-type; 2010 description 2011 "A TCP connection flood is detected."; 2012 } 2013 identity udp-flood { 2014 base flood-type; 2015 description 2016 "A UDP flood is detected."; 2017 } 2018 identity icmp-flood { 2019 base flood-type; 2020 description 2021 "Either an ICMPv4 or ICMPv6 flood is detected."; 2022 } 2023 identity icmpv4-flood { 2024 base flood-type; 2025 description 2026 
"An ICMPv4 flood is detected."; 2027 } 2028 identity icmpv6-flood { 2029 base flood-type; 2030 description 2031 "An ICMPv6 flood is detected."; 2032 } 2033 identity http-flood { 2034 base flood-type; 2035 description 2036 "An HTTP flood is detected."; 2037 } 2038 identity https-flood { 2039 base flood-type; 2040 description 2041 "An HTTPS flood is detected."; 2042 } 2043 identity dns-query-flood { 2044 base flood-type; 2045 description 2046 "A DNS query flood is detected."; 2048 } 2049 identity dns-reply-flood { 2050 base flood-type; 2051 description 2052 "A DNS reply flood is detected."; 2053 } 2054 identity sip-flood { 2055 base flood-type; 2056 description 2057 "An SIP flood is detected."; 2058 } 2059 identity nsf-event-name { 2060 description 2061 "Base identity for detectable NSF event types"; 2062 } 2063 identity SEC-EVENT-DDOS { 2064 base nsf-event-name; 2065 description 2066 "The NSF event is sec-event-ddos."; 2067 } 2068 identity SESSION-USAGE-HIGH { 2069 base nsf-event-name; 2070 description 2071 "The NSF event is session-usage-high."; 2072 } 2073 identity SEC-EVENT-VIRUS { 2074 base nsf-event-name; 2075 description 2076 "The NSF event is sec-event-virus."; 2077 } 2078 identity SEC-EVENT-INTRUSION { 2079 base nsf-event-name; 2080 description 2081 "The NSF event is sec-event-intrusion."; 2082 } 2083 identity SEC-EVENT-BOTNET { 2084 base nsf-event-name; 2085 description 2086 "The NSF event is sec-event-botnet."; 2087 } 2088 identity SEC-EVENT-WEB-ATTACK { 2089 base nsf-event-name; 2090 description 2091 "The NSF event is sec-event-web-attack."; 2092 } 2093 identity attack-type { 2094 description 2095 "The root ID of attack-based notification 2096 in the notification taxonomy"; 2097 } 2098 identity system-attack-type { 2099 base attack-type; 2100 description 2101 "This ID is intended to be used 2102 in the context of system events."; 2103 } 2104 identity nsf-attack-type { 2105 base attack-type; 2106 description 2107 "This ID is intended to be used 2108 in the 
context of NSF event."; 2109 } 2110 identity botnet-attack-type { 2111 base nsf-attack-type; 2112 description 2113 "This indicates that this attack type is botnet. 2114 The usual semantic and taxonomy is missing 2115 and a name is used."; 2116 } 2117 identity virus-type { 2118 base nsf-attack-type; 2119 description 2120 "The type of virus. It caan be multiple types at once. 2121 This attack type is associated with a detected 2122 system-log virus-attack."; 2123 } 2124 identity trojan { 2125 base virus-type; 2126 description 2127 "The detected virus type is trojan."; 2128 } 2129 identity worm { 2130 base virus-type; 2131 description 2132 "The detected virus type is worm."; 2133 } 2134 identity macro { 2135 base virus-type; 2136 description 2137 "The detected virus type is macro."; 2138 } 2139 identity intrusion-attack-type { 2140 base nsf-attack-type; 2141 description 2142 "The attack type is associated with a detected 2143 system-log intrusion."; 2145 } 2146 identity brute-force { 2147 base intrusion-attack-type; 2148 description 2149 "The intrusion type is brute-force."; 2150 } 2151 identity buffer-overflow { 2152 base intrusion-attack-type; 2153 description 2154 "The intrusion type is buffer-overflow."; 2155 } 2156 identity web-attack-type { 2157 base nsf-attack-type; 2158 description 2159 "The attack type is associated with a detected 2160 system-log web-attack."; 2161 } 2162 identity command-injection { 2163 base web-attack-type; 2164 description 2165 "The detected web attack type is command injection."; 2166 } 2167 identity xss { 2168 base web-attack-type; 2169 description 2170 "The detected web attack type is XSS."; 2171 } 2172 identity csrf { 2173 base web-attack-type; 2174 description 2175 "The detected web attack type is CSRF."; 2176 } 2177 identity ddos-attack-type { 2178 base nsf-attack-type; 2179 description 2180 "The attack type is associated with a detected 2181 nsf-log event."; 2182 } 2184 identity req-method { 2185 description 2186 "A set of request 
          types (if applicable).
          For instance, PUT or GET in HTTP.";
     }
     identity put-req {
       base req-method;
       description
         "The detected request type is PUT.";
     }
     identity get-req {
       base req-method;
       description
         "The detected request type is GET.";
     }
     identity filter-type {
       description
         "The type of filter used to detect an attack,
          for example, a web-attack.  It can be applicable to
          more than web-attacks.  It can be more than one type.";
     }
     identity whitelist {
       base filter-type;
       description
         "The applied filter type is whitelist.";
     }
     identity blacklist {
       base filter-type;
       description
         "The applied filter type is blacklist.";
     }
     identity user-defined {
       base filter-type;
       description
         "The applied filter type is user-defined.";
     }
     identity malicious-category {
       base filter-type;
       description
         "The applied filter is malicious category.";
     }
     identity unknown-filter {
       base filter-type;
       description
         "The applied filter is unknown.";
     }

     identity access-mode {
       description
         "Base identity for detectable access mode.";
     }
     identity ppp {
       base access-mode;
       description
         "Access-mode: ppp";
     }
     identity svn {
       base access-mode;
       description
         "Access-mode: svn";
     }
     identity local {
       base access-mode;
       description
         "Access-mode: local";
     }

     identity protocol-type {
       description
         "An identity used to enable type choices in leaves
          and leaflists with respect to protocol metadata.";
     }
     identity tcp {
       base ipv4;
       base ipv6;
       description
         "TCP protocol type.";
       reference
         "RFC 793: Transmission Control Protocol";
     }
     identity udp {
       base ipv4;
       base ipv6;
       description
         "UDP protocol type.";
       reference
         "RFC 768: User Datagram Protocol";
     }
     identity icmp {
       base ipv4;
       base ipv6;
       description
         "General ICMP protocol type.";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 4443: Internet Control Message Protocol
          (ICMPv6) for the Internet Protocol Version 6
          (IPv6) Specification";
     }
     identity icmpv4 {
       base ipv4;
       description
         "ICMPv4 protocol type.";
       reference
         "RFC 791: Internet Protocol
          RFC 792: Internet Control Message Protocol";
     }
     identity icmpv6 {
       base ipv6;
       description
         "ICMPv6 protocol type.";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          RFC 4443: Internet Control Message Protocol (ICMPv6)
          for the Internet Protocol Version 6 (IPv6)
          Specification";
     }
     identity ip {
       base protocol-type;
       description
         "General IP protocol type.";
       reference
         "RFC 791: Internet Protocol
          RFC 8200: Internet Protocol, Version 6 (IPv6)";
     }
     identity ipv4 {
       base ip;
       description
         "IPv4 protocol type.";
       reference
         "RFC 791: Internet Protocol";
     }
     identity ipv6 {
       base ip;
       description
         "IPv6 protocol type.";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)";
     }
     identity http {
       base tcp;
       description
         "HTTP protocol type.";
       reference
         "RFC 2616: Hypertext Transfer Protocol";
     }
     identity ftp {
       base tcp;
       description
         "FTP protocol type.";
       reference
         "RFC 959: File Transfer Protocol";
     }
     grouping common-monitoring-data {
       description
         "The data set of common monitoring";
       leaf message {
         type string;
         description
           "This is a freetext annotation for
            monitoring a notification's content.";
       }
       leaf time-stamp {
         type yang:date-and-time;
         description
           "It indicates the time of a message's generation.";
       }
       leaf vendor-name {
         type string;
         description
           "The name of the NSF vendor";
       }
       leaf nsf-name {
         type string;
         description
           "The name (or IP) of the NSF generating the message.";
       }
       leaf module-name {
         type string;
         description
           "The module name outputting the message.";
       }
       leaf severity {
         type severity;
         description
           "The severity of the alarm such as critical, high,
            middle, low.";
       }
     }
     grouping characteristics {
       description
         "A set of monitoring information characteristics";
       leaf acquisition-method {
         type identityref {
           base acquisition-method;
         }
         description
           "The acquisition-method for characteristics";
       }
       leaf emission-type {
         type identityref {
           base emission-type;
         }
         description
           "The emission-type for characteristics";
       }
       leaf dampening-type {
         type identityref {
           base dampening-type;
         }
         description
           "The dampening-type for characteristics";
       }
     }
     grouping i2nsf-system-alarm-type-content {
       description
         "A set of system alarm type contents";
       leaf usage {
         type uint8;
         description
           "Specifies the amount of usage";
       }
       leaf threshold {
         type uint8;
         description
           "The threshold triggering the alarm or the event";
       }
     }
     grouping i2nsf-system-event-type-content {
       description
         "System event metadata associated with system events
          caused by user activity.";
       leaf user {
         type string;
         mandatory true;
         description
           "The name of a user";
       }
       leaf group {
         type string;
         mandatory true;
         description
           "The group to which a user belongs.";
       }
       leaf login-ip-addr {
         type inet:ip-address;
         mandatory true;
         description
           "The login IPv4 (or IPv6) address of a user.";
       }
       leaf authentication {
         type identityref {
           base authentication-mode;
         }
         description
2441 "The authentication-mode for authentication"; 2442 } 2443 } 2444 grouping i2nsf-nsf-event-type-content-extend { 2445 description 2446 "A set of common IPv4-related NSF event content 2447 elements"; 2448 leaf src-ip { 2449 type inet:ip-address; 2450 description 2451 "The source IPv4 (or IPv6) address of the packet"; 2452 } 2453 leaf dst-ip { 2454 type inet:ip-address; 2455 description 2456 "The destination IPv4 (or IPv6) address of the 2457 packet"; 2458 } 2459 leaf src-port { 2460 type inet:port-number; 2461 description 2462 "The source port of the packet"; 2463 } 2464 leaf dst-port { 2465 type inet:port-number; 2466 description 2467 "The destination port of the packet"; 2468 } 2469 leaf src-zone { 2470 type string; 2471 description 2472 "The source security zone of the packet"; 2473 } 2474 leaf dst-zone { 2475 type string; 2476 description 2477 "The destination security zone of the packet"; 2478 } 2479 leaf rule-id { 2480 type uint8; 2481 mandatory true; 2482 description 2483 "The ID of the rule being triggered"; 2484 } 2485 leaf rule-name { 2486 type string; 2487 mandatory true; 2488 description 2489 "The name of the rule being triggered"; 2490 } 2491 leaf profile { 2492 type string; 2493 description 2494 "Security profile that traffic matches."; 2495 } 2496 leaf raw-info { 2497 type string; 2498 description 2499 "The information describing the packet triggering 2500 the event."; 2501 } 2502 } 2503 grouping i2nsf-nsf-event-type-content { 2504 description 2505 "A set of common IPv4 (or IPv6)-related NSF event 2506 content elements"; 2507 leaf dst-ip { 2508 type inet:ip-address; 2509 description 2510 "The destination IPv4 (IPv6) address of the packet"; 2511 } 2512 leaf dst-port { 2513 type inet:port-number; 2514 description 2515 "The destination port of the packet"; 2516 } 2517 leaf rule-id { 2518 type uint8; 2519 mandatory true; 2520 description 2521 "The ID of the rule being triggered"; 2522 } 2523 leaf rule-name { 2524 type string; 2525 mandatory true; 2526 
         description
           "The name of the rule being triggered";
       }
       leaf profile {
         type string;
         description
           "Security profile that traffic matches";
       }
       leaf raw-info {
         type string;
         description
           "The information describing the packet
            triggering the event";
       }
     }
     grouping traffic-rates {
       description
         "A set of traffic rates for statistics data";
       leaf total-traffic {
         type uint32;
         description
           "Total traffic";
       }
       leaf in-traffic-ave-rate {
         type uint32;
         description
           "Inbound traffic average rate in pps";
       }
       leaf in-traffic-peak-rate {
         type uint32;
         description
           "Inbound traffic peak rate in pps";
       }
       leaf in-traffic-ave-speed {
         type uint32;
         description
           "Inbound traffic average speed in bps";
       }
       leaf in-traffic-peak-speed {
         type uint32;
         description
           "Inbound traffic peak speed in bps";
       }
       leaf out-traffic-ave-rate {
         type uint32;
         description
           "Outbound traffic average rate in pps";
       }
       leaf out-traffic-peak-rate {
         type uint32;
         description
           "Outbound traffic peak rate in pps";
       }
       leaf out-traffic-ave-speed {
         type uint32;
         description
           "Outbound traffic average speed in bps";
       }
       leaf out-traffic-peak-speed {
         type uint32;
         description
           "Outbound traffic peak speed in bps";
       }
     }
     grouping i2nsf-system-counter-type-content {
       description
         "A set of system counter type contents";
       leaf interface-name {
         type string;
         description
           "Network interface name configured in an NSF";
       }
       leaf in-total-traffic-pkts {
         type uint32;
         description
           "Total inbound packets";
       }
       leaf out-total-traffic-pkts {
         type uint32;
         description
           "Total outbound packets";
       }
       leaf in-total-traffic-bytes {
         type uint32;
         description
           "Total inbound
bytes"; 2612 } 2613 leaf out-total-traffic-bytes { 2614 type uint32; 2615 description 2616 "Total outbound bytes"; 2617 } 2618 leaf in-drop-traffic-pkts { 2619 type uint32; 2620 description 2621 "Total inbound drop packets"; 2622 } 2623 leaf out-drop-traffic-pkts { 2624 type uint32; 2625 description 2626 "Total outbound drop packets"; 2628 } 2629 leaf in-drop-traffic-bytes { 2630 type uint32; 2631 description 2632 "Total inbound drop bytes"; 2633 } 2634 leaf out-drop-traffic-bytes { 2635 type uint32; 2636 description 2637 "Total outbound drop bytes"; 2638 } 2639 uses traffic-rates; 2640 } 2641 grouping i2nsf-nsf-counters-type-content{ 2642 description 2643 "A set of NSF counters type contents"; 2644 leaf src-ip { 2645 type inet:ip-address; 2646 description 2647 "The source IPv4 (or IPv6) address of the packet"; 2648 } 2649 leaf dst-ip { 2650 type inet:ip-address; 2651 description 2652 "The destination IPv4 (or IPv6) address of the 2653 packet"; 2654 } 2655 leaf src-port { 2656 type inet:port-number; 2657 description 2658 "The source port of the packet"; 2659 } 2660 leaf dst-port { 2661 type inet:port-number; 2662 description 2663 "The destination port of the packet"; 2664 } 2665 leaf src-zone { 2666 type string; 2667 description 2668 "The source security zone of the packet"; 2669 } 2670 leaf dst-zone { 2671 type string; 2672 description 2673 "The destination security zone of the packet"; 2674 } 2675 leaf src-region { 2676 type string; 2677 description 2678 "Source region of the traffic"; 2679 } 2680 leaf dst-region{ 2681 type string; 2682 description 2683 "Destination region of the traffic"; 2684 } 2685 leaf policy-id { 2686 type uint8; 2687 description 2688 "The ID of the policy being triggered"; 2689 } 2690 leaf policy-name { 2691 type string; 2692 description 2693 "The name of the policy being triggered"; 2694 } 2695 leaf src-user{ 2696 type string; 2697 description 2698 "User who generates traffic"; 2699 } 2700 leaf protocol { 2701 type identityref { 2702 base 
             protocol-type;
         }
         description
           "Protocol type of traffic";
       }
       leaf app {
         type string;
         description
           "Application type of traffic";
       }
     }

     notification system-detection-alarm {
       description
         "This notification is sent, when a system alarm
          is detected.";
       leaf alarm-category {
         type identityref {
           base alarm-type;
         }
         description
           "The alarm category for
            system-detection-alarm notification";
       }
       uses characteristics;
       uses i2nsf-system-alarm-type-content;
       uses common-monitoring-data;
     }
     notification system-detection-event {
       description
         "This notification is sent, when a security-sensitive
          authentication action fails.";
       leaf event-category {
         type identityref {
           base event-type;
         }
         description
           "The event category for system-detection-event";
       }
       uses characteristics;
       uses i2nsf-system-event-type-content;
       uses common-monitoring-data;
     }
     notification nsf-detection-flood {
       description
         "This notification is sent, when a specific flood type
          is detected.";
       leaf event-name {
         type identityref {
           base SEC-EVENT-DDOS;
         }
         description
           "The event name for nsf-detection-flood";
       }
       uses i2nsf-nsf-event-type-content;
       leaf sub-attack-type {
         type identityref {
           base flood-type;
         }
         description
           "Any one of SYN flood, ACK flood, SYN-ACK flood,
            FIN/RST flood, TCP Connection flood, UDP flood,
            ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood,
            HTTPS flood, DNS query flood, DNS reply flood, SIP
            flood, etc.";
       }
       leaf start-time {
         type yang:date-and-time;
         mandatory true;
         description
           "The time stamp indicating when the attack started";
       }
       leaf end-time {
         type yang:date-and-time;
         mandatory true;
         description
           "The time stamp indicating when the attack ended";
       }
       leaf attack-rate {
         type uint32;
         description
           "The PPS rate of attack traffic";
       }
       leaf attack-speed {
         type uint32;
         description
           "The BPS speed of attack traffic";
       }
       uses common-monitoring-data;
     }
     notification nsf-detection-session-table {
       description
         "This notification is sent, when a session table
          event is detected.";
       leaf current-session {
         type uint8;
         description
           "The number of concurrent sessions";
       }
       leaf maximum-session {
         type uint8;
         description
           "The maximum number of sessions that the session
            table can support";
       }
       leaf threshold {
         type uint8;
         description
           "The threshold triggering the event";
       }
       uses common-monitoring-data;
     }
     notification nsf-detection-virus {
       description
         "This notification is sent, when a virus is detected.";
       uses i2nsf-nsf-event-type-content-extend;
       leaf virus {
         type identityref {
           base virus-type;
         }
         description
           "The virus type for nsf-detection-virus notification";
       }
       leaf virus-name {
         type string;
         description
           "The name of the detected virus";
       }
       leaf file-type {
         type string;
         description
           "The type of the file in which the virus code is
            found (if applicable).";
       }
       leaf file-name {
         type string;
         description
           "The name of the file in which the virus code is
            found (if applicable).";
       }
       uses common-monitoring-data;
     }
     notification nsf-detection-intrusion {
       description
         "This notification is sent, when an intrusion event
          is detected.";
       uses i2nsf-nsf-event-type-content-extend;
       leaf protocol {
         type identityref {
           base protocol-type;
         }
         description
           "The protocol type for nsf-detection-intrusion
            notification";
       }
       leaf app {
         type string;
         description
           "The employed application layer
protocol"; 2862 } 2863 leaf sub-attack-type { 2864 type identityref { 2865 base intrusion-attack-type; 2866 } 2867 description 2868 "The sub attack type for intrusion attack"; 2869 } 2870 uses common-monitoring-data; 2871 } 2872 notification nsf-detection-botnet { 2873 description 2874 "This notification is sent, when a botnet event is 2875 detected."; 2876 uses i2nsf-nsf-event-type-content-extend; 2877 leaf attack-type { 2878 type identityref { 2879 base botnet-attack-type; 2880 } 2881 description 2882 "The attack type for botnet attack"; 2883 } 2884 leaf protocol { 2885 type identityref { 2886 base protocol-type; 2887 } 2888 description 2889 "The protocol type for nsf-detection-botnet notification"; 2890 } 2891 leaf botnet-name { 2892 type string; 2893 description 2894 "The name of the detected botnet"; 2895 } 2896 leaf role { 2897 type string; 2898 description 2899 "The role of the communicating 2900 parties within the botnet"; 2901 } 2902 uses common-monitoring-data; 2903 } 2904 notification nsf-detection-web-attack { 2905 description 2906 "This notification is sent, when an attack event is 2907 detected."; 2908 uses i2nsf-nsf-event-type-content-extend; 2909 leaf sub-attack-type { 2910 type identityref { 2911 base web-attack-type; 2912 } 2913 description 2914 "Concrete web attack type, e.g., SQL injection, 2915 command injection, XSS, and CSRF."; 2917 } 2918 leaf request-method { 2919 type identityref { 2920 base req-method; 2921 } 2922 description 2923 "The method of requirement. 
            For instance, PUT or
            GET in HTTP.";
       }
       leaf req-uri {
         type string;
         description
           "Requested URI";
       }
       leaf uri-category {
         type string;
         description
           "Matched URI category";
       }
       leaf-list filtering-type {
         type identityref {
           base filter-type;
         }
         description
           "URL filtering type, e.g., Blacklist, Whitelist,
            User-Defined, Predefined, Malicious Category,
            and Unknown";
       }
       uses common-monitoring-data;
     }
     notification system-access-log {
       description
         "The notification is sent, if there is a new system
          log entry about a system access event.";
       leaf login-ip {
         type inet:ip-address;
         mandatory true;
         description
           "Login IP address of a user";
       }
       leaf administrator {
         type string;
         description
           "Administrator that maintains the device";
       }
       leaf login-mode {
         type login-mode;
         description
           "Specifies the administrator log-in mode";
       }
       leaf operation-type {
         type operation-type;
         description
           "The operation type that the administrator executes";
       }
       leaf result {
         type string;
         description
           "Command execution result";
       }
       leaf content {
         type string;
         description
           "The operation performed by an administrator after
            login";
       }
       uses characteristics;
     }
     notification system-res-util-log {
       description
         "This notification is sent, if there is a new log
          entry representing resource utilization updates.";
       leaf system-status {
         type string;
         description
           "The current running status of the system";
       }
       leaf cpu-usage {
         type uint8;
         description
           "Specifies the relative amount of CPU usage with
            respect to platform resources";
       }
       leaf memory-usage {
         type uint8;
         description
           "Specifies the amount of memory usage.";
       }
       leaf disk-usage {
         type
           uint8;
         description
           "Specifies the amount of disk usage";
       }
       leaf disk-left {
         type uint8;
         description
           "Specifies the amount of disk left";
       }
       leaf session-num {
         type uint8;
         description
           "The total number of sessions";
       }
       leaf process-num {
         type uint8;
         description
           "The total number of processes";
       }
       leaf in-traffic-rate {
         type uint32;
         description
           "The total inbound traffic rate in pps";
       }
       leaf out-traffic-rate {
         type uint32;
         description
           "The total outbound traffic rate in pps";
       }
       leaf in-traffic-speed {
         type uint32;
         description
           "The total inbound traffic speed in bps";
       }
       leaf out-traffic-speed {
         type uint32;
         description
           "The total outbound traffic speed in bps";
       }
       uses characteristics;
     }
     notification system-user-activity-log {
       description
         "This notification is sent, if there is a new user
          activity log entry.";
       uses characteristics;
       uses i2nsf-system-event-type-content;
       leaf access {
         type identityref {
           base access-mode;
         }
         description
           "The access type for system-user-activity-log
            notification";
       }
       leaf online-duration {
         type string;
         description
           "Online duration";
       }
       leaf logout-duration {
         type string;
         description
           "Lockout duration";
       }
       leaf additional-info {
         type string;
         description
           "User activities, e.g., Successful User Login,
            Failed Login attempts, User Logout, Successful User
            Password Change, Failed User Password Change, User
            Lockout, User Unlocking, and Unknown.";
       }
     }
     notification nsf-log-ddos {
       description
         "This notification is sent, if there is a new DDoS
          event log entry in the NSF log.";
       leaf attack-type {
         type identityref {
           base ddos-attack-type;
         }
         description
"The DDoS attack type for nsf-log-ddos notification"; 3090 } 3091 leaf attack-ave-rate { 3092 type uint32; 3093 description 3094 "The average PPS of attack traffic"; 3095 } 3096 leaf attack-ave-speed { 3097 type uint32; 3098 description 3099 "the average bps of attack traffic"; 3100 } 3101 leaf attack-pkt-num { 3102 type uint32; 3103 description 3104 "the number of attack packets"; 3105 } 3106 leaf attack-src-ip { 3107 type inet:ip-address; 3108 description 3109 "The source IPv4 (or IPv6) addresses of attack 3110 traffic. If there are a large amount of IPv4 3111 (or IPv6) addresses, then pick a certain number 3112 of resources according to different rules."; 3113 } 3114 leaf action { 3115 type log-action; 3116 description 3117 "Action type: allow, alert, block, discard, declare, 3118 block-ip, block-service"; 3119 } 3120 uses characteristics; 3121 uses common-monitoring-data; 3122 } 3123 notification nsf-log-virus { 3124 description 3125 "This notification is sent, if there is a new virus 3126 event log entry in the NSF log."; 3127 leaf attack-type { 3128 type identityref { 3129 base virus-type; 3130 } 3131 description 3132 "The virus type for nsf-log-virus notification"; 3133 } 3134 leaf action { 3135 type log-action; 3136 description 3137 "Action type: allow, alert, block, discard, declare, 3138 block-ip, block-service"; 3139 } 3140 leaf os{ 3141 type string; 3142 description 3143 "simple OS information"; 3144 } 3145 leaf time { 3146 type yang:date-and-time; 3147 mandatory true; 3148 description 3149 "It is the time when the message is generated."; 3150 } 3151 uses characteristics; 3152 uses common-monitoring-data; 3153 } 3154 notification nsf-log-intrusion { 3155 description 3156 "This notification is sent, if there is a new 3157 intrusion event log entry in the NSF log."; 3158 leaf attack-type { 3159 type identityref { 3160 base intrusion-attack-type; 3161 } 3162 description 3163 "The intrusion attack type for nsf-log-intrusion 3164 notification"; 3165 } 3166 
leaf action { 3167 type log-action; 3168 description 3169 "Action type: allow, alert, block, discard, declare, 3170 block-ip, block-service"; 3171 } 3172 leaf time { 3173 type yang:date-and-time; 3174 mandatory true; 3175 description 3176 "It is the time when the message is generated."; 3177 } 3178 leaf attack-rate { 3179 type uint32; 3180 description 3181 "The PPS of attack traffic"; 3182 } 3183 leaf attack-speed { 3184 type uint32; 3185 description 3186 "The bps of attack traffic"; 3187 } 3188 uses characteristics; 3189 uses common-monitoring-data; 3190 } 3191 notification nsf-log-botnet { 3192 description 3193 "This notification is sent, if there is a new botnet 3194 event log in the NSF log."; 3195 leaf attack-type { 3196 type identityref { 3197 base botnet-attack-type; 3198 } 3199 description 3200 "The botnet attack type for nsf-log-botnet notification"; 3201 } 3202 leaf action { 3203 type log-action; 3204 description 3205 "Action type: allow, alert, block, discard, declare, 3206 block-ip, block-service"; 3207 } 3208 leaf botnet-pkt-num{ 3209 type uint8; 3210 description 3211 "The number of the packets sent to or from the detected botnet"; 3212 } 3213 leaf os{ 3214 type string; 3215 description 3216 "simple OS information"; 3217 } 3218 uses characteristics; 3219 uses common-monitoring-data; 3220 } 3221 notification nsf-log-dpi { 3222 description 3223 "This notification is sent, if there is a new DPI 3224 event in the NSF log."; 3225 leaf attack-type { 3226 type dpi-type; 3227 description 3228 "The type of the DPI"; 3229 } 3230 uses characteristics; 3231 uses i2nsf-nsf-counters-type-content; 3232 uses common-monitoring-data; 3233 } 3234 notification nsf-log-vuln-scan { 3235 description 3236 "This notification is sent, if there is a new 3237 vulnerability-scan report in the NSF log."; 3238 leaf vulnerability-id { 3239 type uint8; 3240 description 3241 "The vulnerability ID"; 3242 } 3243 leaf victim-ip { 3244 type inet:ip-address; 3245 description 3246 "IPv4 (or 
IPv6) address of the victim host which 3247 has vulnerabilities"; 3248 } 3249 leaf protocol { 3250 type identityref { 3251 base protocol-type; 3252 } 3253 description 3254 "The protocol type for nsf-log-vuln-scan 3255 notification"; 3256 } 3257 leaf port-num { 3258 type inet:port-number; 3259 description 3260 "The port number"; 3261 } 3262 leaf level { 3263 type severity; 3264 description 3265 "The vulnerability severity"; 3266 } 3267 leaf os { 3268 type string; 3269 description 3270 "simple OS information"; 3271 } 3272 leaf vulnerability-info { 3273 type string; 3274 description 3275 "The information about the vulnerability"; 3276 } 3277 leaf fix-suggestion { 3278 type string; 3279 description 3280 "The fix suggestion to the vulnerability"; 3281 } 3282 leaf service { 3283 type string; 3284 description 3285 "The service which has vulnerability in the victim 3286 host"; 3287 } 3288 uses characteristics; 3289 uses common-monitoring-data; 3290 } 3291 notification nsf-log-web-attack { 3292 description 3293 "This notification is sent, if there is a new 3294 web-attack event in the NSF log."; 3295 leaf attack-type { 3296 type identityref { 3297 base web-attack-type; 3298 } 3299 description 3300 "The web attack type for nsf-log-web-attack 3301 notification"; 3302 } 3303 leaf rsp-code { 3304 type string; 3305 description 3306 "Response code"; 3307 } 3308 leaf req-clientapp { 3309 type string; 3310 description 3311 "The client application"; 3312 } 3313 leaf req-cookies { 3314 type string; 3315 description 3316 "Cookies"; 3317 } 3318 leaf req-host { 3319 type string; 3320 description 3321 "The domain name of the requested host"; 3322 } 3323 leaf raw-info { 3324 type string; 3325 description 3326 "The information describing the packet triggering 3327 the event."; 3328 } 3329 uses characteristics; 3330 uses common-monitoring-data; 3331 } 3332 container counters { 3333 description 3334 "This is probably better covered by an import as this 3335 will not be notifications. 
Counters are not very 3336 suitable as telemetry, maybe via periodic 3337 subscriptions, which would still violate the principle 3338 of least surprise."; 3339 container system-interface { 3340 description 3341 "The system counter type is interface counter."; 3342 uses characteristics; 3343 uses i2nsf-system-counter-type-content; 3344 uses common-monitoring-data; 3345 } 3346 container nsf-firewall { 3347 description 3348 "The NSF counter type is firewall counter."; 3350 uses characteristics; 3351 uses i2nsf-nsf-counters-type-content; 3352 uses traffic-rates; 3353 } 3354 container nsf-policy-hits { 3355 description 3356 "The counters of policy hit"; 3357 uses characteristics; 3358 uses i2nsf-nsf-counters-type-content; 3359 uses common-monitoring-data; 3360 leaf hit-times { 3361 type uint32; 3362 description 3363 "The hit times for policy"; 3364 } 3365 } 3366 } 3367 } 3368 3370 Figure 2: Data Model of Monitoring 3372 11. IANA Considerations 3374 This document requests IANA to register the following URI in the 3375 "IETF XML Registry" [RFC3688]: 3377 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring 3378 Registrant Contact: The IESG. 3379 XML: N/A; the requested URI is an XML namespace. 3381 This document requests IANA to register the following YANG module in 3382 the "YANG Module Names" registry [RFC7950][RFC8525]: 3384 name: ietf-i2nsf-nsf-monitoring 3385 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring 3386 prefix: nsfmi 3387 reference: RFC XXXX 3389 // RFC Ed.: replace XXXX with an actual RFC number and remove 3390 // this note. 3392 12. Security Considerations 3394 The YANG module described in this document defines a schema for data 3395 that is designed to be accessed via network management protocols such 3396 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 3397 is the secure transport layer, and the mandatory-to-implement secure 3398 transport is Secure Shell (SSH) [RFC6242]. 
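   The following is an added example and is not part of this draft or of
   any I2NSF implementation.  It shows what a security controller can
   do on receipt of the notifications defined in Figure 2: validate a
   RESTCONF JSON notification instance (RFC 8040 envelope, module name
   from Section 11) against the leaf types visible in the YANG fragment,
   and apply the per-NSF rate limiting that Section 12 recommends so
   that a flood of notifications cannot exhaust the controller before
   parsing even starts.  One consequence of the schema is worth noting:
   session-num, process-num, botnet-pkt-num and vulnerability-id are
   typed uint8, so a conforming receiver must reject any value above
   255.  The leaf table is hand-transcribed and covers three
   notifications only, the token-bucket parameters are assumptions, and
   all sample values are constructed.

```python
"""Controller-side intake for ietf-i2nsf-nsf-monitoring notifications.
Added example, not from the draft.  SCHEMA is hand-transcribed from the
YANG fragment (only leaves whose type is visible there; leaves that arrive
via "uses" groupings are passed through).  JSON shape follows RFC 8040."""
import ipaddress
import re

MODULE = "ietf-i2nsf-nsf-monitoring"   # module name from Section 11

# Leaf -> YANG type per notification.  "opaque" marks typedefs defined
# elsewhere in the module (log-action, login-mode, ...): string only.
SCHEMA = {
    "system-res-util-log": {
        "system-status": "string", "cpu-usage": "uint8", "memory-usage": "uint8",
        "disk-usage": "uint8", "session-num": "uint8", "process-num": "uint8",
        "in-traffic-rate": "uint32", "in-traffic-speed": "uint32",
    },
    "nsf-log-ddos": {
        "attack-type": "identityref", "attack-ave-rate": "uint32",
        "attack-pkt-num": "uint32", "attack-src-ip": "ip-address", "action": "opaque",
    },
    "system-access-log": {
        "login-ip": "ip-address", "administrator": "string", "login-mode": "opaque",
        "operation-type": "opaque", "result": "string", "content": "string",
    },
}
MANDATORY = {"system-access-log": {"login-ip"}}   # "mandatory true" leaves
# RFC 7951 identityref encoding: "identity" or "module-name:identity".
_IDENTITYREF = re.compile(r"^(?:[A-Za-z_][\w.-]*:)?[A-Za-z_][\w.-]*$")


def check_leaf(kind, value):
    """Return None when value fits the YANG type, else a short reason."""
    if kind in ("uint8", "uint32"):
        limit = 255 if kind == "uint8" else 2**32 - 1
        # bool is an int subclass in Python: JSON true/false must not pass.
        ok = isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= limit
        return None if ok else f"expected {kind} (0..{limit}), got {value!r}"
    if not isinstance(value, str):
        return f"expected a string for {kind}, got {value!r}"
    if kind == "ip-address":
        try:   # inet:ip-address may carry a "%zone" suffix; strip it first
            ipaddress.ip_address(value.split("%", 1)[0])
        except ValueError:
            return f"not an IPv4/IPv6 address: {value!r}"
    elif kind == "identityref" and not _IDENTITYREF.match(value):
        return f"malformed identityref: {value!r}"
    return None


def validate_notification(doc):
    """Validate one RESTCONF JSON notification; returns (name, errors)."""
    body = doc.get("ietf-restconf:notification")
    if not isinstance(body, dict):
        return None, ["missing ietf-restconf:notification wrapper"]
    errors = [] if "eventTime" in body else ["missing eventTime"]
    keys = [k for k in body if k.startswith(MODULE + ":")]
    if len(keys) != 1:
        return None, errors + [f"expected one {MODULE} notification, got {keys}"]
    name, content = keys[0].split(":", 1)[1], body[keys[0]]
    if name not in SCHEMA:
        return name, errors + [f"unknown notification {name!r}"]
    for leaf in sorted(MANDATORY.get(name, ())):
        if leaf not in content:
            errors.append(f"{name}/{leaf}: mandatory leaf missing")
    for leaf, value in content.items():
        if leaf in SCHEMA[name]:   # grouping leaves are passed through
            err = check_leaf(SCHEMA[name][leaf], value)
            if err:
                errors.append(f"{name}/{leaf}: {err}")
    return name, errors


class NsfRateLimiter:
    """Per-NSF token bucket (Section 12: rate-limit notification floods).
    Keyed by NSF so one noisy NSF cannot starve the others; 'now' is passed
    in for determinism.  Rate and burst values are assumptions."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst, self._buckets = rate_per_s, burst, {}

    def allow(self, nsf_id, now):
        tokens, last = self._buckets.get(nsf_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        accepted = tokens >= 1
        self._buckets[nsf_id] = (tokens - 1 if accepted else tokens, now)
        return accepted


def intake(doc, nsf_id, now, limiter):
    """Rate-limit before parsing (cheapest check first), then validate."""
    if not limiter.allow(nsf_id, now):
        return "dropped: rate limit"
    name, errors = validate_notification(doc)
    return "rejected: " + "; ".join(errors) if errors else "accepted: " + name


def sample(name, content, event_time="2020-09-07T10:00:00Z"):
    """Wrap constructed notification content in the RFC 8040 envelope."""
    return {"ietf-restconf:notification": {"eventTime": event_time,
                                           f"{MODULE}:{name}": content}}
```

   The limiter runs before the validator on purpose: the attack Section
   12 describes is volumetric, so the cheap per-source check has to sit
   in front of any JSON parsing or schema work.  Validation reports all
   defects of an instance at once (a missing mandatory login-ip, an
   out-of-range uint8, a malformed address) rather than stopping at the
   first, which is what an operator debugging an NSF will want to see.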
   The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement
   secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   framework operations.  The monitoring YANG module should be protected
   by a secure communication channel to ensure its confidentiality and
   integrity.  On the other hand, both the NSF and the security
   controller can be faked, which leads to undesirable results (i.e.,
   leakage of an NSF's important operational information, and a faked
   NSF sending false information to mislead the security controller).
   Mutual authentication is essential to protect against this kind of
   attack.  The current mainstream security technologies (i.e., TLS,
   DTLS, IPsec, and X.509 PKI) can be employed appropriately to provide
   the above security functions.

   In addition, to defend against a DDoS attack caused by many NSFs
   sending massive numbers of notifications to the security controller,
   rate limiting or similar mechanisms should be considered in an NSF
   and in the security controller, whether in advance or during the
   DDoS attack itself.

13.  Acknowledgments

   This work was supported by Institute of Information & Communications
   Technology Planning & Evaluation (IITP) grant funded by the Korea
   MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
   Security Intelligence Technology Development for the Customized
   Security Service Provisioning).  This work was supported in part by
   the IITP (2020-0-00395, Standard Development of Blockchain based
   Network Management Automation Technology).  This work was supported
   in part by the MSIT under the Information Technology Research Center
   (ITRC) support program (IITP-2020-2017-0-01633) supervised by the
   IITP.

14.  Contributors

   This document is the result of a group effort by the I2NSF working
   group.  Many people actively contributed to this document.  The
   authors sincerely appreciate their contributions.

   The following are co-authors of this document:

   Chaehong Chung
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: darkhong@skku.edu

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: timkim@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Dacheng Zhang
   Huawei

   EMail: dacheng.zhang@huawei.com

   Yi Wu
   Alibaba Group

   EMail: anren.wy@alibaba-inc.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA

   EMail: rkkumar@juniper.net

   Anil Lohiya
   Juniper Networks

   EMail: alohiya@juniper.net

15.  References

15.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.
   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC0956]  Mills, D., "Algorithms for synchronizing network clocks",
              RFC 956, DOI 10.17487/RFC0956, September 1985.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004.

   [RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
              Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, DOI 10.17487/RFC6587,
              April 2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

15.2.  Informative References

   [I-D.ietf-i2nsf-applicability]
              Jeong, J., Hyun, S., Ahn, T., Hares, S., and D. Lopez,
              "Applicability of Interfaces to Network Security Functions
              to Network-Based Security Services", draft-ietf-i2nsf-
              applicability-18 (work in progress), September 2019.

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", draft-
              ietf-i2nsf-consumer-facing-interface-dm-11 (work in
              progress), September 2020.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
              Lin, "I2NSF Network Security Function-Facing Interface
              YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
              dm-10 (work in progress), August 2020.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
              "I2NSF Registration Interface YANG Data Model", draft-
              ietf-i2nsf-registration-interface-dm-09 (work in
              progress), August 2020.

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Subscription to YANG Event Notifications",
              draft-ietf-netconf-subscribed-notifications-26 (work in
              progress), May 2019.

   [I-D.ietf-netconf-yang-push]
              Clemm, A. and E. Voit, "Subscription to YANG Datastores",
              draft-ietf-netconf-yang-push-25 (work in progress), May
              2019.

   [I-D.yang-i2nsf-security-policy-translation]
              Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
              Policy Translation in Interface to Network Security
              Functions", draft-yang-i2nsf-security-policy-
              translation-06 (work in progress), May 2020.

Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-03

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-03:

   o  This version updates the author list by replacing Chaehong Chung
      with Patrick Lingga as an active co-author for the YANG module
      update.

   o  This version updates the YANG module name, prefix, and
      descriptions in the YANG module.

   o  This updated YANG module supports both IPv4 and IPv6.

   o  This version updates the version numbers of the referenced RFCs
      and drafts.

Authors' Addresses

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Patrick Lingga
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   EMail: patricklink@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de