idnits 2.17.1 draft-ietf-i2nsf-nsf-monitoring-data-model-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist: No issues found here.

  Miscellaneous warnings:

  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  -- The document date (15 September 2021) is 952 days in the past. Is this intentional?

  Checking references for intended status: Proposed Standard
  (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)
  ** Obsolete normative reference: RFC 3501 (Obsoleted by RFC 9051)
  ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260)
  ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)
  ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
  == Outdated reference: A later version (-31) exists of draft-ietf-i2nsf-consumer-facing-interface-dm-14
  == Outdated reference: A later version (-29) exists of draft-ietf-i2nsf-nsf-facing-interface-dm-13
  == Outdated reference: A later version (-26) exists of draft-ietf-i2nsf-registration-interface-dm-11
  == Outdated reference: A later version (-16) exists of draft-yang-i2nsf-security-policy-translation-09
  == Outdated reference: A later version (-28) exists of draft-ietf-tcpm-rfc793bis-25

  Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).
  Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                  Sungkyunkwan University
Expires: 19 March 2022                                          S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                       15 September 2021

               I2NSF NSF Monitoring Interface YANG Data Model
                draft-ietf-i2nsf-nsf-monitoring-data-model-10

Abstract

   This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a timely manner. This monitoring functionality is based on the monitoring information that is generated by NSFs. Thus, this document describes not only an information model for the NSF monitoring interface along with a YANG data diagram, but also the corresponding YANG data model.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.
   It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 March 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications, Events, and Records
     4.3.  Unsolicited Poll and Solicited Push
   5.  Basic Information Model for Monitoring Data
   6.  Extended Information Model for Monitoring Data
     6.1.  System Alarms
       6.1.1.  Memory Alarm
       6.1.2.  CPU Alarm
       6.1.3.  Disk Alarm
       6.1.4.  Hardware Alarm
       6.1.5.  Interface Alarm
     6.2.  System Events
       6.2.1.  Access Violation
       6.2.2.  Configuration Change
       6.2.3.  Session Table Event
       6.2.4.  Traffic Flows
     6.3.  NSF Events
       6.3.1.  DDoS Detection
       6.3.2.  Virus Event
       6.3.3.  Intrusion Event
       6.3.4.  Web Attack Event
       6.3.5.  VoIP/VoLTE Event
     6.4.  System Logs
       6.4.1.  Access Log
       6.4.2.  Resource Utilization Log
       6.4.3.  User Activity Log
     6.5.  NSF Logs
       6.5.1.  Deep Packet Inspection Log
     6.6.  System Counter
       6.6.1.  Interface Counter
     6.7.  NSF Counters
       6.7.1.  Firewall Counter
       6.7.2.  Policy Hit Counter
   7.  NSF Monitoring Management in I2NSF
   8.  Tree Structure
   9.  YANG Data Model
   10. I2NSF Event Stream
   11. XML Examples for I2NSF NSF Monitoring
     11.1.  I2NSF System Detection Alarm
     11.2.  I2NSF Interface Counters
   12. IANA Considerations
   13. Security Considerations
   14. Acknowledgments
   15. Contributors
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09
   Authors' Addresses

1.  Introduction

   According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF Monitoring Interface. This interface enables the sharing of vital data from the NSFs (e.g., alarms, records, and counters) to the Security Controller through a variety of mechanisms (e.g., queries, notifications, and events). The monitoring of NSF plays an important role in an overall security framework, if it is done in a timely and comprehensive way. The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial of service attacks (DoS).

   This document defines a comprehensive information model of an NSF monitoring interface that provides visibility into an NSF for the NSF data collector (e.g., Security Controller). Note that an NSF data collector is defined as an entity that collects NSF monitoring data from an NSF, such as a Security Controller. It specifies the information and illustrates the methods that enable an NSF to provide the information required in order to be monitored in a scalable and efficient way via the NSF Monitoring Interface.
   The information model for the NSF monitoring interface presented in this document is complementary to the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-nsf-facing-interface-dm].

   This document also defines a YANG [RFC7950] data model for the NSF monitoring interface, which is derived from the information model for the NSF monitoring interface.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall security framework. The monitoring of the NSF provides very valuable information to an NSF data collector (e.g., Security Controller) in maintaining the provisioned security posture. Besides this, there are various other reasons to monitor the NSF, as listed below:

   *  The security administrator with I2NSF User can configure a policy that is triggered on a specific event occurring in the NSF or the network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm]. If an NSF data collector detects the specified event, it configures additional security functions as defined by policies.
   *  The events triggered by an NSF as a result of a security policy violation can be used by Security Information and Event Management (SIEM) to detect any suspicious activity in a larger correlation context.

   *  The information (i.e., events, records, and counters) from an NSF can be used to build advanced analytics, such as behavior and predictive models, to improve security posture in large deployments.

   *  The NSF data collector can use events from the NSF for achieving high availability. It can take corrective actions such as restarting a failed NSF and horizontally scaling up the NSF.

   *  The information (i.e., events, records, and counters) from the NSF can aid in the root cause analysis of an operational issue, so it can improve debugging.

   *  The records from the NSF can be used to build historical data for operation and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is not only necessary to configure an NSF's security policies but also to continuously monitor the NSF by consuming acquirable and observable data. This enables security administrators to assess the state of the networks in a timely fashion. It is not possible to block all the internal and external threats based on a static security posture. A more practical approach is supported by enabling dynamic security measures, for which continuous visibility is required. This document defines a set of monitoring elements and their scopes that can be acquired from an NSF and can be used as NSF monitoring data. In essence, these types of monitoring data can be leveraged to support constant visibility on multiple levels of granularity and can be consumed by the corresponding functions.

   Three basic domains about the monitoring data originating from a system entity [RFC4949], i.e., an NSF, are highlighted in this document.
   *  Retention and Emission

   *  Notifications, Events, and Records

   *  Unsolicited Poll and Solicited Push

   As with I2NSF components, every generic system entity can include a set of capabilities that creates information about some context with monitoring data (i.e., monitoring information), composition, configuration, state, or behavior of that system entity. This information is intended to be provided to other consumers of information and, in the scope of this document, which deals with NSF monitoring data, in an automated fashion.

4.1.  Retention and Emission

   A system entity (e.g., NSF) first retains I2NSF monitoring data inside its own system before emitting the information to another I2NSF component (e.g., NSF Data Collector). The I2NSF monitoring information consists of I2NSF Event, I2NSF Record, and I2NSF Counter as follows:

   I2NSF Event:  An I2NSF Event is defined as an important occurrence over time, that is, a change in the system being managed or a change in the environment of the system being managed. An I2NSF Event requires immediate attention and should be notified as soon as possible. When used in the context of an (imperative) I2NSF Policy Rule, an I2NSF Event is used to determine whether the Condition clause of that Policy Rule can be evaluated or not. The Alarm Management Framework in [RFC3877] defines an event as something that happens which may be of interest. Examples of an event are a fault, a change in status, crossing a threshold, or an external input to the system. In the I2NSF domain, I2NSF events are created following the definition of an event in the Alarm Management Framework.

   I2NSF Record:  A record is defined as an item of information that is kept to be looked at and used in the future. Unlike an I2NSF Event, records do not require immediate attention but may be useful for visibility and retroactive cyber forensics.
      Depending on the record format, there are different qualities in regard to structure and detail. Records are typically stored in log files or databases on a system entity or NSF. Records in the form of log files usually include less structure but potentially more detailed information in regard to the changes of a system entity's characteristics. In contrast, databases often use stricter schemas or data models, therefore enforcing a better structure. However, they inhibit storing information that does not match those models ("closed world assumption"). Records can be continuously processed by a system entity as an I2NSF Producer and emitted with a format tailored to a certain type of record. Typically, records are information generated by a system entity (e.g., NSF) that is based on operational and informational data, that is, various changes in system characteristics. Examples of records include user activities, network/traffic status, and network activity. They are important for debugging, auditing, and security forensics of a system entity or the network having the system entity.

   I2NSF Counter:  An I2NSF Counter is defined as a specific representation of continuous value changes of information elements that occur very frequently. Prominent examples are network interface counters for protocol data unit (PDU) amount, byte amount, drop counters, and error counters. Counters are useful in debugging and visibility into the operational behavior of a system entity (e.g., NSF). When an NSF data collector asks for the value of a counter to it, a system entity emits

   For the utilization of the storage space for accumulated NSF monitoring data, all of the information MUST provide the general information (e.g., timestamp) for purging existing records, which is discussed in Section 5.
   This document provides a YANG data model in Section 9 for the important I2NSF monitoring information that should be retained. All of the information in the data model is considered important and should be kept permanently, as the information might be useful in many circumstances in the future. The allowed cases for removing some monitoring information include the following:

   *  When the system storage is full, the oldest record can be removed to create a fresh record [RFC4949].

   *  The administrator deletes existing records manually after analyzing the information in them.

   The I2NSF monitoring information retained on a system entity (e.g., NSF) may be delivered to a corresponding I2NSF User via an NSF data collector. The information consists of the aggregated records, typically in the form of log files or databases. For the NSF Monitoring Interface to deliver the information to the NSF data collector, the NSF needs to accommodate standardized delivery protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. The NSF data collector can forward the information to the I2NSF User through one of the standardized delivery protocols. The interface for this delivery is out of the scope of this document.

4.2.  Notifications, Events, and Records

   A specific task of an I2NSF User is to process I2NSF Policy Rules. The rules of a policy are composed of three clauses: Event, Condition, and Action clauses. In consequence, an I2NSF Event is specified to trigger an I2NSF Policy Rule. Such an I2NSF Event is defined as any important occurrence over time in the system being managed, and/or in the environment of the system being managed, which aligns well with the generic definition of Event from [RFC3877].

   Another role of the I2NSF Event is to trigger a notification for monitoring the status of an NSF.
   A notification is defined in [RFC3877] as an unsolicited transmission of management information. A System alarm (called alarm) is defined as a warning related to service degradation in system hardware in Section 6.1. A System event (called alert) is defined as a warning about any change of configuration, any access violation, or the information of sessions and traffic flows in Section 6.2. Both an alarm and an alert are I2NSF Events that can be delivered as a notification. The model illustrated in this document introduces a complementary type of information that can be conveyed as a notification.

   In I2NSF monitoring, a notification is used to deliver either an event or a record via the I2NSF Monitoring Interface. The difference between the event and the record is the timing by which the notifications are emitted. An event is emitted as soon as it happens in order to notify an NSF Data Collector of a problem that needs immediate attention. A record is not emitted immediately to the NSF Data Collector; it can be emitted periodically to the NSF Data Collector at a certain time interval.

   It is important to note that an NSF Data Collector as a consumer (i.e., observer) of a notification assesses the importance of the notification rather than an NSF as a producer. The producer can include metadata in a notification that supports the observer in assessing its importance (e.g., severity).

4.3.  Unsolicited Poll and Solicited Push

   The freshness of the monitored information depends on the acquisition method. Ideally, an I2NSF User is accessing every relevant piece of information about the I2NSF Component and is emitting I2NSF Events to an NSF data collector (e.g., Security Controller) in a timely manner.
   Publication of events via a pubsub/broker model, peer-to-peer meshes, or statically defined channels are only a few examples of how a solicited push of I2NSF Events can be facilitated. The actual mechanism implemented by an I2NSF Component is out of the scope of this document.

   Often, the corresponding management interfaces have to be queried at intervals or on demand if required by an I2NSF Policy Rule. In some cases, the collection of information has to be conducted via a login mechanism provided by a system entity. Accessing records of information via this kind of unsolicited poll can introduce a significant latency in regard to the freshness of the monitored information. The actual definition of intervals implemented by an I2NSF Component is also out of the scope of this document.

5.  Basic Information Model for Monitoring Data

   As explained in the above section, there is a wealth of data available from the NSF that can be monitored. Firstly, there must be some general information with each monitoring message sent from an NSF that helps a consumer to identify the metadata of that message, which is listed below:

   *  message: The extra detail to give the context of the information.

   *  vendor-name: The name of the NSF vendor.

   *  nsf-name: The name or IP address of the NSF generating the message. If the given nsf-name is not an IP address, the name can be an arbitrary string including an FQDN (Fully Qualified Domain Name). The name MUST be unique for different NSFs to identify the NSF that generates the message.

   *  severity: It indicates the severity level. There are four levels in total, i.e., critical, high, middle, and low.

   *  timestamp: Indicates the time when the message is generated.
      For the notification operations (i.e., System Alarms, System Events, NSF Events, System Logs, and NSF Logs), this is represented by the eventTime of the NETCONF event notification [RFC5277]. For other operations (i.e., System Counter and NSF Counter), the timestamp MUST be provided separately.

6.  Extended Information Model for Monitoring Data

   This section covers the additional information associated with the system messages. The extended information model is only for structured data such as events, records, and counters. Any unstructured data is specified with the basic information model only.

   Each type of information has the following characteristics:

   *  Acquisition method: The method to obtain the message. It can be a "query" or a "subscription". A "query" is a request-based method to acquire the solicited information. A "subscription" is a subscribe-based method to acquire the unsolicited information.

   *  Emission type: The cause type for the message to be emitted. It can be "on-change" or "periodic". An "on-change" message is emitted when an important event happens in the NSF. A "periodic" message is emitted at a certain time interval. The time to periodically emit the message is configurable.

   *  Dampening type: The type of message dampening to stop the rapid transmission of messages. The dampening types are "on-repetition" and "no-dampening". The "on-repetition" type limits the transmitted "on-change" message to one message in a certain interval. This interval is defined as dampening-period in [RFC8641]. The dampening-period is configurable. The "no-dampening" type does not limit the transmission of messages of the same type. In short, "on-repetition" means that the dampening is active and "no-dampening" means that it is inactive. It is recommended to activate the dampening for an "on-change" type of message to reduce the number of messages generated.

6.1.  System Alarms

   System alarms have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition

6.1.1.  Memory Alarm

   The memory is the hardware to store information temporarily or for a short period, i.e., Random Access Memory (RAM). The memory-alarm is emitted when the RAM usage exceeds the threshold. The following information should be included in a Memory Alarm:

   *  event-name: memory-alarm.

   *  usage: Specifies the size of memory used.

   *  threshold: The threshold triggering the alarm.

   *  severity: The severity of the alarm, such as critical, high, medium, and low.

   *  message: Simple information such as "The memory usage exceeded the threshold", or with extra information.

6.1.2.  CPU Alarm

   The CPU is the Central Processing Unit that executes basic operations of the system. The cpu-alarm is emitted when the CPU usage exceeds the threshold. The following information should be included in a CPU Alarm:

   *  event-name: cpu-alarm.

   *  usage: Specifies the size of CPU used.

   *  threshold: The threshold triggering the event.

   *  severity: The severity of the alarm, such as critical, high, medium, and low.

   *  message: Simple information such as "The CPU usage exceeded the threshold", or with extra information.

6.1.3.  Disk Alarm

   The disk is the hardware to store information for a long period, i.e., Hard Disk or Solid-State Drive. The disk-alarm is emitted when the disk usage exceeds the threshold. The following information should be included in a Disk Alarm:

   *  event-name: disk-alarm.

   *  usage: Specifies the size of disk space used.

   *  threshold: The threshold triggering the event.

   *  severity: The severity of the alarm, such as critical, high, medium, and low.

   *  message: Simple information such as "The disk usage exceeded the threshold", or with extra information.

6.1.4.  Hardware Alarm

   The hardware-alarm is emitted when a hardware problem, e.g., in the CPU, memory, disk, or interface, is detected. The following information should be included in a Hardware Alarm:

   *  event-name: hardware-alarm.

   *  component-name: It indicates the hardware component responsible for generating this alarm.

   *  severity: The severity of the alarm, such as critical, high, medium, and low.

   *  message: Simple information such as "The hardware component has failed or degraded", or with extra information.

6.1.5.  Interface Alarm

   The interface is the network interface for connecting a device with the network. The interface-alarm is emitted when the state of the interface is changed. The following information should be included in an Interface Alarm:

   *  event-name: interface-alarm.

   *  interface-name: The name of the interface.

   *  interface-state: down, up (not congested), congested (up but congested).

   *  severity: The severity of the alarm, such as critical, high, medium, and low.

   *  message: Simple information such as "The interface is 'interface-state'", or with extra information.

6.2.  System Events

   System events (as alerts) have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition

6.2.1.  Access Violation

   The access-violation system event is an event when a user tries to access (read or write) any information above their privilege. The following information should be included in this event:

   *  event-name: access-denied.

   *  user: Name of a user.

   *  group: Group(s) to which a user belongs. A user can belong to multiple groups.

   *  ip-address: The IP address of the user that triggered the event.

   *  authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.
   *  message: The message to give the context of the event, such as "Access is denied".

6.2.2.  Configuration Change

   A configuration change is a system event when a new configuration is added or an existing configuration is modified. The following information should be included in this event:

   *  event-name: config-change.

   *  user: Name of a user.

   *  group: Group(s) to which a user belongs. A user can belong to multiple groups.

   *  ip-address: The IP address of the user that triggered the event.

   *  authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.

   *  message: The message to give the context of the event, such as "Configuration is modified" or "New configuration is added".

6.2.3.  Session Table Event

   The following information should be included in a Session Table Event:

   *  event-name: session-table.

   *  current-session: The number of concurrent sessions.

   *  maximum-session: The maximum number of sessions that the session table can support.

   *  threshold: The threshold triggering the event.

   *  message: The message to give the context of the event, such as "The number of session table exceeded the threshold".

6.2.4.  Traffic Flows

   Traffic flows need to be monitored because they might be used for security attacks on the network. The following information should be included in this event:

   *  src-ip: The source IPv4 or IPv6 address of the traffic flow.

   *  dst-ip: The destination IPv4 or IPv6 address of the traffic flow.

   *  src-port: The source port of the traffic flow.

   *  dst-port: The destination port of the traffic flow.

   *  protocol: The protocol of the traffic flow.

   *  arrival-rate: Arrival rate of packets of the traffic flow.

6.3.  NSF Events

   NSF events have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition

6.3.1.  DDoS Detection

   The following information should be included in a DDoS Event:

   *  event-name: detection-ddos.

   *  attack-type: Any one of SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood, SSL flood, and NTP amplification flood.

   *  attack-src-ip: The IP address of the source of the DDoS attack.

   *  attack-dst-ip: The network prefix with a network mask (for IPv4) or prefix length (for IPv6) of a victim under DDoS attack.

   *  dst-port: The port number that the attack traffic aims at.

   *  start-time: The time stamp indicating when the attack started.

   *  end-time: The time stamp indicating when the attack ended. If the attack is still ongoing when sending out the alarm, this field can be empty.

   *  attack-rate: The packets per second of attack traffic.

   *  attack-speed: The bits per second of attack traffic.

   *  rule-name: The name of the I2NSF Policy Rule being triggered. Note that rule-name is used to match a detected NSF event with a policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm], and also that there is no rule-name in a system event.

6.3.2.  Virus Event

   The following information should be included in a Virus Event:

   *  event-name: detection-virus.

   *  virus: Type of the virus, e.g., trojan, worm, or macro virus type.

   *  virus-name: Name of the virus.

   *  dst-ip: The destination IP address of the packet where the virus is found.

   *  src-ip: The source IP address of the packet where the virus is found.

   *  src-port: The source port of the packet where the virus is found.

   *  dst-port: The destination port of the packet where the virus is found.
688 * src-location: The source geographical location (e.g., country and 689 city) of the virus. 691 * dst-location: The destination geographical location (e.g., country 692 and city) of the virus. 694 * file-type: The type of the file where the virus is hided within. 696 * file-name: The name of the file where the virus is hided within. 698 * raw-info: The information describing the packet triggering the 699 event. 701 * rule-name: The name of the rule being triggered. 703 6.3.3. Intrusion Event 705 The following information should be included in an Intrusion Event: 707 * event-name: The name of the event. e.g., detection-intrusion. 709 * attack-type: Attack type, e.g., brutal force and buffer overflow. 711 * src-ip: The source IP address of the flow. 713 * dst-ip: The destination IP address of the flow. 715 * src-port:The source port number of the flow. 717 * dst-port: The destination port number of the flow 719 * src-location: The source geographical location (e.g., country and 720 city) of the flow. 722 * dst-location: The destination geographical location (e.g., country 723 and city) of the flow. 725 * protocol: The employed transport layer protocol. e.g., TCP and 726 UDP. 728 * app: The employed application layer protocol. e.g., HTTP and FTP. 730 * rule-name: The name of the I2NSF Policy Rule being triggered. 732 * raw-info: The information describing the flow triggering the 733 event. 735 6.3.4. Web Attack Event 737 The following information should be included in a Web Attack Alarm: 739 * event-name: The name of event. e.g., detection-web-attack. 741 * attack-type: Concrete web attack type. e.g., SQL injection, 742 command injection, XSS, CSRF. 744 * src-ip: The source IP address of the packet. 746 * dst-ip: The destination IP address of the packet. 748 * src-port: The source port number of the packet. 750 * dst-port: The destination port number of the packet. 752 * src-location: The source geographical location (e.g., country and 753 city) of the packet. 
755 * dst-location: The destination geographical location (e.g., country 756 and city) of the packet. 758 * request-method: The method of requirement. For instance, "PUT" 759 and "GET" in HTTP. 761 * req-uri: Requested URI. 763 * response-code: The HTTP Response code. 765 * req-user-agent: The HTTP request user agent header field. 767 * req-cookies: The HTTP Cookie previously sent by the server with 768 Set-Cookie. 770 * req-host: The domain name of the requested host. 772 * uri-category: Matched URI category. 774 * filtering-type: URL filtering type. e.g., deny-list, allow-list, 775 and unknown. 777 * rule-name: The name of the I2NSF Policy Rule being triggered. 779 6.3.5. VoIP/VoLTE Event 781 The following information should be included in a VoIP/VoLTE Event: 783 * source-voice-id: The detected source voice Call ID for VoIP and 784 VoLTE that violates the policy. 786 * destination-voice-id: The destination voice Call ID for VoIP and 787 VoLTE that violates the policy. 789 * user-agent: The user agent for VoIP and VoLTE that violates the 790 policy. 792 * src-ip: The source IP address of the VoIP/VoLTE. 794 * dst-ip: The destination IP address of the VoIP/VoLTE. 796 * src-port: The source port number of the VoIP/VoLTE. 798 * dst-port: The destination port number of VoIP/VoLTE. 800 * src-location: The source geographical location (e.g., country and 801 city) of the VoIP/VoLTE. 803 * dst-location: The destination geographical location (e.g., country 804 and city) of the VoIP/VoLTE. 806 * rule-name: The name of the I2NSF Policy Rule being triggered. 808 6.4. System Logs 810 System log is a record that is used to monitor the activity of the 811 user on the NSF and the status of the NSF. System logs have the 812 following characteristics: 814 * acquisition-method: subscription 816 * emission-type: on-change or periodic 818 * dampening-type: on-repetition 820 6.4.1. Access Log 822 Access logs record administrators' login, logout, and operations on a 823 device. 
By analyzing them, security vulnerabilities can be 824 identified. The following information should be included in an 825 operation report: 827 * username: The username that operates on the device. 829 * login-ip: IP address used by an administrator to log in. 831 * login-mode: Specifies the administrator logs in mode e.g. 832 administrator, user, and guest. 834 * operation-type: The operation type that the administrator execute, 835 e.g., login, logout, configuration, and other. 837 * input: The operation performed by a user after login. The 838 operation is a command given by a user. 840 * output: The result after executing the input. 842 6.4.2. Resource Utilization Log 844 Running reports record the device system's running status, which is 845 useful for device monitoring. The following information should be 846 included in running report: 848 * system-status: The current system's running status. 850 * cpu-usage: Specifies the aggregated CPU usage. 852 * memory-usage: Specifies the memory usage. 854 * disk-id: Specifies the disk ID to identify the storage disk. 856 * disk-usage: Specifies the disk usage of disk-id. 858 * disk-left: Specifies the available disk space left of disk-id. 860 * session-number: Specifies total concurrent sessions. 862 * process-number: Specifies total number of systems processes. 864 * interface-id: Specifies the interface ID to identify the network 865 interface. 867 * in-traffic-rate: The total inbound traffic rate in packets per 868 second. 870 * out-traffic-rate: The total outbound traffic rate in packets per 871 second. 873 * in-traffic-speed: The total inbound traffic speed in bits per 874 second. 876 * out-traffic-speed: The total outbound traffic speed in bits per 877 second. 879 6.4.3. User Activity Log 881 User activity logs provide visibility into users' online records 882 (such as login time, online/lockout duration, and login IP addresses) 883 and the actions that users perform. 
User activity reports are 884 helpful to identify exceptions during a user's login and network 885 access activities. 887 * user: Name of a user. 889 * group: Group to which a user belongs. 891 * login-ip-addr: Login IP address of a user. 893 * authentication: The method to verify the valid user, i.e., pre- 894 configured-key and certificate-authority. 896 * online-duration: The duration of a user's activeness (stays in 897 login) during a session. 899 * logout-duration: The duration of a user's inactiveness (not in 900 login) from the last session. 902 * additional-info: Additional Information for login: 904 1. type: User activities. e.g., Successful User Login, Failed 905 Login attempts, User Logout, Successful User Password Change, 906 Failed User Password Change, User Lockout, and User Unlocking. 908 2. cause: Cause of a failed user activity. 910 6.5. NSF Logs 912 NSF logs have the folowing characteristics: 914 * acquisition-method: subscription 916 * emission-type: on-change 918 * dampening-type: on-repetition 920 6.5.1. Deep Packet Inspection Log 922 Deep Packet Inspection (DPI) Logs provide statistics on uploaded and 923 downloaded files and data, sent and received emails, and alert and 924 blocking records on websites. It is helpful to learn risky user 925 behaviors and why access to some URLs is blocked or allowed with an 926 alert record. 928 * attack-type: DPI action types. e.g., File Blocking, Data 929 Filtering, and Application Behavior Control. 931 * src-user: User source who generates the policy. 933 * policy-name: Security policy name that traffic matches. 935 * action: Action defined in the file blocking rule, data filtering 936 rule, or application behavior control rule that traffic matches. 938 6.6. System Counter 940 System counter has the following characteristics: 942 * acquisition-method: subscription or query 943 * emission-type: periodic 945 * dampening-type: none 947 6.6.1. 
Interface Counter 949 Interface counters provide visibility into traffic into and out of an 950 NSF, and bandwidth usage. The statistics of the interface counters 951 should be computed from the start of the service. When the service 952 is reset, the computation of statistics per counter should restart 953 from 0. 955 * interface-name: Network interface name configured in NSF. 957 * in-total-traffic-pkts: Total inbound packets. 959 * out-total-traffic-pkts: Total outbound packets. 961 * in-total-traffic-bytes: Total inbound bytes. 963 * out-total-traffic-bytes: Total outbound bytes. 965 * in-drop-traffic-pkts: Total inbound drop packets. 967 * out-drop-traffic-pkts: Total outbound drop packets. 969 * in-drop-traffic-bytes: Total inbound drop bytes. 971 * out-drop-traffic-bytes: Total outbound drop bytes. 973 * in-traffic-average-rate: Inbound traffic average rate in packets 974 per second. 976 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 977 second. 979 * in-traffic-average-speed: Inbound traffic average speed in bits 980 per second. 982 * in-traffic-peak-speed: Inbound traffic peak speed in bits per 983 second. 985 * out-traffic-average-rate: Outbound traffic average rate in packets 986 per second. 988 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 989 second. 991 * out-traffic-average-speed: Outbound traffic average speed in bits 992 per second. 994 * out-traffic-peak-speed: Outbound traffic peak speed in bits per 995 second. 997 6.7. NSF Counters 999 NSF counters have the following characteristics: 1001 * acquisition-method: subscription or query 1003 * emission-type: periodic 1005 * dampening-type: none 1007 6.7.1. Firewall Counter 1009 Firewall counters provide visibility into traffic signatures, 1010 bandwidth usage, and how the configured security and bandwidth 1011 policies have been applied. 1013 * src-ip: Source IP address of traffic. 1015 * src-user: User who generates the policy. 
1017 * dst-ip: Destination IP address of traffic. 1019 * src-port: Source port of traffic. 1021 * dst-port: Destination port of traffic. 1023 * protocol: Protocol type of traffic. 1025 * app: Application type of traffic. 1027 * policy-id: Security policy id that traffic matches. 1029 * policy-name: Security policy name that traffic matches. 1031 * in-interface: Inbound interface of traffic. 1033 * out-interface: Outbound interface of traffic. 1035 * total-traffic: Total traffic volume. 1037 * in-traffic-average-rate: Inbound traffic average rate in packets 1038 per second. 1040 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 1041 second. 1043 * in-traffic-average-speed: Inbound traffic average speed in bits 1044 per second. 1046 * in-traffic-peak-speed: Inbound traffic peak speed in bits per 1047 second. 1049 * out-traffic-average-rate: Outbound traffic average rate in packets 1050 per second. 1052 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 1053 second. 1055 * out-traffic-average-speed: Outbound traffic average speed in bits 1056 per second. 1058 * out-traffic-peak-speed: Outbound traffic peak speed in bits per 1059 second. 1061 6.7.2. Policy Hit Counter 1063 Policy Hit Counters record the security policy that traffic matches 1064 and its hit count. It can check if policy configurations are 1065 correct. 1067 * src-ip: Source IP address of traffic. 1069 * src-user: User who generates the policy. 1071 * dst-ip: Destination IP address of traffic. 1073 * src-port: Source port of traffic. 1075 * dst-port: Destination port of traffic. 1077 * protocol: Protocol type of traffic. 1079 * app: Application type of traffic. 1081 * policy-id: Security policy id that traffic matches. 1083 * policy-name: Security policy name that traffic matches. 1085 * hit-times: The hit times that the security policy matches the 1086 specified traffic. 1088 7. 
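   The interface counter semantics of Section 6.6.1 (statistics
   accumulated from the start of the service and restarted from 0 on a
   reset, yang:counter32 packet totals next to average and peak rates
   and speeds) carried through in code, as an added example that is
   not part of this draft.  The Reading format, the sample readings,
   the one-second integer rates and the treatment of the first reading
   after a reset as the new baseline are assumptions: the draft names
   the leaves but does not say how an NSF samples its counters.

```python
"""Interface counter statistics as described in Section 6.6.1.

Added example, not code from the draft: a collector-side aggregator that
turns periodic raw counter readings from an NSF into the inbound 6.6.1
leaves (in-total-traffic-pkts, in-total-traffic-bytes,
in-traffic-average-rate, in-traffic-peak-rate, in-traffic-average-speed,
in-traffic-peak-speed).  It handles yang:counter32 wrap-around and the
"restart from 0 on service reset" rule.  The Reading format and the
sample readings are constructed; outbound leaves are computed the same way.
"""
from dataclasses import dataclass
from typing import Optional

COUNTER32_MODULUS = 2 ** 32  # yang:counter32 wraps at 2^32


def counter32_delta(old: int, new: int) -> int:
    """Packets counted between two counter32 readings, allowing one wrap."""
    return (new - old) % COUNTER32_MODULUS


@dataclass(frozen=True)
class Reading:
    """One raw counter sample from the NSF (constructed input format)."""
    t: int                # seconds since the NSF service started
    pkts: int             # raw yang:counter32 inbound packet counter
    octets: int           # raw uint64 inbound byte counter
    reset: bool = False   # True if the service was reset just before this sample


class InterfaceCounter:
    """Accumulates the Section 6.6.1 inbound statistics for one interface."""

    def __init__(self, interface_name: str) -> None:
        self.interface_name = interface_name
        self._last: Optional[Reading] = None
        self._restart(0)

    def _restart(self, t: int) -> None:
        # 6.6.1: statistics are computed from the start of the service and
        # restart from 0 when the service is reset.
        self._start_t = t
        self.total_pkts = 0
        self.total_bytes = 0
        self.peak_rate = 0    # packets per second
        self.peak_speed = 0   # bits per second

    def update(self, r: Reading) -> None:
        if r.reset or self._last is None:
            self._restart(r.t)
            self._last = r    # assumption: this reading is the new baseline
            return
        dt = r.t - self._last.t
        if dt <= 0:
            raise ValueError("readings must be strictly increasing in time")
        d_pkts = counter32_delta(self._last.pkts, r.pkts)
        d_bytes = r.octets - self._last.octets
        if d_bytes < 0:
            raise ValueError("uint64 byte counter went backwards without a reset")
        self.total_pkts += d_pkts
        self.total_bytes += d_bytes
        # peak values are the largest per-interval rate seen since (re)start
        self.peak_rate = max(self.peak_rate, d_pkts // dt)
        self.peak_speed = max(self.peak_speed, d_bytes * 8 // dt)
        self._last = r

    def leaves(self) -> dict:
        """The inbound 6.6.1 leaves for this interface, keyed by YANG name."""
        elapsed = (self._last.t - self._start_t) if self._last else 0
        return {
            "interface-name": self.interface_name,
            "in-total-traffic-pkts": self.total_pkts,
            "in-total-traffic-bytes": self.total_bytes,
            "in-traffic-average-rate": self.total_pkts // elapsed if elapsed else 0,
            "in-traffic-average-speed": self.total_bytes * 8 // elapsed if elapsed else 0,
            "in-traffic-peak-rate": self.peak_rate,
            "in-traffic-peak-speed": self.peak_speed,
        }


# Constructed readings: 20 s of traffic, a service reset, then 10 s more.
SAMPLE_READINGS = [
    Reading(t=0, pkts=0, octets=0),
    Reading(t=10, pkts=1000, octets=100_000),      # 100 pps, 80 kbit/s
    Reading(t=20, pkts=4000, octets=400_000),      # 300 pps, 240 kbit/s (peak)
    Reading(t=30, pkts=0, octets=0, reset=True),   # service reset: start over
    Reading(t=40, pkts=2000, octets=250_000),      # 200 pps, 200 kbit/s
]


def aggregate(readings) -> dict:
    """Feed a sequence of readings through one InterfaceCounter."""
    counter = InterfaceCounter("eth0")
    for r in readings:
        counter.update(r)
    return counter.leaves()


if __name__ == "__main__":
    print(aggregate(SAMPLE_READINGS))
```

   Feeding the first three readings gives a peak of 300 pps over the
   second interval and an average of 200 pps over the whole 20 s; the
   reset reading at t=30 discards those totals, so after the last
   reading both average and peak reflect only the 10 s since the reset.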
7.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an
   administrator to check the monitoring data generated by an NSF.  The
   administrator can check the monitoring data through the following
   process.  When NSF monitoring data in the standard format is
   generated, the NSF forwards it to an NSF data collector via the
   I2NSF NSF Monitoring Interface.  The NSF data collector delivers it
   to the I2NSF Consumer or the Developer's Management System (DMS) so
   that the administrator can know the state of the I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.  The three main interfaces in the
   I2NSF framework are used for sending monitoring data as follows:

   *  I2NSF Consumer-Facing Interface
      [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF
      User makes a security policy and forwards it to the Security
      Controller via the Consumer-Facing Interface, it can specify the
      threat-feed for threat prevention, the custom list, the malicious
      code scan group, and the event map group.  They can be used as
      events to be monitored by an NSF.

   *  I2NSF Registration Interface
      [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions
      Virtualization (NFV) architecture provides the lifecycle
      management of a Virtual Network Function (VNF) via the Ve-Vnfm
      interface.  The role of Ve-Vnfm is to request VNF lifecycle
      management (e.g., the instantiation and de-instantiation of an
      NSF, and load balancing among NSFs), exchange configuration
      information, and exchange status information for a network
      service.  In the I2NSF framework, the DMS manages data about
      resource states and network traffic for the lifecycle management
      of an NSF.  Therefore, the monitoring data generated by NSFs is
      delivered from the NSF data collector to the DMS via either the
      Registration Interface or a new interface (e.g., NSF Monitoring
      Interface).  These data are delivered from the DMS to the VNF
      Manager in the Management and Orchestration (MANO) in the NFV
      system [I-D.ietf-i2nsf-applicability].

   *  I2NSF NSF Monitoring Interface [RFC8329]: After a high-level
      security policy from the I2NSF User is translated by the security
      policy translator [I-D.yang-i2nsf-security-policy-translation] in
      the Security Controller, the translated security policy (i.e.,
      low-level policy) is applied to an NSF via the NSF-Facing
      Interface.  The monitoring interface data model for an NSF
      specifies the list of events that can trigger
      Event-Condition-Action (ECA) policies via the NSF Monitoring
      Interface.

8.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-nsf-monitoring
     +--ro i2nsf-counters
     |  +--ro system-interface* [interface-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro interface-name               string
     |  |  +--ro in-total-traffic-pkts?       yang:counter32
     |  |  +--ro out-total-traffic-pkts?      yang:counter32
     |  |  +--ro in-total-traffic-bytes?      uint64
     |  |  +--ro out-total-traffic-bytes?     uint64
     |  |  +--ro in-drop-traffic-pkts?        yang:counter32
     |  |  +--ro out-drop-traffic-pkts?       yang:counter32
     |  |  +--ro in-drop-traffic-bytes?       uint64
     |  |  +--ro out-drop-traffic-bytes?      uint64
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint32
     |  |  +--ro in-traffic-peak-speed?       uint32
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint32
     |  |  +--ro out-traffic-peak-speed?      uint32
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    union
     |  |  +--ro severity?                    severity
     |  |  +--ro timestamp?                   yang:date-and-time
     |  +--ro nsf-firewall* [policy-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro policy-name
     |  |  |       -> /nsfintf:i2nsf-security-policy/system-policy-name
     |  |  +--ro src-user?                    string
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint32
     |  |  +--ro in-traffic-peak-speed?       uint32
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint32
     |  |  +--ro out-traffic-peak-speed?      uint32
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    union
     |  |  +--ro severity?                    severity
     |  |  +--ro timestamp?                   yang:date-and-time
     |  +--ro nsf-policy-hits* [policy-name]
     |     +--ro acquisition-method?          identityref
     |     +--ro emission-type?               identityref
     |     +--ro dampening-type?              identityref
     |     +--ro policy-name
     |     |       -> /nsfintf:i2nsf-security-policy/system-policy-name
     |     +--ro src-user?                    string
     |     +--ro message?                     string
     |     +--ro vendor-name?                 string
     |     +--ro nsf-name?                    union
     |     +--ro severity?                    severity
     |     +--ro hit-times?                   yang:counter32
     |     +--ro timestamp?                   yang:date-and-time
     +--rw i2nsf-monitoring-configuration
        +--rw i2nsf-system-detection-alarm
        |  +--rw enabled?                     boolean
        |  +--rw system-alarm* [alarm-type]
        |     +--rw alarm-type                enumeration
        |     +--rw threshold?                uint8
        |     +--rw dampening-period?         uint32
        +--rw i2nsf-system-detection-event
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-traffic-flows
        |  +--rw dampening-period?            uint32
        |  +--rw enabled?                     boolean
        +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-nsf-detection-session-table-configuration
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-nsf-detection-intrusion
        |        {i2nsf-nsf-detection-intrusion}?
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-nsf-detection-web-attack
        |        {i2nsf-nsf-detection-web-attack}?
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-nsf-system-access-log
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-system-res-util-log
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-system-user-activity-log
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}?
        |  +--rw enabled?                     boolean
        |  +--rw dampening-period?            uint32
        +--rw i2nsf-counter
           +--rw period?                      uint16

   notifications:
     +---n i2nsf-event
     |  +--ro (sub-event-type)?
     |     +--:(i2nsf-system-detection-alarm)
     |     |  +--ro i2nsf-system-detection-alarm
     |     |     +--ro alarm-category?        identityref
     |     |     +--ro component-name?        string
     |     |     +--ro interface-name?        string
     |     |     +--ro interface-state?       enumeration
     |     |     +--ro acquisition-method?    identityref
     |     |     +--ro emission-type?         identityref
     |     |     +--ro dampening-type?        identityref
     |     |     +--ro usage?                 uint8
     |     |     +--ro threshold?             uint8
     |     |     +--ro message?               string
     |     |     +--ro vendor-name?           string
     |     |     +--ro nsf-name?              union
     |     |     +--ro severity?              severity
     |     +--:(i2nsf-system-detection-event)
     |     |  +--ro i2nsf-system-detection-event
     |     |     +--ro event-category?        identityref
     |     |     +--ro acquisition-method?    identityref
     |     |     +--ro emission-type?         identityref
     |     |     +--ro dampening-type?        identityref
     |     |     +--ro user                   string
     |     |     +--ro group*                 string
     |     |     +--ro ip-address             inet:ip-address-no-zone
     |     |     +--ro authentication?        identityref
     |     |     +--ro message?               string
     |     |     +--ro vendor-name?           string
     |     |     +--ro nsf-name?              union
     |     |     +--ro severity?              severity
     |     +--:(i2nsf-traffic-flows)
     |     |  +--ro i2nsf-traffic-flows
     |     |     +--ro src-ip?                inet:ip-address-no-zone
     |     |     +--ro dst-ip?                inet:ip-address-no-zone
     |     |     +--ro protocol?              identityref
     |     |     +--ro src-port?              inet:port-number
     |     |     +--ro dst-port?              inet:port-number
     |     |     +--ro arrival-rate?          uint32
     |     |     +--ro acquisition-method?    identityref
     |     |     +--ro emission-type?         identityref
     |     |     +--ro dampening-type?        identityref
     |     |     +--ro message?               string
     |     |     +--ro vendor-name?           string
     |     |     +--ro nsf-name?              union
     |     |     +--ro severity?              severity
     |     +--:(i2nsf-nsf-detection-session-table)
     |        +--ro i2nsf-nsf-detection-session-table
     |           +--ro current-session?       uint32
     |           +--ro maximum-session?       uint32
     |           +--ro threshold?             uint32
     |           +--ro message?               string
     |           +--ro vendor-name?           string
     |           +--ro nsf-name?              union
     |           +--ro severity?              severity
     +---n i2nsf-log
     |  +--ro (sub-logs-type)?
     |     +--:(i2nsf-nsf-system-access-log)
     |     |  +--ro i2nsf-nsf-system-access-log
     |     |     +--ro login-ip               inet:ip-address-no-zone
     |     |     +--ro username?              string
     |     |     +--ro login-role?            login-role
     |     |     +--ro operation-type?        operation-type
     |     |     +--ro input?                 string
     |     |     +--ro output?                string
     |     |     +--ro acquisition-method?    identityref
     |     |     +--ro emission-type?         identityref
     |     |     +--ro dampening-type?        identityref
     |     |     +--ro message?               string
     |     |     +--ro vendor-name?           string
     |     |     +--ro nsf-name?              union
     |     |     +--ro severity?              severity
     |     +--:(i2nsf-system-res-util-log)
     |     |  +--ro i2nsf-system-res-util-log
     |     |     +--ro system-status?         enumeration
     |     |     +--ro cpu-usage?             uint8
     |     |     +--ro memory-usage?          uint8
     |     |     +--ro disk* [disk-id]
     |     |     |  +--ro disk-id             string
     |     |     |  +--ro disk-usage?         uint8
     |     |     |  +--ro disk-left?          uint8
     |     |     +--ro session-num?           uint32
     |     |     +--ro process-num?           uint32
     |     |     +--ro interface* [interface-id]
     |     |     |  +--ro interface-id        string
     |     |     |  +--ro in-traffic-rate?    uint32
     |     |     |  +--ro out-traffic-rate?   uint32
     |     |     |  +--ro in-traffic-speed?   uint32
     |     |     |  +--ro out-traffic-speed?  uint32
     |     |     +--ro acquisition-method?    identityref
     |     |     +--ro emission-type?         identityref
     |     |     +--ro dampening-type?        identityref
     |     |     +--ro message?               string
     |     |     +--ro vendor-name?           string
     |     |     +--ro nsf-name?              union
     |     |     +--ro severity?              severity
     |     +--:(i2nsf-system-user-activity-log)
     |        +--ro i2nsf-system-user-activity-log
     |           +--ro acquisition-method?    identityref
     |           +--ro emission-type?         identityref
     |           +--ro dampening-type?        identityref
     |           +--ro user                   string
     |           +--ro group*                 string
     |           +--ro ip-address             inet:ip-address-no-zone
     |           +--ro authentication?        identityref
     |           +--ro message?               string
     |           +--ro vendor-name?           string
     |           +--ro nsf-name?              union
     |           +--ro severity?              severity
     |           +--ro online-duration?       uint32
     |           +--ro logout-duration?       uint32
     |           +--ro additional-info?       enumeration
     +---n i2nsf-nsf-event
        +--ro (sub-event-type)?
           +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
           |  +--ro i2nsf-nsf-detection-ddos
           |     +--ro attack-type?           identityref
           |     +--ro start-time             yang:date-and-time
           |     +--ro end-time               yang:date-and-time
           |     +--ro attack-src-ip*         inet:ip-address-no-zone
           |     +--ro attack-dst-ip*         inet:ip-prefix
           |     +--ro attack-src-port*       inet:port-number
           |     +--ro attack-dst-port*       inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?              string
           |     +--ro attack-rate?           uint32
           |     +--ro attack-speed?          uint32
           |     +--ro action*                log-action
           |     +--ro acquisition-method?    identityref
           |     +--ro emission-type?         identityref
           |     +--ro dampening-type?        identityref
           |     +--ro message?               string
           |     +--ro vendor-name?           string
           |     +--ro nsf-name?              union
           |     +--ro severity?              severity
           +--:(i2nsf-nsf-detection-virus)
           |        {i2nsf-nsf-detection-virus}?
           |  +--ro i2nsf-nsf-detection-virus
           |     +--ro dst-ip?                inet:ip-address-no-zone
           |     +--ro dst-port?              inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?              string
           |     +--ro src-ip?                inet:ip-address-no-zone
           |     +--ro src-port?              inet:port-number
           |     +--ro src-location?          string
           |     +--ro dst-location?          string
           |     +--ro virus?                 identityref
           |     +--ro virus-name?            string
           |     +--ro file-type?             string
           |     +--ro file-name?             string
           |     +--ro os?                    string
           |     +--ro action*                log-action
           |     +--ro acquisition-method?    identityref
           |     +--ro emission-type?         identityref
           |     +--ro dampening-type?        identityref
           |     +--ro message?               string
           |     +--ro vendor-name?           string
           |     +--ro nsf-name?              union
           |     +--ro severity?              severity
           +--:(i2nsf-nsf-detection-intrusion)
           |        {i2nsf-nsf-detection-intrusion}?
           |  +--ro i2nsf-nsf-detection-intrusion
           |     +--ro dst-ip?                inet:ip-address-no-zone
           |     +--ro dst-port?              inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?              string
           |     +--ro src-ip?                inet:ip-address-no-zone
           |     +--ro src-port?              inet:port-number
           |     +--ro src-location?          string
           |     +--ro dst-location?          string
           |     +--ro protocol?              identityref
           |     +--ro app?                   identityref
           |     +--ro attack-type?           identityref
           |     +--ro action*                log-action
           |     +--ro attack-rate?           uint32
           |     +--ro attack-speed?          uint32
           |     +--ro acquisition-method?    identityref
           |     +--ro emission-type?         identityref
           |     +--ro dampening-type?        identityref
           |     +--ro message?               string
           |     +--ro vendor-name?           string
           |     +--ro nsf-name?              union
           |     +--ro severity?              severity
           +--:(i2nsf-nsf-detection-web-attack)
           |        {i2nsf-nsf-detection-web-attack}?
           |  +--ro i2nsf-nsf-detection-web-attack
           |     +--ro dst-ip?                inet:ip-address-no-zone
           |     +--ro dst-port?              inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?              string
           |     +--ro src-ip?                inet:ip-address-no-zone
           |     +--ro src-port?              inet:port-number
           |     +--ro src-location?          string
           |     +--ro dst-location?          string
           |     +--ro attack-type?           identityref
           |     +--ro request-method?        identityref
           |     +--ro req-uri?               string
           |     +--ro filtering-type*        identityref
           |     +--ro req-user-agent?        string
           |     +--ro req-cookie?            string
           |     +--ro req-host?              string
           |     +--ro response-code?         string
           |     +--ro acquisition-method?    identityref
           |     +--ro emission-type?         identityref
           |     +--ro dampening-type?        identityref
           |     +--ro action*                log-action
           |     +--ro message?               string
           |     +--ro vendor-name?           string
           |     +--ro nsf-name?              union
           |     +--ro severity?              severity
           +--:(i2nsf-nsf-detection-voip-volte)
           |        {i2nsf-nsf-detection-voip-volte}?
           |  +--ro i2nsf-nsf-detection-voip-volte
           |     +--ro dst-ip?                inet:ip-address-no-zone
           |     +--ro dst-port?              inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?              string
           |     +--ro src-ip?                inet:ip-address-no-zone
           |     +--ro src-port?              inet:port-number
           |     +--ro src-location?          string
           |     +--ro dst-location?          string
           |     +--ro source-voice-id*       string
           |     +--ro destination-voice-id*  string
           |     +--ro user-agent*            string
           +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
              +--ro i2nsf-nsf-log-dpi
                 +--ro attack-type?           dpi-type
                 +--ro acquisition-method?    identityref
                 +--ro emission-type?         identityref
                 +--ro dampening-type?        identityref
                 +--ro policy-name
                 |       -> /nsfintf:i2nsf-security-policy/system-policy-name
                 +--ro src-user?              string
                 +--ro message?               string
                 +--ro vendor-name?           string
                 +--ro nsf-name?              union
                 +--ro severity?              severity

                Figure 1: Information Model for NSF Monitoring

9.  YANG Data Model

   This section describes a YANG module for I2NSF NSF Monitoring.  The
   data model provided in this document uses identities to convey an
   NSF's monitoring data.  Every identity used in the document gives
   information or status about the current situation of an NSF.  This
   YANG module imports from [RFC6991], and makes references to
   [RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC0854] [RFC1939]
   [RFC0959] [RFC3501] [RFC4340] [RFC4443] [RFC4960] [RFC5231]
   [RFC7230] [RFC7231] [RFC8200] [RFC8641] [I-D.ietf-tcpm-rfc793bis]
   [IANA-HTTP-Status-Code] [IANA-Media-Types].
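   What an NSF data collector (Section 7) should check when an
   i2nsf-nsf-event notification from Figure 1 arrives, as an added
   example that is not part of this draft: the leaves the tree marks as
   mandatory (no "?") and as leaf-lists ("*"), the Section 6.3
   characteristics (subscription, on-change, on-repetition), the
   severity typedef, and on-repetition dampening driven by the
   dampening-period and enabled leaves of i2nsf-monitoring-configuration.
   Assumptions: RFC 7951-style JSON names qualified by the module name;
   dampening-period counted in seconds; "the same event" for dampening
   meaning the same sub-event, rule-name and attack-type; the attack-type
   identity name "syn-flood" is illustrative only (SYN flood is listed in
   Section 6.3.1, but the identity is not defined in this section); all
   sample data is constructed.  Note that the tree marks end-time
   mandatory although Section 6.3.1 allows it to be empty; the check
   follows the tree.

```python
"""Collector-side checks for i2nsf-nsf-event notifications (Sections 6.3, 8).

Added example, not code from the draft.  Assumptions: RFC 7951-style JSON
naming, dampening-period in seconds, 'same event' = same sub-event,
rule-name and attack-type, illustrative attack-type identity name, and a
missing configuration container meaning 'enabled, no dampening'.
"""
import copy

MODULE = "ietf-i2nsf-nsf-monitoring"
# Leaves shown without '?' in Figure 1 are mandatory (end-time is mandatory
# in the tree even though Section 6.3.1 allows it to be empty).
MANDATORY = {
    "i2nsf-nsf-detection-ddos": {"start-time", "end-time", "rule-name"},
    "i2nsf-nsf-detection-virus": {"rule-name"},
    "i2nsf-nsf-detection-intrusion": {"rule-name"},
    "i2nsf-nsf-detection-web-attack": {"rule-name"},
    "i2nsf-nsf-detection-voip-volte": {"rule-name"},
    "i2nsf-nsf-log-dpi": {"policy-name"},
}
# Nodes shown with '*' in Figure 1 are leaf-lists and must arrive as arrays.
LEAF_LISTS = {"attack-src-ip", "attack-dst-ip", "attack-src-port",
              "attack-dst-port", "action", "filtering-type",
              "source-voice-id", "destination-voice-id", "user-agent"}
SEVERITY = {"critical", "high", "middle", "low"}      # typedef severity
NSF_EVENT_CHARACTERISTICS = {                          # Section 6.3
    "acquisition-method": f"{MODULE}:subscription",
    "emission-type": f"{MODULE}:on-change",
    "dampening-type": f"{MODULE}:on-repetition",
}


def validate_nsf_event(notif: dict) -> list:
    """Return the list of problems found; an empty list means acceptable."""
    event = notif.get(f"{MODULE}:i2nsf-nsf-event")
    if not isinstance(event, dict) or len(event) != 1:
        return ["expected exactly one sub-event under i2nsf-nsf-event"]
    (sub_event, body), = event.items()
    if sub_event not in MANDATORY:
        return [f"unknown sub-event {sub_event}"]
    problems = []
    present = {k for k, v in body.items() if v not in (None, "")}
    for leaf in sorted(MANDATORY[sub_event] - present):
        problems.append(f"{sub_event}: mandatory leaf {leaf} missing or empty")
    for leaf in sorted(LEAF_LISTS & body.keys()):
        if not isinstance(body[leaf], list):
            problems.append(f"{sub_event}: {leaf} must be a list")
    if body.get("severity", "low") not in SEVERITY:
        problems.append(f"{sub_event}: bad severity {body['severity']}")
    for leaf, expected in NSF_EVENT_CHARACTERISTICS.items():
        if body.get(leaf, expected) != expected:
            problems.append(f"{sub_event}: {leaf} is {body[leaf]}, expected {expected}")
    return problems


def with_leaf(notif: dict, leaf: str, value) -> dict:
    """Deep copy of notif with one sub-event leaf set (removed if value is None)."""
    new = copy.deepcopy(notif)
    (body,) = new[f"{MODULE}:i2nsf-nsf-event"].values()
    if value is None:
        body.pop(leaf, None)
    else:
        body[leaf] = value
    return new


class OnRepetitionDampener:
    """Suppress repeats of the same event inside dampening-period seconds."""

    def __init__(self) -> None:
        self._last_emitted = {}

    def accept(self, sub_event: str, body: dict, now: int, period: int) -> bool:
        key = (sub_event, body.get("rule-name"), body.get("attack-type"))
        last = self._last_emitted.get(key)
        if last is not None and now - last < period:
            return False
        self._last_emitted[key] = now
        return True


def process(notif: dict, config: dict, dampener: OnRepetitionDampener, now: int) -> str:
    """Return 'accepted', 'dampened', 'disabled' or 'invalid: <problems>'."""
    problems = validate_nsf_event(notif)
    if problems:
        return "invalid: " + "; ".join(problems)
    (sub_event, body), = notif[f"{MODULE}:i2nsf-nsf-event"].items()
    conf = config.get(f"{MODULE}:i2nsf-monitoring-configuration", {}).get(sub_event, {})
    if not conf.get("enabled", True):
        return "disabled"
    if not dampener.accept(sub_event, body, now, conf.get("dampening-period", 0)):
        return "dampened"
    return "accepted"


# Constructed sample notifications and configuration (RFC 7951-style names).
SAMPLE_DDOS_EVENT = {f"{MODULE}:i2nsf-nsf-event": {"i2nsf-nsf-detection-ddos": {
    "attack-type": f"{MODULE}:syn-flood",        # identity name is illustrative
    "start-time": "2021-09-15T08:00:00Z", "end-time": "2021-09-15T08:05:00Z",
    "attack-src-ip": ["192.0.2.10", "192.0.2.11"], "attack-dst-ip": ["198.51.100.0/24"],
    "attack-dst-port": [443], "rule-name": "ddos-rule-1",
    "attack-rate": 50000, "attack-speed": 400000000, "action": ["block-ip"],
    "acquisition-method": f"{MODULE}:subscription",
    "emission-type": f"{MODULE}:on-change", "dampening-type": f"{MODULE}:on-repetition",
    "message": "SYN flood detected", "nsf-name": "fw-1", "severity": "high"}}}
SAMPLE_INTRUSION_EVENT = {f"{MODULE}:i2nsf-nsf-event": {"i2nsf-nsf-detection-intrusion": {
    "rule-name": "ids-rule-7", "severity": "middle"}}}
SAMPLE_CONFIG = {f"{MODULE}:i2nsf-monitoring-configuration": {
    "i2nsf-nsf-detection-ddos": {"enabled": True, "dampening-period": 10},
    "i2nsf-nsf-detection-intrusion": {"enabled": False, "dampening-period": 0}}}
```

   With this configuration the DDoS event is accepted, a repeat five
   seconds later is dampened, and one ten seconds later is accepted
   again; the intrusion event is dropped because its container has
   enabled false.  The validator is deliberately strict about leaf-lists
   and characteristics, since a collector that feeds a SIEM is the last
   place where a malformed or mislabelled event is cheap to reject.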
1506 file "ietf-i2nsf-nsf-monitoring@2021-09-15.yang" 1507 module ietf-i2nsf-nsf-monitoring { 1508 yang-version 1.1; 1509 namespace 1510 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; 1511 prefix 1512 nsfmi; 1513 import ietf-inet-types{ 1514 prefix inet; 1515 reference 1516 "Section 4 of RFC 6991"; 1517 } 1518 import ietf-yang-types { 1519 prefix yang; 1520 reference 1521 "Section 3 of RFC 6991"; 1522 } 1523 import ietf-i2nsf-policy-rule-for-nsf { 1524 prefix nsfintf; 1525 reference 1526 "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14"; 1527 } 1528 organization 1529 "IETF I2NSF (Interface to Network Security Functions) 1530 Working Group"; 1531 contact 1532 "WG Web: 1533 WG List: 1535 Editor: Jaehoon Paul Jeong 1536 1538 Editor: Patrick Lingga 1539 "; 1541 description 1542 "This module is a YANG module for I2NSF NSF Monitoring. 1544 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1545 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1546 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 1547 document are to be interpreted as described in BCP 14 1548 (RFC 2119) (RFC 8174) when, and only when, they appear 1549 in all capitals, as shown here. 1551 Copyright (c) 2021 IETF Trust and the persons identified as 1552 authors of the code. All rights reserved. 1554 Redistribution and use in source and binary forms, with or 1555 without modification, is permitted pursuant to, and subject to 1556 the license terms contained in, the Simplified BSD License set 1557 forth in Section 4.c of the IETF Trust's Legal Provisions 1558 Relating to IETF Documents 1559 (https://trustee.ietf.org/license-info). 
1561 This version of this YANG module is part of RFC XXXX 1562 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself 1563 for full legal notices."; 1565 revision "2021-09-15" { 1566 description "Latest revision"; 1567 reference 1568 "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; 1570 // RFC Ed.: replace XXXX with an actual RFC number and remove 1571 // this note. 1572 } 1574 /* 1575 * Typedefs 1576 */ 1578 typedef severity { 1579 type enumeration { 1580 enum critical { 1581 description 1582 "The 'critical' severity level indicates that 1583 an immediate corrective action is required. 1584 A 'critical' severity is reported when a service 1585 becomes totally out of service and must be restored."; 1586 } 1587 enum high { 1588 description 1589 "The 'high' severity level indicates that 1590 an urgent corrective action is required. 1591 A 'high' severity is reported when there is 1592 a severe degradation in the capability of the 1593 service and its full capability must be restored."; 1594 } 1595 enum middle { 1596 description 1597 "The 'middle' severity level indicates the 1598 existence of a non-service-affecting fault 1599 condition and corrective action should be done 1600 to prevent a more serious fault. The 'middle' 1601 severity is reported when the detected problem 1602 is not degrading the capability of the service, but 1603 some service degradation might happen if not 1604 prevented."; 1605 } 1606 enum low { 1607 description 1608 "The 'low' severity level indicates the detection 1609 of a potential fault before any effect is observed. 1610 The 'low' severity is reported when an action should 1611 be done before a fault happen."; 1612 } 1613 } 1614 description 1615 "An indicator representing severity levels. 
The severity 1616 levels starting from the highest are critical, high, middle, 1617 and low."; 1618 } 1620 typedef log-action { 1621 type enumeration { 1622 enum allow { 1623 description 1624 "If action is allowed"; 1625 } 1626 enum alert { 1627 description 1628 "If action is alert"; 1629 } 1630 enum block { 1631 description 1632 "If action is block"; 1633 } 1634 enum discard { 1635 description 1636 "If action is discarded"; 1637 } 1638 enum declare { 1639 description 1640 "If action is declared"; 1641 } 1642 enum block-ip { 1643 description 1644 "If action is block-ip"; 1645 } 1646 enum block-service{ 1647 description 1648 "If action is block-service"; 1649 } 1650 } 1651 description 1652 "The type representing action for logging."; 1653 } 1655 typedef dpi-type{ 1656 type enumeration { 1657 enum file-blocking{ 1658 description 1659 "DPI for preventing the specified file types from flowing 1660 in the network."; 1661 } 1662 enum data-filtering{ 1663 description 1664 "DPI for preventing sensitive information (e.g., Credit 1665 Card Number or Social Security Numbers) leaving a 1666 protected network."; 1667 } 1668 enum application-behavior-control{ 1669 description 1670 "DPI for filtering packet based on the application or 1671 network behavior analysis to identify malicious or 1672 unusual activity."; 1673 } 1674 } 1675 description 1676 "The type of Deep Packet Inspection (DPI). 1677 The defined types are file-blocking, data-filtering, and 1678 application-behavior-control."; 1679 } 1681 typedef operation-type{ 1682 type enumeration { 1683 enum login { 1684 description 1685 "The operation type is Login."; 1686 } 1687 enum logout { 1688 description 1689 "The operation type is Logout."; 1690 } 1691 enum configuration { 1692 description 1693 "The operation type is Configuration. 
           The configuration
           operation includes the command for writing a new
           configuration and modifying an existing configuration.";
      }
      enum other {
        description
          "The operation type is Other operation. This other
           includes all operations done by a user except login,
           logout, and configuration.";
      }
    }
    description
      "The type of operation done by a user during a session.
       The user operation does not take the user's privileges into
       account.";
  }

  typedef login-role {
    type enumeration {
      enum administrator {
        description
          "Administrator (i.e., Super User) login role.
           Non-restricted role.";
      }
      enum user {
        description
          "User login role. Semi-restricted role, some data and
           configurations are available but confidential or important
           data and configuration are restricted.";
      }
      enum guest {
        description
          "Guest login role. Restricted role, only a few read-only data
           are available and writing configurations is restricted.";
      }
    }
    description
      "The role of a user after login.";
  }

  /*
   * Identity
   */

  identity characteristics {
    description
      "Base identity for monitoring information
       characteristics";
  }
  identity acquisition-method {
    base characteristics;
    description
      "The type of acquisition-method.
       It can be multiple
       types at once.";
  }
  identity subscription {
    base acquisition-method;
    description
      "The acquisition-method type is subscription.";
  }
  identity query {
    base acquisition-method;
    description
      "The acquisition-method type is query.";
  }
  identity emission-type {
    base characteristics;
    description
      "The type of emission-type.";
  }
  identity periodic {
    base emission-type;
    description
      "The emission-type type is periodic.";
  }
  identity on-change {
    base emission-type;
    description
      "The emission-type type is on-change.";
  }
  identity dampening-type {
    base characteristics;
    description
      "The type of message dampening to stop the rapid transmission
       of messages. The dampening types are on-repetition and
       no-dampening.";
  }
  identity no-dampening {
    base dampening-type;
    description
      "The dampening-type is no-dampening. No-dampening type does
       not limit the transmission for the messages of the same
       type.";
  }
  identity on-repetition {
    base dampening-type;
    description
      "The dampening-type is on-repetition.
       On-repetition type limits
       the transmitted on-change message to one message at a certain
       interval.";
  }

  identity authentication-mode {
    description
      "The authentication mode for a user to connect to the NSF,
       e.g., pre-configured-key and certificate-authority";
  }
  identity pre-configured-key {
    base authentication-mode;
    description
      "The pre-configured-key mode is authentication using a
       pre-configured key.";
  }
  identity certificate-authority {
    base authentication-mode;
    description
      "The certificate-authority (CA) mode is authentication using a
       digital certificate.";
  }

  identity event {
    description
      "Base identity for I2NSF events.";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
  }

  identity system-alarm {
    base event;
    description
      "Base identity for detectable system alarm types";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "A memory alarm is alerted.";
  }
  identity cpu-alarm {
    base system-alarm;
    description
      "A CPU alarm is alerted.";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "A disk alarm is alerted.";
  }
  identity hardware-alarm {
    base system-alarm;
    description
      "A hardware alarm (i.e., hardware failure) is alerted.";
  }
  identity interface-alarm {
    base system-alarm;
    description
      "An interface alarm is alerted.";
  }

  identity access-violation {
    base system-event;
    description
      "The access-violation system event is an event when a user
       tries to access (read or write) any information above their
       privilege.";
  }
  identity configuration-change {
    base system-event;
    description
      "The configuration-change system event is an event when a user
       adds a new configuration or modifies an existing
       configuration
       (write configuration).";
  }

  identity attack-type {
    description
      "The root ID of attack-based notification
       in the notification taxonomy";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This ID is intended to be used
       in the context of NSF event.";
  }

  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. It can be multiple types at once.
       This attack type is associated with a detected
       system-log virus-attack.";
  }
  identity trojan {
    base virus-type;
    description
      "The virus type is a trojan. A trojan is able to disguise the
       intent of the files or programs to mislead the users.";
  }
  identity worm {
    base virus-type;
    description
      "The virus type is a worm. A worm can self-replicate and
       spread through the network automatically.";
  }
  identity macro {
    base virus-type;
    description
      "The virus type is a macro virus. A macro virus causes a series
       of threats automatically after the program is executed.";
  }
  identity boot-sector {
    base virus-type;
    description
      "The virus type is a boot sector virus. A boot sector virus
       infects the core of the computer, affecting the startup
       process.";
  }
  identity polymorphic {
    base virus-type;
    description
      "The virus type is a polymorphic virus. A polymorphic virus can
       modify its version when it replicates, making it hard to
       detect.";
  }
  identity overwrite {
    base virus-type;
    description
      "The virus type is an overwrite virus. An overwrite virus can
       remove existing software and replace it with malicious code by
       overwriting it.";
  }
  identity resident {
    base virus-type;
    description
      "The virus-type is a resident virus.
       A resident virus saves itself in
       the computer's memory and infects other files and software.";
  }
  identity non-resident {
    base virus-type;
    description
      "The virus-type is a non-resident virus. A non-resident virus
       attaches directly to an executable file and enters the device
       when executed.";
  }
  identity multipartite {
    base virus-type;
    description
      "The virus-type is a multipartite virus. A multipartite virus
       attacks both the boot sector and executable files of a
       computer.";
  }
  identity spacefiller {
    base virus-type;
    description
      "The virus-type is a spacefiller virus. A spacefiller virus
       fills empty spaces of a file or software with malicious code.";
  }

  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log intrusion.";
  }
  identity brute-force {
    base intrusion-attack-type;
    description
      "The intrusion type is brute-force.";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description
      "The intrusion type is buffer-overflow.";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log web-attack.";
  }
  identity command-injection {
    base web-attack-type;
    description
      "The detected web attack type is command injection.";
  }
  identity xss {
    base web-attack-type;
    description
      "The detected web attack type is XSS.";
  }
  identity csrf {
    base web-attack-type;
    description
      "The detected web attack type is CSRF.";
  }

  identity ddos-type {
    base nsf-attack-type;
    description
      "Base identity for detectable flood types";
  }
  identity syn-flood {
    base ddos-type;
    description
      "A SYN flood is detected.";
  }
  identity ack-flood {
    base ddos-type;
    description
      "An ACK flood is detected.";
  }
  identity syn-ack-flood {
    base ddos-type;
    description
      "A SYN-ACK flood is detected.";
  }
  identity fin-rst-flood {
    base ddos-type;
    description
      "A FIN-RST flood is detected.";
  }
  identity tcp-con-flood {
    base ddos-type;
    description
      "A TCP connection flood is detected.";
  }
  identity udp-flood {
    base ddos-type;
    description
      "A UDP flood is detected.";
  }
  identity icmpv4-flood {
    base ddos-type;
    description
      "An ICMPv4 flood is detected.";
  }
  identity icmpv6-flood {
    base ddos-type;
    description
      "An ICMPv6 flood is detected.";
  }
  identity http-flood {
    base ddos-type;
    description
      "An HTTP flood is detected.";
  }
  identity https-flood {
    base ddos-type;
    description
      "An HTTPS flood is detected.";
  }
  identity dns-query-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) query flood is detected.";
  }
  identity dns-reply-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) reply flood is detected.";
  }
  identity sip-flood {
    base ddos-type;
    description
      "A Session Initiation Protocol (SIP) flood is detected.";
  }
  identity ssl-flood {
    base ddos-type;
    description
      "A Secure Sockets Layer (SSL) flood is detected.";
  }
  identity ntp-amp-flood {
    base ddos-type;
    description
      "A Network Time Protocol (NTP) amplification flood is
       detected.";
  }

  identity request-method {
    description
      "A set of request types in HTTP (if applicable).";
  }
  identity put {
    base request-method;
    description
      "The detected request type is PUT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method PUT";
  }
  identity post {
    base request-method;
    description
      "The detected request type is POST.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method POST";
  }
  identity get {
    base request-method;
    description
      "The detected request type is GET.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method GET";
  }
  identity head {
    base request-method;
    description
      "The detected request type is HEAD.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method HEAD";
  }
  identity delete {
    base request-method;
    description
      "The detected request type is DELETE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method DELETE";
  }
  identity connect {
    base request-method;
    description
      "The detected request type is CONNECT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method CONNECT";
  }
  identity options {
    base request-method;
    description
      "The detected request type is OPTIONS.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method OPTIONS";
  }
  identity trace {
    base request-method;
    description
      "The detected request type is TRACE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method TRACE";
  }

  identity filter-type {
    description
      "The type of filter used to detect an attack,
       for example, a web-attack. It can be applicable to
       more than web-attacks.";
  }
  identity allow-list {
    base filter-type;
    description
      "The applied filter type is an allow list.
       This filter blocks
       all connections except the specified list.";
  }
  identity deny-list {
    base filter-type;
    description
      "The applied filter type is a deny list. This filter opens all
       connections except the specified list.";
  }
  identity unknown-filter {
    base filter-type;
    description
      "The applied filter is unknown.";
  }

  identity protocol {
    description
      "An identity used to enable type choices in leaves
       and leaflists with respect to protocol metadata. This is used
       to identify the type of protocol that goes through the NSF.";
  }
  identity ip {
    base protocol;
    description
      "General IP protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity ipv4 {
    base ip;
    description
      "IPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol";
  }
  identity ipv6 {
    base ip;
    description
      "IPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity icmp {
    base protocol;
    description
      "Base identity for ICMPv4 and ICMPv6 condition capability";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }
  identity icmpv4 {
    base icmp;
    description
      "ICMPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 792: Internet Control Message Protocol";
  }
  identity icmpv6 {
    base icmp;
    description
      "ICMPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6)
       Specification";
  }
  identity transport-protocol {
    base protocol;
    description
      "Base
       identity for Layer 4 protocol condition capabilities,
       e.g., TCP, UDP, SCTP, DCCP, and ICMP";
  }
  identity tcp {
    base transport-protocol;
    description
      "TCP protocol type.";
    reference
      "RFC 793: Transmission Control Protocol
       draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification";
  }
  identity udp {
    base transport-protocol;
    description
      "UDP protocol type.";
    reference
      "RFC 768: User Datagram Protocol";
  }
  identity sctp {
    base transport-protocol;
    description
      "Identity for SCTP condition capabilities";
    reference
      "RFC 4960: Stream Control Transmission Protocol";
  }
  identity dccp {
    base transport-protocol;
    description
      "Identity for DCCP condition capabilities";
    reference
      "RFC 4340: Datagram Congestion Control Protocol";
  }
  identity application-protocol {
    base protocol;
    description
      "Base identity for Application protocol, e.g., HTTP, FTP";
  }
  identity http {
    base application-protocol;
    description
      "HTTP protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity https {
    base application-protocol;
    description
      "HTTPS protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity ftp {
    base application-protocol;
    description
      "FTP protocol type.";
    reference
      "RFC 959: File Transfer Protocol";
  }
  identity ssh {
    base application-protocol;
    description
      "SSH protocol type.";
    reference
      "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
  }
  identity telnet {
    base application-protocol;
    description
      "The identity for telnet.";
    reference
      "RFC 854: Telnet Protocol";
  }
  identity smtp {
    base application-protocol;
    description
      "The identity for smtp.";
    reference
      "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
  }
  identity pop3 {
    base application-protocol;
    description
      "The identity for pop3.";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)";
  }
  identity imap {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol.";
    reference
      "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
  }

  /*
   * Grouping
   */

  grouping timestamp {
    description
      "Grouping for identifying the time of the message.";
    leaf timestamp {
      type yang:date-and-time;
      description
        "Specify the time of a message being delivered.";
    }
  }

  grouping common-monitoring-data {
    description
      "A set of common monitoring data that is needed
       as the basic information.";
    leaf message {
      type string;
      description
        "This is a freetext annotation for
         monitoring a notification's content.";
    }
    leaf vendor-name {
      type string;
      description
        "The name of the NSF vendor. The string is unrestricted to
         identify the provider or vendor of the NSF.";
    }
    leaf nsf-name {
      type union {
        type string;
        type inet:ip-address-no-zone;
      }
      description
        "The name or IP address of the NSF generating the message.
         If the given nsf-name is not an IP address, the name can be
         an arbitrary string including FQDN (Fully Qualified Domain
         Name).
         The name MUST be unique for different NSFs to
         identify the NSF that generates the message.";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm such as critical, high,
         middle, and low.";
    }
  }
  grouping characteristics {
    description
      "A set of characteristics of a notification.";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description
        "The acquisition-method for characteristics";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description
        "The emission-type for characteristics";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description
        "The dampening-type for characteristics";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description
      "A set of contents for alarm type notification.";
    leaf usage {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "Specifies the used percentage";
    }
    leaf threshold {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "The threshold percentage triggering the alarm or
         the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events
       caused by user activity.";
    leaf user {
      type string;
      mandatory true;
      description
        "The name of a user";
    }
    leaf-list group {
      type string;
      description
        "The group(s) to which a user belongs.";
    }
    leaf ip-address {
      type inet:ip-address-no-zone;
      mandatory true;
      description
        "The IPv4 (or IPv6) address of a user that triggers the
         event.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description
        "The authentication-mode of a user.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4 (or IPv6)-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ip-address-no-zone;
      description
        "The destination IPv4 (IPv6) address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          + "/nsfintf:rules/nsfintf:rule-name";
      }
      mandatory true;
      description
        "The name of the I2NSF Policy Rule being triggered";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of extended common IPv4 (or IPv6)-related NSF
       event content elements";
    uses i2nsf-nsf-event-type-content;
    leaf src-ip {
      type inet:ip-address-no-zone;
      description
        "The source IPv4 (or IPv6) address of the packet";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet";
    }
    leaf src-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The source geographical location (e.g., country and city) of
         the packet.";
    }
    leaf dst-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The destination geographical location (e.g., country and
         city) of the packet.";
    }
  }
  grouping log-action {
    description
      "A grouping for logging action.";
    leaf-list action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
  }
  grouping attack-rates {
    description
      "A set of traffic rates for
       monitoring attack traffic
       data";
    leaf attack-rate {
      type uint32;
      units "pps";
      description
        "The average packets per second (pps) rate of attack
         traffic";
    }
    leaf attack-speed {
      type uint32;
      units "bps";
      description
        "The average bits per second (bps) speed of attack traffic";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates for statistics data";
    leaf total-traffic {
      type yang:counter32;
      units "packets";
      description
        "The total number of traffic packets (in and out) in the
         NSF.";
    }
    leaf in-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic peak rate in packets per second (pps).";
    }
    leaf in-traffic-average-speed {
      type uint32;
      units "bps";
      description
        "Inbound traffic average speed in bits per second (bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-speed {
      type uint32;
      units "bps";
      description
        "Inbound traffic peak speed in bits per second (bps).";
    }
    leaf out-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic peak rate in packets per second (pps).";
    }
    leaf out-traffic-average-speed {
      type uint32;
      units "bps";
      description
        "Outbound traffic average speed in bits per second (bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-speed {
      type uint32;
      units "bps";
      description
        "Outbound traffic peak speed in bits per second (bps).";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of counters for interface traffic data.";
    leaf interface-name {
      type string;
      description
        "Network interface name configured in an NSF";
    }
    leaf in-total-traffic-pkts {
      type yang:counter32;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type yang:counter32;
      description
        "Total inbound dropped packets";
    }
    leaf out-drop-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound dropped packets";
    }
    leaf in-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound dropped bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound dropped bytes";
    }
    uses traffic-rates;
  }

  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of contents of a policy in an NSF.";
    leaf policy-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          + "/nsfintf:system-policy-name";
      }
      mandatory true;
      description
        "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description
        "The name of the I2NSF User who generates the policy.";
    }
  }

  grouping enable-notification {
    description
      "A grouping for enabling or disabling notification";
    leaf enabled {
      type boolean;
      default "true";
      description
        "Enables or disables the notification.
         If 'true', then the notification is enabled.
         If 'false', then the notification is disabled.";
    }
  }

  grouping dampening {
    description
      "A grouping for dampening period of notification.";
    leaf dampening-period {
      type uint32;
      units "centiseconds";
      default "0";
      description
        "Specifies the minimum interval between the assembly of
         successive update records for a single receiver of a
         subscription. Whenever subscribed objects change and
         a dampening-period interval (which may be zero) has
         elapsed since the previous update record creation for
         a receiver, any subscribed objects and properties
         that have changed since the previous update record
         will have their current values marshalled and placed
         in a new update record. But if the subscribed objects change
         when the dampening-period is active, it should update the
         record without sending the notification until the dampening-
         period is finished. If multiple changes happen during the
         active dampening-period, it should update the record with
         the latest data.
         And at the end of the dampening-period, it
         should send the record as a notification with the latest
         updated record and restart the countdown.";
      reference
        "RFC 8641: Subscription to YANG Notifications for
         Datastore Updates - Section 5.";
    }
  }

  /*
   * Feature Nodes
   */

  feature i2nsf-nsf-detection-ddos {
    description
      "This feature means it supports I2NSF nsf-detection-ddos
       notification";
  }
  feature i2nsf-nsf-detection-virus {
    description
      "This feature means it supports I2NSF nsf-detection-virus
       notification";
  }
  feature i2nsf-nsf-detection-intrusion {
    description
      "This feature means it supports I2NSF nsf-detection-intrusion
       notification";
  }
  feature i2nsf-nsf-detection-web-attack {
    description
      "This feature means it supports I2NSF nsf-detection-web-attack
       notification";
  }
  feature i2nsf-nsf-detection-voip-volte {
    description
      "This feature means it supports I2NSF nsf-detection-voip-volte
       notification";
  }
  feature i2nsf-nsf-log-dpi {
    description
      "This feature means it supports I2NSF nsf-log-dpi
       notification";
  }

  /*
   * Notification nodes
   */

  notification i2nsf-event {
    description
      "Notification for I2NSF Event.";
    choice sub-event-type {
      description
        "This choice must be augmented with cases for each allowed
         sub-event. Only 1 sub-event will be instantiated in each
         i2nsf-event message.
         Each case is expected to define one
         container with all the sub-event fields.";
      case i2nsf-system-detection-alarm {
        container i2nsf-system-detection-alarm {
          description
            "This notification is sent when a system alarm
             is detected.";
          leaf alarm-category {
            type identityref {
              base system-alarm;
            }
            description
              "The alarm category for
               system-detection-alarm notification";
          }
          leaf component-name {
            type string;
            description
              "The hardware component responsible for generating
               the message. Applicable for Hardware Failure
               Alarm.";
          }
          leaf interface-name {
            type string;
            description
              "The interface name responsible for generating
               the message. Applicable for Network Interface
               Failure Alarm.";
          }
          leaf interface-state {
            type enumeration {
              enum down {
                description
                  "The interface state is down.";
              }
              enum up {
                description
                  "The interface state is up and not congested.";
              }
              enum congested {
                description
                  "The interface state is up but congested.";
              }
            }
            description
              "The state of the interface (i.e., up, down,
               congested).
               Applicable for Network Interface Failure
               Alarm.";
          }
          uses characteristics;
          uses i2nsf-system-alarm-type-content;
          uses common-monitoring-data;
        }
      }

      case i2nsf-system-detection-event {
        container i2nsf-system-detection-event {
          description
            "This notification is sent when a security-sensitive
             authentication action fails.";
          leaf event-category {
            type identityref {
              base system-event;
            }
            description
              "The event category for system-detection-event";
          }
          uses characteristics;
          uses i2nsf-system-event-type-content;
          uses common-monitoring-data;
        }
      }

      case i2nsf-traffic-flows {
        container i2nsf-traffic-flows {
          description
            "This notification is sent to inform about the traffic
             flows.";
          leaf src-ip {
            type inet:ip-address-no-zone;
            description
              "The source IPv4 (or IPv6) address of the flow";
          }
          leaf dst-ip {
            type inet:ip-address-no-zone;
            description
              "The destination IPv4 (or IPv6) address of the flow";
          }
          leaf protocol {
            type identityref {
              base protocol;
            }
            description
              "The protocol type of the flow for the traffic-flows
               notification";
          }
          leaf src-port {
            type inet:port-number;
            description
              "The source port of the flow";
          }
          leaf dst-port {
            type inet:port-number;
            description
              "The destination port of the flow";
          }
          leaf arrival-rate {
            type uint32;
            units "pps";
            description
              "The average arrival rate of the flow in packets per
               second.
               The average is calculated from the start of
               the NSF service until the generation of this
               record.";
          }
          uses characteristics;
          uses common-monitoring-data;
        }
      }

      case i2nsf-nsf-detection-session-table {
        container i2nsf-nsf-detection-session-table {
          description
            "This notification is sent when a session table
             event is detected.";
          leaf current-session {
            type uint32;
            description
              "The number of concurrent sessions";
          }
          leaf maximum-session {
            type uint32;
            description
              "The maximum number of sessions that the session
               table can support";
          }
          leaf threshold {
            type uint32;
            description
              "The threshold triggering the event";
          }
          uses common-monitoring-data;
        }
      }
    }
  }

  notification i2nsf-log {
    description
      "Notification for I2NSF log. The notification is generated
       from the logs of the NSF.";
    choice sub-logs-type {
      description
        "This choice must be augmented with cases for each allowed
         sub-log. Only 1 sub-log will be instantiated in each
         i2nsf-log message.
Each case is expected to define one 2934 container with all the sub-logs fields."; 2935 case i2nsf-nsf-system-access-log { 2936 container i2nsf-nsf-system-access-log { 2937 description 2938 "The notification is sent, if there is a new system 2939 log entry about a system access event."; 2940 leaf login-ip { 2941 type inet:ip-address-no-zone; 2942 mandatory true; 2943 description 2944 "Login IP address of a user"; 2945 } 2946 leaf username { 2947 type string; 2948 description 2949 "The login username that maintains the device"; 2950 } 2951 leaf login-role { 2952 type login-role; 2953 description 2954 "Specifies the user log-in role, i.e., administrator, 2955 user, or guest."; 2956 } 2957 leaf operation-type { 2958 type operation-type; 2959 description 2960 "The operation type that the user executes"; 2961 } 2962 leaf input { 2963 type string; 2964 description 2965 "The operation performed by a user after login. The 2966 operation is a command given by a user."; 2967 } 2968 leaf output { 2969 type string; 2970 description 2971 "The result in text format after executing the 2972 input."; 2973 } 2974 uses characteristics; 2975 uses common-monitoring-data; 2976 } 2977 } 2979 case i2nsf-system-res-util-log { 2980 container i2nsf-system-res-util-log { 2981 description 2982 "This notification is sent, if there is a new log 2983 entry representing resource utilization updates."; 2984 leaf system-status { 2985 type enumeration { 2986 enum running { 2987 description 2988 "The system is active and running the security 2989 service."; 2990 } 2991 enum waiting { 2992 description 2993 "The system is active but waiting for an event to 2994 provide the security service."; 2995 } 2996 enum inactive { 2997 description 2998 "The system is inactive and not running the 2999 security service."; 3000 } 3001 } 3002 description 3003 "The current system's running status"; 3004 } 3005 leaf cpu-usage { 3006 type uint8; 3007 units "percent"; 3008 description 3009 "Specifies the relative 
percentage of CPU usage with 3010 respect to platform resources"; 3012 } 3013 leaf memory-usage { 3014 type uint8; 3015 units "percent"; 3016 description 3017 "Specifies the percentage of memory usage."; 3018 } 3019 list disk { 3020 key disk-id; 3021 description 3022 "Disk is the hardware to store information for a 3023 long period, i.e., Hard Disk or Solid-State Drive."; 3024 leaf disk-id { 3025 type string; 3026 description 3027 "The ID of the storage disk. It is a free form 3028 identifier to identify the storage disk."; 3029 } 3030 leaf disk-usage { 3031 type uint8; 3032 units "percent"; 3033 description 3034 "Specifies the percentage of disk usage"; 3035 } 3036 leaf disk-left { 3037 type uint8; 3038 units "percent"; 3039 description 3040 "Specifies the percentage of disk left"; 3041 } 3042 } 3043 leaf session-num { 3044 type uint32; 3045 description 3046 "The total number of sessions"; 3047 } 3048 leaf process-num { 3049 type uint32; 3050 description 3051 "The total number of processes"; 3052 } 3053 list interface { 3054 key interface-id; 3055 description 3056 "The network interface for connecting a device 3057 with the network."; 3058 leaf interface-id { 3059 type string; 3060 description 3061 "The ID of the network interface. 
It is a free form 3062 identifier to identify the network interface."; 3063 } 3064 leaf in-traffic-rate { 3065 type uint32; 3066 units "pps"; 3067 description 3068 "The total inbound traffic rate in packets per 3069 second"; 3070 } 3071 leaf out-traffic-rate { 3072 type uint32; 3073 units "pps"; 3074 description 3075 "The total outbound traffic rate in packets per 3076 second"; 3077 } 3078 leaf in-traffic-speed { 3079 type uint32; 3080 units "bps"; 3081 description 3082 "The total inbound traffic speed in bits per second"; 3083 } 3084 leaf out-traffic-speed { 3085 type uint32; 3086 units "bps"; 3087 description 3088 "The total outbound traffic speed in bits per 3089 second"; 3090 } 3091 } 3092 uses characteristics; 3093 uses common-monitoring-data; 3094 } 3095 } 3097 case i2nsf-system-user-activity-log { 3098 container i2nsf-system-user-activity-log { 3099 description 3100 "This notification is sent, if there is a new user 3101 activity log entry."; 3102 uses characteristics; 3103 uses i2nsf-system-event-type-content; 3104 uses common-monitoring-data; 3105 leaf online-duration { 3106 type uint32; 3107 units "seconds"; 3108 description 3109 "The duration of a user's activeness (stays in login) 3110 during a session."; 3112 } 3113 leaf logout-duration { 3114 type uint32; 3115 units "seconds"; 3116 description 3117 "The duration of a user's inactiveness (not in login) 3118 from the last session."; 3119 } 3120 leaf additional-info { 3121 type enumeration { 3122 enum successful-login { 3123 description 3124 "The user has succeeded in login."; 3125 } 3126 enum failed-login { 3127 description 3128 "The user has failed in login (e.g., wrong 3129 password)"; 3130 } 3131 enum logout { 3132 description 3133 "The user has succeeded in logout"; 3134 } 3135 enum successful-password-changed { 3136 description 3137 "The password has been changed successfully"; 3138 } 3139 enum failed-password-changed{ 3140 description 3141 "The attempt to change password has failed"; 3142 } 3143 
enum lock { 3144 description 3145 "The user has been locked. A locked user cannot 3146 login."; 3147 } 3148 enum unlock { 3149 description 3150 "The user has been unlocked."; 3151 } 3152 } 3153 description 3154 "User activities, e.g., Successful User Login, 3155 Failed Login attempts, User Logout, Successful User 3156 Password Change, Failed User Password Change, User 3157 Lockout, User Unlocking, and Unknown."; 3158 } 3159 } 3160 } 3161 } 3162 } 3164 notification i2nsf-nsf-event { 3165 description 3166 "Notification for I2NSF NSF Event. This notification is 3167 used for a specific NSF that supported such feature."; 3168 choice sub-event-type { 3169 description 3170 "This choice must be augmented with cases for each allowed 3171 sub-event. Only 1 sub-event will be instantiated in each 3172 i2nsf-event message. Each case is expected to define one 3173 container with all the sub-event fields."; 3174 case i2nsf-nsf-detection-ddos { 3175 if-feature "i2nsf-nsf-detection-ddos"; 3176 container i2nsf-nsf-detection-ddos { 3177 description 3178 "This notification is sent, when a specific flood type 3179 is detected."; 3180 leaf attack-type { 3181 type identityref { 3182 base ddos-type; 3183 } 3184 description 3185 "Any one of Syn flood, ACK flood, SYN-ACK flood, 3186 FIN/RST flood, TCP Connection flood, UDP flood, 3187 ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood, 3188 HTTPS flood, DNS query flood, DNS reply flood, SIP 3189 flood, etc."; 3190 } 3191 leaf start-time { 3192 type yang:date-and-time; 3193 mandatory true; 3194 description 3195 "The time stamp indicating when the attack started"; 3196 } 3197 leaf end-time { 3198 type yang:date-and-time; 3199 mandatory true; 3200 description 3201 "The time stamp indicating when the attack ended"; 3202 } 3203 leaf-list attack-src-ip { 3204 type inet:ip-address-no-zone; 3205 description 3206 "The source IPv4 (or IPv6) addresses of attack 3207 traffic. 
It can hold multiple IPv4 (or IPv6) 3208 addresses."; 3209 } 3210 leaf-list attack-dst-ip { 3211 type inet:ip-prefix; 3212 description 3213 "The destination IPv4 (or IPv6) addresses of attack 3214 traffic. It can hold multiple IPv4 (or IPv6) 3215 addresses."; 3216 } 3217 leaf-list attack-src-port { 3218 type inet:port-number; 3219 description 3220 "The source ports of the DDoS attack"; 3221 } 3222 leaf-list attack-dst-port { 3223 type inet:port-number; 3224 description 3225 "The destination ports of the DDoS attack"; 3226 } 3227 leaf rule-name { 3228 type leafref { 3229 path 3230 "/nsfintf:i2nsf-security-policy" 3231 +"/nsfintf:rules/nsfintf:rule-name"; 3232 } 3233 mandatory true; 3234 description 3235 "The name of the I2NSF Policy Rule being triggered"; 3236 } 3237 leaf raw-info { 3238 type string; 3239 description 3240 "The information describing the packet 3241 triggering the event."; 3242 } 3243 uses attack-rates; 3244 uses log-action; 3245 uses characteristics; 3246 uses common-monitoring-data; 3247 } 3248 } 3249 case i2nsf-nsf-detection-virus { 3250 if-feature "i2nsf-nsf-detection-virus"; 3251 container i2nsf-nsf-detection-virus { 3252 description 3253 "This notification is sent, when a virus is detected."; 3254 uses i2nsf-nsf-event-type-content-extend; 3255 leaf virus { 3256 type identityref { 3257 base virus-type; 3258 } 3259 description 3260 "The virus type for nsf-detection-virus notification"; 3261 } 3262 leaf virus-name { 3263 type string; 3264 description 3265 "The name of the detected virus"; 3266 } 3267 leaf file-type { 3268 type string; 3269 description 3270 "The type of file virus code is found in (if 3271 applicable)."; 3272 reference 3273 "IANA Website: Media Types"; 3274 } 3275 leaf file-name { 3276 type string; 3277 description 3278 "The name of file virus code is found in (if 3279 applicable)."; 3280 } 3281 leaf os { 3282 type string; 3283 description 3284 "The operating system of the device."; 3285 } 3286 uses log-action; 3287 uses 
characteristics; 3288 uses common-monitoring-data; 3289 } 3290 } 3291 case i2nsf-nsf-detection-intrusion { 3292 if-feature "i2nsf-nsf-detection-intrusion"; 3293 container i2nsf-nsf-detection-intrusion { 3294 description 3295 "This notification is sent, when an intrusion event 3296 is detected."; 3297 uses i2nsf-nsf-event-type-content-extend; 3298 leaf protocol { 3299 type identityref { 3300 base transport-protocol; 3301 } 3302 description 3303 "The transport protocol type for 3304 nsf-detection-intrusion notification"; 3305 } 3306 leaf app { 3307 type identityref { 3308 base application-protocol; 3309 } 3310 description 3311 "The employed application layer protocol"; 3312 } 3313 leaf attack-type { 3314 type identityref { 3315 base intrusion-attack-type; 3316 } 3317 description 3318 "The sub attack type for intrusion attack"; 3319 } 3320 uses log-action; 3321 uses attack-rates; 3322 uses characteristics; 3323 uses common-monitoring-data; 3324 } 3325 } 3326 case i2nsf-nsf-detection-web-attack { 3327 if-feature "i2nsf-nsf-detection-web-attack"; 3328 container i2nsf-nsf-detection-web-attack { 3329 description 3330 "This notification is sent, when an attack event is 3331 detected."; 3332 uses i2nsf-nsf-event-type-content-extend; 3333 leaf attack-type { 3334 type identityref { 3335 base web-attack-type; 3336 } 3337 description 3338 "Concrete web attack type, e.g., SQL injection, 3339 command injection, XSS, and CSRF."; 3340 } 3341 leaf request-method { 3342 type identityref { 3343 base request-method; 3344 } 3345 description 3346 "The HTTP request method, e.g., PUT or GET."; 3347 reference 3348 "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): 3349 Semantics and Content - Request Methods"; 3350 } 3351 leaf req-uri { 3352 type string; 3353 description 3354 "The Requested URI"; 3355 } 3356 leaf-list filtering-type { 3357 type identityref { 3358 base filter-type; 3359 } 3360 description 3361 "URL filtering type, e.g., deny-list, allow-list, 3362 and Unknown"; 3363 } 3364 
leaf req-user-agent { 3365 type string; 3366 description 3367 "The request user agent"; 3368 } 3369 leaf req-cookie { 3370 type string; 3371 description 3372 "The HTTP Cookie previously sent by the server with 3373 Set-Cookie"; 3374 } 3375 leaf req-host { 3376 type string; 3377 description 3378 "The domain name of the requested host"; 3379 } 3380 leaf response-code { 3381 type string; 3382 description 3383 "The HTTP Response code"; 3384 reference 3385 "IANA Website: Hypertext Transfer Protocol (HTTP) 3386 Status Code Registry"; 3387 } 3388 uses characteristics; 3389 uses log-action; 3390 uses common-monitoring-data; 3391 } 3392 } 3393 case i2nsf-nsf-detection-voip-volte{ 3394 if-feature "i2nsf-nsf-detection-voip-volte"; 3395 container i2nsf-nsf-detection-voip-volte { 3396 description 3397 "This notification is sent, when a VoIP/VoLTE violation 3398 is detected."; 3399 uses i2nsf-nsf-event-type-content-extend; 3400 leaf-list source-voice-id { 3401 type string; 3402 description 3403 "The detected source voice ID for VoIP and VoLTE that 3404 violates the security policy."; 3405 } 3406 leaf-list destination-voice-id { 3407 type string; 3408 description 3409 "The detected destination voice ID for VoIP and VoLTE 3410 that violates the security policy."; 3411 } 3412 leaf-list user-agent { 3413 type string; 3414 description 3415 "The detected user-agent for VoIP and VoLTE that 3416 violates the security policy."; 3417 } 3418 } 3419 } 3420 case i2nsf-nsf-log-dpi { 3421 if-feature "i2nsf-nsf-log-dpi"; 3422 container i2nsf-nsf-log-dpi { 3423 description 3424 "This notification is sent, if there is a new DPI 3425 event in the NSF log."; 3426 leaf attack-type { 3427 type dpi-type; 3428 description 3429 "The type of the DPI"; 3430 } 3431 uses characteristics; 3432 uses i2nsf-nsf-counters-type-content; 3433 uses common-monitoring-data; 3434 } 3435 } 3436 } 3437 } 3438 /* 3439 * Data nodes 3440 */ 3441 container i2nsf-counters { 3442 config false; 3443 description 3444 "The state 
data representing continuous value changes of 3445 information elements that occur very frequently. The value 3446 should be calculated from the start of the service of the 3447 NSF."; 3448 list system-interface { 3449 key interface-name; 3450 description 3451 "Interface counters provide the visibility of traffic into 3452 and out of an NSF, and bandwidth usage."; 3453 uses characteristics; 3454 uses i2nsf-system-counter-type-content; 3455 uses common-monitoring-data; 3456 uses timestamp; 3457 } 3458 list nsf-firewall { 3459 key policy-name; 3460 description 3461 "Firewall counters provide the visibility of traffic 3462 signatures, bandwidth usage, and how the configured security 3463 and bandwidth policies have been applied."; 3464 uses characteristics; 3465 uses i2nsf-nsf-counters-type-content; 3466 uses traffic-rates; 3467 uses common-monitoring-data; 3468 uses timestamp; 3469 } 3470 list nsf-policy-hits { 3471 key policy-name; 3472 description 3473 "Policy Hit Counters record the number of hits that traffic 3474 packets match a security policy. 
It can check if policy 3475 configurations are correct or not."; 3476 uses characteristics; 3477 uses i2nsf-nsf-counters-type-content; 3478 uses common-monitoring-data; 3479 leaf hit-times { 3480 type yang:counter32; 3481 description 3482 "The number of times a policy is hit"; 3483 } 3484 uses timestamp; 3485 } 3486 } 3488 container i2nsf-monitoring-configuration { 3489 description 3490 "The container for configuring I2NSF monitoring."; 3491 container i2nsf-system-detection-alarm { 3492 description 3493 "The container for configuring I2NSF system-detection-alarm 3494 notification"; 3495 uses enable-notification; 3496 list system-alarm { 3497 key alarm-type; 3498 description 3499 "Configuration for system alarm (i.e., CPU, Memory, 3500 and Disk Usage)"; 3501 leaf alarm-type { 3502 type enumeration { 3503 enum cpu { 3504 description 3505 "To configure the CPU usage threshold to trigger the 3506 cpu-alarm"; 3507 } 3508 enum memory { 3509 description 3510 "To configure the Memory usage threshold to trigger 3511 the memory-alarm"; 3512 } 3513 enum disk { 3514 description 3515 "To configure the Disk (storage) usage threshold to 3516 trigger the disk-alarm"; 3517 } 3518 } 3519 description 3520 "Type of alarm to be configured"; 3521 } 3522 leaf threshold { 3523 type uint8 { 3524 range "1..100"; 3525 } 3526 units "percent"; 3527 description 3528 "The configuration for threshold percentage to trigger 3529 the alarm. 
The alarm will be triggered if the usage 3530 is exceeded the threshold."; 3531 } 3532 uses dampening; 3533 } 3534 } 3535 container i2nsf-system-detection-event { 3536 description 3537 "The container for configuring I2NSF system-detection-event 3538 notification"; 3539 uses enable-notification; 3540 uses dampening; 3541 } 3542 container i2nsf-traffic-flows { 3543 description 3544 "The container for configuring I2NSF traffic-flows 3545 notification"; 3546 uses dampening; 3547 uses enable-notification; 3548 } 3549 container i2nsf-nsf-detection-ddos { 3550 if-feature "i2nsf-nsf-detection-ddos"; 3551 description 3552 "The container for configuring I2NSF nsf-detection-ddos 3553 notification"; 3554 uses enable-notification; 3555 uses dampening; 3556 } 3557 container i2nsf-nsf-detection-session-table-configuration { 3558 description 3559 "The container for configuring I2NSF nsf-detection-session- 3560 table notification"; 3561 uses enable-notification; 3562 uses dampening; 3563 } 3564 container i2nsf-nsf-detection-intrusion { 3565 if-feature "i2nsf-nsf-detection-intrusion"; 3566 description 3567 "The container for configuring I2NSF nsf-detection-intrusion 3568 notification"; 3569 uses enable-notification; 3570 uses dampening; 3571 } 3572 container i2nsf-nsf-detection-web-attack { 3573 if-feature "i2nsf-nsf-detection-web-attack"; 3574 description 3575 "The container for configuring I2NSF nsf-detection-web-attack 3576 notification"; 3577 uses enable-notification; 3578 uses dampening; 3579 } 3580 container i2nsf-nsf-system-access-log { 3581 description 3582 "The container for configuring I2NSF system-access-log 3583 notification"; 3584 uses enable-notification; 3585 uses dampening; 3586 } 3587 container i2nsf-system-res-util-log { 3588 description 3589 "The container for configuring I2NSF system-res-util-log 3590 notification"; 3591 uses enable-notification; 3592 uses dampening; 3593 } 3594 container i2nsf-system-user-activity-log { 3595 description 3596 "The container for 
configuring I2NSF system-user-activity-log 3597 notification"; 3598 uses enable-notification; 3599 uses dampening; 3600 } 3601 container i2nsf-nsf-log-dpi { 3602 if-feature "i2nsf-nsf-log-dpi"; 3603 description 3604 "The container for configuring I2NSF nsf-log-dpi 3605 notification"; 3606 uses enable-notification; 3607 uses dampening; 3608 } 3609 container i2nsf-counter { 3610 description 3611 "This is used to configure the counters 3612 for monitoring an NSF"; 3613 leaf period { 3614 type uint16; 3615 units "minutes"; 3616 default 0; 3617 description 3618 "The configuration for the period interval of reporting 3619 the counter. If 0, then the counter period is disabled. 3620 If value is not 0, then the counter will be reported 3621 following the period value."; 3622 } 3623 } 3624 } 3625 } 3626 3628 Figure 2: Data Model of Monitoring 3630 10. I2NSF Event Stream 3632 This section discusses the NETCONF event stream for I2NSF NSF 3633 Monitoring subscription. The YANG module in this document supports 3634 "ietf-subscribed-notifications" YANG module [RFC8639] for 3635 subscription. The reserved event stream name for this document is 3636 "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support 3637 "I2NSF-Monitoring" event stream for an NSF data collector (e.g., 3638 Security Controller). The "I2NSF-Monitoring" event stream contains 3639 all I2NSF events described in this document. The following example 3640 shows the capabilities of the event streams of an NSF (e.g., 3641 "NETCONF" and "I2NSF-Monitoring" event streams) by the subscription 3642 of an NSF data collector; note that this example XML file is 3643 delivered by an NSF to an NSF data collector. The XML examples in 3644 this document follow the line breaks as per [RFC8792]. 
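The system-alarm list in i2nsf-monitoring-configuration above gives each alarm type a percentage threshold and a dampening setting, and the i2nsf-system-detection-alarm notification reports the usage, the threshold and the alarm identity (cpu-alarm, memory-alarm, disk-alarm). The following Python is an added example, not code from the draft or from any I2NSF implementation, of the NSF-side logic that turns that configuration plus periodic resource samples into alarm records. The dampening grouping is defined elsewhere in the module, so its semantics here are an assumption: "on-repetition" re-emits a persisting alarm at most once per dampening period (in seconds), "no-dampening" emits on every sample. The sample readings are constructed.

```python
"""Added example (not from the draft): evaluate the system-alarm configuration
against resource samples and produce the alarm records an NSF would send as
i2nsf-system-detection-alarm notifications.

Assumptions (the dampening grouping is not shown in the module text above):
  dampening_type  "no-dampening" | "on-repetition"
  dampening_period  seconds; with on-repetition a persisting alarm condition is
                    re-emitted at most once per period.
"""
from dataclasses import dataclass, field

# Identity names the configuration descriptions refer to.
ALARM_IDENTITY = {"cpu": "cpu-alarm", "memory": "memory-alarm", "disk": "disk-alarm"}


@dataclass
class SystemAlarmConfig:
    alarm_type: str                          # enum cpu | memory | disk (list key)
    threshold: int                           # uint8 { range "1..100"; } units percent
    dampening_type: str = "on-repetition"    # assumed values, see module docstring
    dampening_period: int = 60               # assumed: seconds

    def __post_init__(self):
        if self.alarm_type not in ALARM_IDENTITY:
            raise ValueError(f"unknown alarm-type {self.alarm_type!r}")
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold outside the YANG range 1..100")
        if self.dampening_type not in ("no-dampening", "on-repetition"):
            raise ValueError(f"unknown dampening-type {self.dampening_type!r}")


@dataclass
class AlarmEvaluator:
    configs: list
    _last_emit: dict = field(default_factory=dict)   # (alarm_type, disk_id) -> time

    def evaluate(self, sample: dict, now: int) -> list:
        """sample: {"cpu": 40, "memory": 91, "disk": {"sda": 70, "sdb": 95}}
        percent values; disks keyed by the free-form disk-id of the module.
        Returns the alarm records to emit for this sample."""
        emitted = []
        for cfg in self.configs:
            value = sample.get(cfg.alarm_type)
            if value is None:
                continue
            readings = value.items() if isinstance(value, dict) else [(None, value)]
            for disk_id, usage in readings:
                key = (cfg.alarm_type, disk_id)
                # The module says the alarm fires when usage exceeds the threshold,
                # so usage == threshold does not fire.
                if usage <= cfg.threshold:
                    # Condition cleared: the next breach is reported immediately.
                    self._last_emit.pop(key, None)
                    continue
                last = self._last_emit.get(key)
                if (cfg.dampening_type == "on-repetition" and last is not None
                        and now - last < cfg.dampening_period):
                    continue   # repeated alarm inside the dampening window
                self._last_emit[key] = now
                record = {
                    "alarm": ALARM_IDENTITY[cfg.alarm_type],
                    "usage": usage,
                    "threshold": cfg.threshold,
                    "dampening-type": cfg.dampening_type,
                    "time": now,
                }
                if disk_id is not None:
                    record["disk-id"] = disk_id
                emitted.append(record)
        return emitted


if __name__ == "__main__":
    # Constructed configuration and samples mirroring the 91 percent / 90 percent
    # memory alarm discussed later in this document.
    evaluator = AlarmEvaluator([
        SystemAlarmConfig("memory", 90),
        SystemAlarmConfig("disk", 80, dampening_period=30),
        SystemAlarmConfig("cpu", 95, dampening_type="no-dampening"),
    ])
    sample = {"cpu": 40, "memory": 91, "disk": {"sda": 70, "sdb": 95}}
    for t in (0, 10, 45):
        print(t, evaluator.evaluate(sample, now=t))
```

With the constructed configuration the memory and disk alarms fire on the first sample, nothing is emitted ten seconds later while both conditions persist, and only the disk alarm (whose period is 30 seconds) is repeated at 45 seconds. The dampening state is dropped as soon as a reading falls back to or below its threshold, so a flapping resource is reported again without waiting for the period to elapse.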
   [XML of Figure 3 not reproduced: a streams listing with two entries,
   "NETCONF" (description "Default NETCONF Event Stream", replay support
   false) and "I2NSF-Monitoring" (description "I2NSF Monitoring Event
   Stream", replay support true, replay log creation time
   2021-04-29T09:37:39+00:00).]

         Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring
                                 Event Stream

11. XML Examples for I2NSF NSF Monitoring

This section shows XML examples of I2NSF NSF Monitoring data delivered via the Monitoring Interface from an NSF.

11.1. I2NSF System Detection Alarm

The following example shows an alarm triggered by the memory usage of the server; note that this example XML file is delivered by an NSF to an NSF data collector:

   [XML of Figure 4 not reproduced: a notification with eventTime
   2021-04-29T07:43:52.181088+00:00 carrying an
   i2nsf-system-detection-alarm whose alarm identity is
   nsfmi:memory-alarm, acquisition method nsfmi:subscription, emission
   type nsfmi:on-change, dampening type nsfmi:on-repetition, usage 91,
   threshold 90, message "Memory Usage Exceeded the Threshold", NSF name
   time_based_firewall and severity high.]

       Figure 4: Example of I2NSF System Detection Alarm triggered by
                                Memory Usage

The XML data above shows:

1. The NSF that sends the information is named "time_based_firewall".

2. The memory usage of the NSF triggered the alarm.

3. The monitoring information is received by the subscription method.

4. The monitoring information is emitted "on-change".

5. The monitoring information is dampened "on-repetition".

6. The memory usage of the NSF is 91 percent.

7. The memory threshold to trigger the alarm is 90 percent.

8. The severity level of the notification is high.

11.2. I2NSF Interface Counters

To get the I2NSF system interface counters information by query, the NETCONF Client (e.g., NSF data collector) needs to send a GET request to the NETCONF Server (e.g., NSF). The following XML file can be used to get the state data and filter the information.
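The two requests a collector issues for this data, the RFC 8639 subscription to the "I2NSF-Monitoring" stream of Section 10 (push model) and the filtered GET of this section (pull model), are built below in Python from the standard library, together with a parser for the GET reply. This is an added example and not code from the draft. Element names come from RFC 6241 (rpc, get, filter, rpc-reply, data), RFC 8639 (establish-subscription, stream) and the YANG module above (i2nsf-counters, system-interface, interface-name); the message-id values and the sample reply, which carries only the interface-name keys and none of the counter leaves, are constructed for the example.

```python
"""Added example (not from the draft): build the NETCONF requests an NSF data
collector sends for I2NSF monitoring data and parse the reply to the pull request.

Namespaces: NETCONF base (RFC 6241), subscribed-notifications (RFC 8639) and the
namespace this document registers for ietf-i2nsf-nsf-monitoring.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
SN = "urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
NSFMI = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"

# Fixed prefixes so the serialized XML reads like the document's examples.
ET.register_namespace("nc", NC)
ET.register_namespace("sn", SN)
ET.register_namespace("nsfmi", NSFMI)


def _rpc(message_id: str) -> ET.Element:
    if not message_id:
        raise ValueError("message-id is required on a NETCONF rpc")
    return ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})


def build_establish_subscription(message_id: str = "101",
                                 stream: str = "I2NSF-Monitoring") -> str:
    """Push model: subscribe to the reserved I2NSF-Monitoring event stream."""
    rpc = _rpc(message_id)
    sub = ET.SubElement(rpc, f"{{{SN}}}establish-subscription")
    ET.SubElement(sub, f"{{{SN}}}stream").text = stream
    return ET.tostring(rpc, encoding="unicode")


def build_get_system_interface(message_id: str = "102") -> str:
    """Pull model: <get> with a subtree filter on i2nsf-counters/system-interface,
    so the reply carries only the interface counter list, not every state node."""
    rpc = _rpc(message_id)
    get = ET.SubElement(rpc, f"{{{NC}}}get")
    flt = ET.SubElement(get, f"{{{NC}}}filter", {"type": "subtree"})
    counters = ET.SubElement(flt, f"{{{NSFMI}}}i2nsf-counters")
    ET.SubElement(counters, f"{{{NSFMI}}}system-interface")
    return ET.tostring(rpc, encoding="unicode")


def interface_names(rpc_reply: str) -> list:
    """Return the interface-name list keys found in an rpc-reply to the GET above.
    Rejects anything that is not a NETCONF rpc-reply before looking inside."""
    root = ET.fromstring(rpc_reply)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    return [e.text for e in root.iter(f"{{{NSFMI}}}interface-name")]


# Constructed reply skeleton with the same two interfaces as Figure 6 below;
# only the list key is present, the counter leaves are omitted.
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="102">
  <data>
    <i2nsf-counters xmlns="{NSFMI}">
      <system-interface><interface-name>ens3</interface-name></system-interface>
      <system-interface><interface-name>lo</interface-name></system-interface>
    </i2nsf-counters>
  </data>
</rpc-reply>"""


if __name__ == "__main__":
    print(build_establish_subscription())
    print(build_get_system_interface())
    print(interface_names(SAMPLE_REPLY))
```

Both requests go over the same SSH or TLS session that authenticated the NSF, so the collector learns the NSF's identity from the transport, not from any nsf-name carried in the payload. The subtree filter keeps the pull response small, which matters once the counter period is set low on many NSFs.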
   [XML of Figure 5 not reproduced: a NETCONF get request whose subtree
   filter selects the system-interface list of i2nsf-counters.]

      Figure 5: XML Example for NETCONF GET with System Interface Filter

The following XML file shows the reply from the NETCONF Server (e.g., NSF):

   [XML of Figure 6 not reproduced: an rpc-reply from NSF
   time_based_firewall whose i2nsf-counters/system-interface list has two
   entries, interface-name ens3 (acquisition method nsfmi:query, counter
   values 549050, 814956, 0 and 5078) and interface-name lo (acquisition
   method nsfmi:query, counter values 48487, 48487, 0 and 0).]

     Figure 6: Example of I2NSF System Interface Counters XML Information

12. IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950][RFC8525]:

   name: ietf-i2nsf-nsf-monitoring
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   prefix: nsfmi
   reference: RFC XXXX

   // RFC Ed.: replace XXXX with an actual RFC number and remove
   // this note.

13. Security Considerations

The YANG module described in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].

The NETCONF access control model [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.
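Two of the threats this section goes on to list, an NSF (compromised or impersonated) flooding the collector with notifications and an unauthenticated sender posing as an NSF, are handled at the collector by admission control on received notifications. The following Python is an added example, not code from the draft or from any I2NSF implementation, of a per-NSF token bucket gated on the peer identity established by the transport (SSH or TLS client authentication). The identity strings, the rate parameters and the event sequence are constructed for the example; a deployment would size the bucket from the configured counter period and the expected alarm rate.

```python
"""Added example (not from the draft): collector-side admission control for
incoming I2NSF notifications. Each authenticated NSF gets its own token bucket;
senders whose transport identity is not a known NSF are refused before any
bucket is created for them, so an impersonator cannot consume collector state.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float            # notifications refilled per second
    burst: float           # bucket capacity (maximum back-to-back notifications)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        # Times are assumed monotonic (e.g. time.monotonic()).
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class NotificationGate:
    known_nsfs: set                 # identities established by client authentication
    rate: float = 5.0               # constructed default: 5 notifications/s per NSF
    burst: int = 5
    buckets: dict = field(default_factory=dict)
    dropped: dict = field(default_factory=dict)   # per-NSF count of rate-limited drops

    def admit(self, peer_identity: str, now: float) -> str:
        """Decide one notification: 'accept', 'unauthenticated' or 'rate-limited'."""
        if peer_identity not in self.known_nsfs:
            return "unauthenticated"
        bucket = self.buckets.setdefault(
            peer_identity, TokenBucket(self.rate, self.burst))
        if bucket.allow(now):
            return "accept"
        # A sustained excess from one NSF is itself a signal worth alarming on.
        self.dropped[peer_identity] = self.dropped.get(peer_identity, 0) + 1
        return "rate-limited"


def run_sequence(gate: NotificationGate, events) -> dict:
    """events: iterable of (time, peer_identity); returns counts per decision."""
    counts = {"accept": 0, "unauthenticated": 0, "rate-limited": 0}
    for now, peer in events:
        counts[gate.admit(peer, now)] += 1
    return counts


if __name__ == "__main__":
    gate = NotificationGate(known_nsfs={"time_based_firewall"})
    # Constructed burst: 20 notifications from one NSF in the same instant,
    # then one from a peer the transport did not authenticate as an NSF.
    print(run_sequence(gate, [(0.0, "time_based_firewall")] * 20))
    print(gate.admit("rogue", 0.5))
    print(gate.dropped)
```

The decision is made per NSF rather than globally so that one misbehaving NSF cannot starve the others of collector capacity, and the dropped counter gives the collector something to raise its own alarm on, which is what the rate-limiting paragraph in this section calls for on the collector side.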
All data nodes defined in the YANG module which can be created, modified and deleted (i.e., config true, which is the default) are considered sensitive, as they all could potentially impact security monitoring and mitigation activities. Write operations (e.g., edit-config) applied to these data nodes without proper protection could result in missed alarms or incorrect alarm information being returned to the NSF data collector. There are threats that need to be considered and mitigated:

Compromised NSF with valid credentials: It can send falsified information to the NSF data collector to mislead detection or mitigation activities, and/or to hide activity. Currently, there is no in-framework mechanism to mitigate this; it is an issue for all monitoring infrastructures. It is important to prevent the disclosure of confidential information to unauthorized persons, to reduce the possibility of the NSF being compromised with this information.

Compromised NSF data collector with valid credentials: It has visibility into all collected security alarms; the entire detection and mitigation infrastructure may be suspect. It is important to prevent the disclosure of confidential information to unauthorized persons, to reduce the possibility of the NSF data collector being compromised with this information.

Impersonating NSF: It is a system trying to send false information while imitating an NSF; client authentication would help the NSF data collector to identify this invalid NSF in the "push" model (NSF-to-collector), while the "pull" model (collector-to-NSF) should already be addressed by the authentication of the NSF.

Impersonating NSF data collector: It is a rogue NSF data collector with which a legitimate NSF is tricked into communicating; for the "push" model (NSF-to-collector), the collector must present valid credentials, and an NSF should not push to a collector that cannot; for the "pull" model (collector-to-NSF), mutual authentication should be used to mitigate the threat.

In addition, to defend against a denial of service caused by many NSFs sending massive numbers of notifications to the NSF data collector, rate limiting or similar mechanisms should be considered in both the NSF and the NSF data collector, whether configured in advance or applied during the DDoS attack.

All of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. Some data may also contain private information that is highly sensitive to the user, such as the IP address of a user in the container "i2nsf-system-user-activity-log" and the container "i2nsf-system-detection-event". It is important to control read access (e.g., via get, get-config, or notification) to the data nodes. If access control is not properly configured, it can expose system internals to those who should not have access to this information.

14. Acknowledgments

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the IITP (2020-0-00395, Standard Development of Blockchain based Network Management Automation Technology). This work was supported in part by the MSIT under the Information Technology Research Center (ITRC) support program (IITP-2021-2017-0-01633) supervised by the IITP.

15. Contributors

This document is made by the group effort of the I2NSF working group. Many people actively contributed to this document. The authors sincerely appreciate their contributions.

The following are co-authors of this document:

   Chaehong Chung
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: darkhong@skku.edu

   Jinyong (Tim) Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: timkim@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dong.jin@skku.edu

   Dacheng Zhang
   Huawei
   EMail: dacheng.zhang@huawei.com

   Yi Wu
   Alibaba Group
   EMail: anren.wy@alibaba-inc.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA
   EMail: rkkumar@juniper.net

   Anil Lohiya
   Juniper Networks
   EMail: alohiya@juniper.net

16. References

16.1. Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May 1983.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985.

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC3501]  Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877, September 2004.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC5231]  Segmuller, W. and B. Leiba, "Sieve Email Filtering: Relational Extension", RFC 5231, DOI 10.17487/RFC5231, January 2008.

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of Documents Containing YANG Data Models", BCP 216, RFC 8407, DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019.

   [RFC8639]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard, E., and A. Tripathy, "Subscription to YANG Notifications", RFC 8639, DOI 10.17487/RFC8639, September 2019.

   [RFC8641]  Clemm, A. and E. Voit, "Subscription to YANG Notifications for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641, September 2019.

16.2. Informative References

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J. P., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer-facing-interface-dm-14, 21 August 2021.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J. (Tim), Jeong, J. P., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-nsf-facing-interface-dm-13, 15 August 2021.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, "I2NSF Registration Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-registration-interface-dm-11, 21 August 2021.

   [I-D.ietf-i2nsf-applicability]
              Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R. Lopez, "Applicability of Interfaces to Network Security Functions to Network-Based Security Services", Work in Progress, Internet-Draft, draft-ietf-i2nsf-applicability-18, 16 September 2019.

   [I-D.yang-i2nsf-security-policy-translation]
              Jeong, J. P., Lingga, P., Yang, J., and C. Chung, "Security Policy Translation in Interface to Network Security Functions", Work in Progress, Internet-Draft, draft-yang-i2nsf-security-policy-translation-09, 21 August 2021.

   [I-D.ietf-tcpm-rfc793bis]
              Eddy, W. M., "Transmission Control Protocol (TCP) Specification", Work in Progress, Internet-Draft, draft-ietf-tcpm-rfc793bis-25, 7 September 2021.

   [IANA-HTTP-Status-Code]
              Internet Assigned Numbers Authority (IANA), "Hypertext Transfer Protocol (HTTP) Status Code Registry", September 2018.

   [IANA-Media-Types]
              Internet Assigned Numbers Authority (IANA), "Media Types", August 2021.

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-data-model-09:

   * This version is revised following Tom Petch's, Martin Bjorklund's, and Roman Danyliw's comments.

   * This version is revised to synchronize with other I2NSF documents.
4166 Authors' Addresses 4168 Jaehoon (Paul) Jeong (editor) 4169 Department of Computer Science and Engineering 4170 Sungkyunkwan University 4171 2066 Seobu-Ro, Jangan-Gu 4172 Suwon 4173 Gyeonggi-Do 4174 16419 4175 Republic of Korea 4177 Phone: +82 31 299 4957 4178 Email: pauljeong@skku.edu 4179 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 4181 Patrick Lingga 4182 Department of Electrical and Computer Engineering 4183 Sungkyunkwan University 4184 2066 Seobu-Ro, Jangan-Gu 4185 Suwon 4186 Gyeonggi-Do 4187 16419 4188 Republic of Korea 4190 Phone: +82 31 299 4957 4191 Email: patricklink@skku.edu 4192 Susan Hares 4193 Huawei 4194 7453 Hickory Hill 4195 Saline, MI 48176 4196 United States of America 4198 Phone: +1-734-604-0332 4199 Email: shares@ndzh.com 4201 Liang (Frank) Xia 4202 Huawei 4203 101 Software Avenue, Yuhuatai District 4204 Nanjing 4205 Jiangsu, 4206 China 4208 Email: Frank.xialiang@huawei.com 4210 Henk Birkholz 4211 Fraunhofer Institute for Secure Information Technology 4212 Rheinstrasse 75 4213 64295 Darmstadt 4214 Germany 4216 Email: henk.birkholz@sit.fraunhofer.de