idnits 2.17.1 draft-ietf-i2nsf-nsf-monitoring-data-model-05.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist:
  ** There are 16 instances of too long lines in the document, the longest one being 31 characters in excess of 72.

Miscellaneous warnings:
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  == Line 1286 has weird spacing: '...rm-type enu...'
  == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).
  -- The document date (February 17, 2021) is 1157 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
  (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
  == Unused Reference: 'RFC2119' is defined on line 3655, but no explicit reference was found in the text
  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)
  ** Downref: Normative reference to an Unknown state RFC: RFC 956
  ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235)
  ** Downref: Normative reference to an Informational RFC: RFC 3954
  ** Downref: Normative reference to an Informational RFC: RFC 4949
  ** Downref: Normative reference to an Historic RFC: RFC 6587
  ** Downref: Normative reference to an Informational RFC: RFC 8329
  == Outdated reference: A later version (-31) exists of draft-ietf-i2nsf-consumer-facing-interface-dm-12
  == Outdated reference: A later version (-29) exists of draft-ietf-i2nsf-nsf-facing-interface-dm-10
  == Outdated reference: A later version (-26) exists of draft-ietf-i2nsf-registration-interface-dm-09
  == Outdated reference: A later version (-16) exists of draft-yang-i2nsf-security-policy-translation-07

  Summary: 8 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).

  Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: August 21, 2021                                        S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                       February 17, 2021

                   I2NSF NSF Monitoring YANG Data Model
              draft-ietf-i2nsf-nsf-monitoring-data-model-05

Abstract

This document proposes an information model and the corresponding YANG data model for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a timely manner. This monitoring functionality is based on the monitoring information that is generated by NSFs. Thus, this document describes not only an information model for monitoring NSFs along with a YANG data diagram, but also the corresponding YANG data model for monitoring NSFs.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 21, 2021.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
3. Use Cases for NSF Monitoring Data
4. Classification of NSF Monitoring Data
   4.1. Retention and Emission
   4.2. Notifications and Events
   4.3. Unsolicited Poll and Solicited Push
   4.4. I2NSF Monitoring Terminology for Retained Information
5. Conveyance of NSF Monitoring Information
   5.1. Information Types and Acquisition Methods
6. Basic Information Model for All Monitoring Data
7. Extended Information Model for Monitoring Data
   7.1. System Alarms
      7.1.1. Memory Alarm
      7.1.2. CPU Alarm
      7.1.3. Disk Alarm
      7.1.4. Hardware Alarm
      7.1.5. Interface Alarm
   7.2. System Events
      7.2.1. Access Violation
      7.2.2. Configuration Change
   7.3. NSF Events
      7.3.1. DDoS Event
      7.3.2. Session Table Event
      7.3.3. Virus Event
      7.3.4. Intrusion Event
      7.3.5. Botnet Event
      7.3.6. Web Attack Event
   7.4. System Logs
      7.4.1. Access Log
      7.4.2. Resource Utilization Log
      7.4.3. User Activity Log
   7.5. NSF Logs
      7.5.1. DPI Log
      7.5.2. Vulnerability Scanning Log
      7.5.3. Web Attack Log
   7.6. System Counter
      7.6.1. Interface Counter
   7.7. NSF Counters
      7.7.1. Firewall Counter
      7.7.2. Policy Hit Counter
8. NSF Monitoring Management in I2NSF
9. Tree Structure
10. YANG Data Model
11. I2NSF Event Stream
12. XML Examples for I2NSF NSF Monitoring
   12.1. I2NSF System Detection Alarm
   12.2. I2NSF Interface Counters
13. IANA Considerations
14. Security Considerations
15. Acknowledgments
16. Contributors
17. References
   17.1. Normative References
   17.2. Informative References
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-04
Authors' Addresses

1. Introduction

According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF NSF-Facing Interface [I-D.ietf-i2nsf-nsf-facing-interface-dm]. Monitoring procedures intend to acquire vital types of data with respect to NSFs (e.g., alarms, records, and counters) via data in motion (e.g., queries, notifications, and events). The monitoring of NSFs plays an important role in an overall security framework, if it is done in a timely and comprehensive way. The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial of service (DoS) attacks.

This document defines a comprehensive NSF monitoring information model that provides visibility into an NSF for an NSF data collector (e.g., Security Controller and NSF Data Analyzer). Note that an NSF data collector is defined as an entity that collects NSF monitoring data from an NSF, such as a Security Controller or an NSF Data Analyzer. This document specifies the information and illustrates the methods that enable an NSF to provide the information required in order to be monitored in a scalable and efficient way via the NSF-Facing Interface. The information model for monitoring presented in this document is complementary to the information model for the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-capability].

This document also defines a YANG [RFC7950] data model for monitoring NSFs, which is derived from the information model for NSF monitoring.

2. Terminology

This document uses the terminology described in [RFC8329].

This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols in tree diagrams is defined in [RFC8340].

3. Use Cases for NSF Monitoring Data

As mentioned earlier, monitoring plays a critical role in an overall security framework. The monitoring of the NSF provides very valuable information to an NSF data collector (e.g., Security Controller and NSF data analyzer) for maintaining the provisioned security posture. Besides this, there are various other reasons to monitor the NSF, as listed below:

o The security administrator with an I2NSF User can configure a policy that is triggered on a specific event occurring in the NSF or the network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm]. If an NSF data collector detects the specified event, it configures additional security functions as defined by policies.

o The events triggered by an NSF as a result of a security policy violation can be used by Security Information and Event Management (SIEM) to detect any suspicious activity in a larger correlation context.

o The events and activity logs from an NSF can be used to build advanced analytics, such as behavior and predictive models, to improve security posture in large deployments.
o The NSF data collector can use events from the NSF for achieving high availability. It can take corrective actions such as restarting a failed NSF and horizontally scaling up the NSF.

o The events and activity logs from the NSF can aid in the root cause analysis of an operational issue, and so improve debugging.

o The activity logs from the NSF can be used to build historical data for operational and business reasons.

4. Classification of NSF Monitoring Data

In order to maintain a strong security posture, it is necessary not only to configure an NSF's security policies but also to continuously monitor the NSF by consuming acquirable and observable information. This enables security administrators to assess the state of the network topology in a timely fashion. It is not possible to block all the internal and external threats based on a static security posture. A more practical approach is supported by enabling dynamic security measures, for which continuous visibility is required. This document defines a set of information elements (and their scope) that can be acquired from an NSF and can be used as NSF monitoring information. In essence, these types of monitoring information can be leveraged to support constant visibility on multiple levels of granularity and can be consumed by the corresponding functions.

Three basic domains about the monitoring information originating from a system entity [RFC4949] or an NSF are highlighted in this document.

o Retention and Emission

o Notifications and Events

o Unsolicited Poll and Solicited Push

The Alarm Management Framework in [RFC3877] defines an Event as something that happens which may be of interest. It defines a fault as a change in status, crossing a threshold, or an external input to the system. In the I2NSF domain, I2NSF events are created, and the scope of the Alarm Management Framework's Events is still applicable due to its broad definition. The model presented in this document elaborates on the workflow of creating I2NSF events in the context of NSF monitoring and on the way initial I2NSF events are created.

As with I2NSF components, every generic system entity can include a set of capabilities that creates information about the context, composition, configuration, state or behavior of that system entity. This information is intended to be provided to other consumers of information, which in the scope of this document means NSF information monitoring in an automated fashion.

4.1. Retention and Emission

Typically, a system entity populates standardized interfaces, such as SNMP, NETCONF, RESTCONF or CoMI, to provide and emit created information directly via the NSF-Facing Interface. Alternatively, the created information is retained inside the system entity (or a hierarchy of system entities in a composite device) via records or counters that are not exposed directly via NSF-Facing Interfaces.

Information emitted via standardized interfaces can be consumed by an I2NSF User that includes the capability to consume information not only via an I2NSF Interface (e.g., [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via interfaces complementary to the standardized interfaces a generic system entity provides.

Information retained on a system entity requires a corresponding I2NSF User to access aggregated records of information, typically in the form of log files or databases. There are ways to aggregate records originating from different system entities over a network, for example via the Syslog Protocol [RFC5424] or Syslog over TCP [RFC6587]. But even if records are conveyed, the result is the same kind of retention, in the form of a bigger aggregate of records on another system entity.

An I2NSF User is required to process fresh [RFC4949] records created by I2NSF Functions in order to provide them to other I2NSF Components via the corresponding I2NSF Interfaces in a timely manner. This process is effectively based on homogenizing functions, which can access and convert specific kinds of records into information that can be provided and emitted via I2NSF interfaces.

Whether retained or emitted, the information required to support monitoring processes has to be processed by an I2NSF User at some point in the workflow. Typical locations of these I2NSF Users are:

o a system entity that creates the information

o a system entity that retains an aggregation of records

o an I2NSF Component that includes the capabilities of using standardized interfaces provided by other system entities that are not I2NSF Components

o an I2NSF Component that creates the information

4.2. Notifications and Events

A specific task of an I2NSF User is to process I2NSF Policy Rules. The rules of a policy are composed of three clauses: Events, Conditions, and Actions. In consequence, an I2NSF Event is specified to trigger an I2NSF Policy Rule. Such an I2NSF Event is defined as any important occurrence over time in the system being managed, and/or in the environment of the system being managed, which aligns well with the generic definition of Event from [RFC3877].

The model illustrated in this document introduces a complementary type of information that can be conveyed as a notification.

Notification: An occurrence of a change of context, composition, configuration, state or behavior of a system entity that can be directly or indirectly observed by an I2NSF User and can be used as input for an event-clause in I2NSF Policy Rules.
   A notification is similar to an I2NSF Event with the exception that it is created by a system entity that is not an I2NSF Component and that its importance is yet to be assessed. Semantically, a notification is not an I2NSF Event in the context of I2NSF, although they can potentially use the exact same information or data model. With respect to [RFC3877], a Notification is a specific subset of events, because it conveys information about something that happens which may be of interest. In consequence, Notifications may contain information with very low expressiveness or relevance. Hence, additional post-processing functions, such as aggregation, correlation or simple anomaly detection, might have to be employed to satisfy the level of expressiveness that is required for an event-clause of an I2NSF Policy Rule.

It is important to note that the consumer of a notification (the observer) assesses the importance of a notification, not the producer. The producer can include metadata in a notification that supports the observer in assessing the importance (even metadata about severity), but the deciding entity is an I2NSF User.

4.3. Unsolicited Poll and Solicited Push

The freshness of the monitored information depends on the acquisition method. Ideally, an I2NSF User accesses all relevant information about the I2NSF Component and emits I2NSF Events to an NSF data collector (e.g., Security Controller and NSF data analyzer) in a timely manner. Publication of events via a pubsub/broker model, peer-to-peer meshes, or statically defined channels are only a few examples of how a solicited push of I2NSF Events can be facilitated. The actual mechanism implemented by an I2NSF Component is out of the scope of this document.

Often, the corresponding management interfaces have to be queried in intervals or on demand if required by an I2NSF Policy Rule. In some cases, a collection of information has to be conducted via login mechanisms provided by a system entity. Accessing records of information via this kind of unsolicited poll can introduce a significant latency in regard to the freshness of the monitored information. The actual definition of intervals implemented by an I2NSF Component is also out of scope of this document.

4.4. I2NSF Monitoring Terminology for Retained Information

Records: Unlike information emitted via notifications and events, records do not require immediate attention from an analyst but may be useful for visibility and retroactive cyber forensics. Depending on the record format, there are different qualities in regard to structure and detail. Records are typically stored in log files or databases on a system entity or NSF. Records in the form of log files usually include less structure but potentially more detailed information in regard to the changes of a system entity's characteristics. In contrast, databases often use stricter schemas or data models, therefore enforcing a better structure. However, they inhibit storing information that does not match those models ("closed world assumption"). Records can be continuously processed by I2NSF Agents that act as I2NSF Producers and emit events via functions specifically tailored to a certain type of record. Typically, records are information generated either by an NSF or a system entity about operational and informational data, or various changes in system characteristics, such as user activities, network/traffic status, and network activity. They are important for debugging, auditing and security forensics.

Counters: A specific representation of continuous value changes of information elements that potentially occur at high frequency. Prominent examples are network interface counters, e.g., PDU amount or byte amount, drop counters, and error counters. Counters are useful for debugging and visibility into the operational behavior of an NSF. An I2NSF Agent that observes the progression of counters can act as an I2NSF Producer and emit events with respect to I2NSF Policy Rules.

5. Conveyance of NSF Monitoring Information

As per the use cases of NSF monitoring data, information needs to be conveyed to various I2NSF Consumers based on requirements imposed by I2NSF Capabilities and workflows. There are multiple aspects to be considered in regard to the emission of monitoring information to requesting parties, as listed below:

o Pull-Push Model: A set of data can be pushed by an NSF to a requesting party or pulled by a requesting party from an NSF. Specific types of information might need both models at the same time if there are multiple I2NSF Consumers with varying requirements. In general, any I2NSF Event including a high severity assessment is considered to be of great importance and should be processed as soon as possible (push model). Records, in contrast, are typically not as critical (pull model). The I2NSF Architecture does not mandate a specific scheme for each type of information, and this is therefore out of scope of this document.

o Pub-Sub Model: In order for an I2NSF Provider to push monitoring information to multiple appropriate I2NSF Consumers, a subscription can be maintained by both I2NSF Components. Discovery of available monitoring information can be supported by an I2NSF Controller that takes the role of a broker and therefore includes I2NSF Capabilities that support registration.

o Export Frequency: Monitoring information can be emitted immediately upon generation by an NSF to requesting I2NSF Consumers or can be pushed periodically. The frequency of exporting the data depends upon its size and timely usefulness. It is out of the scope of I2NSF and left to each NSF implementation.

o Authentication: There may be a need for authentication between an I2NSF Producer of monitoring information and its corresponding I2NSF Consumer to ensure that critical information remains confidential. Authentication in the scope of I2NSF can also require its corresponding content authorization. This may be necessary, for example, if an NSF emits monitoring information to an I2NSF Consumer outside its administrative domain. The I2NSF Architecture does not mandate when and how specific authentication has to be implemented.

o Data-Transfer Model: Monitoring information can be pushed by an NSF using a connection-less model that does not require a persistent connection, or streamed over a persistent connection. An appropriate model depends on the I2NSF Consumer requirements and the semantics of the information to be conveyed.

o Data Model and Interaction Model for Data in Motion: There are many transport mechanisms, such as IP, UDP, and TCP. There are also open source implementations for specific sets of data such as system counters, e.g., IPFIX [RFC7011] and NetFlow [RFC3954]. I2NSF does not mandate any specific method for a given data set, so it is up to each implementation.

5.1. Information Types and Acquisition Methods

In this document, most of the defined information types benefit from high visibility with respect to value changes, e.g., alarms and records. In contrast, values that change monotonically in a continuous way do not benefit from this high visibility. On the contrary, emitting each change would result in a useless amount of value updates. Hence, values such as counters are best acquired in periodic intervals.
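The record-to-event path described in Sections 4.1 and 4.2 (a homogenizing function turns retained records into notifications, and the consuming I2NSF User, not the producer, aggregates them into an I2NSF Event), as an added example written for this page and not taken from the draft or any I2NSF implementation. The syslog-style sample lines, the names Notification, I2NSFEvent, homogenize and assess, and the "five failures from one address within 60 seconds" rule are constructed assumptions; the event name reuses ACCESS_DENIED from the draft's Section 7.2.1.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample of records retained in a log file by a system entity that
# is not itself an I2NSF Component (RFC 5424-style syslog lines; assumed format).
SAMPLE_RECORDS = """\
<85>1 2021-02-17T10:00:01Z fw1 sshd - - - Failed password for admin from 203.0.113.7
<85>1 2021-02-17T10:00:05Z fw1 sshd - - - Failed password for admin from 203.0.113.7
<85>1 2021-02-17T10:00:09Z fw1 sshd - - - Failed password for admin from 203.0.113.7
<85>1 2021-02-17T10:00:12Z fw1 sshd - - - Failed password for admin from 203.0.113.7
<85>1 2021-02-17T10:00:15Z fw1 sshd - - - Failed password for admin from 203.0.113.7
<86>1 2021-02-17T10:00:20Z fw1 sshd - - - Accepted password for ops from 198.51.100.9
<85>1 2021-02-17T10:30:00Z fw1 sshd - - - Failed password for root from 192.0.2.44
"""

RECORD_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class Notification:
    """Section 4.2: an observed change whose importance is not yet assessed.
    The producer may attach severity metadata, but it is advisory only."""
    time: datetime
    source: str
    kind: str
    attrs: Dict[str, str]
    producer_severity: Optional[int] = None


@dataclass
class I2NSFEvent:
    """An occurrence the observer judged important enough for a policy event-clause.
    Severity follows Section 6: four levels 0..3, smaller is more severe."""
    event_name: str
    time: datetime
    source: str
    severity: int
    details: Dict[str, object]


def homogenize(record_lines: str) -> List[Notification]:
    """Homogenizing function (Section 4.1): convert retained records into
    notifications that can be emitted over an I2NSF interface."""
    out: List[Notification] = []
    for line in record_lines.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                      # unstructured leftovers stay in the log
        f = FAILED_RE.search(m.group("msg"))
        if not f:
            continue                      # only login failures become notifications here
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        out.append(Notification(
            time=ts, source=m.group("host"), kind="login-failure",
            attrs={"user": f.group("user"), "ip": f.group("ip")},
            producer_severity=int(m.group("pri")) & 7))   # syslog severity bits
    return out


def assess(notifications: List[Notification], window_s: int = 60,
           min_count: int = 5) -> List[I2NSFEvent]:
    """Observer-side aggregation: the consuming I2NSF User, not the producer,
    decides what becomes an I2NSF Event. Assumed rule: min_count failures for
    the same user and source address within window_s seconds."""
    by_key: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for n in notifications:
        if n.kind == "login-failure":
            by_key[(n.source, n.attrs["user"], n.attrs["ip"])].append(n.time)
    events: List[I2NSFEvent] = []
    for (src, user, ip), times in by_key.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            j = i + min_count - 1
            if (times[j] - times[i]).total_seconds() <= window_s:
                # name taken from the draft's ACCESS_DENIED system event (7.2.1)
                events.append(I2NSFEvent(
                    "ACCESS_DENIED", times[j], src, severity=1,
                    details={"user": user, "login_ip_address": ip,
                             "count": min_count, "window_s": window_s}))
                break                     # one event per burst
    return events


if __name__ == "__main__":
    for ev in assess(homogenize(SAMPLE_RECORDS)):
        print(ev)
```

The single low-severity failure for "root" stays a notification with no event; only the burst against "admin" becomes expressive enough for an event-clause.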
The mechanisms provided by YANG Push [I-D.ietf-netconf-yang-push] and YANG Subscribed Notifications [I-D.ietf-netconf-subscribed-notifications] address exactly this set of requirements. YANG also enables semantically well-structured information, as well as subscriptions to datastores or event streams, either on change or periodically.

In consequence, the information model in this document is intended to support data models used in solicited or unsolicited event streams that potentially are facilitated by a subscription mechanism. A subset of the information elements defined in the information model addresses this domain of application.

6. Basic Information Model for All Monitoring Data

As explained in the section above, there is a wealth of data available from the NSF that can be monitored. Firstly, there must be some general information with each monitoring message sent from an NSF that helps a consumer to identify the metadata of that message, as listed below:

o message_version: Indicates the version of the data format and is a two-digit decimal numeral starting from 01.

o message_type: Event, Alert, Alarm, Log, Counter, etc.

o vendor_name: The name of the NSF vendor.

o NSF_name: The name (or IP) of the NSF generating the message.

o Severity: Indicates the severity level. There are four levels in total, from 0 to 3. The smaller the numeral is, the higher the severity is.

7. Extended Information Model for Monitoring Data

This section covers the additional information associated with the system messages. The extended information model is only for structured data such as alarms. Any unstructured data is specified with the basic information model only.

7.1. System Alarms

Characteristics:

o acquisition_method: subscription

o emission_type: on-change

o dampening_type: no-dampening

7.1.1. Memory Alarm

The following information should be included in a Memory Alarm:

o event_name: MEM_USAGE_ALARM

o usage: Specifies the amount of memory used.

o threshold: The threshold triggering the alarm

o severity: The severity of the alarm, such as critical, high, medium, low

o message: The memory usage exceeded the threshold.

7.1.2. CPU Alarm

The following information should be included in a CPU Alarm:

o event_name: CPU_USAGE_ALARM

o usage: Specifies the amount of CPU used.

o threshold: The threshold triggering the event

o severity: The severity of the alarm, such as critical, high, medium, low

o message: The CPU usage exceeded the threshold.

7.1.3. Disk Alarm

The following information should be included in a Disk Alarm:

o event_name: DISK_USAGE_ALARM

o usage: Specifies the amount of disk space used.

o threshold: The threshold triggering the event

o severity: The severity of the alarm, such as critical, high, medium, low

o message: The disk usage exceeded the threshold.

7.1.4. Hardware Alarm

The following information should be included in a Hardware Alarm:

o event_name: HW_FAILURE_ALARM

o component_name: Indicates the HW component responsible for generating this alarm.

o severity: The severity of the alarm, such as critical, high, medium, low

o message: The HW component has failed or degraded.

7.1.5. Interface Alarm

The following information should be included in an Interface Alarm:

o event_name: IFNET_STATE_ALARM

o interface_name: The name of the interface

o interface_state: UP, DOWN, CONGESTED

o threshold: The threshold triggering the event

o severity: The severity of the alarm, such as critical, high, medium, low

o message: Current interface state

7.2. System Events

Characteristics:

o acquisition_method: subscription

o emission_type: on-change

o dampening_type: on-repetition

7.2.1. Access Violation

The following information should be included in this event:

o event_name: ACCESS_DENIED

o user: Name of a user

o group: Group to which a user belongs

o login_ip_address: Login IP address of a user

o authentication_mode: User authentication mode, e.g., Local Authentication, Third-Party Server Authentication, Authentication Exemption, Single Sign-On (SSO) Authentication

o message: Access is denied.

7.2.2. Configuration Change

The following information should be included in this event:

o event_name: CONFIG_CHANGE

o user: Name of a user

o group: Group to which a user belongs

o login_ip_address: Login IP address of a user

o authentication_mode: User authentication mode, e.g., Local Authentication, Third-Party Server Authentication, Authentication Exemption, SSO Authentication

o message: Configuration is modified.

7.3. NSF Events

Characteristics:

o acquisition_method: subscription

o emission_type: on-change

o dampening_type: none

7.3.1. DDoS Event

The following information should be included in a DDoS Event:

o event_name: SEC_EVENT_DDoS

o sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood, etc.

o dst_ip: The IP address of the victim under attack

o dst_port: The port number that the attack traffic aims at.

o start_time: The time stamp indicating when the attack started

o end_time: The time stamp indicating when the attack ended. If the attack is still ongoing when the alarm is sent out, this field can be empty.

o attack_rate: The PPS (packets per second) of attack traffic

o attack_speed: The bps (bits per second) of attack traffic

o rule_id: The ID of the rule being triggered

o rule_name: The name of the rule being triggered

o profile: Security profile that the traffic matches.
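An added producer-side example (written for this page, not code from the draft or any NSF vendor) that puts the common header of Section 6 together with the emission characteristics of Sections 7.1 and 7.2: memory usage arrives as periodic samples, yet a MEM_USAGE_ALARM is emitted on-change only when the usage crosses the threshold, while ACCESS_DENIED system events are dampened on-repetition. The draft does not spell out the dampening types, so their interpretation here (no-dampening: every crossing, up and down, is emitted; on-repetition: an event identical to the previous one is suppressed), the mapping of the alarm severity word to the numeric header severity, and all names and sample values are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MESSAGE_TYPES = {"Event", "Alert", "Alarm", "Log", "Counter"}


@dataclass
class MonitoringMessage:
    """Basic information model of Section 6 plus the type-specific payload."""
    message_version: str
    message_type: str
    vendor_name: str
    nsf_name: str
    severity: int
    payload: Dict[str, object] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # message_version: a two-digit decimal numeral starting from "01"
        v = self.message_version
        if not (len(v) == 2 and v.isdigit() and v != "00"):
            raise ValueError("message_version must be a two-digit numeral from 01")
        if self.message_type not in MESSAGE_TYPES:
            raise ValueError("unknown message_type")
        # four severity levels 0..3; the smaller the numeral, the more severe
        if not 0 <= self.severity <= 3:
            raise ValueError("severity must be in 0..3")


class MemoryAlarmProducer:
    """On-change emission (7.1): an alarm is produced only when the polled usage
    crosses the threshold, not on every periodic sample. No-dampening is read
    as 'both the rising and the clearing crossing are emitted' (assumption)."""

    def __init__(self, nsf_name: str, vendor: str, threshold_pct: int) -> None:
        self.nsf_name, self.vendor, self.threshold = nsf_name, vendor, threshold_pct
        self.above = False

    def sample(self, usage_pct: int) -> Optional[MonitoringMessage]:
        now_above = usage_pct >= self.threshold
        if now_above == self.above:
            return None                       # no state change: nothing is emitted
        self.above = now_above
        # assumed mapping: crossing upward is "high" (1), clearing is "low" (3)
        return MonitoringMessage("01", "Alarm", self.vendor, self.nsf_name,
                                 1 if now_above else 3, {
            "event_name": "MEM_USAGE_ALARM",
            "usage": usage_pct,
            "threshold": self.threshold,
            "severity": "high" if now_above else "low",
            "message": ("The memory usage exceeded the threshold" if now_above
                        else "The memory usage returned below the threshold"),
        })


class RepetitionDampener:
    """On-repetition dampening (7.2): a system event identical to the previously
    emitted one (same event_name, user and login IP) is suppressed and counted."""

    def __init__(self) -> None:
        self.last_key: Optional[Tuple[object, object, object]] = None
        self.suppressed = 0

    def emit(self, msg: MonitoringMessage) -> Optional[MonitoringMessage]:
        p = msg.payload
        key = (p.get("event_name"), p.get("user"), p.get("login_ip_address"))
        if key == self.last_key:
            self.suppressed += 1
            return None
        self.last_key = key
        return msg


def access_denied_message(user: str, ip: str) -> MonitoringMessage:
    """Constructed ACCESS_DENIED system event (7.2.1) with the draft's fields."""
    return MonitoringMessage("01", "Event", "ExampleVendor", "nsf-fw-01", 2, {
        "event_name": "ACCESS_DENIED", "user": user, "group": "admins",
        "login_ip_address": ip, "authentication_mode": "Local Authentication",
        "message": "Access is denied."})


def run_memory_samples(samples: List[int], threshold: int = 80) -> List[MonitoringMessage]:
    """Feed periodic usage samples (constructed input) and keep only what was emitted."""
    prod = MemoryAlarmProducer("nsf-fw-01", "ExampleVendor", threshold)
    return [m for m in (prod.sample(s) for s in samples) if m is not None]


if __name__ == "__main__":
    for alarm in run_memory_samples([40, 75, 85, 90, 95, 70, 60]):
        print(alarm.severity, alarm.payload["message"])
```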
7.3.2.  Session Table Event

   The following information should be included in a Session Table
   Event:

   o  event_name: SESSION_USAGE_HIGH

   o  current: The number of concurrent sessions

   o  max: The maximum number of sessions that the session table can
      support

   o  threshold: The threshold triggering the event

   o  message: The number of sessions in the session table exceeded the
      threshold.

7.3.3.  Virus Event

   The following information should be included in a Virus Event:

   o  event_name: SEC_EVENT_VIRUS

   o  virus_type: Type of the virus, e.g., trojan, worm, macro virus

   o  virus_name: Name of the virus

   o  dst_ip: The destination IP address of the packet where the virus
      is found

   o  src_ip: The source IP address of the packet where the virus is
      found

   o  src_port: The source port of the packet where the virus is found

   o  dst_port: The destination port of the packet where the virus is
      found

   o  src_zone: The source security zone of the packet where the virus
      is found

   o  dst_zone: The destination security zone of the packet where the
      virus is found

   o  file_type: The type of the file within which the virus is hidden

   o  file_name: The name of the file within which the virus is hidden

   o  virus_info: A brief description of the virus

   o  raw_info: The information describing the packet triggering the
      event.

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that traffic matches.

7.3.4.  Intrusion Event

   The following information should be included in an Intrusion Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Intrusion

   o  sub_attack_type: Attack type, e.g., brute force and buffer
      overflow

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that traffic matches

   o  intrusion_info: Simple description of the intrusion

   o  raw_info: The information describing the packet triggering the
      event

7.3.5.  Botnet Event

   The following information should be included in a Botnet Event:

   o  event_name: The name of the event, e.g., SEC_EVENT_Botnet

   o  botnet_name: The name of the detected botnet

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  protocol: The employed transport layer protocol, e.g., TCP and UDP

   o  app: The employed application layer protocol, e.g., HTTP and FTP

   o  role: The role of the communicating parties within the botnet:

      1.  The packet from the zombie host to the attacker

      2.  The packet from the attacker to the zombie host

      3.  The packet from the IRC/WEB server to the zombie host

      4.  The packet from the zombie host to the IRC/WEB server

      5.  The packet from the attacker to the IRC/WEB server

      6.  The packet from the IRC/WEB server to the attacker

      7.  The packet from the zombie host to the victim

   o  botnet_info: Simple description of the botnet

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that traffic matches

   o  raw_info: The information describing the packet triggering the
      event.

7.3.6.  Web Attack Event

   The following information should be included in a Web Attack Alarm:

   o  event_name: The name of the event, e.g., SEC_EVENT_Web_Attack

   o  sub_attack_type: Concrete web attack type, e.g., SQL injection,
      command injection, XSS, CSRF

   o  src_ip: The source IP address of the packet

   o  dst_ip: The destination IP address of the packet

   o  src_port: The source port number of the packet

   o  dst_port: The destination port number of the packet

   o  src_zone: The source security zone of the packet

   o  dst_zone: The destination security zone of the packet

   o  req_method: The request method, for instance "PUT" and "GET" in
      HTTP

   o  req_url: Requested URL

   o  url_category: Matched URL category

   o  filtering_type: URL filtering type, e.g., Blacklist, Whitelist,
      User-Defined, Predefined, Malicious Category, and Unknown

   o  rule_id: The ID of the rule being triggered

   o  rule_name: The name of the rule being triggered

   o  profile: Security profile that traffic matches

7.4.  System Logs

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.4.1.  Access Log

   Access logs record administrators' login, logout, and operations on a
   device.  By analyzing them, security vulnerabilities can be
   identified.  The following information should be included in an
   operation report:

   o  administrator: Administrator that operates on the device

   o  login_ip_address: IP address used by an administrator to log in

   o  login_mode: The mode in which the administrator logs in, e.g.,
      root, user

   o  operation_type: The operation type that the administrator
      executes, e.g., login, logout, and configuration.

   o  result: Command execution result

   o  content: Operation performed by an administrator after login.

7.4.2.  Resource Utilization Log

   Running reports record the device system's running status, which is
   useful for device monitoring.  The following information should be
   included in a running report:

   o  system_status: The current system's running status

   o  CPU_usage: Specifies the CPU usage.

   o  memory_usage: Specifies the memory usage.

   o  disk_usage: Specifies the disk usage.

   o  disk_left: Specifies the available disk space left.

   o  session_number: Specifies the total number of concurrent sessions.

   o  process_number: Specifies the total number of system processes.

   o  in_traffic_rate: The total inbound traffic rate in pps

   o  out_traffic_rate: The total outbound traffic rate in pps

   o  in_traffic_speed: The total inbound traffic speed in bps

   o  out_traffic_speed: The total outbound traffic speed in bps

7.4.3.  User Activity Log

   User activity logs provide visibility into users' online records
   (such as login time, online/lockout duration, and login IP addresses)
   and the actions that users perform.  User activity reports are
   helpful for identifying exceptions during a user's login and network
   access activities.

   o  user: Name of a user

   o  group: Group to which a user belongs

   o  login_ip_address: Login IP address of a user

   o  authentication_mode: User authentication mode, e.g., Local
      Authentication, Third-Party Server Authentication, Authentication
      Exemption, SSO Authentication

   o  access_mode: User access mode, e.g., PPP, SVN, LOCAL

   o  online_duration: Online duration

   o  lockout_duration: Lockout duration

   o  type: User activities, e.g., Successful User Login, Failed Login
      Attempts, User Logout, Successful User Password Change, Failed
      User Password Change, User Lockout, User Unlocking, Unknown

   o  cause: Cause of a failed user activity

7.5.  NSF Logs

   Characteristics:

   o  acquisition_method: subscription

   o  emission_type: on-change

   o  dampening_type: on-repetition

7.5.1.  DPI Log

   DPI logs provide statistics on uploaded and downloaded files and
   data, sent and received emails, and alert and block records on
   websites.  They help reveal risky user behaviors and why access to
   some URLs is blocked, or allowed with an alert record.

   o  type: DPI action types, e.g., File Blocking, Data Filtering, and
      Application Behavior Control

   o  file_name: The file name

   o  file_type: The file type

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of traffic

   o  dst_region: Destination region of traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy ID that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  action: Action defined in the file blocking rule, data filtering
      rule, or application behavior control rule that traffic matches.

7.5.2.  Vulnerability Scanning Log

   Vulnerability scanning logs record the victim host and its related
   vulnerability information that should be fixed.  The following
   information should be included in the report:

   o  victim_ip: IP address of the victim host which has vulnerabilities

   o  vulnerability_id: The vulnerability ID

   o  vulnerability_level: The vulnerability level,
      e.g., high, middle, and low

   o  OS: The operating system of the victim host

   o  service: The service which has the vulnerability on the victim
      host

   o  protocol: The protocol type, e.g., TCP and UDP

   o  port: The port number

   o  vulnerability_info: The information about the vulnerability

   o  fix_suggestion: The fix suggestion for the vulnerability.

7.5.3.  Web Attack Log

   Besides the fields in a Web Attack Alarm, the following information
   should be included in a Web Attack Report:

   o  attack_type: Web Attack

   o  rsp_code: Response code

   o  req_clientapp: The client application

   o  req_cookies: Cookies

   o  req_host: The domain name of the requested host

   o  raw_info: The information describing the packet triggering the
      event.

7.6.  System Counter

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

7.6.1.  Interface Counter

   Interface counters provide visibility into traffic into and out of an
   NSF, and bandwidth usage.

   o  interface_name: Network interface name configured in the NSF

   o  in_total_traffic_pkts: Total inbound packets

   o  out_total_traffic_pkts: Total outbound packets

   o  in_total_traffic_bytes: Total inbound bytes

   o  out_total_traffic_bytes: Total outbound bytes

   o  in_drop_traffic_pkts: Total inbound dropped packets

   o  out_drop_traffic_pkts: Total outbound dropped packets

   o  in_drop_traffic_bytes: Total inbound dropped bytes

   o  out_drop_traffic_bytes: Total outbound dropped bytes

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps

7.7.  NSF Counters

   Characteristics:

   o  acquisition_method: subscription or query

   o  emission_type: periodical

   o  dampening_type: none

7.7.1.  Firewall Counter

   Firewall counters provide visibility into traffic signatures,
   bandwidth usage, and how the configured security and bandwidth
   policies have been applied.

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of traffic

   o  dst_region: Destination region of traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy ID that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  in_interface: Inbound interface of traffic

   o  out_interface: Outbound interface of traffic

   o  total_traffic: Total traffic volume

   o  in_traffic_ave_rate: Inbound traffic average rate in pps

   o  in_traffic_peak_rate: Inbound traffic peak rate in pps

   o  in_traffic_ave_speed: Inbound traffic average speed in bps

   o  in_traffic_peak_speed: Inbound traffic peak speed in bps

   o  out_traffic_ave_rate: Outbound traffic average rate in pps

   o  out_traffic_peak_rate: Outbound traffic peak rate in pps

   o  out_traffic_ave_speed: Outbound traffic average speed in bps

   o  out_traffic_peak_speed: Outbound traffic peak speed in bps.

7.7.2.  Policy Hit Counter

   Policy Hit Counters record the security policy that traffic matches
   and its hit count.  They can be used to check whether policy
   configurations are correct.

   o  src_zone: Source security zone of traffic

   o  dst_zone: Destination security zone of traffic

   o  src_region: Source region of the traffic

   o  dst_region: Destination region of the traffic

   o  src_ip: Source IP address of traffic

   o  src_user: User who generates traffic

   o  dst_ip: Destination IP address of traffic

   o  src_port: Source port of traffic

   o  dst_port: Destination port of traffic

   o  protocol: Protocol type of traffic

   o  app: Application type of traffic

   o  policy_id: Security policy ID that traffic matches

   o  policy_name: Security policy name that traffic matches

   o  hit_times: The number of times the security policy has matched
      the specified traffic.

8.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an administrator
   to check the monitoring data generated by an NSF.  The administrator
   can check the monitoring data through the following process.  When
   an NSF generates monitoring data in the standard format, it forwards
   the data to an NSF data collector.  The NSF data collector delivers
   it to the I2NSF Consumer or the Developer's Management System (DMS)
   so that the administrator can know the state of the I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.  The three main interfaces in the
   I2NSF framework are used for sending monitoring data as follows:

   o  I2NSF Consumer-Facing Interface
      [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User
      makes a security policy and forwards it to the Security Controller
      via the Consumer-Facing Interface, it can specify the threat feed
      for threat prevention, the custom list, the malicious code scan
      group, and the event map group.  They can be used as an event to
      be monitored by an NSF.
   o  I2NSF Registration Interface
      [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions
      Virtualization (NFV) architecture provides the lifecycle
      management of a Virtual Network Function (VNF) via the Ve-Vnfm
      interface.  The role of Ve-Vnfm is to request VNF lifecycle
      management (e.g., the instantiation and de-instantiation of an
      NSF, and load balancing among NSFs), exchange configuration
      information, and exchange status information for a network
      service.  In the I2NSF framework, the DMS manages data about
      resource states and network traffic for the lifecycle management
      of an NSF.  Therefore, the monitoring data generated by NSFs is
      delivered from the NSF data collector to the DMS via either the
      Registration Interface or a new interface.  These data are
      delivered from the DMS to the VNF Manager in the Management and
      Orchestration (MANO) in the NFV system
      [I-D.ietf-i2nsf-applicability].

   o  I2NSF NSF-Facing Interface
      [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level
      security policy from an I2NSF User is translated by the security
      policy translator [I-D.yang-i2nsf-security-policy-translation] in
      the Security Controller, the translated security policy (i.e.,
      low-level policy) is applied to an NSF via the NSF-Facing
      Interface.  The monitoring data model specifies the list of
      events that can trigger Event-Condition-Action (ECA) policies via
      the NSF-Facing Interface.

9.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-nsf-monitoring
     +--ro i2nsf-counters
     |  +--ro system-interface* [interface-name]
     |  |  +--ro acquisition-method?       identityref
     |  |  +--ro emission-type?            identityref
     |  |  +--ro dampening-type?           identityref
     |  |  +--ro interface-name            string
     |  |  +--ro in-total-traffic-pkts?    yang:counter32
     |  |  +--ro out-total-traffic-pkts?   yang:counter32
     |  |  +--ro in-total-traffic-bytes?   uint64
     |  |  +--ro out-total-traffic-bytes?  uint64
     |  |  +--ro in-drop-traffic-pkts?     yang:counter32
     |  |  +--ro out-drop-traffic-pkts?    yang:counter32
     |  |  +--ro in-drop-traffic-bytes?    uint64
     |  |  +--ro out-drop-traffic-bytes?   uint64
     |  |  +--ro total-traffic?            yang:counter32
     |  |  +--ro in-traffic-ave-rate?      uint32
     |  |  +--ro in-traffic-peak-rate?     uint32
     |  |  +--ro in-traffic-ave-speed?     uint32
     |  |  +--ro in-traffic-peak-speed?    uint32
     |  |  +--ro out-traffic-ave-rate?     uint32
     |  |  +--ro out-traffic-peak-rate?    uint32
     |  |  +--ro out-traffic-ave-speed?    uint32
     |  |  +--ro out-traffic-peak-speed?   uint32
     |  |  +--ro message?                  string
     |  |  +--ro vendor-name?              string
     |  |  +--ro nsf-name?                 string
     |  |  +--ro component-name?           string
     |  |  +--ro severity?                 severity
     |  +--ro nsf-firewall* [policy-name]
     |  |  +--ro acquisition-method?       identityref
     |  |  +--ro emission-type?            identityref
     |  |  +--ro dampening-type?           identityref
     |  |  +--ro policy-name               -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
     |  |  +--ro src-user?                 string
     |  |  +--ro total-traffic?            yang:counter32
     |  |  +--ro in-traffic-ave-rate?      uint32
     |  |  +--ro in-traffic-peak-rate?     uint32
     |  |  +--ro in-traffic-ave-speed?     uint32
     |  |  +--ro in-traffic-peak-speed?    uint32
     |  |  +--ro out-traffic-ave-rate?     uint32
     |  |  +--ro out-traffic-peak-rate?    uint32
     |  |  +--ro out-traffic-ave-speed?    uint32
     |  |  +--ro out-traffic-peak-speed?   uint32
     |  |  +--ro message?                  string
     |  |  +--ro vendor-name?              string
     |  |  +--ro nsf-name?                 string
     |  |  +--ro component-name?           string
     |  |  +--ro severity?                 severity
     |  +--ro nsf-policy-hits* [policy-name]
     |     +--ro acquisition-method?       identityref
     |     +--ro emission-type?            identityref
     |     +--ro dampening-type?           identityref
     |     +--ro policy-name               -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
     |     +--ro src-user?                 string
     |     +--ro message?                  string
     |     +--ro vendor-name?              string
     |     +--ro nsf-name?                 string
     |     +--ro component-name?           string
     |     +--ro severity?                 severity
     |     +--ro hit-times?                yang:counter32
     +--rw i2nsf-monitoring-configuration
        +--rw i2nsf-system-detection-alarm-configuration
        |       {i2nsf-system-detection-alarm}?
        |  +--rw enabled?        boolean
        |  +--rw system-alarm* [alarm-type]
        |     +--rw alarm-type    enumeration
        |     +--rw threshold?    uint8
        +--rw i2nsf-system-detection-event-configuration
        |       {i2nsf-system-detection-event}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-ddos-configuration
        |       {i2nsf-nsf-detection-ddos}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-session-table-configuration
        |       {i2nsf-nsf-detection-session-table}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-virus-configuration
        |       {i2nsf-nsf-detection-virus}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-intrusion-configuration
        |       {i2nsf-nsf-detection-intrusion}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-botnet-configuration
        |       {i2nsf-nsf-detection-botnet}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-detection-web-attack-configuration
        |       {i2nsf-nsf-detection-web-attack}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-system-access-log-configuration
        |       {i2nsf-nsf-system-access-log}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-system-res-util-log-configuration
        |       {i2nsf-system-res-util-log}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-system-user-activity-log-configuration
        |       {i2nsf-system-user-activity-log}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-log-dpi-configuration {i2nsf-nsf-log-dpi}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-nsf-log-vuln-scan-configuration
        |       {i2nsf-nsf-log-vuln-scan}?
        |  +--rw enabled?   boolean
        +--rw i2nsf-counter-configuration
           +--rw period?   uint16

   notifications:
     +---n i2nsf-system-detection-alarm {i2nsf-system-detection-alarm}?
     |  +--ro alarm-category?       identityref
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro usage?                uint8
     |  +--ro threshold?            uint8
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-system-detection-event {i2nsf-system-detection-event}?
     |  +--ro event-category?       identityref
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro user                  string
     |  +--ro group                 string
     |  +--ro login-ip-addr         inet:ip-address
     |  +--ro authentication?       identityref
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
     |  +--ro event-name?           identityref
     |  +--ro dst-ip?               inet:ip-address
     |  +--ro dst-port?             inet:port-number
     |  +--ro rule-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
     |  +--ro raw-info?             string
     |  +--ro attack-type?          identityref
     |  +--ro start-time            yang:date-and-time
     |  +--ro end-time              yang:date-and-time
     |  +--ro attack-src-ip?        inet:ip-address
     |  +--ro attack-rate?          uint32
     |  +--ro attack-speed?         uint32
     |  +--ro action?               log-action
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-session-table
             {i2nsf-nsf-detection-session-table}?
     |  +--ro current-session?      uint32
     |  +--ro maximum-session?      uint32
     |  +--ro threshold?            uint32
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-virus {i2nsf-nsf-detection-virus}?
     |  +--ro dst-ip?               inet:ip-address
     |  +--ro dst-port?             inet:port-number
     |  +--ro rule-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
     |  +--ro raw-info?             string
     |  +--ro src-ip?               inet:ip-address
     |  +--ro src-port?             inet:port-number
     |  +--ro src-zone?             string
     |  +--ro dst-zone?             string
     |  +--ro virus?                identityref
     |  +--ro virus-name?           string
     |  +--ro file-type?            string
     |  +--ro file-name?            string
     |  +--ro os?                   string
     |  +--ro action?               log-action
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-intrusion {i2nsf-nsf-detection-intrusion}?
     |  +--ro dst-ip?               inet:ip-address
     |  +--ro dst-port?             inet:port-number
     |  +--ro rule-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
     |  +--ro raw-info?             string
     |  +--ro src-ip?               inet:ip-address
     |  +--ro src-port?             inet:port-number
     |  +--ro src-zone?             string
     |  +--ro dst-zone?             string
     |  +--ro protocol?             identityref
     |  +--ro app?                  string
     |  +--ro attack-type?          identityref
     |  +--ro action?               log-action
     |  +--ro attack-rate?          uint32
     |  +--ro attack-speed?         uint32
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-botnet {i2nsf-nsf-detection-botnet}?
     |  +--ro dst-ip?               inet:ip-address
     |  +--ro dst-port?             inet:port-number
     |  +--ro rule-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
     |  +--ro raw-info?             string
     |  +--ro src-ip?               inet:ip-address
     |  +--ro src-port?             inet:port-number
     |  +--ro src-zone?             string
     |  +--ro dst-zone?             string
     |  +--ro attack-type?          identityref
     |  +--ro protocol?             identityref
     |  +--ro botnet-name?          string
     |  +--ro role?                 string
     |  +--ro action?               log-action
     |  +--ro botnet-pkt-num?       uint8
     |  +--ro os?                   string
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-detection-web-attack
             {i2nsf-nsf-detection-web-attack}?
     |  +--ro dst-ip?               inet:ip-address
     |  +--ro dst-port?             inet:port-number
     |  +--ro rule-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
     |  +--ro raw-info?             string
     |  +--ro src-ip?               inet:ip-address
     |  +--ro src-port?             inet:port-number
     |  +--ro src-zone?             string
     |  +--ro dst-zone?             string
     |  +--ro attack-type?          identityref
     |  +--ro request-method?       identityref
     |  +--ro req-uri?              string
     |  +--ro uri-category?         string
     |  +--ro filtering-type*       identityref
     |  +--ro rsp-code?             string
     |  +--ro req-clientapp?        string
     |  +--ro req-cookies?          string
     |  +--ro req-host?             string
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro action?               log-action
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-system-access-log {i2nsf-nsf-system-access-log}?
     |  +--ro login-ip              inet:ip-address
     |  +--ro administrator?        string
     |  +--ro login-mode?           login-mode
     |  +--ro operation-type?       operation-type
     |  +--ro result?               string
     |  +--ro content?              string
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     +---n i2nsf-system-res-util-log {i2nsf-system-res-util-log}?
     |  +--ro system-status?        string
     |  +--ro cpu-usage?            uint8
     |  +--ro memory-usage?         uint8
     |  +--ro disk-usage?           uint8
     |  +--ro disk-left?            uint8
     |  +--ro session-num?          uint8
     |  +--ro process-num?          uint8
     |  +--ro in-traffic-rate?      uint32
     |  +--ro out-traffic-rate?     uint32
     |  +--ro in-traffic-speed?     uint32
     |  +--ro out-traffic-speed?    uint32
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     +---n i2nsf-system-user-activity-log {i2nsf-system-user-activity-log}?
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro user                  string
     |  +--ro group                 string
     |  +--ro login-ip-addr         inet:ip-address
     |  +--ro authentication?       identityref
     |  +--ro access?               identityref
     |  +--ro online-duration?      string
     |  +--ro logout-duration?      string
     |  +--ro additional-info?      string
     +---n i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}?
     |  +--ro attack-type?          dpi-type
     |  +--ro acquisition-method?   identityref
     |  +--ro emission-type?        identityref
     |  +--ro dampening-type?       identityref
     |  +--ro policy-name
     |          -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
     |  +--ro src-user?             string
     |  +--ro message?              string
     |  +--ro vendor-name?          string
     |  +--ro nsf-name?             string
     |  +--ro component-name?       string
     |  +--ro severity?             severity
     +---n i2nsf-nsf-log-vuln-scan {i2nsf-nsf-log-vuln-scan}?
        +--ro vulnerability-id?     uint8
        +--ro victim-ip?            inet:ip-address
        +--ro protocol?             identityref
        +--ro port-num?             inet:port-number
        +--ro level?                severity
        +--ro os?                   string
        +--ro vulnerability-info?   string
        +--ro fix-suggestion?       string
        +--ro service?              string
        +--ro acquisition-method?   identityref
        +--ro emission-type?        identityref
        +--ro dampening-type?       identityref
        +--ro message?              string
        +--ro vendor-name?          string
        +--ro nsf-name?             string
        +--ro component-name?       string
        +--ro severity?             severity

            Figure 1: Information Model for NSF Monitoring

10.  YANG Data Model

   This section describes a YANG module of I2NSF NSF Monitoring.  This
   YANG module imports from [RFC6991], and makes references to [RFC0768]
   [RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200].

   file "ietf-i2nsf-nsf-monitoring@2021-02-17.yang"

   module ietf-i2nsf-nsf-monitoring {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
     prefix
       nsfmi;
     import ietf-inet-types{
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }
     import ietf-i2nsf-policy-rule-for-nsf {
       prefix nsfi;
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";
     contact
       "WG Web:
        WG List:

        Editor: Jaehoon Paul Jeong

        Editor: Patrick Lingga
        ";

     description
       "This module is a YANG module for I2NSF NSF Monitoring.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with an actual RFC number and remove
     // this note.

     revision "2021-02-17" {
       description "Initial revision";
       reference
         "RFC XXXX: I2NSF NSF Monitoring YANG Data Model";

     // RFC Ed.: replace XXXX with an actual RFC number and remove
     // this note.

     }

     /*
      * Typedefs
      */

     typedef severity {
       type enumeration {
         enum critical {
           description
             "The 'critical' severity level indicates that
              an immediate corrective action is required.
              A 'critical' severity is reported when a service
              becomes totally out of service and must be restored.";
         }
         enum high {
           description
             "The 'high' severity level indicates that
              an urgent corrective action is required.
              A 'high' severity is reported when there is
              a severe degradation in the capability of the
              service and its full capability must be restored.";
         }
         enum middle {
           description
             "The 'middle' severity level indicates the
              existence of a non-service-affecting fault
              condition and corrective action should be done
              to prevent a more serious fault.  The 'middle'
              severity is reported when the detected problem
              is not degrading the capability of the service but
              might do so if not prevented.";
         }
         enum low {
           description
             "The 'low' severity level indicates the detection
              of a potential fault before any effect is felt.
              The 'low' severity is reported when an action should
              be taken before a fault happens.";
         }

       }
       description
         "An indicator representing severity level.  The severity
          levels, starting from the highest, are critical, high,
          middle, and low.";
       reference
         "RFC 8632: A YANG Data Model for Alarm Management -
          The severity levels are defined.";

     }
     typedef log-action {
       type enumeration {
         enum allow {
           description
             "If action is allow";
         }
         enum alert {
           description
             "If action is alert";
         }
         enum block {
           description
             "If action is block";
         }
         enum discard {
           description
             "If action is discard";
         }
         enum declare {
           description
             "If action is declare";
         }
         enum block-ip {
           description
             "If action is block-ip";
         }
         enum block-service {
           description
             "If action is block-service";
         }
       }
       description
         "The type representing the action for logging.";
     }
     typedef dpi-type {
       type enumeration {
         enum file-blocking {
           description
             "DPI for blocking files";
         }
         enum data-filtering {
           description
             "DPI for filtering data";
         }
         enum application-behavior-control {
           description
             "DPI for controlling application behavior";
         }
       }
       description
         "The type of deep packet inspection.";
     }
     typedef operation-type {
       type enumeration {
         enum login {
           description
             "Login operation";
         }
         enum logout {
           description
             "Logout operation";
         }
         enum configuration {
           description
             "Configuration operation";
         }
       }
       description
         "The type of operation done by a user
          during a session.";
     }
     typedef login-mode {
       type enumeration {
         enum root {
           description
             "Root login-mode";
         }
         enum user {
           description
             "User login-mode";
         }
         enum guest {
           description
             "Guest login-mode";
         }

       }
       description
         "The authorization login-mode used by a user.";
     }
     /*
      * Identity
      */
     identity characteristics {
       description
         "Base identity for monitoring information
          characteristics";
     }
     identity acquisition-method {
       base characteristics;
       description
         "The type of acquisition-method.  It can be multiple
          types at once.";
     }
     identity subscription {
       base acquisition-method;
       description
         "The acquisition-method type is subscription.";
     }
     identity query {
       base acquisition-method;
       description
         "The acquisition-method type is query.";
     }
     identity emission-type {
       base characteristics;
       description
         "The type of emission-type.";
     }
     identity periodical {
       base emission-type;
       description
         "The emission-type type is periodical.";
     }
     identity on-change {
       base emission-type;
       description
         "The emission-type type is on-change.";
     }
     identity dampening-type {
       base characteristics;
       description
         "The type of dampening-type.";
     }
     identity no-dampening {
       base dampening-type;
       description
         "The dampening-type is no-dampening.";
     }
     identity on-repetition {
       base dampening-type;
       description
         "The dampening-type is on-repetition.";
     }
     identity none {
       base dampening-type;
       description
         "The dampening-type is none.";
     }
     identity authentication-mode {
       description
         "User authentication mode types:
          e.g., Local Authentication,
          Third-Party Server Authentication,
          Authentication Exemption, or Single Sign-On (SSO)
          Authentication.";
     }
     identity local-authentication {
       base authentication-mode;
       description
         "Authentication-mode : local authentication.";
     }
     identity third-party-server-authentication {
       base
authentication-mode; 1841 description 1842 "If authentication-mode is 1843 third-part-server-authentication"; 1844 } 1845 identity exemption-authentication { 1846 base authentication-mode; 1847 description 1848 "If authentication-mode is 1849 exemption-authentication"; 1850 } 1851 identity sso-authentication { 1852 base authentication-mode; 1853 description 1854 "If authentication-mode is 1855 sso-authentication"; 1856 } 1857 identity alarm-type { 1858 description 1859 "Base identity for detectable alarm types"; 1860 } 1861 identity MEM-USAGE-ALARM { 1862 base alarm-type; 1863 description 1864 "A memory alarm is alerted."; 1865 } 1866 identity CPU-USAGE-ALARM { 1867 base alarm-type; 1868 description 1869 "A CPU alarm is alerted."; 1870 } 1871 identity DISK-USAGE-ALARM { 1872 base alarm-type; 1873 description 1874 "A disk alarm is alerted."; 1875 } 1876 identity HW-FAILURE-ALARM { 1877 base alarm-type; 1878 description 1879 "A hardware alarm is alerted."; 1880 } 1881 identity IFNET-STATE-ALARM { 1882 base alarm-type; 1883 description 1884 "An interface alarm is alerted."; 1885 } 1886 identity event-type { 1887 description 1888 "Base identity for detectable event types"; 1889 } 1890 identity ACCESS-DENIED { 1891 base event-type; 1892 description 1893 "The system event is access-denied."; 1894 } 1895 identity CONFIG-CHANGE { 1896 base event-type; 1897 description 1898 "The system event is config-change."; 1899 } 1901 identity nsf-event-name { 1902 description 1903 "Base identity for detectable NSF event types"; 1904 } 1905 identity SEC-EVENT-DDOS { 1906 base nsf-event-name; 1907 description 1908 "The NSF event is sec-event-ddos."; 1909 } 1910 identity SESSION-USAGE-HIGH { 1911 base nsf-event-name; 1912 description 1913 "The NSF event is session-usage-high."; 1914 } 1915 identity SEC-EVENT-VIRUS { 1916 base nsf-event-name; 1917 description 1918 "The NSF event is sec-event-virus."; 1919 } 1920 identity SEC-EVENT-INTRUSION { 1921 base nsf-event-name; 1922 description 
1923 "The NSF event is sec-event-intrusion."; 1924 } 1925 identity SEC-EVENT-BOTNET { 1926 base nsf-event-name; 1927 description 1928 "The NSF event is sec-event-botnet."; 1929 } 1930 identity SEC-EVENT-WEB-ATTACK { 1931 base nsf-event-name; 1932 description 1933 "The NSF event is sec-event-web-attack."; 1934 } 1935 identity attack-type { 1936 description 1937 "The root ID of attack-based notification 1938 in the notification taxonomy"; 1939 } 1940 identity system-attack-type { 1941 base attack-type; 1942 description 1943 "This ID is intended to be used 1944 in the context of system events."; 1945 } 1946 identity nsf-attack-type { 1947 base attack-type; 1948 description 1949 "This ID is intended to be used 1950 in the context of NSF event."; 1951 } 1952 identity botnet-attack-type { 1953 base nsf-attack-type; 1954 description 1955 "This indicates that this attack type is botnet. 1956 The usual semantic and taxonomy is missing 1957 and a name is used."; 1958 } 1959 identity virus-type { 1960 base nsf-attack-type; 1961 description 1962 "The type of virus. It caan be multiple types at once. 
1963 This attack type is associated with a detected 1964 system-log virus-attack."; 1965 } 1966 identity trojan { 1967 base virus-type; 1968 description 1969 "The detected virus type is trojan."; 1970 } 1971 identity worm { 1972 base virus-type; 1973 description 1974 "The detected virus type is worm."; 1975 } 1976 identity macro { 1977 base virus-type; 1978 description 1979 "The detected virus type is macro."; 1980 } 1981 identity intrusion-attack-type { 1982 base nsf-attack-type; 1983 description 1984 "The attack type is associated with a detected 1985 system-log intrusion."; 1986 } 1987 identity brute-force { 1988 base intrusion-attack-type; 1989 description 1990 "The intrusion type is brute-force."; 1991 } 1992 identity buffer-overflow { 1993 base intrusion-attack-type; 1994 description 1995 "The intrusion type is buffer-overflow."; 1996 } 1997 identity web-attack-type { 1998 base nsf-attack-type; 1999 description 2000 "The attack type is associated with a detected 2001 system-log web-attack."; 2002 } 2003 identity command-injection { 2004 base web-attack-type; 2005 description 2006 "The detected web attack type is command injection."; 2007 } 2008 identity xss { 2009 base web-attack-type; 2010 description 2011 "The detected web attack type is XSS."; 2012 } 2013 identity csrf { 2014 base web-attack-type; 2015 description 2016 "The detected web attack type is CSRF."; 2017 } 2018 identity flood-type { 2019 base nsf-attack-type; 2020 description 2021 "Base identity for detectable flood types"; 2022 } 2023 identity syn-flood { 2024 base flood-type; 2025 description 2026 "A SYN flood is detected."; 2027 } 2028 identity ack-flood { 2029 base flood-type; 2030 description 2031 "An ACK flood is detected."; 2032 } 2033 identity syn-ack-flood { 2034 base flood-type; 2035 description 2036 "A SYN-ACK flood is detected."; 2037 } 2038 identity fin-rst-flood { 2039 base flood-type; 2040 description 2041 "A FIN-RST flood is detected."; 2042 } 2043 identity tcp-con-flood { 2044 
base flood-type; 2045 description 2046 "A TCP connection flood is detected."; 2047 } 2048 identity udp-flood { 2049 base flood-type; 2050 description 2051 "A UDP flood is detected."; 2052 } 2053 identity icmp-flood { 2054 base flood-type; 2055 description 2056 "Either an ICMPv4 or ICMPv6 flood is detected."; 2057 } 2058 identity icmpv4-flood { 2059 base flood-type; 2060 description 2061 "An ICMPv4 flood is detected."; 2062 } 2063 identity icmpv6-flood { 2064 base flood-type; 2065 description 2066 "An ICMPv6 flood is detected."; 2067 } 2068 identity http-flood { 2069 base flood-type; 2070 description 2071 "An HTTP flood is detected."; 2072 } 2073 identity https-flood { 2074 base flood-type; 2075 description 2076 "An HTTPS flood is detected."; 2077 } 2078 identity dns-query-flood { 2079 base flood-type; 2080 description 2081 "A DNS query flood is detected."; 2082 } 2083 identity dns-reply-flood { 2084 base flood-type; 2085 description 2086 "A DNS reply flood is detected."; 2087 } 2088 identity sip-flood { 2089 base flood-type; 2090 description 2091 "An SIP flood is detected."; 2092 } 2094 identity req-method { 2095 description 2096 "A set of request types (if applicable). 2097 For instance, PUT or GET in HTTP."; 2098 } 2099 identity put-req { 2100 base req-method; 2101 description 2102 "The detected request type is PUT."; 2103 } 2104 identity get-req { 2105 base req-method; 2106 description 2107 "The detected request type is GET."; 2108 } 2109 identity filter-type { 2110 description 2111 "The type of filter used to detect an attack, 2112 for example, a web-attack. It can be applicable to 2113 more than web-attacks. 
It can be more than one type."; 2114 } 2115 identity whitelist { 2116 base filter-type; 2117 description 2118 "The applied filter type is whitelist."; 2119 } 2120 identity blacklist { 2121 base filter-type; 2122 description 2123 "The applied filter type is blacklist."; 2124 } 2125 identity user-defined { 2126 base filter-type; 2127 description 2128 "The applied filter type is user-defined."; 2129 } 2130 identity balicious-category { 2131 base filter-type; 2132 description 2133 "The applied filter is balicious category."; 2134 } 2135 identity unknown-filter { 2136 base filter-type; 2137 description 2138 "The applied filter is unknown."; 2139 } 2141 identity access-mode { 2142 description 2143 "Base identity for detectable access mode."; 2144 } 2145 identity ppp { 2146 base access-mode; 2147 description 2148 "Access-mode: ppp"; 2149 } 2150 identity svn { 2151 base access-mode; 2152 description 2153 "Access-mode: svn"; 2154 } 2155 identity local { 2156 base access-mode; 2157 description 2158 "Access-mode: local"; 2159 } 2161 identity protocol-type { 2162 description 2163 "An identity used to enable type choices in leaves 2164 and leaflists with respect to protocol metadata."; 2165 } 2166 identity tcp { 2167 base ipv4; 2168 base ipv6; 2169 description 2170 "TCP protocol type."; 2171 reference 2172 "RFC 793: Transmission Control Protocol"; 2173 } 2174 identity udp { 2175 base ipv4; 2176 base ipv6; 2177 description 2178 "UDP protocol type."; 2179 reference 2180 "RFC 768: User Datagram Protocol"; 2181 } 2182 identity icmp { 2183 base ipv4; 2184 base ipv6; 2185 description 2186 "General ICMP protocol type."; 2187 reference 2188 "RFC 792: Internet Control Message Protocol 2189 RFC 4443: Internet Control Message Protocol 2190 (ICMPv6) for the Internet Protocol Version 6 2191 (IPv6) Specification"; 2192 } 2193 identity icmpv4 { 2194 base ipv4; 2195 description 2196 "ICMPv4 protocol type."; 2197 reference 2198 "RFC 791: Internet Protocol 2199 RFC 792: Internet Control Message 
Protocol"; 2200 } 2201 identity icmpv6 { 2202 base ipv6; 2203 description 2204 "ICMPv6 protocol type."; 2205 reference 2206 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2207 RFC 4443: Internet Control Message Protocol (ICMPv6) 2208 for the Internet Protocol Version 6 (IPv6) 2209 Specification"; 2210 } 2211 identity ip { 2212 base protocol-type; 2213 description 2214 "General IP protocol type."; 2215 reference 2216 "RFC 791: Internet Protocol 2217 RFC 8200: Internet Protocol, Version 6 (IPv6)"; 2218 } 2219 identity ipv4 { 2220 base ip; 2221 description 2222 "IPv4 protocol type."; 2223 reference 2224 "RFC 791: Internet Protocol"; 2225 } 2226 identity ipv6 { 2227 base ip; 2228 description 2229 "IPv6 protocol type."; 2230 reference 2231 "RFC 8200: Internet Protocol, Version 6 (IPv6)"; 2232 } 2233 identity http { 2234 base tcp; 2235 description 2236 "HTPP protocol type."; 2237 reference 2238 "RFC 2616: Hypertext Transfer Protocol"; 2239 } 2240 identity ftp { 2241 base tcp; 2242 description 2243 "FTP protocol type."; 2244 reference 2245 "RFC 959: File Transfer Protocol"; 2246 } 2248 /* 2249 * Grouping 2250 */ 2252 grouping common-monitoring-data { 2253 description 2254 "A set of common monitoring data that is needed 2255 as the basic information."; 2256 leaf message { 2257 type string; 2258 description 2259 "This is a freetext annotation for 2260 monitoring a notification's content."; 2261 } 2262 leaf vendor-name { 2263 type string; 2264 description 2265 "The name of the NSF vendor"; 2266 } 2267 leaf nsf-name { 2268 type string; 2269 description 2270 "The name (or IP) of the NSF generating the message."; 2271 } 2272 leaf component-name { 2273 type string; 2274 description 2275 "The hardware component responsible for generating 2276 the message."; 2277 } 2278 leaf severity { 2279 type severity; 2280 description 2281 "The severity of the alarm such as critical, high, 2282 middle, low."; 2283 } 2284 } 2285 grouping characteristics { 2286 description 2287 "A set of 
characteristics of a notification."; 2288 leaf acquisition-method { 2289 type identityref { 2290 base acquisition-method; 2292 } 2293 description 2294 "The acquisition-method for characteristics"; 2295 } 2296 leaf emission-type { 2297 type identityref { 2298 base emission-type; 2299 } 2300 description 2301 "The emission-type for characteristics"; 2302 } 2303 leaf dampening-type { 2304 type identityref { 2305 base dampening-type; 2306 } 2307 description 2308 "The dampening-type for characteristics"; 2309 } 2310 } 2311 grouping i2nsf-system-alarm-type-content { 2312 description 2313 "A set of contents for alarm type notification."; 2314 leaf usage { 2315 type uint8 { 2316 range "0..100"; 2317 } 2318 units "percent"; 2319 description 2320 "Specifies the used percentage"; 2321 } 2322 leaf threshold { 2323 type uint8 { 2324 range "0..100"; 2325 } 2326 units "percent"; 2327 description 2328 "The threshold percentage triggering the alarm or 2329 the event"; 2330 } 2331 } 2332 grouping i2nsf-system-event-type-content { 2333 description 2334 "System event metadata associated with system events 2335 caused by user activity."; 2336 leaf user { 2337 type string; 2338 mandatory true; 2339 description 2340 "The name of a user"; 2341 } 2342 leaf group { 2343 type string; 2344 mandatory true; 2345 description 2346 "The group to which a user belongs."; 2347 } 2348 leaf login-ip-addr { 2349 type inet:ip-address; 2350 mandatory true; 2351 description 2352 "The login IPv4 (or IPv6) address of a user."; 2353 } 2354 leaf authentication { 2355 type identityref { 2356 base authentication-mode; 2357 } 2358 description 2359 "The authentication-mode for authentication"; 2360 } 2361 } 2362 grouping i2nsf-nsf-event-type-content { 2363 description 2364 "A set of common IPv4 (or IPv6)-related NSF event 2365 content elements"; 2366 leaf dst-ip { 2367 type inet:ip-address; 2368 description 2369 "The destination IPv4 (IPv6) address of the packet"; 2370 } 2371 leaf dst-port { 2372 type 
inet:port-number; 2373 description 2374 "The destination port of the packet"; 2375 } 2376 leaf rule-name { 2377 type leafref { 2378 path 2379 "/nsfi:i2nsf-security-policy/nsfi:system-policy/nsfi:rules/nsfi:rule-name"; 2380 } 2381 mandatory true; 2382 description 2383 "The name of the rule being triggered"; 2384 } 2385 leaf raw-info { 2386 type string; 2387 description 2388 "The information describing the packet 2389 triggering the event."; 2390 } 2391 } 2392 grouping i2nsf-nsf-event-type-content-extend { 2393 description 2394 "A set of extended common IPv4 (or IPv6)-related NSF 2395 event content elements"; 2396 uses i2nsf-nsf-event-type-content; 2397 leaf src-ip { 2398 type inet:ip-address; 2399 description 2400 "The source IPv4 (or IPv6) address of the packet"; 2401 } 2402 leaf src-port { 2403 type inet:port-number; 2404 description 2405 "The source port of the packet"; 2406 } 2407 leaf src-zone { 2408 type string { 2409 length "1..100"; 2410 pattern "[0-9a-zA-Z ]*"; 2411 } 2412 description 2413 "The source security zone of the packet"; 2414 } 2415 leaf dst-zone { 2416 type string { 2417 length "1..100"; 2418 pattern "[0-9a-zA-Z ]*"; 2419 } 2420 description 2421 "The destination security zone of the packet"; 2422 } 2423 } 2424 grouping log-action { 2425 description 2426 "A grouping for logging action."; 2427 leaf action { 2428 type log-action; 2429 description 2430 "Action type: allow, alert, block, discard, declare, 2431 block-ip, block-service"; 2432 } 2433 } 2434 grouping attack-rates { 2435 description 2436 "A set of traffic rates for monitoring attack traffic 2437 data"; 2438 leaf attack-rate { 2439 type uint32; 2440 units "pps"; 2441 description 2442 "The PPS rate of attack traffic"; 2443 } 2444 leaf attack-speed { 2445 type uint32; 2446 units "bps"; 2447 description 2448 "The BPS speed of attack traffic"; 2449 } 2450 } 2451 grouping traffic-rates { 2452 description 2453 "A set of traffic rates for statistics data"; 2454 leaf total-traffic { 2455 type 
yang:counter32; 2456 description 2457 "Total traffic"; 2458 } 2459 leaf in-traffic-ave-rate { 2460 type uint32; 2461 units "pps"; 2462 description 2463 "Inbound traffic average rate in packets per pecond (pps)"; 2464 } 2465 leaf in-traffic-peak-rate { 2466 type uint32; 2467 units "pps"; 2468 description 2469 "Inbound traffic peak rate in packets per Second (pps)"; 2470 } 2471 leaf in-traffic-ave-speed { 2472 type uint32; 2473 units "bps"; 2474 description 2475 "Inbound traffic average speed in bits per second (bps)"; 2476 } 2477 leaf in-traffic-peak-speed { 2478 type uint32; 2479 units "bps"; 2480 description 2481 "Inbound traffic peak speed in bits per second (bps)"; 2482 } 2483 leaf out-traffic-ave-rate { 2484 type uint32; 2485 units "pps"; 2486 description 2487 "Outbound traffic average rate in packets per Second (pps)"; 2488 } 2489 leaf out-traffic-peak-rate { 2490 type uint32; 2491 units "pps"; 2492 description 2493 "Outbound traffic peak rate in packets per Second (pps)"; 2494 } 2495 leaf out-traffic-ave-speed { 2496 type uint32; 2497 units "bps"; 2498 description 2499 "Outbound traffic average speed in bits per second (bps)"; 2500 } 2501 leaf out-traffic-peak-speed { 2502 type uint32; 2503 units "bps"; 2504 description 2505 "Outbound traffic peak speed in bits per second (bps)"; 2506 } 2507 } 2508 grouping i2nsf-system-counter-type-content{ 2509 description 2510 "A set of counters for an interface traffic data."; 2511 leaf interface-name { 2512 type string; 2513 description 2514 "Network interface name configured in an NSF"; 2515 } 2516 leaf in-total-traffic-pkts { 2517 type yang:counter32; 2518 description 2519 "Total inbound packets"; 2520 } 2521 leaf out-total-traffic-pkts { 2522 type yang:counter32; 2523 description 2524 "Total outbound packets"; 2525 } 2526 leaf in-total-traffic-bytes { 2527 type uint64; 2528 units "bytes"; 2529 description 2530 "Total inbound bytes"; 2531 } 2532 leaf out-total-traffic-bytes { 2533 type uint64; 2534 units "bytes"; 2535 
description 2536 "Total outbound bytes"; 2537 } 2538 leaf in-drop-traffic-pkts { 2539 type yang:counter32; 2540 description 2541 "Total inbound drop packets"; 2542 } 2543 leaf out-drop-traffic-pkts { 2544 type yang:counter32; 2545 description 2546 "Total outbound drop packets"; 2547 } 2548 leaf in-drop-traffic-bytes { 2549 type uint64; 2550 units "bytes"; 2551 description 2552 "Total inbound drop bytes"; 2553 } 2554 leaf out-drop-traffic-bytes { 2555 type uint64; 2556 units "bytes"; 2557 description 2558 "Total outbound drop bytes"; 2559 } 2560 uses traffic-rates; 2561 } 2562 grouping i2nsf-nsf-counters-type-content{ 2563 description 2564 "A set of contents of a policy in an NSF."; 2565 leaf policy-name { 2566 type leafref { 2567 path 2568 "/nsfi:i2nsf-security-policy/nsfi:system-policy/nsfi:system-policy-name"; 2569 } 2570 mandatory true; 2571 description 2572 "The name of the policy being triggered"; 2573 } 2574 leaf src-user{ 2575 type string; 2576 description 2577 "User who generates the policy"; 2578 } 2579 } 2580 grouping enable-notification { 2581 leaf enabled { 2582 description 2583 "Enables or Disables the notification. 2584 If 'true', then the notification is enabled. 
2585 If 'false, then the notification is disabled."; 2586 type boolean; 2587 default "true"; 2588 } 2589 } 2591 /* 2592 * Feature Nodes 2593 */ 2595 feature i2nsf-system-detection-alarm { 2596 description 2597 "This feature means it supports I2NSF system-detection-alarm 2598 notification"; 2599 } 2600 feature i2nsf-system-detection-event { 2601 description 2602 "This feature means it supports I2NSF system-detection-event 2603 notification"; 2604 } 2605 feature i2nsf-nsf-detection-ddos { 2606 description 2607 "This feature means it supports I2NSF nsf-detection-flood 2608 notification"; 2609 } 2610 feature i2nsf-nsf-detection-session-table { 2611 description 2612 "This feature means it supports I2NSF nsf-detection-session-table 2613 notification"; 2614 } 2615 feature i2nsf-nsf-detection-virus { 2616 description 2617 "This feature means it supports I2NSF nsf-detection-virus 2618 notification"; 2619 } 2620 feature i2nsf-nsf-detection-intrusion { 2621 description 2622 "This feature means it supports I2NSF nsf-detection-intrusion 2623 notification"; 2624 } 2625 feature i2nsf-nsf-detection-botnet { 2626 description 2627 "This feature means it supports I2NSF nsf-detection-botnet 2628 notification"; 2629 } 2630 feature i2nsf-nsf-detection-web-attack { 2631 description 2632 "This feature means it supports I2NSF nsf-detection-web-attack 2633 notification"; 2634 } 2635 feature i2nsf-nsf-system-access-log { 2636 description 2637 "This feature means it supports I2NSF system-access-log 2638 notification"; 2639 } 2640 feature i2nsf-system-res-util-log { 2641 description 2642 "This feature means it supports I2NSF system-res-util-log 2643 notification"; 2644 } 2645 feature i2nsf-system-user-activity-log { 2646 description 2647 "This feature means it supports I2NSF system-user-activity-log 2648 notification"; 2649 } 2650 feature i2nsf-nsf-log-dpi { 2651 description 2652 "This feature means it supports I2NSF nsf-log-dpi 2653 notification"; 2654 } 2655 feature i2nsf-nsf-log-vuln-scan { 
2656 description 2657 "This feature means it supports I2NSF nsf-log-vuln-scan 2658 notification"; 2659 } 2661 /* 2662 * Notification nodes 2663 */ 2665 notification i2nsf-system-detection-alarm { 2666 description 2667 "This notification is sent, when a system alarm 2668 is detected."; 2669 if-feature "i2nsf-system-detection-alarm"; 2670 leaf alarm-category { 2671 type identityref { 2672 base alarm-type; 2673 } 2674 description 2675 "The alarm category for 2676 system-detection-alarm notification"; 2677 } 2678 uses characteristics; 2679 uses i2nsf-system-alarm-type-content; 2680 uses common-monitoring-data; 2681 } 2682 notification i2nsf-system-detection-event { 2683 description 2684 "This notification is sent, when a security-sensitive 2685 authentication action fails."; 2686 if-feature "i2nsf-system-detection-event"; 2687 leaf event-category { 2688 type identityref { 2689 base event-type; 2690 } 2691 description 2692 "The event category for system-detection-event"; 2693 } 2694 uses characteristics; 2695 uses i2nsf-system-event-type-content; 2696 uses common-monitoring-data; 2697 } 2698 notification i2nsf-nsf-detection-ddos { 2699 description 2700 "This notification is sent, when a specific flood type 2701 is detected."; 2702 if-feature "i2nsf-nsf-detection-ddos"; 2703 leaf event-name { 2704 type identityref { 2705 base SEC-EVENT-DDOS; 2706 } 2707 description 2708 "The event name for nsf-detection-flood"; 2709 } 2710 uses i2nsf-nsf-event-type-content; 2711 leaf attack-type { 2712 type identityref { 2713 base flood-type; 2714 } 2715 description 2716 "Any one of Syn flood, ACK flood, SYN-ACK flood, 2717 FIN/RST flood, TCP Connection flood, UDP flood, 2718 ICMP (i.e., ICMPv4 or ICMPv6)cmp flood, HTTP flood, 2719 HTTPS flood, DNS query flood, DNS reply flood, SIP 2720 flood, etc."; 2721 } 2722 leaf start-time { 2723 type yang:date-and-time; 2724 mandatory true; 2725 description 2726 "The time stamp indicating when the attack started"; 2727 } 2728 leaf end-time { 2729 
type yang:date-and-time; 2730 mandatory true; 2731 description 2732 "The time stamp indicating when the attack ended"; 2733 } 2734 leaf attack-src-ip { 2735 type inet:ip-address; 2736 description 2737 "The source IPv4 (or IPv6) addresses of attack 2738 traffic. If there are a large amount of IPv4 2739 (or IPv6) addresses, then pick a certain number 2740 of resources according to different rules."; 2741 } 2742 uses attack-rates; 2743 uses log-action; 2744 uses characteristics; 2745 uses common-monitoring-data; 2746 } 2747 notification i2nsf-nsf-detection-session-table { 2748 description 2749 "This notification is sent, when a session table 2750 event is detected."; 2751 if-feature "i2nsf-nsf-detection-session-table"; 2752 leaf current-session { 2753 type uint32; 2754 description 2755 "The number of concurrent sessions"; 2756 } 2757 leaf maximum-session { 2758 type uint32; 2759 description 2760 "The maximum number of sessions that the session 2761 table can support"; 2762 } 2763 leaf threshold { 2764 type uint32; 2765 description 2766 "The threshold triggering the event"; 2767 } 2768 uses common-monitoring-data; 2769 } 2770 notification i2nsf-nsf-detection-virus { 2771 description 2772 "This notification is sent, when a virus is detected."; 2773 if-feature "i2nsf-nsf-detection-virus"; 2774 uses i2nsf-nsf-event-type-content-extend; 2775 leaf virus { 2776 type identityref { 2777 base virus-type; 2778 } 2779 description 2780 "The virus type for nsf-detection-virus notification"; 2781 } 2782 leaf virus-name { 2783 type string; 2784 description 2785 "The name of the detected virus"; 2786 } 2787 leaf file-type { 2788 type string; 2789 description 2790 "The type of file virus code is found in (if 2791 applicable)."; 2792 } 2793 leaf file-name { 2794 type string; 2795 description 2796 "The name of file virus code is found in (if 2797 applicable)."; 2798 } 2799 leaf os { 2800 type string; 2801 description 2802 "Simple OS information"; 2803 } 2804 uses log-action; 2805 uses 
characteristics; 2806 uses common-monitoring-data; 2807 } 2808 notification i2nsf-nsf-detection-intrusion { 2809 description 2810 "This notification is sent, when an intrusion event 2811 is detected."; 2812 if-feature "i2nsf-nsf-detection-intrusion"; 2813 uses i2nsf-nsf-event-type-content-extend; 2814 leaf protocol { 2815 type identityref { 2816 base protocol-type; 2817 } 2818 description 2819 "The protocol type for nsf-detection-intrusion 2820 notification"; 2821 } 2822 leaf app { 2823 type string; 2824 description 2825 "The employed application layer protocol"; 2826 } 2827 leaf attack-type { 2828 type identityref { 2829 base intrusion-attack-type; 2830 } 2831 description 2832 "The sub attack type for intrusion attack"; 2833 } 2834 uses log-action; 2835 uses attack-rates; 2836 uses characteristics; 2837 uses common-monitoring-data; 2838 } 2839 notification i2nsf-nsf-detection-botnet { 2840 description 2841 "This notification is sent, when a botnet event is 2842 detected."; 2843 if-feature "i2nsf-nsf-detection-botnet"; 2844 uses i2nsf-nsf-event-type-content-extend; 2845 leaf attack-type { 2846 type identityref { 2847 base botnet-attack-type; 2848 } 2849 description 2850 "The attack type for botnet attack"; 2851 } 2852 leaf protocol { 2853 type identityref { 2854 base protocol-type; 2855 } 2856 description 2857 "The protocol type for nsf-detection-botnet notification"; 2858 } 2859 leaf botnet-name { 2860 type string; 2861 description 2862 "The name of the detected botnet"; 2863 } 2864 leaf role { 2865 type string; 2866 description 2867 "The role of the communicating 2868 parties within the botnet"; 2869 } 2870 uses log-action; 2871 leaf botnet-pkt-num{ 2872 type uint8; 2873 description 2874 "The number of the packets sent to or from the detected botnet"; 2875 } 2876 leaf os{ 2877 type string; 2878 description 2879 "Simple OS information"; 2880 } 2881 uses characteristics; 2882 uses common-monitoring-data; 2883 } 2884 notification i2nsf-nsf-detection-web-attack { 
2885 description 2886 "This notification is sent, when an attack event is 2887 detected."; 2888 uses i2nsf-nsf-event-type-content-extend; 2889 if-feature "i2nsf-nsf-detection-web-attack"; 2890 leaf attack-type { 2891 type identityref { 2892 base web-attack-type; 2893 } 2894 description 2895 "Concrete web attack type, e.g., SQL injection, 2896 command injection, XSS, and CSRF."; 2897 } 2898 leaf request-method { 2899 type identityref { 2900 base req-method; 2901 } 2902 description 2903 "The method of requirement. For instance, PUT or 2904 GET in HTTP."; 2905 } 2906 leaf req-uri { 2907 type string; 2908 description 2909 "Requested URI"; 2910 } 2911 leaf uri-category { 2912 type string; 2913 description 2914 "Matched URI category"; 2915 } 2916 leaf-list filtering-type { 2917 type identityref { 2918 base filter-type; 2919 } 2920 description 2921 "URL filtering type, e.g., Blacklist, Whitelist, 2922 User-Defined, Predefined, Malicious Category, 2923 and Unknown"; 2924 } 2925 leaf rsp-code { 2926 type string; 2927 description 2928 "Response code"; 2929 } 2930 leaf req-clientapp { 2931 type string; 2932 description 2933 "The client application"; 2934 } 2935 leaf req-cookies { 2936 type string; 2937 description 2938 "Cookies"; 2939 } 2940 leaf req-host { 2941 type string; 2942 description 2943 "The domain name of the requested host"; 2944 } 2945 uses characteristics; 2946 uses log-action; 2947 uses common-monitoring-data; 2948 } 2949 notification i2nsf-nsf-system-access-log { 2950 description 2951 "The notification is sent, if there is a new system 2952 log entry about a system access event."; 2953 if-feature "i2nsf-nsf-system-access-log"; 2954 leaf login-ip { 2955 type inet:ip-address; 2956 mandatory true; 2957 description 2958 "Login IP address of a user"; 2959 } 2960 leaf administrator { 2961 type string; 2962 description 2963 "Administrator that maintains the device"; 2964 } 2965 leaf login-mode { 2966 type login-mode; 2967 description 2968 "Specifies the administrator 
log-in mode"; 2969 } 2970 leaf operation-type { 2971 type operation-type; 2972 description 2973 "The operation type that the administrator executes"; 2974 } 2975 leaf result { 2976 type string; 2977 description 2978 "Command execution result"; 2979 } 2980 leaf content { 2981 type string; 2982 description 2983 "The Operation performed by an administrator after 2984 login"; 2985 } 2986 uses characteristics; 2987 } 2988 notification i2nsf-system-res-util-log { 2989 description 2990 "This notification is sent, if there is a new log 2991 entry representing resource utilization updates."; 2992 if-feature "i2nsf-system-res-util-log"; 2993 leaf system-status { 2994 type string; 2995 description 2996 "The current systems running status"; 2997 } 2998 leaf cpu-usage { 2999 type uint8; 3000 description 3001 "Specifies the relative amount of CPU usage with 3002 respect to platform resources"; 3003 } 3004 leaf memory-usage { 3005 type uint8; 3006 description 3007 "Specifies the amount of memory usage."; 3008 } 3009 leaf disk-usage { 3010 type uint8; 3011 description 3012 "Specifies the amount of disk usage"; 3013 } 3014 leaf disk-left { 3015 type uint8; 3016 description 3017 "Specifies the amount of disk left"; 3018 } 3019 leaf session-num { 3020 type uint8; 3021 description 3022 "The total number of sessions"; 3023 } 3024 leaf process-num { 3025 type uint8; 3026 description 3027 "The total number of process"; 3028 } 3029 leaf in-traffic-rate { 3030 type uint32; 3031 units "pps"; 3032 description 3033 "The total inbound traffic rate in pps"; 3034 } 3035 leaf out-traffic-rate { 3036 type uint32; 3037 units "pps"; 3038 description 3039 "The total outbound traffic rate in pps"; 3040 } 3041 leaf in-traffic-speed { 3042 type uint32; 3043 units "bps"; 3044 description 3045 "The total inbound traffic speed in bps"; 3046 } 3047 leaf out-traffic-speed { 3048 type uint32; 3049 units "bps"; 3050 description 3051 "The total outbound traffic speed in bps"; 3052 } 3053 uses characteristics; 
3054 } 3055 notification i2nsf-system-user-activity-log { 3056 description 3057 "This notification is sent, if there is a new user 3058 activity log entry."; 3059 if-feature "i2nsf-system-user-activity-log"; 3060 uses characteristics; 3061 uses i2nsf-system-event-type-content; 3062 leaf access { 3063 type identityref { 3064 base access-mode; 3065 } 3066 description 3067 "The access type for system-user-activity-log 3068 notification"; 3069 } 3070 leaf online-duration { 3071 type string; 3072 description 3073 "Online duration"; 3074 } 3075 leaf logout-duration { 3076 type string; 3077 description 3078 "Lockout duration"; 3079 } 3080 leaf additional-info { 3081 type string; 3082 description 3083 "User activities, e.g., Successful User Login, 3084 Failed Login attempts, User Logout, Successful User 3085 Password Change, Failed User Password Change, User 3086 Lockout, User Unlocking, and Unknown."; 3087 } 3088 } 3089 notification i2nsf-nsf-log-dpi { 3090 description 3091 "This notification is sent, if there is a new DPI 3092 event in the NSF log."; 3093 if-feature "i2nsf-nsf-log-dpi"; 3094 leaf attack-type { 3095 type dpi-type; 3096 description 3097 "The type of the DPI"; 3098 } 3099 uses characteristics; 3100 uses i2nsf-nsf-counters-type-content; 3101 uses common-monitoring-data; 3102 } 3103 notification i2nsf-nsf-log-vuln-scan { 3104 description 3105 "This notification is sent, if there is a new 3106 vulnerability-scan report in the NSF log."; 3107 if-feature "i2nsf-nsf-log-vuln-scan"; 3108 leaf vulnerability-id { 3109 type uint8; 3110 description 3111 "The vulnerability ID"; 3112 } 3113 leaf victim-ip { 3114 type inet:ip-address; 3115 description 3116 "IPv4 (or IPv6) address of the victim host which 3117 has vulnerabilities"; 3118 } 3119 leaf protocol { 3120 type identityref { 3121 base protocol-type; 3122 } 3123 description 3124 "The protocol type for nsf-log-vuln-scan 3125 notification"; 3126 } 3127 leaf port-num { 3128 type inet:port-number; 3129 description 3130 
"The port number"; 3131 } 3132 leaf level { 3133 type severity; 3134 description 3135 "The vulnerability severity"; 3136 } 3137 leaf os { 3138 type string; 3139 description 3140 "simple OS information"; 3141 } 3142 leaf vulnerability-info { 3143 type string; 3144 description 3145 "The information about the vulnerability"; 3146 } 3147 leaf fix-suggestion { 3148 type string; 3149 description 3150 "The fix suggestion to the vulnerability"; 3151 } 3152 leaf service { 3153 type string; 3154 description 3155 "The service which has vulnerability in the victim 3156 host"; 3157 } 3158 uses characteristics; 3159 uses common-monitoring-data; 3160 } 3162 /* 3163 * Data nodes 3164 */ 3165 container i2nsf-counters { 3166 description 3167 "This is probably better covered by an import as this 3168 will not be notifications. Counters are not very 3169 suitable as telemetry, maybe via periodic 3170 subscriptions, which would still violate the principle 3171 of least surprise."; 3172 config false; 3173 list system-interface { 3174 description 3175 "Interface counters provide the visibility of traffic into and 3176 out of an NSF, and bandwidth usage."; 3177 key interface-name; 3178 uses characteristics; 3179 uses i2nsf-system-counter-type-content; 3180 uses common-monitoring-data; 3181 } 3182 list nsf-firewall { 3183 description 3184 "Firewall counters provide the visibility of traffic signatures, 3185 bandwidth usage, and how the configured security and bandwidth 3186 policies have been applied."; 3187 key policy-name; 3188 uses characteristics; 3189 uses i2nsf-nsf-counters-type-content; 3190 uses traffic-rates; 3191 uses common-monitoring-data; 3192 } 3193 list nsf-policy-hits { 3194 description 3195 "Policy Hit Counters record the number of hits that traffic 3196 packets match a security policy. 
It can check if policy 3197 configurations are correct or not."; 3198 key policy-name; 3199 uses characteristics; 3200 uses i2nsf-nsf-counters-type-content; 3201 uses common-monitoring-data; 3202 leaf hit-times { 3203 type yang:counter32; 3204 description 3205 "The number of times a policy is hit"; 3206 } 3207 } 3208 } 3210 container i2nsf-monitoring-configuration { 3211 container i2nsf-system-detection-alarm-configuration { 3212 if-feature "i2nsf-system-detection-alarm"; 3213 description 3214 "The container for configuring I2NSF system-detection-alarm 3215 notification"; 3216 uses enable-notification; 3217 list system-alarm { 3218 description 3219 "Configuration for system alarm (i.e., CPU, Memory, 3220 and Disk Usage)"; 3221 key alarm-type; 3222 leaf alarm-type { 3223 type enumeration { 3224 enum CPU { 3225 description 3226 "To configure the CPU usage threshold to trigger the 3227 CPU-USAGE-ALARM"; 3228 } 3229 enum Memory { 3230 description 3231 "To configure the Memory usage threshold to trigger the 3232 MEM-USAGE-ALARM"; 3233 } 3234 enum Disk { 3235 description 3236 "To configure the Disk (storage) usage threshold to 3237 trigger the DISK-USAGE-ALARM"; 3238 } 3239 } 3240 description 3241 "Type of alarm to be configured"; 3242 } 3243 leaf threshold { 3244 type uint8 { 3245 range "0..100"; 3246 } 3247 units "percent"; 3248 description 3249 "The configuration for threshold percentage to trigger 3250 the alarm."; 3251 } 3252 } 3253 } 3254 container i2nsf-system-detection-event-configuration { 3255 if-feature "i2nsf-system-detection-event"; 3256 description 3257 "The container for configuring I2NSF system-detection-event 3258 notification"; 3259 uses enable-notification; 3260 } 3261 container i2nsf-nsf-detection-ddos-configuration { 3262 if-feature "i2nsf-nsf-detection-ddos"; 3263 description 3264 "The container for configuring I2NSF nsf-detection-flood 3265 notification"; 3266 uses enable-notification; 3267 } 3268 container 
i2nsf-nsf-detection-session-table-configuration { 3269 if-feature "i2nsf-nsf-detection-session-table"; 3270 description 3271 "The container for configuring I2NSF nsf-detection-session-table 3272 notification"; 3273 uses enable-notification; 3274 } 3275 container i2nsf-nsf-detection-virus-configuration { 3276 if-feature "i2nsf-nsf-detection-virus"; 3277 description 3278 "The container for configuring I2NSF nsf-detection-virus 3279 notification"; 3280 uses enable-notification; 3281 } 3282 container i2nsf-nsf-detection-intrusion-configuration { 3283 if-feature "i2nsf-nsf-detection-intrusion"; 3284 description 3285 "The container for configuring I2NSF nsf-detection-intrusion 3286 notification"; 3287 uses enable-notification; 3288 } 3289 container i2nsf-nsf-detection-botnet-configuration { 3290 if-feature "i2nsf-nsf-detection-botnet"; 3291 description 3292 "The container for configuring I2NSF nsf-detection-botnet 3293 notification"; 3294 uses enable-notification; 3295 } 3296 container i2nsf-nsf-detection-web-attack-configuration { 3297 if-feature "i2nsf-nsf-detection-web-attack"; 3298 description 3299 "The container for configuring I2NSF nsf-detection-web-attack 3300 notification"; 3301 uses enable-notification; 3302 } 3303 container i2nsf-nsf-system-access-log-configuration { 3304 if-feature "i2nsf-nsf-system-access-log"; 3305 description 3306 "The container for configuring I2NSF system-access-log 3307 notification"; 3308 uses enable-notification; 3309 } 3310 container i2nsf-system-res-util-log-configuration { 3311 if-feature "i2nsf-system-res-util-log"; 3312 description 3313 "The container for configuring I2NSF system-res-util-log 3314 notification"; 3315 uses enable-notification; 3316 } 3317 container i2nsf-system-user-activity-log-configuration { 3318 if-feature "i2nsf-system-user-activity-log"; 3319 description 3320 "The container for configuring I2NSF system-user-activity-log 3321 notification"; 3322 uses enable-notification; 3323 } 3324 container 
i2nsf-nsf-log-dpi-configuration { 3325 if-feature "i2nsf-nsf-log-dpi"; 3326 description 3327 "The container for configuring I2NSF nsf-log-dpi 3328 notification"; 3329 uses enable-notification; 3330 } 3331 container i2nsf-nsf-log-vuln-scan-configuration { 3332 if-feature "i2nsf-nsf-log-vuln-scan"; 3333 description 3334 "The container for configuring I2NSF nsf-log-vuln-scan 3335 notification"; 3336 uses enable-notification; 3337 } 3338 container i2nsf-counter-configuration { 3339 description 3340 "This is used to configure the counters 3341 for monitoring an NSF"; 3342 leaf period { 3343 description 3344 "The configuration for the period interval of reporting 3345 the counter. If 0, then the counter period is disabled. 3347 If value is not 0, then the counter will be reported 3348 following the period value."; 3349 type uint16; 3350 units "minutes"; 3351 default 0; 3352 } 3353 } 3354 } 3355 } 3356 3358 Figure 2: Data Model of Monitoring 3360 11. I2NSF Event Stream 3362 This section discusses the NETCONF event stream for I2NSF NSF 3363 Monitoring subscription. The YANG module in this document supports 3364 "ietf-subscribed-notifications" YANG module [RFC8639] for 3365 subscription. The reserved event stream name for this document is 3366 "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support 3367 "I2NSF-Monitoring" event stream for an NSF data collector (e.g., 3368 Security Controller and NSF data analyzer). The "I2NSF-Monitoring" 3369 event stream contains all I2NSF events described in this document. 
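   The collector side of this exchange, as an added example that is not
   code from this document or from the I2NSF project: it reads the event
   streams an NSF advertises, refuses to proceed unless the reserved
   "I2NSF-Monitoring" stream is present, and then builds the RFC 8639
   establish-subscription RPC for it.  The streams reply is constructed
   sample input in the shape of the RFC 8639 "streams" container (where
   replay-support is a presence leaf), which is an assumption of the
   example, and nothing is sent over the network.

```python
"""Added example: check that an NSF advertises the I2NSF-Monitoring event
stream and build the RFC 8639 establish-subscription RPC for it.  Not
code from the draft; the streams reply below is constructed sample input."""
from typing import Optional
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
SN_NS = "urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"  # RFC 8639
I2NSF_STREAM = "I2NSF-Monitoring"  # stream name reserved by this document

ET.register_namespace("", NC_NS)   # serialise <rpc> in the default namespace
ET.register_namespace("sn", SN_NS)

# Constructed sample (not a captured message): a <get> reply carrying the
# RFC 8639 /streams container of an NSF that supports replay on the I2NSF stream.
SAMPLE_STREAMS_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="100">
  <data>
    <streams xmlns="{SN_NS}">
      <stream>
        <name>NETCONF</name>
        <description>Default NETCONF Event Stream</description>
      </stream>
      <stream>
        <name>I2NSF-Monitoring</name>
        <description>I2NSF Monitoring Event Stream</description>
        <replay-support/>
        <replay-log-creation-time>2021-02-17T09:37:39+00:00</replay-log-creation-time>
      </stream>
    </streams>
  </data>
</rpc-reply>"""


def advertised_streams(rpc_reply_xml: str) -> dict:
    """Map each advertised stream name to whether replay is supported.
    replay-support is type 'empty' in RFC 8639, so the check is
    'element present', not 'text equals true'."""
    root = ET.fromstring(rpc_reply_xml)
    streams = {}
    for stream in root.iter(f"{{{SN_NS}}}stream"):
        name = (stream.findtext(f"{{{SN_NS}}}name") or "").strip()
        if name:
            streams[name] = stream.find(f"{{{SN_NS}}}replay-support") is not None
    return streams


def build_establish_subscription(stream: str, message_id: str = "101",
                                 replay_start_time: Optional[str] = None) -> str:
    """Serialise an establish-subscription for `stream` with XML encoding.
    replay-start-time is only meaningful when the stream supports replay."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    req = ET.SubElement(rpc, f"{{{SN_NS}}}establish-subscription")
    ET.SubElement(req, f"{{{SN_NS}}}stream").text = stream
    ET.SubElement(req, f"{{{SN_NS}}}encoding").text = "encode-xml"
    if replay_start_time:
        ET.SubElement(req, f"{{{SN_NS}}}replay-start-time").text = replay_start_time
    return ET.tostring(rpc, encoding="unicode")


def subscription_target(rpc_xml: str) -> tuple:
    """Parse an establish-subscription back into
    (stream, encoding, replay-start-time or None); used to round-trip what we built."""
    root = ET.fromstring(rpc_xml)
    req = root.find(f"{{{SN_NS}}}establish-subscription")
    if req is None:
        raise ValueError("not an establish-subscription RPC")
    return (req.findtext(f"{{{SN_NS}}}stream"),
            req.findtext(f"{{{SN_NS}}}encoding"),
            req.findtext(f"{{{SN_NS}}}replay-start-time"))


def subscribe_to_i2nsf(streams_reply_xml: str, since: Optional[str] = None) -> str:
    """Refuse an NSF that does not advertise the stream this document requires,
    and only ask for replay from `since` when the NSF says it can replay."""
    streams = advertised_streams(streams_reply_xml)
    if I2NSF_STREAM not in streams:
        raise RuntimeError(f"NSF does not advertise {I2NSF_STREAM}; "
                           f"advertised: {sorted(streams)}")
    replay_from = since if streams[I2NSF_STREAM] else None
    return build_establish_subscription(I2NSF_STREAM, replay_start_time=replay_from)


if __name__ == "__main__":
    print(subscribe_to_i2nsf(SAMPLE_STREAMS_REPLY, since="2021-02-17T09:37:39+00:00"))
```

   The RPC goes to the NSF over the NETCONF session; the NSF answers
   with a subscription id in the same namespace and then delivers the
   events of the stream as notifications on that session.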
   The following example shows the event streams supported by an NSF
   (e.g., the "NETCONF" and "I2NSF-Monitoring" event streams) as
   retrieved by an NSF data collector before it subscribes; note that
   this example XML file is delivered by an NSF to an NSF data
   collector:

       NETCONF
       Default NETCONF Event Stream
       false

       I2NSF-Monitoring
       I2NSF Monitoring Event Stream
       true
       2021-02-17T09:37:39+00:00

    Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring event
                                   stream

12.  XML Examples for I2NSF NSF Monitoring

   This section shows XML examples of I2NSF NSF Monitoring data
   delivered via the Monitoring Interface from an NSF.

12.1.  I2NSF System Detection Alarm

   The following example shows an alarm triggered by the memory usage of
   the server; note that this example XML file is delivered by an NSF to
   an NSF data collector:

       2021-02-17T06:23:05.025179+00:00
       nsfmi:MEM-USAGE-ALARM
       nsfmi:subscription
       nsfmi:on-change
       91
       90
       time_based_firewall
       critical

     Figure 4: Example of I2NSF system detection alarm triggered by memory
                                   usage

   The XML data above shows:

   1.  The NSF that sends the information is named
       "time_based_firewall".

   2.  The memory usage of the NSF triggered the alarm.

   3.  The monitoring information is acquired by subscription.

   4.  The monitoring information is emitted "on-change".

   5.  The memory usage of the NSF is 91 percent.

   6.  The memory threshold to trigger the alarm is 90 percent.

   7.  The severity level of the notification is "critical".

12.2.  I2NSF Interface Counters

   To get the I2NSF system interface counters information by query, the
   NETCONF Client (e.g., NSF data collector) issues a NETCONF <get>
   request to the NETCONF Server (e.g., NSF).
   The following XML file can be used to get the state data and filter
   the information:

     Figure 5: XML Example for NETCONF GET with System Interface Filter

   The following XML file shows the reply from the NETCONF Server (e.g.,
   NSF); it carries one system-interface entry for "ens3" and one for
   "lo", each acquired by query and each reporting the NSF name
   "time_based_firewall":

       ens3
       nsfmi:query
       549050
       814956
       0
       5078
       time_based_firewall

       lo
       nsfmi:query
       48487
       48487
       0
       0
       time_based_firewall

     Figure 6: Example of I2NSF System Interface Counters XML Information

13.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

     URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
     Registrant Contact: The IESG.
     XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525]:

     name: ietf-i2nsf-nsf-monitoring
     namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
     prefix: nsfmi
     reference: RFC XXXX

   // RFC Ed.: replace XXXX with an actual RFC number and remove
   // this note.

14.  Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].
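   Section 14 recommends mutual authentication between an NSF and the
   NSF data collector and rate limiting on both sides against floods of
   notifications.  The collector side of that advice, as an added example
   that is not code from this document or from the I2NSF project: it
   parses a system-detection-alarm notification like the one in
   Figure 4 as untrusted input, rejects an alarm whose reported usage is
   below its own threshold, and drops notification floods per
   authenticated sender with a token bucket.  The leaf names inside the
   notification (alarm-type, memory-usage, threshold, nsf-name,
   severity), the notification element name, the order of the severity
   values, and the sample messages are assumptions of the example, taken
   from the shape of Figure 4 rather than copied from a normative
   example.

```python
"""Added example (not code from the draft): NSF data collector that validates
I2NSF system-detection-alarm notifications and rate-limits each sender.
Leaf names, the severity enum and the sample messages are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"  # RFC 5277 envelope
NSFMI_NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"  # Section 13
ALARM_TAG = f"{{{NSFMI_NS}}}i2nsf-system-detection-alarm"  # assumed notification name
SEVERITY_RANK = {"low": 0, "middle": 1, "high": 2, "critical": 3}  # assumed enum
T0 = datetime(2021, 2, 17, 6, 23, 5, tzinfo=timezone.utc)  # collector clock for the demo


@dataclass(frozen=True)
class Alarm:
    nsf_name: str
    alarm_type: str       # identity name without the "nsfmi:" prefix
    usage: int            # reported usage in percent
    threshold: int        # configured threshold in percent (range 0..100 in the module)
    severity: str
    event_time: datetime  # asserted by the NSF; never used for rate limiting


def parse_alarm(xml_text: str) -> Alarm:
    """Parse one <notification> carrying an i2nsf-system-detection-alarm.
    Every leaf is checked: an NSF is untrusted input even when authenticated,
    because a compromised NSF still holds its credentials."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NOTIF_NS}}}notification":
        raise ValueError("not a NETCONF notification envelope")
    body = root.find(ALARM_TAG)
    if body is None:
        raise ValueError("not an i2nsf-system-detection-alarm")

    def leaf(name: str) -> str:
        text = body.findtext(f"{{{NSFMI_NS}}}{name}")
        if text is None or not text.strip():
            raise ValueError(f"missing leaf {name}")
        return text.strip()

    def percent(name: str) -> int:
        value = int(leaf(name))
        if not 0 <= value <= 100:
            raise ValueError(f"{name} out of range: {value}")
        return value

    severity = leaf("severity")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    event_time = datetime.fromisoformat((root.findtext(f"{{{NOTIF_NS}}}eventTime") or "").strip())
    return Alarm(nsf_name=leaf("nsf-name"), alarm_type=leaf("alarm-type").split(":", 1)[-1],
                 usage=percent("memory-usage"), threshold=percent("threshold"),
                 severity=severity, event_time=event_time)


class TokenBucket:
    """At most `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, burst: float, rate: float) -> None:
        self.burst, self.rate, self.tokens = burst, rate, burst
        self.last: Optional[datetime] = None

    def allow(self, now: datetime) -> bool:
        if self.last is not None:
            elapsed = max(0.0, (now - self.last).total_seconds())
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Collector:
    """Ingests notifications; the limiter runs before any parsing effort is spent."""

    def __init__(self, burst: int = 3, rate: float = 1.0) -> None:
        self.burst, self.rate = burst, rate
        self.buckets: Dict[str, TokenBucket] = {}
        self.accepted: List[Alarm] = []
        self.dropped: Dict[str, int] = {}

    def ingest(self, xml_text: str, received_at: datetime, peer_id: str) -> str:
        """Return 'accepted', 'rate-limited' or 'rejected'.  `received_at` is the
        collector's own clock and `peer_id` the sender's authenticated identity
        (e.g. its TLS client certificate subject or SSH host key), so forging
        eventTime or nsf-name does not buy a sender a fresh bucket."""
        bucket = self.buckets.setdefault(peer_id, TokenBucket(self.burst, self.rate))
        if not bucket.allow(received_at):
            self.dropped[peer_id] = self.dropped.get(peer_id, 0) + 1
            return "rate-limited"
        try:
            alarm = parse_alarm(xml_text)
        except (ValueError, ET.ParseError):
            return "rejected"
        if alarm.usage < alarm.threshold:
            return "rejected"  # a usage alarm below its own threshold is inconsistent
        self.accepted.append(alarm)
        return "accepted"


def alarm_xml(nsf: str, usage: int, threshold: int, severity: str = "critical",
              event_time: str = "2021-02-17T06:23:05.025179+00:00") -> str:
    """Constructed sample notification in the shape of Figure 4 (not captured)."""
    return (f'<notification xmlns="{NOTIF_NS}"><eventTime>{event_time}</eventTime>'
            f'<i2nsf-system-detection-alarm xmlns="{NSFMI_NS}" xmlns:nsfmi="{NSFMI_NS}">'
            f'<alarm-type>nsfmi:MEM-USAGE-ALARM</alarm-type>'
            f'<memory-usage>{usage}</memory-usage><threshold>{threshold}</threshold>'
            f'<nsf-name>{nsf}</nsf-name><severity>{severity}</severity>'
            f'</i2nsf-system-detection-alarm></notification>')


def demo() -> List[str]:
    """Five alarms 100 ms apart from one NSF (burst 3, 1 token/s), one alarm from
    a second NSF, then an alarm claiming 50% usage against a 90% threshold."""
    collector = Collector(burst=3, rate=1.0)
    outcomes = []
    for i in range(5):
        outcomes.append(collector.ingest(alarm_xml("time_based_firewall", 91, 90),
                                         T0 + timedelta(milliseconds=100 * i),
                                         peer_id="cn=time_based_firewall"))
    outcomes.append(collector.ingest(alarm_xml("web_firewall", 95, 90, "high"),
                                     T0 + timedelta(milliseconds=500), peer_id="cn=web_firewall"))
    outcomes.append(collector.ingest(alarm_xml("web_firewall", 50, 90),
                                     T0 + timedelta(seconds=1), peer_id="cn=web_firewall"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

   The bucket is keyed on the authenticated peer, not on the nsf-name
   leaf, and the limiter runs before the XML parser, so a flood from one
   NSF costs the collector a dictionary lookup per message and cannot
   starve alarms from other NSFs.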
   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  In this module these are the nodes under
   "i2nsf-monitoring-configuration": write operations (e.g.,
   edit-config) applied to them without proper protection can disable a
   notification or change an alarm threshold, so that an NSF data
   collector is never told about a resource-exhaustion or attack event.
   Some of the readable data nodes are sensitive as well: the login IP
   address and administrator identity in "i2nsf-nsf-system-access-log",
   the request cookies and URI in the web-attack notification, and the
   victim address, service, and fix suggestion in
   "i2nsf-nsf-log-vuln-scan" hand an attacker who can read them session
   material and a ready-made target list.  Read access to these nodes
   should therefore also be restricted with NACM.

   The monitoring YANG module should be carried over a secure
   communication channel to ensure its confidentiality and integrity.
   In addition, either the NSF or the NSF data collector can be faked,
   which leads to undesirable results: a fake collector can obtain an
   NSF's important operational information, and a fake NSF can send
   false information to mislead the NSF data collector.  Mutual
   authentication is therefore essential to protect against this kind of
   attack.  The current mainstream security technologies (i.e., TLS,
   DTLS, IPsec, and X.509 PKI) can be employed appropriately to provide
   the above security functions.

   In addition, to defend against a DDoS attack caused by a large number
   of NSFs sending massive numbers of notifications to the NSF data
   collector, rate limiting or similar mechanisms should be considered
   in both an NSF and an NSF data collector, whether provisioned in
   advance or applied while the DDoS attack is in progress.

15.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).
   This work was supported in part by the IITP (2020-0-00395, Standard
   Development of Blockchain based Network Management Automation
   Technology).  This work was supported in part by the MSIT under the
   Information Technology Research Center (ITRC) support program
   (IITP-2020-2017-0-01633) supervised by the IITP.

16.  Contributors

   This document is made by the group effort of the I2NSF working
   group.  Many people actively contributed to this document.  The
   authors sincerely appreciate their contributions.

   The following are co-authors of this document:

   Chaehong Chung
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: darkhong@skku.edu

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: timkim@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Dacheng Zhang
   Huawei

   EMail: dacheng.zhang@huawei.com

   Yi Wu
   Alibaba Group

   EMail: anren.wy@alibaba-inc.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA

   EMail: rkkumar@juniper.net

   Anil Lohiya
   Juniper Networks

   EMail: alohiya@juniper.net

17.  References

17.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980,
              <https://www.rfc-editor.org/info/rfc768>.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981,
              <https://www.rfc-editor.org/info/rfc791>.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981,
              <https://www.rfc-editor.org/info/rfc792>.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981,
              <https://www.rfc-editor.org/info/rfc793>.

   [RFC0956]  Mills, D., "Algorithms for synchronizing network clocks",
              RFC 956, DOI 10.17487/RFC0956, September 1985,
              <https://www.rfc-editor.org/info/rfc956>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999,
              <https://www.rfc-editor.org/info/rfc2616>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004, <https://www.rfc-editor.org/info/rfc3877>.

   [RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
              Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004,
              <https://www.rfc-editor.org/info/rfc3954>.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006,
              <https://www.rfc-editor.org/info/rfc4443>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009,
              <https://www.rfc-editor.org/info/rfc5424>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, DOI 10.17487/RFC6587, April
              2012, <https://www.rfc-editor.org/info/rfc6587>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013,
              <https://www.rfc-editor.org/info/rfc6991>.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013,
              <https://www.rfc-editor.org/info/rfc7011>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017,
              <https://www.rfc-editor.org/info/rfc8200>.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
              <https://www.rfc-editor.org/info/rfc8329>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018,
              <https://www.rfc-editor.org/info/rfc8341>.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
              <https://www.rfc-editor.org/info/rfc8342>.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018,
              <https://www.rfc-editor.org/info/rfc8407>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019,
              <https://www.rfc-editor.org/info/rfc8525>.

   [RFC8639]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
              E., and A. Tripathy, "Subscription to YANG Notifications",
              RFC 8639, DOI 10.17487/RFC8639, September 2019,
              <https://www.rfc-editor.org/info/rfc8639>.

17.2.  Informative References

   [I-D.ietf-i2nsf-applicability]
              Jeong, J., Hyun, S., Ahn, T., Hares, S., and D. Lopez,
              "Applicability of Interfaces to Network Security Functions
              to Network-Based Security Services", draft-ietf-i2nsf-
              applicability-18 (work in progress), September 2019.

   [I-D.ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", draft-
              ietf-i2nsf-consumer-facing-interface-dm-12 (work in
              progress), September 2020.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
              Lin, "I2NSF Network Security Function-Facing Interface
              YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
              dm-10 (work in progress), August 2020.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
              "I2NSF Registration Interface YANG Data Model", draft-
              ietf-i2nsf-registration-interface-dm-09 (work in
              progress), August 2020.

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Subscription to YANG Event Notifications",
              draft-ietf-netconf-subscribed-notifications-26 (work in
              progress), May 2019.

   [I-D.ietf-netconf-yang-push]
              Clemm, A. and E. Voit, "Subscription to YANG Datastores",
              draft-ietf-netconf-yang-push-25 (work in progress), May
              2019.

   [I-D.yang-i2nsf-security-policy-translation]
              Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
              Policy Translation in Interface to Network Security
              Functions", draft-yang-i2nsf-security-policy-
              translation-07 (work in progress), November 2020.

Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-04

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-04:

   o  This version is revised according to the comments of Andy Bierman,
      who is a YANG doctor.

   o  An NSF data collector is defined as an entity that collects NSF
      monitoring data from an NSF, such as a Security Controller or an
      NSF Data Analyzer.

Authors' Addresses

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Patrick Lingga
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   EMail: patricklink@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de