Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: 18 April 2022                                          S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                         15 October 2021

             I2NSF NSF Monitoring Interface YANG Data Model
             draft-ietf-i2nsf-nsf-monitoring-data-model-11

Abstract

This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a timely manner. This monitoring functionality is based on the monitoring information that is generated by NSFs. Thus, this document describes not only an information model for the NSF monitoring interface along with a YANG data diagram, but also the corresponding YANG data model.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 18 April 2022.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
3. Use Cases for NSF Monitoring Data
4. Classification of NSF Monitoring Data
   4.1. Retention and Emission
   4.2. Notifications, Events, and Records
   4.3. Unsolicited Poll and Solicited Push
5. Basic Information Model for Monitoring Data
6. Extended Information Model for Monitoring Data
   6.1. System Alarms
      6.1.1. Memory Alarm
      6.1.2. CPU Alarm
      6.1.3. Disk Alarm
      6.1.4. Hardware Alarm
      6.1.5. Interface Alarm
   6.2. System Events
      6.2.1. Access Violation
      6.2.2. Configuration Change
      6.2.3. Session Table Event
      6.2.4. Traffic Flows
   6.3. NSF Events
      6.3.1. DDoS Detection
      6.3.2. Virus Event
      6.3.3. Intrusion Event
      6.3.4. Web Attack Event
      6.3.5. VoIP/VoLTE Event
   6.4. System Logs
      6.4.1. Access Log
      6.4.2. Resource Utilization Log
      6.4.3. User Activity Log
   6.5. NSF Logs
      6.5.1. Deep Packet Inspection Log
   6.6. System Counter
      6.6.1. Interface Counter
   6.7. NSF Counters
      6.7.1. Firewall Counter
      6.7.2. Policy Hit Counter
7. NSF Monitoring Management in I2NSF
8. Tree Structure
9. YANG Data Model
10. I2NSF Event Stream
11. XML Examples for I2NSF NSF Monitoring
   11.1. I2NSF System Detection Alarm
   11.2. I2NSF Interface Counters
12. IANA Considerations
13. Security Considerations
14. Acknowledgments
15. Contributors
16. References
   16.1. Normative References
   16.2. Informative References
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09
Authors' Addresses

1. Introduction

According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF Monitoring Interface.
This interface enables the sharing of vital data from the NSFs (e.g., alarms, records, and counters) with the Security Controller through a variety of mechanisms (e.g., queries, notifications, and events). The monitoring of an NSF plays an important role in an overall security framework if it is done in a timely and comprehensive way. The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial of service (DoS) attacks.

This document defines a comprehensive information model of an NSF monitoring interface that provides visibility into an NSF for the NSF data collector (e.g., Security Controller). Note that an NSF data collector is defined as an entity, such as the Security Controller, that collects NSF monitoring data from an NSF. It specifies the information and illustrates the methods that enable an NSF to provide the information required in order to be monitored in a scalable and efficient way via the NSF Monitoring Interface. The information model for the NSF monitoring interface presented in this document is complementary to the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-nsf-facing-interface-dm].

This document also defines a YANG [RFC7950] data model for the NSF monitoring interface, which is derived from the information model for the NSF monitoring interface.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terminology described in [RFC8329].
This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols in tree diagrams is defined in [RFC8340].

3. Use Cases for NSF Monitoring Data

As mentioned earlier, monitoring plays a critical role in an overall security framework. The monitoring of the NSF provides very valuable information to an NSF data collector (e.g., Security Controller) in maintaining the provisioned security posture. Besides this, there are various other reasons to monitor the NSF, as listed below:

* The security administrator, through the I2NSF User, can configure a policy that is triggered on a specific event occurring in the NSF or the network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm]. If an NSF data collector detects the specified event, it configures additional security functions as defined by policies.

* The events triggered by an NSF as a result of a security policy violation can be used by Security Information and Event Management (SIEM) to detect any suspicious activity in a larger correlation context.

* The information (i.e., events, records, and counters) from an NSF can be used to build advanced analytics, such as behavior and predictive models, to improve the security posture in large deployments.

* The NSF data collector can use events from the NSF to achieve high availability. It can take corrective actions such as restarting a failed NSF and horizontally scaling up the NSF.

* The information (i.e., events, records, and counters) from the NSF can aid in the root cause analysis of an operational issue, so it can improve debugging.

* The records from the NSF can be used to build historical data for operational and business reasons.

4. Classification of NSF Monitoring Data

In order to maintain a strong security posture, it is not only necessary to configure an NSF's security policies but also to continuously monitor the NSF by consuming acquirable and observable data. This enables security administrators to assess the state of the networks in a timely fashion. It is not possible to block all the internal and external threats based on a static security posture. A more practical approach is supported by enabling dynamic security measures, for which continuous visibility is required. This document defines a set of monitoring elements and their scopes that can be acquired from an NSF and can be used as NSF monitoring data. In essence, these types of monitoring data can be leveraged to support constant visibility on multiple levels of granularity and can be consumed by the corresponding functions.

Three basic domains of the monitoring data originating from a system entity [RFC4949], i.e., an NSF, are highlighted in this document:

* Retention and Emission

* Notifications, Events, and Records

* Unsolicited Poll and Solicited Push

As with I2NSF components, every generic system entity can include a set of capabilities that creates information about some context with monitoring data (i.e., monitoring information), composition, configuration, state or behavior of that system entity. This information is intended to be provided to other consumers of information and, in the scope of this document, is handled as NSF monitoring data in an automated fashion.

4.1. Retention and Emission

A system entity (e.g., NSF) first retains I2NSF monitoring data inside its own system before emitting the information to another I2NSF component (e.g., NSF Data Collector).
The I2NSF monitoring information consists of I2NSF Event, I2NSF Record, and I2NSF Counter, as follows:

I2NSF Event: An I2NSF Event is defined as an important occurrence over time, that is, a change in the system being managed or a change in the environment of the system being managed. An I2NSF Event requires immediate attention and should be notified as soon as possible. When used in the context of an (imperative) I2NSF Policy Rule, an I2NSF Event is used to determine whether the Condition clause of that Policy Rule can be evaluated or not. The Alarm Management Framework in [RFC3877] defines an event as something that happens which may be of interest. Examples of an event are a fault, a change in status, crossing a threshold, or an external input to the system. In the I2NSF domain, I2NSF events are created following the definition of an event in the Alarm Management Framework.

I2NSF Record: A record is defined as an item of information that is kept to be looked at and used in the future. Unlike an I2NSF Event, records do not require immediate attention but may be useful for visibility and retroactive cyber forensics. Depending on the record format, there are different qualities in regard to structure and detail. Records are typically stored in log-files or databases on a system entity or NSF. Records in the form of log-files usually include less structure but potentially more detailed information in regard to the changes of a system entity's characteristics. In contrast, databases often use stricter schemas or data models, therefore enforcing a better structure. However, they inhibit storing information that does not match those models ("closed world assumption"). Records can be continuously processed by a system entity as an I2NSF Producer and emitted with a format tailored to a certain type of record. Typically, records are information generated by a system entity (e.g., NSF) that is based on operational and informational data, that is, various changes in system characteristics. Examples of records include user activities, network/traffic status, and network activity. They are important for debugging, auditing and security forensics of a system entity or the network containing the system entity.

I2NSF Counter: An I2NSF Counter is defined as a specific representation of continuous value changes of information elements that occur very frequently. Prominent examples are network interface counters for protocol data unit (PDU) amount, byte amount, drop counters, and error counters. Counters are useful in debugging and for visibility into the operational behavior of a system entity (e.g., NSF). When an NSF data collector asks for the value of a counter to it, a system entity emits

For the utilization of the storage space for accumulated NSF monitoring data, all of the information MUST provide the general information (e.g., timestamp) for purging existing records, which is discussed in Section 5. This document provides a YANG data model in Section 9 for the important I2NSF monitoring information that should be retained. All of the information in the data model is considered important and should be kept permanently, as the information might be useful in many circumstances in the future. The allowed cases for removing some monitoring information include the following:

* When the system storage is too full to create a fresh record [RFC4949], the oldest record can be removed.

* The administrator deletes existing records manually after analyzing the information in them.

The I2NSF monitoring information retained on a system entity (e.g., NSF) may be delivered to a corresponding I2NSF User via an NSF data collector.
The information consists of the aggregated records, typically in the form of log-files or databases. For the NSF Monitoring Interface to deliver the information to the NSF data collector, the NSF needs to accommodate standardized delivery protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. The NSF data collector can forward the information to the I2NSF User through one of the standardized delivery protocols. The interface for this delivery is out of the scope of this document.

4.2. Notifications, Events, and Records

A specific task of the I2NSF User is to process I2NSF Policy Rules. The rules of a policy are composed of three clauses: Event, Condition, and Action clauses. In consequence, an I2NSF Event is specified to trigger an I2NSF Policy Rule. Such an I2NSF Event is defined as any important occurrence over time in the system being managed, and/or in the environment of the system being managed, which aligns well with the generic definition of Event from [RFC3877].

Another role of the I2NSF Event is to trigger a notification for monitoring the status of an NSF. A notification is defined in [RFC3877] as an unsolicited transmission of management information. A system alarm (called an alarm) is defined in Section 6.1 as a warning related to service degradation in system hardware. A system event (called an alert) is defined in Section 6.2 as a warning about any change of configuration, any access violation, or the information of sessions and traffic flows. Both an alarm and an alert are I2NSF Events that can be delivered as a notification. The model illustrated in this document introduces a complementary type of information that can be conveyed as a notification.

In I2NSF monitoring, a notification is used to deliver either an event or a record via the I2NSF Monitoring Interface.
The difference between the event and the record is the timing by which the notifications are emitted. An event is emitted as soon as it happens in order to notify an NSF Data Collector of a problem that needs immediate attention. A record is not emitted immediately; it can be emitted to the NSF Data Collector periodically at a certain time interval.

It is important to note that an NSF Data Collector as a consumer (i.e., observer) of a notification assesses the importance of the notification, rather than an NSF as a producer. The producer can include metadata in a notification that supports the observer in assessing its importance (e.g., severity).

4.3. Unsolicited Poll and Solicited Push

The freshness of the monitored information depends on the acquisition method. Ideally, an I2NSF User is accessing every relevant piece of information about the I2NSF Component and is emitting I2NSF Events to an NSF data collector (e.g., Security Controller) in a timely manner. Publication of events via a pubsub/broker model, peer-to-peer meshes, or statically defined channels are only a few examples of how a solicited push of I2NSF Events can be facilitated. The actual mechanism implemented by an I2NSF Component is out of the scope of this document.

Often, the corresponding management interfaces have to be queried at intervals or on demand if required by an I2NSF Policy Rule. In some cases, the collection of information has to be conducted via a login mechanism provided by a system entity. Accessing records of information via this kind of unsolicited poll can introduce a significant latency in regard to the freshness of the monitored information. The actual definition of intervals implemented by an I2NSF Component is also out of the scope of this document.

5. Basic Information Model for Monitoring Data

As explained in the above section, there is a wealth of data available from the NSF that can be monitored. Firstly, there must be some general information with each monitoring message sent from an NSF that helps a consumer identify the metadata of that message; this information is listed below:

* message: The extra detail to give the context of the information.

* vendor-name: The name of the NSF vendor.

* nsf-name: The name or IP address of the NSF generating the message. If the given nsf-name is not an IP address, the name can be an arbitrary string including an FQDN (Fully Qualified Domain Name). The name MUST be unique in the scope of the management domain so that the NSF generating the message can be distinguished from any other NSF.

* severity: It indicates the severity level. There are four levels in total, i.e., critical, high, middle, and low.

* timestamp: Indicates the time when the message is generated. For the notification operations (i.e., System Alarms, System Events, NSF Events, System Logs, and NSF Logs), this is represented by the eventTime of the NETCONF event notification [RFC5277]. For other operations (i.e., System Counter and NSF Counter), the timestamp MUST be provided separately.

6. Extended Information Model for Monitoring Data

This section covers the additional information associated with the system messages. The extended information model is only for structured data such as events, records, and counters. Any unstructured data is specified with the basic information model only.

Each piece of information has the following characteristics:

* Acquisition method: The method to obtain the message. It can be a "query" or a "subscription". A "query" is a request-based method to acquire the solicited information. A "subscription" is a subscribe-based method to acquire the unsolicited information.
* Emission type: The cause type for the message to be emitted. It can be "on-change" or "periodic". An "on-change" message is emitted when an important event happens in the NSF. A "periodic" message is emitted at a certain time interval. The time to periodically emit the message is configurable.

* Dampening type: The type of message dampening to stop the rapid transmission of messages. The dampening types are "on-repetition" and "no-dampening". The "on-repetition" type limits the transmitted "on-change" messages to one message per certain interval. This interval is defined as dampening-period in [RFC8641]. The dampening-period is configurable. The "no-dampening" type does not limit the transmission of messages of the same type. In short, "on-repetition" means that the dampening is active and "no-dampening" means that it is inactive. It is recommended to activate the dampening for an "on-change" type of message to reduce the number of messages generated.

6.1. System Alarms

System alarms have the following characteristics:

* acquisition-method: subscription

* emission-type: on-change

* dampening-type: on-repetition

6.1.1. Memory Alarm

The memory is the hardware to store information temporarily or for a short period, i.e., Random Access Memory (RAM). The memory-alarm is emitted when the RAM usage exceeds the threshold. The following information should be included in a Memory Alarm:

* event-name: memory-alarm.

* usage: Specifies the size of memory used.

* threshold: The threshold triggering the alarm.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The memory usage exceeded the threshold" or with extra information.

6.1.2. CPU Alarm

The CPU is the Central Processing Unit that executes the basic operations of the system. The cpu-alarm is emitted when the CPU usage exceeds the threshold. The following information should be included in a CPU Alarm:

* event-name: cpu-alarm.

* usage: Specifies the size of CPU used.

* threshold: The threshold triggering the event.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The CPU usage exceeded the threshold" or with extra information.

6.1.3. Disk Alarm

Disk is the hardware to store information for a long period, i.e., Hard Disk or Solid-State Drive. The disk-alarm is emitted when the disk usage exceeds the threshold. The following information should be included in a Disk Alarm:

* event-name: disk-alarm.

* usage: Specifies the size of disk space used.

* threshold: The threshold triggering the event.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The disk usage exceeded the threshold" or with extra information.

6.1.4. Hardware Alarm

The hardware-alarm is emitted when a problem with a hardware component, e.g., CPU, memory, disk, or interface, is detected. The following information should be included in a Hardware Alarm:

* event-name: hardware-alarm.

* component-name: It indicates the hardware component responsible for generating this alarm.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The hardware component has failed or degraded" or with extra information.

6.1.5. Interface Alarm

An interface is the network interface for connecting a device with the network. The interface-alarm is emitted when the state of the interface is changed. The following information should be included in an Interface Alarm:

* event-name: interface-alarm.

* interface-name: The name of the interface.

* interface-state: down, up (not congested), congested (up but congested).

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The interface is 'interface-state'" or with extra information.

6.2. System Events

System events (as alerts) have the following characteristics:

* acquisition-method: subscription

* emission-type: on-change

* dampening-type: on-repetition

6.2.1. Access Violation

The access-violation system event is an event when a user tries to access (read, write, create, or delete) any information or execute commands beyond their privilege. The following information should be included in this event:

* event-name: access-denied.

* user: Name of a user.

* group: Group(s) to which a user belongs. A user can belong to multiple groups.

* ip-address: The IP address of the user that triggered the event.

* authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.

* message: The message to give the context of the event, such as "Access is denied".

6.2.2. Configuration Change

A configuration change is a system event when a new configuration is added or an existing configuration is modified. The following information should be included in this event:

* event-name: config-change.

* user: Name of a user.

* group: Group(s) to which a user belongs. A user can belong to multiple groups.

* ip-address: The IP address of the user that triggered the event.

* authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.

* message: The message to give the context of the event, such as "Configuration is modified" or "New configuration is added".

6.2.3. Session Table Event

The following information should be included in a Session Table Event:

* event-name: session-table.
596 * current-session: The number of concurrent sessions. 598 * maximum-session: The maximum number of sessions that the session 599 table can support. 601 * threshold: The threshold triggering the event. 603 * message: The message to give the context of the event, such as 604 "The number of session table exceeded the threshold". 606 6.2.4. Traffic Flows 608 Traffic flows need to be monitored because they might be used for 609 security attacks to the network. The following information should be 610 included in this event: 612 * src-ip: The source IPv4 or IPv6 address of the traffic flow. 614 * dst-ip: The destination IPv4 or IPv6 address of the traffic flow. 616 * src-port: The source port of the traffic flow. 618 * dst-port: The destination port of the traffic flow. 620 * protocol: The protocol of the traffic flow. 622 * arrival-rate: Arrival rate of packets of the traffic flow. 624 6.3. NSF Events 626 NSF events have the following characteristics: 628 * acquisition-method: subscription 630 * emission-type: on-change 632 * dampening-type: on-repetition 634 6.3.1. DDoS Detection 636 The following information should be included in a DDoS Event: 638 * event-name: detection-ddos. 640 * attack-type: Any one of SYN flood, ACK flood, SYN-ACK flood, FIN/ 641 RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS 642 flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood, 643 SSL flood, and NTP amplification flood. 645 * attack-src-ip: The IP address of the source of the DDoS attack. 647 * attack-dst-ip: The network prefix with a network mask (for IPv4) 648 or prefix length (for IPv6) of a victim under DDoS attack. 650 * dst-port: The port number that the attack traffic aims at. 652 * start-time: The time stamp indicating when the attack started. 654 * end-time: The time stamp indicating when the attack ended. If the 655 attack is still undergoing when sending out the alarm, this field 656 can be empty. 
   * attack-rate: The packets per second of attack traffic.

   * attack-speed: The bytes per second of attack traffic.

   * rule-name: The name of the I2NSF Policy Rule being triggered.
     Note that rule-name is used to match a detected NSF event with a
     policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm], and also
     that there is no rule-name in a system event.

6.3.2.  Virus Event

   The following information should be included in a Virus Event:

   * event-name: detection-virus.

   * virus: Type of the virus, e.g., trojan, worm, or macro virus.

   * virus-name: Name of the virus.

   * dst-ip: The destination IP address of the packet in which the
     virus was found.

   * src-ip: The source IP address of the packet in which the virus
     was found.

   * src-port: The source port of the packet in which the virus was
     found.

   * dst-port: The destination port of the packet in which the virus
     was found.

   * src-location: The source geographical location (e.g., country and
     city) of the virus.

   * dst-location: The destination geographical location (e.g.,
     country and city) of the virus.

   * file-type: The type of the file in which the virus is hidden.

   * file-name: The name of the file in which the virus is hidden.

   * raw-info: Information describing the packet that triggered the
     event.

   * rule-name: The name of the rule being triggered.

6.3.3.  Intrusion Event

   The following information should be included in an Intrusion Event:

   * event-name: The name of the event, e.g., detection-intrusion.

   * attack-type: Attack type, e.g., brute force or buffer overflow.

   * src-ip: The source IP address of the flow.

   * dst-ip: The destination IP address of the flow.

   * src-port: The source port number of the flow.

   * dst-port: The destination port number of the flow.

   * src-location: The source geographical location (e.g., country and
     city) of the flow.
   * dst-location: The destination geographical location (e.g.,
     country and city) of the flow.

   * protocol: The transport-layer protocol used, e.g., TCP or UDP.

   * app: The application-layer protocol used, e.g., HTTP or FTP.

   * rule-name: The name of the I2NSF Policy Rule being triggered.

   * raw-info: Information describing the flow that triggered the
     event.

6.3.4.  Web Attack Event

   The following information should be included in a Web Attack Event:

   * event-name: The name of the event, e.g., detection-web-attack.

   * attack-type: Concrete web attack type, e.g., SQL injection,
     command injection, XSS, or CSRF.

   * src-ip: The source IP address of the packet.

   * dst-ip: The destination IP address of the packet.

   * src-port: The source port number of the packet.

   * dst-port: The destination port number of the packet.

   * src-location: The source geographical location (e.g., country and
     city) of the packet.

   * dst-location: The destination geographical location (e.g.,
     country and city) of the packet.

   * request-method: The HTTP request method, for instance "PUT" or
     "GET".

   * req-uri: Requested URI.

   * response-code: The HTTP response status code.

   * req-user-agent: The HTTP request User-Agent header field.

   * req-cookies: The HTTP Cookie request header field, i.e., the
     cookies previously set by the server with Set-Cookie (the leaf is
     named req-cookie in the YANG module).

   * req-host: The domain name of the requested host (the HTTP Host
     header field).

   * uri-category: Matched URI category.

   * filtering-type: URL filtering type, e.g., deny-list, allow-list,
     or unknown.

   * rule-name: The name of the I2NSF Policy Rule being triggered.

6.3.5.  VoIP/VoLTE Event

   The following information should be included in a VoIP/VoLTE Event:

   * source-voice-id: The detected source voice Call ID for VoIP and
     VoLTE that violates the policy.

   * destination-voice-id: The destination voice Call ID for VoIP and
     VoLTE that violates the policy.
   * user-agent: The user agent for VoIP and VoLTE that violates the
     policy.

   * src-ip: The source IP address of the VoIP/VoLTE flow.

   * dst-ip: The destination IP address of the VoIP/VoLTE flow.

   * src-port: The source port number of the VoIP/VoLTE flow.

   * dst-port: The destination port number of the VoIP/VoLTE flow.

   * src-location: The source geographical location (e.g., country and
     city) of the VoIP/VoLTE flow.

   * dst-location: The destination geographical location (e.g.,
     country and city) of the VoIP/VoLTE flow.

   * rule-name: The name of the I2NSF Policy Rule being triggered.

6.4.  System Logs

   A system log is a record used to monitor the activity of users on
   the NSF and the status of the NSF.  System logs have the following
   characteristics:

   * acquisition-method: subscription

   * emission-type: on-change or periodic

   * dampening-type: on-repetition

6.4.1.  Access Log

   Access logs record administrators' logins, logouts, and operations
   on a device.  By analyzing them, misuse and security weaknesses can
   be identified.  The following information should be included in an
   access log:

   * username: The username that operates on the device.

   * login-ip: IP address used by the administrator to log in.

   * login-mode: The role under which the administrator logged in,
     e.g., administrator, user, or guest (the login-role leaf in the
     YANG module).

   * operation-type: The type of operation that the administrator
     executed, e.g., login, logout, configuration, or other.

   * input: The operation performed by a user after login, i.e., the
     command given by the user.

   * output: The result of executing the input.

6.4.2.  Resource Utilization Log

   Resource utilization logs (running reports) record the device's
   running status, which is useful for device monitoring.  The
   following information should be included in a running report:

   * system-status: The current system's running status.

   * cpu-usage: The aggregated CPU usage.
   * memory-usage: The memory usage.

   * disk-id: The ID identifying the storage disk.

   * disk-usage: The disk usage of disk-id.

   * disk-left: The available disk space left on disk-id.

   * session-number: The total number of concurrent sessions.

   * process-number: The total number of system processes.

   * interface-id: The ID identifying the network interface.

   * in-traffic-rate: The total inbound traffic rate in packets per
     second.

   * out-traffic-rate: The total outbound traffic rate in packets per
     second.

   * in-traffic-speed: The total inbound traffic speed in bytes per
     second.

   * out-traffic-speed: The total outbound traffic speed in bytes per
     second.

6.4.3.  User Activity Log

   User activity logs provide visibility into users' online records
   (such as login time, online/lockout duration, and login IP
   addresses) and the actions that users perform.  User activity
   reports help to identify exceptions during a user's login and
   network access activities.

   * user: Name of the user.

   * group: Group(s) to which the user belongs.

   * login-ip-addr: Login IP address of the user.

   * authentication: The method used to authenticate the user, i.e.,
     pre-configured-key or certificate-authority.

   * online-duration: How long the user stayed logged in during a
     session.

   * logout-duration: How long the user has been logged out since the
     last session.

   * additional-info: Additional information about the login:

     1. type: User activity, e.g., Successful User Login, Failed Login
        Attempt, User Logout, Successful User Password Change, Failed
        User Password Change, User Lockout, or User Unlocking.

     2. cause: Cause of a failed user activity.

6.5.  NSF Logs

   NSF logs have the following characteristics:

   * acquisition-method: subscription

   * emission-type: on-change

   * dampening-type: on-repetition

6.5.1.  Deep Packet Inspection Log

   Deep Packet Inspection (DPI) logs provide statistics on uploaded
   and downloaded files and data, sent and received emails, and alert
   and blocking records on websites.  They help in learning risky user
   behaviors and why access to some URLs is blocked or allowed with an
   alert record.

   * attack-type: The DPI type, e.g., File Blocking, Data Filtering,
     or Application Behavior Control (the dpi-type typedef in the YANG
     module).

   * src-user: The user who generated the policy.

   * policy-name: Name of the security policy that the traffic
     matches.

   * action: Action defined in the file blocking rule, data filtering
     rule, or application behavior control rule that the traffic
     matches.

6.6.  System Counter

   A system counter has the following characteristics:

   * acquisition-method: subscription or query

   * emission-type: periodic

   * dampening-type: none

6.6.1.  Interface Counter

   Interface counters provide visibility into traffic into and out of
   an NSF and into bandwidth usage.  The statistics of the interface
   counters should be computed from the start of the service.  When
   the service is reset, the computation of statistics per counter
   should restart from 0; the discontinuity-time leaf in the tree of
   Section 8 lets a collector detect such a reset.

   * interface-name: Network interface name configured in the NSF.

   * in-total-traffic-pkts: Total inbound packets.

   * out-total-traffic-pkts: Total outbound packets.

   * in-total-traffic-bytes: Total inbound bytes.

   * out-total-traffic-bytes: Total outbound bytes.

   * in-drop-traffic-pkts: Total inbound dropped packets.

   * out-drop-traffic-pkts: Total outbound dropped packets.

   * in-drop-traffic-bytes: Total inbound dropped bytes.

   * out-drop-traffic-bytes: Total outbound dropped bytes.

   * in-traffic-average-rate: Inbound traffic average rate in packets
     per second.
976 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 977 second. 979 * in-traffic-average-speed: Inbound traffic average speed in bytes 980 per second. 982 * in-traffic-peak-speed: Inbound traffic peak speed in bytes per 983 second. 985 * out-traffic-average-rate: Outbound traffic average rate in packets 986 per second. 988 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 989 second. 991 * out-traffic-average-speed: Outbound traffic average speed in bytes 992 per second. 994 * out-traffic-peak-speed: Outbound traffic peak speed in bytes per 995 second. 997 6.7. NSF Counters 999 NSF counters have the following characteristics: 1001 * acquisition-method: subscription or query 1003 * emission-type: periodic 1005 * dampening-type: none 1007 6.7.1. Firewall Counter 1009 Firewall counters provide visibility into traffic signatures, 1010 bandwidth usage, and how the configured security and bandwidth 1011 policies have been applied. 1013 * src-ip: Source IP address of traffic. 1015 * src-user: User who generates the policy. 1017 * dst-ip: Destination IP address of traffic. 1019 * src-port: Source port of traffic. 1021 * dst-port: Destination port of traffic. 1023 * protocol: Protocol type of traffic. 1025 * app: Application type of traffic. 1027 * policy-id: Security policy id that traffic matches. 1029 * policy-name: Security policy name that traffic matches. 1031 * in-interface: Inbound interface of traffic. 1033 * out-interface: Outbound interface of traffic. 1035 * total-traffic: Total traffic volume. 1037 * in-traffic-average-rate: Inbound traffic average rate in packets 1038 per second. 1040 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 1041 second. 1043 * in-traffic-average-speed: Inbound traffic average speed in bytes 1044 per second. 1046 * in-traffic-peak-speed: Inbound traffic peak speed in bytes per 1047 second. 1049 * out-traffic-average-rate: Outbound traffic average rate in packets 1050 per second. 
   * out-traffic-peak-rate: Outbound traffic peak rate in packets per
     second.

   * out-traffic-average-speed: Outbound traffic average speed in bytes
     per second.

   * out-traffic-peak-speed: Outbound traffic peak speed in bytes per
     second.

6.7.2.  Policy Hit Counter

   Policy hit counters record the security policy that traffic matches
   and its hit count.  They can be used to check whether policy
   configurations are correct.

   * src-ip: Source IP address of traffic.

   * src-user: User who generated the policy.

   * dst-ip: Destination IP address of traffic.

   * src-port: Source port of traffic.

   * dst-port: Destination port of traffic.

   * protocol: Protocol type of traffic.

   * app: Application type of traffic.

   * policy-id: Security policy ID that the traffic matches.

   * policy-name: Security policy name that the traffic matches.

   * hit-times: The number of times the security policy has matched
     the specified traffic.

7.  NSF Monitoring Management in I2NSF

   A standard model for monitoring data is required for an
   administrator to check the monitoring data generated by an NSF.
   The administrator can check the monitoring data through the
   following process.  When NSF monitoring data in the standard format
   is generated, the NSF forwards it to an NSF data collector via the
   I2NSF NSF Monitoring Interface.  The NSF data collector delivers it
   to the I2NSF Consumer or the Developer's Management System (DMS) so
   that the administrator can know the state of the I2NSF framework.

   In order to communicate with other components, an I2NSF framework
   [RFC8329] requires interfaces.
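   As an added example (not part of this draft or of any NSF
   implementation), the following Python shows how an NSF data
   collector can derive the average rates of Section 6.6.1 from polled
   samples of the cumulative system-interface counters in the tree of
   Section 8.  It honors the two rules the counter definitions imply:
   in-total-traffic-pkts is a yang:counter32 and wraps at 2^32, and a
   service reset, visible as a change of discontinuity-time, restarts
   counting from 0, so a delta taken across it must be discarded.  The
   interface name, polling times and counter values are constructed.

```python
"""Rate derivation from I2NSF interface counters (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

COUNTER32_MOD = 2 ** 32


@dataclass(frozen=True)
class InterfaceSample:
    """One poll of a system-interface list entry (subset of its leaves)."""
    interface_name: str
    timestamp: datetime             # when the collector took the sample
    discontinuity_time: datetime    # yang:date-and-time of the last counter reset
    in_total_traffic_pkts: int      # yang:counter32: wraps at 2**32
    in_total_traffic_bytes: int     # uint64: assumed never to wrap in practice


def counter32_delta(prev: int, cur: int) -> int:
    """Packets counted between two counter32 readings, allowing one wrap."""
    if not (0 <= prev < COUNTER32_MOD and 0 <= cur < COUNTER32_MOD):
        raise ValueError("counter32 value out of range")
    return (cur - prev) % COUNTER32_MOD


def average_rates(prev: InterfaceSample, cur: InterfaceSample) -> Optional[Tuple[float, float]]:
    """(packets/s, bytes/s) over the interval between two samples, or None
    when the interval is unusable: a discontinuity (service reset) between
    the samples, a non-positive elapsed time, or a uint64 going backwards."""
    if prev.interface_name != cur.interface_name:
        raise ValueError("samples are from different interfaces")
    if cur.discontinuity_time != prev.discontinuity_time:
        return None                      # counters restarted from 0: delta is meaningless
    elapsed = (cur.timestamp - prev.timestamp).total_seconds()
    if elapsed <= 0:
        return None
    pkts = counter32_delta(prev.in_total_traffic_pkts, cur.in_total_traffic_pkts)
    nbytes = cur.in_total_traffic_bytes - prev.in_total_traffic_bytes
    if nbytes < 0:
        return None                      # no discontinuity reported, yet uint64 decreased
    return pkts / elapsed, nbytes / elapsed


def since_start_average(cur: InterfaceSample) -> Optional[Tuple[float, float]]:
    """Average since the service (re)start, i.e. since discontinuity-time,
    which is the 'computed from the start of the service' statistic."""
    elapsed = (cur.timestamp - cur.discontinuity_time).total_seconds()
    if elapsed <= 0:
        return None
    return (cur.in_total_traffic_pkts / elapsed,
            cur.in_total_traffic_bytes / elapsed)


def _utc(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed samples for one interface: a counter32 wrap between the first
# two polls, then a service reset (new discontinuity-time) before the third.
RESET_1 = _utc("2021-10-15T00:00:00")
RESET_2 = _utc("2021-10-15T00:00:25")
SAMPLES = [
    InterfaceSample("eth0", _utc("2021-10-15T00:00:10"), RESET_1, 4294967000, 1_000_000),
    InterfaceSample("eth0", _utc("2021-10-15T00:00:20"), RESET_1, 704, 2_500_000),
    InterfaceSample("eth0", _utc("2021-10-15T00:00:30"), RESET_2, 500, 60_000),
]

if __name__ == "__main__":
    print(average_rates(SAMPLES[0], SAMPLES[1]))   # wrap handled: 1000 pkts in 10 s
    print(average_rates(SAMPLES[1], SAMPLES[2]))   # discontinuity: None
    print(since_start_average(SAMPLES[2]))         # 5 s since the reset
```

   A collector that ignored discontinuity-time would report a huge
   negative-looking (wrapped) delta at the reset; discarding that one
   interval and restarting from the new discontinuity-time is the
   behavior the text asks for.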
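   The on-repetition dampening listed as a characteristic in Sections
   6.2 through 6.5, and the per-class enabled and dampening-period
   knobs under i2nsf-monitoring-configuration in the tree of Section
   8, are not given an algorithm in this draft.  The following Python
   is an added example, not the draft's or any vendor's code.  It
   assumes (all assumptions, not from the text) that the first
   notification of a kind is emitted, that repeats of the same kind
   within dampening-period seconds are suppressed, that a
   dampening-period of 0 disables dampening, and that "same kind" is
   defined by the KEY_FIELDS table.  The configuration values and the
   notification stream are constructed.

```python
"""On-repetition dampening of I2NSF monitoring notifications (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed i2nsf-monitoring-configuration values, keyed by container
# name from the tree; dampening-period is taken to be in seconds.
CONFIG: Dict[str, Dict[str, Any]] = {
    "i2nsf-system-detection-event": {"enabled": True, "dampening-period": 60},
    "i2nsf-traffic-flows": {"enabled": True, "dampening-period": 0},
    "i2nsf-nsf-detection-ddos": {"enabled": False, "dampening-period": 30},
}

# Assumption: the leaves that make two notifications "the same" event.
KEY_FIELDS: Dict[str, Tuple[str, ...]] = {
    "i2nsf-system-detection-event": ("event-category", "user", "ip-address"),
    "i2nsf-traffic-flows": ("src-ip", "dst-ip", "dst-port", "protocol"),
    "i2nsf-nsf-detection-ddos": ("attack-type", "attack-dst-ip"),
}


class Dampener:
    """Decides, per candidate notification, whether the NSF emits it."""

    def __init__(self, config: Dict[str, Dict[str, Any]]) -> None:
        self.config = config
        self.last_emitted: Dict[tuple, float] = {}   # key -> time of last emission
        self.suppressed: Dict[tuple, int] = {}       # key -> repeats dropped since then

    def offer(self, now: float, sub_type: str, body: Dict[str, Any]
              ) -> Optional[Tuple[Dict[str, Any], int]]:
        """Return (notification, suppressed_count) to emit, or None to drop."""
        cfg = self.config.get(sub_type)
        if cfg is None or not cfg.get("enabled", False):
            return None                              # class not enabled: never emitted
        key = (sub_type,) + tuple(str(body.get(f)) for f in KEY_FIELDS.get(sub_type, ()))
        period = int(cfg.get("dampening-period", 0))
        last = self.last_emitted.get(key)
        if last is not None and period > 0 and now - last < period:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return None                              # repeat inside the dampening window
        self.last_emitted[key] = now
        return {sub_type: dict(body)}, self.suppressed.pop(key, 0)


ALICE = {"event-category": "access-denied", "user": "alice",
         "ip-address": "192.0.2.10", "message": "Access is denied"}
BOB = {"event-category": "access-denied", "user": "bob",
       "ip-address": "192.0.2.11", "message": "Access is denied"}
SSH_FLOW = {"src-ip": "192.0.2.10", "dst-ip": "198.51.100.7",
            "dst-port": 22, "protocol": "tcp"}

# Constructed stream: (seconds since start, sub-event-type case, body).
STREAM: List[Tuple[float, str, Dict[str, Any]]] = [
    (0.0, "i2nsf-system-detection-event", ALICE),     # first: emitted
    (5.0, "i2nsf-system-detection-event", ALICE),     # repeat within 60 s: suppressed
    (7.0, "i2nsf-system-detection-event", BOB),       # different key: emitted
    (30.0, "i2nsf-nsf-detection-ddos",
     {"attack-type": "syn-flood", "attack-dst-ip": "198.51.100.7"}),  # class disabled
    (70.0, "i2nsf-system-detection-event", ALICE),    # window expired: emitted, 1 suppressed
    (71.0, "i2nsf-traffic-flows", SSH_FLOW),          # period 0: emitted
    (72.0, "i2nsf-traffic-flows", SSH_FLOW),          # period 0: emitted again
]


def run(stream: List[Tuple[float, str, Dict[str, Any]]],
        config: Dict[str, Dict[str, Any]] = CONFIG) -> List[Tuple[float, int]]:
    """Emission times and suppressed-repeat counts for a notification stream."""
    dampener = Dampener(config)
    emitted: List[Tuple[float, int]] = []
    for t, sub_type, body in stream:
        result = dampener.offer(t, sub_type, body)
        if result is not None:
            emitted.append((t, result[1]))
    return emitted


if __name__ == "__main__":
    print(run(STREAM))
```

   Returning the suppressed count alongside the emitted notification
   lets the collector know that repeats occurred without the NSF having
   to emit each of them; how that count is conveyed on the wire is
   outside the model as drafted.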
The three main interfaces in 1101 I2NSF framework are used for sending monitoring data as follows: 1103 * I2NSF Consumer-Facing Interface 1104 [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User 1105 makes a security policy and forwards it to the Security Controller 1106 via Consumer-Facing Interface, it can specify the threat-feed for 1107 threat prevention, the custom list, the malicious code scan group, 1108 and the event map group. They can be used as an event to be 1109 monitored by an NSF. 1111 * I2NSF Registration Interface 1112 [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions 1113 Virtualization (NFV) architecture provides the lifecycle 1114 management of a Virtual Network Function (VNF) via the Ve-Vnfm 1115 interface. The role of Ve-Vnfm is to request VNF lifecycle 1116 management (e.g., the instantiation and de-instantiation of an 1117 NSF, and load balancing among NSFs), exchange configuration 1118 information, and exchange status information for a network 1119 service. In the I2NSF framework, the DMS manages data about 1120 resource states and network traffic for the lifecycle management 1121 of an NSF. Therefore, the generated monitoring data from NSFs are 1122 delivered from the NSF data collector to the DMS via either 1123 Registration Interface or a new interface (e.g., NSF Monitoring 1124 Interface). These data are delivered from the DMS to the VNF 1125 Manager in the Management and Orchestration (MANO) in the NFV 1126 system [I-D.ietf-i2nsf-applicability]. 1128 * I2NSF NSF Monitoring Interface [RFC8329]: After a high-level 1129 security policy from I2NSF User is translated by security policy 1130 translator [I-D.yang-i2nsf-security-policy-translation] in the 1131 Security Controller, the translated security policy (i.e., low- 1132 level policy) is applied to an NSF via NSF-Facing Interface. 
The 1133 monitoring interface data model for an NSF specifies the list of 1134 events that can trigger Event-Condition-Action (ECA) policies via 1135 NSF Monitoring Interface. 1137 8. Tree Structure 1139 The tree structure of the NSF monitoring YANG module is provided 1140 below: 1142 module: ietf-i2nsf-nsf-monitoring 1143 +--ro i2nsf-counters 1144 | +--ro system-interface* [interface-name] 1145 | | +--ro acquisition-method? identityref 1146 | | +--ro emission-type? identityref 1147 | | +--ro dampening-type? identityref 1148 | | +--ro interface-name if:interface-ref 1149 | | +--ro in-total-traffic-pkts? yang:counter32 1150 | | +--ro out-total-traffic-pkts? yang:counter32 1151 | | +--ro in-total-traffic-bytes? uint64 1152 | | +--ro out-total-traffic-bytes? uint64 1153 | | +--ro in-drop-traffic-pkts? yang:counter32 1154 | | +--ro out-drop-traffic-pkts? yang:counter32 1155 | | +--ro in-drop-traffic-bytes? uint64 1156 | | +--ro out-drop-traffic-bytes? uint64 1157 | | +--ro discontinuity-time yang:date-and-time 1158 | | +--ro total-traffic? yang:counter32 1159 | | +--ro in-traffic-average-rate? uint32 1160 | | +--ro in-traffic-peak-rate? uint32 1161 | | +--ro in-traffic-average-speed? uint64 1162 | | +--ro in-traffic-peak-speed? uint64 1163 | | +--ro out-traffic-average-rate? uint32 1164 | | +--ro out-traffic-peak-rate? uint32 1165 | | +--ro out-traffic-average-speed? uint64 1166 | | +--ro out-traffic-peak-speed? uint64 1167 | | +--ro message? string 1168 | | +--ro vendor-name? string 1169 | | +--ro nsf-name? union 1170 | | +--ro severity? severity 1171 | | +--ro timestamp? yang:date-and-time 1172 | +--ro nsf-firewall* [policy-name] 1173 | | +--ro acquisition-method? identityref 1174 | | +--ro emission-type? identityref 1175 | | +--ro dampening-type? identityref 1176 | | +--ro policy-name 1177 -> /nsfintf:i2nsf-security-policy/system-policy-name 1178 | | +--ro src-user? string 1179 | | +--ro discontinuity-time yang:date-and-time 1180 | | +--ro total-traffic? 
yang:counter32 1181 | | +--ro in-traffic-average-rate? uint32 1182 | | +--ro in-traffic-peak-rate? uint32 1183 | | +--ro in-traffic-average-speed? uint64 1184 | | +--ro in-traffic-peak-speed? uint64 1185 | | +--ro out-traffic-average-rate? uint32 1186 | | +--ro out-traffic-peak-rate? uint32 1187 | | +--ro out-traffic-average-speed? uint64 1188 | | +--ro out-traffic-peak-speed? uint64 1189 | | +--ro message? string 1190 | | +--ro vendor-name? string 1191 | | +--ro nsf-name? union 1192 | | +--ro severity? severity 1193 | | +--ro timestamp? yang:date-and-time 1194 | +--ro nsf-policy-hits* [policy-name] 1195 | +--ro acquisition-method? identityref 1196 | +--ro emission-type? identityref 1197 | +--ro dampening-type? identityref 1198 | +--ro policy-name 1199 -> /nsfintf:i2nsf-security-policy/system-policy-name 1200 | +--ro src-user? string 1201 | +--ro message? string 1202 | +--ro vendor-name? string 1203 | +--ro nsf-name? union 1204 | +--ro severity? severity 1205 | +--ro discontinuity-time yang:date-and-time 1206 | +--ro hit-times? yang:counter32 1207 | +--ro timestamp? yang:date-and-time 1208 +--rw i2nsf-monitoring-configuration 1209 +--rw i2nsf-system-detection-alarm 1210 | +--rw enabled? boolean 1211 | +--rw system-alarm* [alarm-type] 1212 | +--rw alarm-type enumeration 1213 | +--rw threshold? uint8 1214 | +--rw dampening-period? uint32 1215 +--rw i2nsf-system-detection-event 1216 | +--rw enabled? boolean 1217 | +--rw dampening-period? uint32 1218 +--rw i2nsf-traffic-flows 1219 | +--rw dampening-period? uint32 1220 | +--rw enabled? boolean 1221 +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}? 1222 | +--rw enabled? boolean 1223 | +--rw dampening-period? uint32 1224 +--rw i2nsf-nsf-detection-session-table-configuration 1225 | +--rw enabled? boolean 1226 | +--rw dampening-period? uint32 1227 +--rw i2nsf-nsf-detection-intrusion 1228 {i2nsf-nsf-detection-intrusion}? 1229 | +--rw enabled? boolean 1230 | +--rw dampening-period? 
uint32 1231 +--rw i2nsf-nsf-detection-web-attack 1232 {i2nsf-nsf-detection-web-attack}? 1234 | +--rw enabled? boolean 1235 | +--rw dampening-period? uint32 1236 +--rw i2nsf-nsf-system-access-log 1237 | +--rw enabled? boolean 1238 | +--rw dampening-period? uint32 1239 +--rw i2nsf-system-res-util-log 1240 | +--rw enabled? boolean 1241 | +--rw dampening-period? uint32 1242 +--rw i2nsf-system-user-activity-log 1243 | +--rw enabled? boolean 1244 | +--rw dampening-period? uint32 1245 +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}? 1246 | +--rw enabled? boolean 1247 | +--rw dampening-period? uint32 1248 +--rw i2nsf-counter 1249 +--rw period? uint16 1251 notifications: 1252 +---n i2nsf-event 1253 | +--ro (sub-event-type)? 1254 | +--:(i2nsf-system-detection-alarm) 1255 | | +--ro i2nsf-system-detection-alarm 1256 | | +--ro alarm-category? identityref 1257 | | +--ro component-name? string 1258 | | +--ro interface-name? if:interface-ref 1259 | | +--ro interface-state? enumeration 1260 | | +--ro acquisition-method? identityref 1261 | | +--ro emission-type? identityref 1262 | | +--ro dampening-type? identityref 1263 | | +--ro usage? uint8 1264 | | +--ro threshold? uint8 1265 | | +--ro message? string 1266 | | +--ro vendor-name? string 1267 | | +--ro nsf-name? union 1268 | | +--ro severity? severity 1269 | +--:(i2nsf-system-detection-event) 1270 | | +--ro i2nsf-system-detection-event 1271 | | +--ro event-category? identityref 1272 | | +--ro acquisition-method? identityref 1273 | | +--ro emission-type? identityref 1274 | | +--ro dampening-type? identityref 1275 | | +--ro user string 1276 | | +--ro group* string 1277 | | +--ro ip-address inet:ip-address-no-zone 1278 | | +--ro authentication? identityref 1279 | | +--ro message? string 1280 | | +--ro vendor-name? string 1281 | | +--ro nsf-name? union 1282 | | +--ro severity? severity 1283 | +--:(i2nsf-traffic-flows) 1284 | | +--ro i2nsf-traffic-flows 1285 | | +--ro src-ip? inet:ip-address-no-zone 1286 | | +--ro dst-ip? 
inet:ip-address-no-zone 1287 | | +--ro protocol? identityref 1288 | | +--ro src-port? inet:port-number 1289 | | +--ro dst-port? inet:port-number 1290 | | +--ro arrival-rate? uint32 1291 | | +--ro acquisition-method? identityref 1292 | | +--ro emission-type? identityref 1293 | | +--ro dampening-type? identityref 1294 | | +--ro message? string 1295 | | +--ro vendor-name? string 1296 | | +--ro nsf-name? union 1297 | | +--ro severity? severity 1298 | +--:(i2nsf-nsf-detection-session-table) 1299 | +--ro i2nsf-nsf-detection-session-table 1300 | +--ro current-session? uint32 1301 | +--ro maximum-session? uint32 1302 | +--ro threshold? uint32 1303 | +--ro message? string 1304 | +--ro vendor-name? string 1305 | +--ro nsf-name? union 1306 | +--ro severity? severity 1307 +---n i2nsf-log 1308 | +--ro (sub-logs-type)? 1309 | +--:(i2nsf-nsf-system-access-log) 1310 | | +--ro i2nsf-nsf-system-access-log 1311 | | +--ro login-ip? inet:ip-address-no-zone 1312 | | +--ro username? string 1313 | | +--ro login-role? login-role 1314 | | +--ro operation-type? operation-type 1315 | | +--ro input? string 1316 | | +--ro output? string 1317 | | +--ro acquisition-method? identityref 1318 | | +--ro emission-type? identityref 1319 | | +--ro dampening-type? identityref 1320 | | +--ro message? string 1321 | | +--ro vendor-name? string 1322 | | +--ro nsf-name? union 1323 | | +--ro severity? severity 1324 | +--:(i2nsf-system-res-util-log) 1325 | | +--ro i2nsf-system-res-util-log 1326 | | +--ro system-status? enumeration 1327 | | +--ro cpu-usage? uint8 1328 | | +--ro memory-usage? uint8 1329 | | +--ro disk* [disk-id] 1330 | | | +--ro disk-id string 1331 | | | +--ro disk-usage? uint8 1332 | | | +--ro disk-left? uint8 1333 | | +--ro session-num? uint32 1334 | | +--ro process-num? uint32 1335 | | +--ro interface* [interface-id] 1336 | | | +--ro interface-id string 1337 | | | +--ro in-traffic-rate? uint32 1338 | | | +--ro out-traffic-rate? uint32 1339 | | | +--ro in-traffic-speed? 
uint64 1340 | | | +--ro out-traffic-speed? uint64 1341 | | +--ro acquisition-method? identityref 1342 | | +--ro emission-type? identityref 1343 | | +--ro dampening-type? identityref 1344 | | +--ro message? string 1345 | | +--ro vendor-name? string 1346 | | +--ro nsf-name? union 1347 | | +--ro severity? severity 1348 | +--:(i2nsf-system-user-activity-log) 1349 | +--ro i2nsf-system-user-activity-log 1350 | +--ro acquisition-method? identityref 1351 | +--ro emission-type? identityref 1352 | +--ro dampening-type? identityref 1353 | +--ro user string 1354 | +--ro group* string 1355 | +--ro ip-address inet:ip-address-no-zone 1356 | +--ro authentication? identityref 1357 | +--ro message? string 1358 | +--ro vendor-name? string 1359 | +--ro nsf-name? union 1360 | +--ro severity? severity 1361 | +--ro online-duration? uint32 1362 | +--ro logout-duration? uint32 1363 | +--ro additional-info? enumeration 1364 +---n i2nsf-nsf-event 1365 +--ro (sub-event-type)? 1366 +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}? 1367 | +--ro i2nsf-nsf-detection-ddos 1368 | +--ro attack-type? identityref 1369 | +--ro start-time yang:date-and-time 1370 | +--ro end-time yang:date-and-time 1371 | +--ro attack-src-ip* inet:ip-address-no-zone 1372 | +--ro attack-dst-ip* inet:ip-address-no-zone 1373 | +--ro attack-src-port* inet:port-number 1374 | +--ro attack-dst-port* inet:port-number 1375 | +--ro rule-name 1376 -> /nsfintf:i2nsf-security-policy/rules/rule-name 1377 | +--ro raw-info? string 1378 | +--ro attack-rate? uint32 1379 | +--ro attack-speed? uint64 1380 | +--ro action* log-action 1381 | +--ro acquisition-method? identityref 1382 | +--ro emission-type? identityref 1383 | +--ro dampening-type? identityref 1384 | +--ro message? string 1385 | +--ro vendor-name? string 1386 | +--ro nsf-name? union 1387 | +--ro severity? severity 1388 +--:(i2nsf-nsf-detection-virus) 1389 {i2nsf-nsf-detection-virus}? 1390 | +--ro i2nsf-nsf-detection-virus 1391 | +--ro dst-ip? 
inet:ip-address-no-zone 1392 | +--ro dst-port? inet:port-number 1393 | +--ro rule-name 1394 -> /nsfintf:i2nsf-security-policy/rules/rule-name 1395 | +--ro raw-info? string 1396 | +--ro src-ip? inet:ip-address-no-zone 1397 | +--ro src-port? inet:port-number 1398 | +--ro src-location? string 1399 | +--ro dst-location? string 1400 | +--ro virus? identityref 1401 | +--ro virus-name? string 1402 | +--ro file-type? string 1403 | +--ro file-name? string 1404 | +--ro os? string 1405 | +--ro action* log-action 1406 | +--ro acquisition-method? identityref 1407 | +--ro emission-type? identityref 1408 | +--ro dampening-type? identityref 1409 | +--ro message? string 1410 | +--ro vendor-name? string 1411 | +--ro nsf-name? union 1412 | +--ro severity? severity 1413 +--:(i2nsf-nsf-detection-intrusion) 1414 {i2nsf-nsf-detection-intrusion}? 1415 | +--ro i2nsf-nsf-detection-intrusion 1416 | +--ro dst-ip? inet:ip-address-no-zone 1417 | +--ro dst-port? inet:port-number 1418 | +--ro rule-name 1419 -> /nsfintf:i2nsf-security-policy/rules/rule-name 1420 | +--ro raw-info? string 1421 | +--ro src-ip? inet:ip-address-no-zone 1422 | +--ro src-port? inet:port-number 1423 | +--ro src-location? string 1424 | +--ro dst-location? string 1425 | +--ro protocol? identityref 1426 | +--ro app? identityref 1427 | +--ro attack-type? identityref 1428 | +--ro action* log-action 1429 | +--ro attack-rate? uint32 1430 | +--ro attack-speed? uint64 1431 | +--ro acquisition-method? identityref 1432 | +--ro emission-type? identityref 1433 | +--ro dampening-type? identityref 1434 | +--ro message? string 1435 | +--ro vendor-name? string 1436 | +--ro nsf-name? union 1437 | +--ro severity? severity 1438 +--:(i2nsf-nsf-detection-web-attack) 1439 {i2nsf-nsf-detection-web-attack}? 1440 | +--ro i2nsf-nsf-detection-web-attack 1441 | +--ro dst-ip? inet:ip-address-no-zone 1442 | +--ro dst-port? inet:port-number 1443 | +--ro rule-name 1444 -> /nsfintf:i2nsf-security-policy/rules/rule-name 1445 | +--ro raw-info? 
string 1446 | +--ro src-ip? inet:ip-address-no-zone 1447 | +--ro src-port? inet:port-number 1448 | +--ro src-location? string 1449 | +--ro dst-location? string 1450 | +--ro attack-type? identityref 1451 | +--ro request-method? identityref 1452 | +--ro req-uri? string 1453 | +--ro filtering-type* identityref 1454 | +--ro req-user-agent? string 1455 | +--ro req-cookie? string 1456 | +--ro req-host? string 1457 | +--ro response-code? string 1458 | +--ro acquisition-method? identityref 1459 | +--ro emission-type? identityref 1460 | +--ro dampening-type? identityref 1461 | +--ro action* log-action 1462 | +--ro message? string 1463 | +--ro vendor-name? string 1464 | +--ro nsf-name? union 1465 | +--ro severity? severity 1466 +--:(i2nsf-nsf-detection-voip-volte) 1467 {i2nsf-nsf-detection-voip-volte}? 1468 | +--ro i2nsf-nsf-detection-voip-volte 1469 | +--ro dst-ip? inet:ip-address-no-zone 1470 | +--ro dst-port? inet:port-number 1471 | +--ro rule-name 1472 -> /nsfintf:i2nsf-security-policy/rules/rule-name 1473 | +--ro raw-info? string 1474 | +--ro src-ip? inet:ip-address-no-zone 1475 | +--ro src-port? inet:port-number 1476 | +--ro src-location? string 1477 | +--ro dst-location? string 1478 | +--ro source-voice-id* string 1479 | +--ro destination-voice-id* string 1480 | +--ro user-agent* string 1481 +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}? 1482 +--ro i2nsf-nsf-log-dpi 1483 +--ro attack-type? dpi-type 1484 +--ro acquisition-method? identityref 1485 +--ro emission-type? identityref 1486 +--ro dampening-type? identityref 1487 +--ro policy-name 1488 -> /nsfintf:i2nsf-security-policy/system-policy-name 1489 +--ro src-user? string 1490 +--ro message? string 1491 +--ro vendor-name? string 1492 +--ro nsf-name? union 1493 +--ro severity? severity 1495 Figure 1: Information Model for NSF Monitoring 1497 9. YANG Data Model 1499 This section describes a YANG module of I2NSF NSF Monitoring. 
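   As an added example (not part of this draft), the following Python
   checks a JSON-encoded notification against the constraints visible
   in the tree of Section 8, using the RFC 7951 conventions for JSON
   encoding of YANG data (module-qualified top-level node name,
   "module:name" identityrefs): exactly one case of the sub-event-type
   choice is present, leaves shown without "?" are present, ip-
   address-no-zone leaves parse as IPv4 or IPv6 addresses without a
   zone index, port-number is 0..65535, uint8 usage and threshold are
   0..255, severity is one of the typedef's values, and
   date-and-time leaves parse as RFC 3339.  The CASES table is hand-
   derived from the tree and covers only some of the cases; the
   identity name "syn-flood" and the sample notifications are
   constructed.  Note that the tree makes end-time mandatory even
   though Section 6.3.1 says it can be empty while an attack is
   ongoing; the validator follows the tree.

```python
"""Validator for I2NSF monitoring notifications (added example)."""
import ipaddress
from datetime import datetime
from typing import Any, Dict, List, Tuple

SEVERITY = {"critical", "high", "middle", "low"}   # severity typedef, Section 9

# notification -> sub-event-type case -> constraints taken from the tree
CASES: Dict[str, Dict[str, Dict[str, Tuple[str, ...]]]] = {
    "i2nsf-event": {
        "i2nsf-system-detection-alarm": {"uint8": ("usage", "threshold")},
        "i2nsf-system-detection-event": {"mandatory": ("user", "ip-address"),
                                         "ip": ("ip-address",)},
        "i2nsf-traffic-flows": {"ip": ("src-ip", "dst-ip"),
                                "port": ("src-port", "dst-port")},
        "i2nsf-nsf-detection-session-table": {},
    },
    "i2nsf-nsf-event": {
        "i2nsf-nsf-detection-ddos": {"mandatory": ("start-time", "end-time", "rule-name"),
                                     "ip-list": ("attack-src-ip", "attack-dst-ip"),
                                     "port-list": ("attack-src-port", "attack-dst-port"),
                                     "datetime": ("start-time", "end-time")},
        "i2nsf-nsf-detection-intrusion": {"mandatory": ("rule-name",),
                                          "ip": ("src-ip", "dst-ip"),
                                          "port": ("src-port", "dst-port")},
        "i2nsf-nsf-detection-web-attack": {"mandatory": ("rule-name",),
                                           "ip": ("src-ip", "dst-ip"),
                                           "port": ("src-port", "dst-port")},
    },
}


def local_name(name: str) -> str:
    """Strip an RFC 7951 module prefix: "mod:name" -> "name"."""
    return name.rsplit(":", 1)[-1]


def is_ip_no_zone(value: Any) -> bool:
    text = str(value)
    if "%" in text:                 # inet:ip-address-no-zone forbids a zone index
        return False
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_port(value: Any) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 65535


def is_uint8(value: Any) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 255


def is_date_and_time(value: Any) -> bool:
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate(notification: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the instance passed."""
    if len(notification) != 1:
        return ["a notification carries exactly one top-level node"]
    top_name, top = next(iter(notification.items()))
    cases = CASES.get(local_name(top_name))
    if cases is None:
        return [f"unknown notification {top_name}"]
    if not isinstance(top, dict) or len(top) != 1:
        return ["exactly one case of the sub-event-type choice is required"]
    case_name, body = next(iter(top.items()))
    rules = cases.get(local_name(case_name))
    if rules is None:
        return [f"unknown case {case_name} under {top_name}"]
    errors: List[str] = []
    for leaf in rules.get("mandatory", ()):
        if leaf not in body:
            errors.append(f"{leaf}: mandatory leaf missing")
    for kind, ok in (("ip", is_ip_no_zone), ("port", is_port),
                     ("uint8", is_uint8), ("datetime", is_date_and_time)):
        for leaf in rules.get(kind, ()):
            if leaf in body and not ok(body[leaf]):
                errors.append(f"{leaf}: invalid {kind} value {body[leaf]!r}")
    for kind, ok in (("ip-list", is_ip_no_zone), ("port-list", is_port)):
        for leaf in rules.get(kind, ()):
            values = body.get(leaf, [])
            if not isinstance(values, list) or not all(ok(v) for v in values):
                errors.append(f"{leaf}: invalid {kind} value {values!r}")
    if "severity" in body and body["severity"] not in SEVERITY:
        errors.append(f"severity: {body['severity']!r} is not one of {sorted(SEVERITY)}")
    return errors


# Constructed instances.  "syn-flood" stands in for whatever identity the
# module defines for a SYN flood; it is an assumption of this example.
GOOD_DDOS = {"ietf-i2nsf-nsf-monitoring:i2nsf-nsf-event": {"i2nsf-nsf-detection-ddos": {
    "attack-type": "ietf-i2nsf-nsf-monitoring:syn-flood",
    "start-time": "2021-10-15T08:00:00Z", "end-time": "2021-10-15T08:05:00Z",
    "attack-src-ip": ["192.0.2.1", "2001:db8::1"], "attack-dst-ip": ["198.51.100.7"],
    "attack-dst-port": [443], "rule-name": "block-syn-flood",
    "attack-rate": 250000, "severity": "high"}}}
BAD_EVENT = {"ietf-i2nsf-nsf-monitoring:i2nsf-event": {"i2nsf-system-detection-event": {
    "event-category": "ietf-i2nsf-nsf-monitoring:access-denied", "user": "alice",
    "ip-address": "fe80::1%eth0",      # zone index: not an ip-address-no-zone
    "severity": "medium"}}}            # typedef says 'middle'

if __name__ == "__main__":
    print(validate(GOOD_DDOS))
    print(validate(BAD_EVENT))
```

   The zone-index check is explicit because ipaddress.ip_address()
   accepts scoped IPv6 literals on recent Python versions, which the
   ip-address-no-zone type does not; a collector that trusted the
   library's acceptance would let such values through into correlation
   keys and policy lookups.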
   The data model provided in this document uses identities to convey
   the monitoring information of an NSF.  Every identity used in the
   document gives information or status about the current situation of
   an NSF.  This YANG module imports from [RFC6991], and makes
   references to [RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC0854]
   [RFC1939] [RFC0959] [RFC3501] [RFC4340] [RFC4443] [RFC4960]
   [RFC5321] [RFC6242] [RFC7230] [RFC7231] [RFC8200] [RFC8641]
   [I-D.ietf-tcpm-rfc793bis] [IANA-HTTP-Status-Code]
   [IANA-Media-Types].

   file "ietf-i2nsf-nsf-monitoring@2021-10-15.yang"
   module ietf-i2nsf-nsf-monitoring {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
     prefix
       nsfmi;
     import ietf-inet-types{
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }
     import ietf-i2nsf-policy-rule-for-nsf {
       prefix nsfintf;
       reference
         "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "Section 5 of RFC 8343";
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";
     contact
       "WG Web:
        WG List:

        Editor: Jaehoon Paul Jeong

        Editor: Patrick Lingga
        ";

     description
       "This module is a YANG module for I2NSF NSF Monitoring.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
        document are to be interpreted as described in BCP 14
        (RFC 2119) (RFC 8174) when, and only when, they appear
        in all capitals, as shown here.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
1564 Redistribution and use in source and binary forms, with or 1565 without modification, is permitted pursuant to, and subject to 1566 the license terms contained in, the Simplified BSD License set 1567 forth in Section 4.c of the IETF Trust's Legal Provisions 1568 Relating to IETF Documents 1569 (https://trustee.ietf.org/license-info). 1571 This version of this YANG module is part of RFC XXXX 1572 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself 1573 for full legal notices."; 1575 revision "2021-10-15" { 1576 description "Latest revision"; 1577 reference 1578 "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; 1580 // RFC Ed.: replace XXXX with an actual RFC number and remove 1581 // this note. 1582 } 1584 /* 1585 * Typedefs 1586 */ 1588 typedef severity { 1589 type enumeration { 1590 enum critical { 1591 description 1592 "The 'critical' severity level indicates that 1593 an immediate corrective action is required. 1594 A 'critical' severity is reported when a service 1595 becomes totally out of service and must be restored."; 1596 } 1597 enum high { 1598 description 1599 "The 'high' severity level indicates that 1600 an urgent corrective action is required. 1601 A 'high' severity is reported when there is 1602 a severe degradation in the capability of the 1603 service and its full capability must be restored."; 1604 } 1605 enum middle { 1606 description 1607 "The 'middle' severity level indicates the 1608 existence of a non-service-affecting fault 1609 condition and corrective action should be done 1610 to prevent a more serious fault. The 'middle' 1611 severity is reported when the detected problem 1612 is not degrading the capability of the service, but 1613 some service degradation might happen if not 1614 prevented."; 1615 } 1616 enum low { 1617 description 1618 "The 'low' severity level indicates the detection 1619 of a potential fault before any effect is observed. 
           The 'low' severity is reported when an action should
           be done before a fault happens.";
      }
    }
    description
      "An indicator representing severity levels. The severity
       levels starting from the highest are critical, high, middle,
       and low.";
  }

  typedef log-action {
    type enumeration {
      enum allow {
        description
          "If action is allowed";
      }
      enum alert {
        description
          "If action is alert";
      }
      enum block {
        description
          "If action is block";
      }
      enum discard {
        description
          "If action is discarded";
      }
      enum declare {
        description
          "If action is declared";
      }
      enum block-ip {
        description
          "If action is block-ip";
      }
      enum block-service {
        description
          "If action is block-service";
      }
    }
    description
      "The type representing action for logging.";
  }

  typedef dpi-type {
    type enumeration {
      enum file-blocking {
        description
          "DPI for preventing the specified file types from flowing
           in the network.";
      }
      enum data-filtering {
        description
          "DPI for preventing sensitive information (e.g., Credit
           Card Number or Social Security Numbers) leaving a
           protected network.";
      }
      enum application-behavior-control {
        description
          "DPI for filtering packets based on the application or
           network behavior analysis to identify malicious or
           unusual activity.";
      }
    }
    description
      "The type of Deep Packet Inspection (DPI).
       The defined types are file-blocking, data-filtering, and
       application-behavior-control.";
  }

  typedef operation-type {
    type enumeration {
      enum login {
        description
          "The operation type is Login.";
      }
      enum logout {
        description
          "The operation type is Logout.";
      }
      enum configuration {
        description
          "The operation type is Configuration.
           The configuration
           operation includes the command for writing a new
           configuration and modifying an existing configuration.";
      }
      enum other {
        description
          "The operation type is Other operation. This other
           includes all operations done by a user except login,
           logout, and configuration.";
      }
    }
    description
      "The type of operation done by a user during a session.
       The user operation does not take the user's privileges
       into account.";
  }

  typedef login-role {
    type enumeration {
      enum administrator {
        description
          "Administrator (i.e., Super User) login role.
           Non-restricted role.";
      }
      enum user {
        description
          "User login role. Semi-restricted role, some data and
           configurations are available but confidential or important
           data and configuration are restricted.";
      }
      enum guest {
        description
          "Guest login role. Restricted role, only few read data are
           available and write configurations are restricted.";
      }
    }
    description
      "The role of a user after login.";
  }

  /*
   * Identity
   */

  identity characteristics {
    description
      "Base identity for monitoring information
       characteristics";
  }
  identity acquisition-method {
    base characteristics;
    description
      "The type of acquisition-method.
       It can be multiple
       types at once.";
  }
  identity subscription {
    base acquisition-method;
    description
      "The acquisition-method type is subscription.";
  }
  identity query {
    base acquisition-method;
    description
      "The acquisition-method type is query.";
  }
  identity emission-type {
    base characteristics;
    description
      "The type of emission-type.";
  }
  identity periodic {
    base emission-type;
    description
      "The emission-type type is periodic.";
  }
  identity on-change {
    base emission-type;
    description
      "The emission-type type is on-change.";
  }
  identity dampening-type {
    base characteristics;
    description
      "The type of message dampening to stop the rapid transmission
       of messages. The dampening types are on-repetition and
       no-dampening";
  }
  identity no-dampening {
    base dampening-type;
    description
      "The dampening-type is no-dampening. No-dampening type does
       not limit the transmission for the messages of the same
       type.";
  }
  identity on-repetition {
    base dampening-type;
    description
      "The dampening-type is on-repetition.
       On-repetition type limits
       the transmitted on-change message to one message at a certain
       interval.";
  }

  identity authentication-mode {
    description
      "The authentication mode for a user to connect to the NSF,
       e.g., pre-configured-key and certificate-authority";
  }
  identity pre-configured-key {
    base authentication-mode;
    description
      "The pre-configured-key is an authentication using a key
       authentication.";
  }
  identity certificate-authority {
    base authentication-mode;
    description
      "The certificate-authority (CA) is an authentication using a
       digital certificate.";
  }

  identity event {
    description
      "Base identity for I2NSF events.";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
  }

  identity system-alarm {
    base event;
    description
      "Base identity for detectable system alarm types";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "A memory alarm is alerted.";
  }
  identity cpu-alarm {
    base system-alarm;
    description
      "A CPU alarm is alerted.";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "A disk alarm is alerted.";
  }
  identity hardware-alarm {
    base system-alarm;
    description
      "A hardware alarm (i.e., hardware failure) is alerted.";
  }
  identity interface-alarm {
    base system-alarm;
    description
      "An interface alarm is alerted.";
  }

  identity access-violation {
    base system-event;
    description
      "The access-violation system event is an event when a user
       tries to access (read, write, create, or delete) any
       information or execute commands above their privilege.";
  }
  identity configuration-change {
    base system-event;
    description
      "The configuration-change system event is an event when a user
       adds a new
       configuration or modifies an existing configuration
       (write configuration).";
  }

  identity attack-type {
    description
      "The root ID of attack-based notification
       in the notification taxonomy";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This ID is intended to be used
       in the context of NSF event.";
  }

  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. It can be multiple types at once.
       This attack type is associated with a detected
       system-log virus-attack.";
  }
  identity trojan {
    base virus-type;
    description
      "The virus type is a trojan. Trojan is able to disguise the
       intent of the files or programs to mislead the users.";
  }
  identity worm {
    base virus-type;
    description
      "The virus type is a worm. Worm can self-replicate and
       spread through the network automatically.";
  }
  identity macro {
    base virus-type;
    description
      "The virus type is a macro virus. Macro causes a series of
       threats automatically after the program is executed.";
  }
  identity boot-sector {
    base virus-type;
    description
      "The virus type is a boot sector virus. Boot sector is a virus
       that infects the core of the computer, affecting the startup
       process.";
  }
  identity polymorphic {
    base virus-type;
    description
      "The virus type is a polymorphic virus. Polymorphic can
       modify its version when it replicates, making it hard to
       detect.";
  }
  identity overwrite {
    base virus-type;
    description
      "The virus type is an overwrite virus. Overwrite can remove
       existing software and replace it with malicious code by
       overwriting it.";
  }
  identity resident {
    base virus-type;
    description
      "The virus-type is a resident virus.
       Resident saves itself in
       the computer's memory and infects other files and software.";
  }
  identity non-resident {
    base virus-type;
    description
      "The virus-type is a non-resident virus. Non-resident attaches
       directly to an executable file and enters the device when
       executed.";
  }
  identity multipartite {
    base virus-type;
    description
      "The virus-type is a multipartite virus. Multipartite attacks
       both the boot sector and executable files of a computer.";
  }
  identity spacefiller {
    base virus-type;
    description
      "The virus-type is a spacefiller virus. Spacefiller fills empty
       spaces of a file or software with malicious code.";
  }

  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log intrusion.";
  }
  identity brute-force {
    base intrusion-attack-type;
    description
      "The intrusion type is brute-force.";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description
      "The intrusion type is buffer-overflow.";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log web-attack.";
  }
  identity command-injection {
    base web-attack-type;
    description
      "The detected web attack type is command injection.";
  }
  identity xss {
    base web-attack-type;
    description
      "The detected web attack type is XSS.";
  }
  identity csrf {
    base web-attack-type;
    description
      "The detected web attack type is CSRF.";
  }

  identity ddos-type {
    base nsf-attack-type;
    description
      "Base identity for detectable flood types";
  }
  identity syn-flood {
    base ddos-type;
    description
      "A SYN flood is detected.";
  }
  identity ack-flood {
    base ddos-type;
    description
      "An ACK flood is detected.";
  }
  identity syn-ack-flood {
    base ddos-type;
    description
      "A SYN-ACK flood is detected.";
  }
  identity fin-rst-flood {
    base ddos-type;
    description
      "A FIN-RST flood is detected.";
  }
  identity tcp-con-flood {
    base ddos-type;
    description
      "A TCP connection flood is detected.";
  }
  identity udp-flood {
    base ddos-type;
    description
      "A UDP flood is detected.";
  }
  identity icmpv4-flood {
    base ddos-type;
    description
      "An ICMPv4 flood is detected.";
  }
  identity icmpv6-flood {
    base ddos-type;
    description
      "An ICMPv6 flood is detected.";
  }
  identity http-flood {
    base ddos-type;
    description
      "An HTTP flood is detected.";
  }
  identity https-flood {
    base ddos-type;
    description
      "An HTTPS flood is detected.";
  }
  identity dns-query-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) query flood is detected.";
  }
  identity dns-reply-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) reply flood is detected.";
  }
  identity sip-flood {
    base ddos-type;
    description
      "A Session Initiation Protocol (SIP) flood is detected.";
  }
  identity ssl-flood {
    base ddos-type;
    description
      "A Secure Sockets Layer (SSL) flood is detected.";
  }
  identity ntp-amp-flood {
    base ddos-type;
    description
      "A Network Time Protocol (NTP) amplification flood is
       detected.";
  }

  identity request-method {
    description
      "A set of request types in HTTP (if applicable).";
  }
  identity put {
    base request-method;
    description
      "The detected request type is PUT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method PUT";
  }
  identity post {
    base request-method;
    description
      "The detected request type is POST.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method POST";
  }
  identity get {
    base request-method;
    description
      "The detected request type is GET.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method GET";
  }
  identity head {
    base request-method;
    description
      "The detected request type is HEAD.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method HEAD";
  }
  identity delete {
    base request-method;
    description
      "The detected request type is DELETE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method DELETE";
  }
  identity connect {
    base request-method;
    description
      "The detected request type is CONNECT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method CONNECT";
  }
  identity options {
    base request-method;
    description
      "The detected request type is OPTIONS.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method OPTIONS";
  }
  identity trace {
    base request-method;
    description
      "The detected request type is TRACE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method TRACE";
  }

  identity filter-type {
    description
      "The type of filter used to detect an attack,
       for example, a web-attack. It can be applicable to
       more than web-attacks.";
  }
  identity allow-list {
    base filter-type;
    description
      "The applied filter type is an allow list.
       This filter blocks
       all connections except the specified list.";
  }
  identity deny-list {
    base filter-type;
    description
      "The applied filter type is a deny list. This filter opens all
       connections except the specified list.";
  }
  identity unknown-filter {
    base filter-type;
    description
      "The applied filter is unknown.";
  }

  identity protocol {
    description
      "An identity used to enable type choices in leaves
       and leaflists with respect to protocol metadata. This is used
       to identify the type of protocol that goes through the NSF.";
  }
  identity ip {
    base protocol;
    description
      "General IP protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity ipv4 {
    base ip;
    description
      "IPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol";
  }
  identity ipv6 {
    base ip;
    description
      "IPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity icmp {
    base protocol;
    description
      "Base identity for ICMPv4 and ICMPv6 condition capability";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }
  identity icmpv4 {
    base icmp;
    description
      "ICMPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 792: Internet Control Message Protocol";
  }
  identity icmpv6 {
    base icmp;
    description
      "ICMPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6)
       Specification";
  }
  identity transport-protocol {
    base protocol;
    description
      "Base
       identity for Layer 4 protocol condition capabilities,
       e.g., TCP, UDP, SCTP, DCCP, and ICMP";
  }
  identity tcp {
    base transport-protocol;
    description
      "TCP protocol type.";
    reference
      "RFC 793: Transmission Control Protocol
       draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification";
  }
  identity udp {
    base transport-protocol;
    description
      "UDP protocol type.";
    reference
      "RFC 768: User Datagram Protocol";
  }
  identity sctp {
    base transport-protocol;
    description
      "Identity for SCTP condition capabilities";
    reference
      "RFC 4960: Stream Control Transmission Protocol";
  }
  identity dccp {
    base transport-protocol;
    description
      "Identity for DCCP condition capabilities";
    reference
      "RFC 4340: Datagram Congestion Control Protocol";
  }
  identity application-protocol {
    base protocol;
    description
      "Base identity for Application protocol, e.g., HTTP, FTP";
  }
  identity http {
    base application-protocol;
    description
      "HTTP protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity https {
    base application-protocol;
    description
      "HTTPS protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity ftp {
    base application-protocol;
    description
      "FTP protocol type.";
    reference
      "RFC 959: File Transfer Protocol";
  }
  identity ssh {
    base application-protocol;
    description
      "SSH protocol type.";
    reference
      "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }
  identity telnet {
    base application-protocol;
    description
      "The identity for telnet.";
    reference
      "RFC 854: Telnet Protocol";
  }
  identity smtp {
    base application-protocol;
    description
      "The identity for smtp.";
    reference
      "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
  }
  identity pop3 {
    base application-protocol;
    description
      "The identity for pop3.";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)";
  }
  identity imap {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol.";
    reference
      "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
  }

  /*
   * Grouping
   */

  grouping timestamp {
    description
      "Grouping for identifying the time of the message.";
    leaf timestamp {
      type yang:date-and-time;
      description
        "Specify the time of a message being delivered.";
    }
  }

  grouping common-monitoring-data {
    description
      "A set of common monitoring data that is needed
       as the basic information.";
    leaf message {
      type string;
      description
        "This is a freetext annotation for
         monitoring a notification's content.";
    }
    leaf vendor-name {
      type string;
      description
        "The name of the NSF vendor. The string is unrestricted to
         identify the provider or vendor of the NSF.";
    }
    leaf nsf-name {
      type union {
        type string;
        type inet:ip-address-no-zone;
      }
      description
        "The name or IP address of the NSF generating the message.
         If the given nsf-name is not an IP address, the name can be
         an arbitrary string including FQDN (Fully Qualified Domain
         Name).
         The name MUST be unique in the scope of management
         domain for a different NSF to identify the NSF that
         generates the message.";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm such as critical, high,
         middle, and low.";
    }
  }
  grouping characteristics {
    description
      "A set of characteristics of a notification.";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description
        "The acquisition-method for characteristics";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description
        "The emission-type for characteristics";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description
        "The dampening-type for characteristics";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description
      "A set of contents for alarm type notification.";
    leaf usage {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "Specifies the used percentage";
    }
    leaf threshold {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "The threshold percentage triggering the alarm or
         the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events
       caused by user activity.";

    leaf user {
      type string;
      mandatory true;
      description
        "The name of a user";
    }
    leaf-list group {
      type string;
      description
        "The group(s) to which a user belongs.";
    }
    leaf ip-address {
      type inet:ip-address-no-zone;
      mandatory true;
      description
        "The IPv4 (or IPv6) address of a user that triggers the
         event.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description
        "The authentication-mode of a user.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4 (or IPv6)-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ip-address-no-zone;
      description
        "The destination IPv4 (IPv6) address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:rules/nsfintf:rule-name";
      }
      mandatory true;
      description
        "The name of the I2NSF Policy Rule being triggered";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of extended common IPv4 (or IPv6)-related NSF
       event content elements";
    uses i2nsf-nsf-event-type-content;
    leaf src-ip {
      type inet:ip-address-no-zone;
      description
        "The source IPv4 (or IPv6) address of the packet";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet";
    }
    leaf src-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The source geographical location (e.g., country and city)
         of the packet.";
    }
    leaf dst-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The destination geographical location (e.g., country and
         city) of the packet.";
    }
  }
  grouping log-action {
    description
      "A grouping for logging action.";
    leaf-list action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
  }
  grouping attack-rates {
    description
      "A set of traffic rates for monitoring attack traffic
       data";
    leaf attack-rate {
      type uint32;
      units "pps";
      description
        "The average packets per second (pps) rate of attack
         traffic";
    }
    leaf attack-speed {
      type uint64;
      units "Bps";
      description
        "The average bytes per second (Bps) speed of attack traffic";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates for statistics data";
    leaf discontinuity-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time on the most recent occasion at which any one or
         more of this interface's counters suffered a discontinuity.
         If no such discontinuities have occurred since the last
         re-initialization of the local management subsystem, then
         this node contains the time the local management subsystem
         re-initialized itself.";
    }
    leaf total-traffic {
      type yang:counter32;
      units "packets";
      description
        "The total number of traffic packets (in and out) in the
         NSF.";
    }
    leaf in-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic peak rate in packets per second (pps).";
    }
    leaf in-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic peak speed in bytes per second (Bps).";
    }
    leaf out-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic peak rate in packets per second (pps).";
    }
    leaf out-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic peak speed in bytes per second (Bps).";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of counters for an interface traffic data.";
    leaf interface-name {
      type if:interface-ref;
      description
        "Network interface name configured in an NSF";
      reference
        "RFC 8343: A YANG Data Model for Interface Management";
    }
    leaf in-total-traffic-pkts {
      type yang:counter32;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type
        yang:counter32;
      description
        "Total inbound drop packets";
    }
    leaf out-drop-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound drop packets";
    }
    leaf in-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound drop bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound drop bytes";
    }
    uses traffic-rates;
  }

  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of contents of a policy in an NSF.";
    leaf policy-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:system-policy-name";
      }
      mandatory true;
      description
        "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description
        "The I2NSF User's name who generates the policy.";
    }
  }

  grouping enable-notification {
    description
      "A grouping for enabling or disabling notification";
    leaf enabled {
      type boolean;
      default "true";
      description
        "Enables or disables the notification.
         If 'true', then the notification is enabled.
         If 'false', then the notification is disabled.";
    }
  }

  grouping dampening {
    description
      "A grouping for dampening period of notification.";
    leaf dampening-period {
      type uint32;
      units "centiseconds";
      default "0";
      description
        "Specifies the minimum interval between the assembly of
         successive update records for a single receiver of a
         subscription.
         Whenever subscribed objects change and
         a dampening-period interval (which may be zero) has
         elapsed since the previous update record creation for
         a receiver, any subscribed objects and properties
         that have changed since the previous update record
         will have their current values marshalled and placed
         in a new update record. But if the subscribed objects change
         when the dampening-period is active, it should update the
         record without sending the notification until the
         dampening-period is finished. If multiple changes happen
         during the active dampening-period, it should update the
         record with the latest data. And at the end of the
         dampening-period, it should send the record as a
         notification with the latest updated record and restart
         the countdown.";
      reference
        "RFC 8641: Subscription to YANG Notifications for
         Datastore Updates - Section 5.";
    }
  }

  /*
   * Feature Nodes
   */

  feature i2nsf-nsf-detection-ddos {
    description
      "This feature means it supports I2NSF nsf-detection-ddos
       notification";
  }
  feature i2nsf-nsf-detection-virus {
    description
      "This feature means it supports I2NSF nsf-detection-virus
       notification";
  }
  feature i2nsf-nsf-detection-intrusion {
    description
      "This feature means it supports I2NSF nsf-detection-intrusion
       notification";
  }
  feature i2nsf-nsf-detection-web-attack {
    description
      "This feature means it supports I2NSF nsf-detection-web-attack
       notification";
  }
  feature i2nsf-nsf-detection-voip-volte {
    description
      "This feature means it supports I2NSF nsf-detection-voip-volte
       notification";
  }
  feature i2nsf-nsf-log-dpi {
    description
      "This feature means it supports I2NSF nsf-log-dpi
       notification";
  }

  /*
   * Notification nodes
   */

  notification i2nsf-event {
    description
      "Notification for I2NSF
       Event.";
    choice sub-event-type {
      description
        "This choice must be augmented with cases for each allowed
         sub-event. Only 1 sub-event will be instantiated in each
         i2nsf-event message. Each case is expected to define one
         container with all the sub-event fields.";
      case i2nsf-system-detection-alarm {
        container i2nsf-system-detection-alarm {
          description
            "This notification is sent, when a system alarm
             is detected.";
          leaf alarm-category {
            type identityref {
              base system-alarm;
            }
            description
              "The alarm category for
               system-detection-alarm notification";
          }
          leaf component-name {
            type string;
            description
              "The hardware component responsible for generating
               the message. Applicable for Hardware Failure
               Alarm.";
          }
          leaf interface-name {
            type if:interface-ref;
            description
              "The interface name responsible for generating
               the message. Applicable for Network Interface
               Failure Alarm.";
            reference
              "RFC 8343: A YANG Data Model for Interface Management";
          }
          leaf interface-state {
            type enumeration {
              enum down {
                description
                  "The interface state is down.";
              }
              enum up {
                description
                  "The interface state is up and not congested.";
              }
              enum congested {
                description
                  "The interface state is up but congested.";
              }
            }
            description
              "The state of the interface (i.e., up, down,
               congested).
Applicable for Network Interface Failure 2853 Alarm."; 2854 } 2855 uses characteristics; 2856 uses i2nsf-system-alarm-type-content; 2857 uses common-monitoring-data; 2858 } 2859 } 2861 case i2nsf-system-detection-event { 2862 container i2nsf-system-detection-event { 2863 description 2864 "This notification is sent when a security-sensitive 2865 authentication action fails."; 2866 leaf event-category { 2867 type identityref { 2868 base system-event; 2869 } 2870 description 2871 "The event category for system-detection-event"; 2872 } 2873 uses characteristics; 2874 uses i2nsf-system-event-type-content; 2875 uses common-monitoring-data; 2876 } 2877 } 2879 case i2nsf-traffic-flows { 2880 container i2nsf-traffic-flows { 2881 description 2882 "This notification is sent to inform about the traffic 2883 flows."; 2884 leaf src-ip { 2885 type inet:ip-address-no-zone; 2886 description 2887 "The source IPv4 (or IPv6) address of the flow"; 2888 } 2889 leaf dst-ip { 2890 type inet:ip-address-no-zone; 2891 description 2892 "The destination IPv4 (or IPv6) address of the flow"; 2893 } 2894 leaf protocol { 2895 type identityref { 2896 base protocol; 2897 } 2898 description 2899 "The protocol type for nsf-detection-intrusion 2900 notification"; 2901 } 2902 leaf src-port { 2903 type inet:port-number; 2904 description 2905 "The source port of the flow"; 2906 } 2907 leaf dst-port { 2908 type inet:port-number; 2909 description 2910 "The destination port of the flow"; 2911 } 2912 leaf arrival-rate { 2913 type uint32; 2914 units "pps"; 2915 description 2916 "The average arrival rate of the flow in packets per 2917 second. 
The average is calculated from the start of 2918 the NSF service until the generation of this 2919 record."; 2920 } 2921 uses characteristics; 2922 uses common-monitoring-data; 2923 } 2924 } 2926 case i2nsf-nsf-detection-session-table { 2927 container i2nsf-nsf-detection-session-table { 2928 description 2929 "This notification is sent, when a session table 2930 event is detected."; 2931 leaf current-session { 2932 type uint32; 2933 description 2934 "The number of concurrent sessions"; 2935 } 2936 leaf maximum-session { 2937 type uint32; 2938 description 2939 "The maximum number of sessions that the session 2940 table can support"; 2941 } 2942 leaf threshold { 2943 type uint32; 2944 description 2945 "The threshold triggering the event"; 2946 } 2947 uses common-monitoring-data; 2948 } 2949 } 2950 } 2951 } 2953 notification i2nsf-log { 2954 description 2955 "Notification for I2NSF log. The notification is generated 2956 from the logs of the NSF."; 2957 choice sub-logs-type { 2958 description 2959 "This choice must be augmented with cases for each allowed 2960 sub-logs. Only 1 sub-event will be instantiated in each 2961 i2nsf-logs message. 
Each case is expected to define one 2962 container with all the sub-logs fields."; 2963 case i2nsf-nsf-system-access-log { 2964 container i2nsf-nsf-system-access-log { 2965 description 2966 "The notification is sent, if there is a new system 2967 log entry about a system access event."; 2968 leaf login-ip { 2969 type inet:ip-address-no-zone; 2970 description 2971 "Login IP address of a user"; 2972 } 2973 leaf username { 2974 type string; 2975 description 2976 "The login username that maintains the device"; 2977 } 2978 leaf login-role { 2979 type login-role; 2980 description 2981 "Specifies the user log-in role, i.e., administrator, 2982 user, or guest."; 2983 } 2984 leaf operation-type { 2985 type operation-type; 2986 description 2987 "The operation type that the user executes"; 2988 } 2989 leaf input { 2990 type string; 2991 description 2992 "The operation performed by a user after login. The 2993 operation is a command given by a user."; 2994 } 2995 leaf output { 2996 type string; 2997 description 2998 "The result in text format after executing the 2999 input."; 3000 } 3001 uses characteristics; 3002 uses common-monitoring-data; 3003 } 3004 } 3006 case i2nsf-system-res-util-log { 3007 container i2nsf-system-res-util-log { 3008 description 3009 "This notification is sent, if there is a new log 3010 entry representing resource utilization updates."; 3011 leaf system-status { 3012 type enumeration { 3013 enum running { 3014 description 3015 "The system is active and running the security 3016 service."; 3018 } 3019 enum waiting { 3020 description 3021 "The system is active but waiting for an event to 3022 provide the security service."; 3023 } 3024 enum inactive { 3025 description 3026 "The system is inactive and not running the 3027 security service."; 3028 } 3029 } 3030 description 3031 "The current system's running status"; 3032 } 3033 leaf cpu-usage { 3034 type uint8; 3035 units "percent"; 3036 description 3037 "Specifies the relative percentage of CPU usage with 
               respect to platform resources";
          }
          leaf memory-usage {
            type uint8;
            units "percent";
            description
              "Specifies the percentage of memory usage.";
          }
          list disk {
            key disk-id;
            description
              "Disk is the hardware to store information for a
               long period, e.g., Hard Disk or Solid-State Drive.";
            leaf disk-id {
              type string;
              description
                "The ID of the storage disk. It is a free form
                 identifier to identify the storage disk.";
            }
            leaf disk-usage {
              type uint8;
              units "percent";
              description
                "Specifies the percentage of disk usage";
            }
            leaf disk-left {
              type uint8;
              units "percent";
              description
                "Specifies the percentage of disk left";
            }
          }
          leaf session-num {
            type uint32;
            description
              "The total number of sessions";
          }
          leaf process-num {
            type uint32;
            description
              "The total number of processes";
          }
          list interface {
            key interface-id;
            description
              "The network interface for connecting a device
               with the network.";
            leaf interface-id {
              type string;
              description
                "The ID of the network interface. It is a free form
                 identifier to identify the network interface.";
            }
            leaf in-traffic-rate {
              type uint32;
              units "pps";
              description
                "The total inbound traffic rate in packets per
                 second";
            }
            leaf out-traffic-rate {
              type uint32;
              units "pps";
              description
                "The total outbound traffic rate in packets per
                 second";
            }
            leaf in-traffic-speed {
              type uint64;
              units "Bps";
              description
                "The total inbound traffic speed in bytes per second";
            }
            leaf out-traffic-speed {
              type uint64;
              units "Bps";
              description
                "The total outbound traffic speed in bytes per
                 second";
            }
          }
          uses characteristics;
          uses common-monitoring-data;
        }
      }

      case i2nsf-system-user-activity-log {
        container i2nsf-system-user-activity-log {
          description
            "This notification is sent, if there is a new user
             activity log entry.";
          uses characteristics;
          uses i2nsf-system-event-type-content;
          uses common-monitoring-data;
          leaf online-duration {
            type uint32;
            units "seconds";
            description
              "The duration of a user's activeness (stays in login)
               during a session.";
          }
          leaf logout-duration {
            type uint32;
            units "seconds";
            description
              "The duration of a user's inactiveness (not in login)
               from the last session.";
          }
          leaf additional-info {
            type enumeration {
              enum successful-login {
                description
                  "The user has succeeded in login.";
              }
              enum failed-login {
                description
                  "The user has failed in login (e.g., wrong
                   password)";
              }
              enum logout {
                description
                  "The user has succeeded in logout";
              }
              enum successful-password-changed {
                description
                  "The password has been changed successfully";
              }
              enum failed-password-changed {
                description
                  "The attempt to change password has failed";
              }
              enum lock {
                description
                  "The user has been locked. A locked user cannot
                   login.";
              }
              enum unlock {
                description
                  "The user has been unlocked.";
              }
            }
            description
              "User activities, e.g., Successful User Login,
               Failed Login attempts, User Logout, Successful User
               Password Change, Failed User Password Change, User
               Lockout, User Unlocking, and Unknown.";
          }
        }
      }
    }
  }

  notification i2nsf-nsf-event {
    description
      "Notification for I2NSF NSF Event. This notification is
       used for a specific NSF that supports the corresponding
       feature.";
    choice sub-event-type {
      description
        "This choice must be augmented with cases for each allowed
         sub-event. Only 1 sub-event will be instantiated in each
         i2nsf-nsf-event message. Each case is expected to define one
         container with all the sub-event fields.";
      case i2nsf-nsf-detection-ddos {
        if-feature "i2nsf-nsf-detection-ddos";
        container i2nsf-nsf-detection-ddos {
          description
            "This notification is sent, when a specific flood type
             is detected.";
          leaf attack-type {
            type identityref {
              base ddos-type;
            }
            description
              "Any one of Syn flood, ACK flood, SYN-ACK flood,
               FIN/RST flood, TCP Connection flood, UDP flood,
               ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood,
               HTTPS flood, DNS query flood, DNS reply flood, SIP
               flood, etc.";
          }
          leaf start-time {
            type yang:date-and-time;
            mandatory true;
            description
              "The time stamp indicating when the attack started";
          }
          leaf end-time {
            type yang:date-and-time;
            mandatory true;
            description
              "The time stamp indicating when the attack ended";
          }
          leaf-list attack-src-ip {
            type inet:ip-address-no-zone;
            description
              "The source IPv4 (or IPv6) addresses of attack
               traffic. It can hold multiple IPv4 (or IPv6)
               addresses.";
          }
          leaf-list attack-dst-ip {
            type inet:ip-address-no-zone;
            description
              "The destination IPv4 (or IPv6) addresses of attack
               traffic. It can hold multiple IPv4 (or IPv6)
               addresses.";
          }
          leaf-list attack-src-port {
            type inet:port-number;
            description
              "The source ports of the DDoS attack";
          }
          leaf-list attack-dst-port {
            type inet:port-number;
            description
              "The destination ports of the DDoS attack";
          }
          leaf rule-name {
            type leafref {
              path
                "/nsfintf:i2nsf-security-policy"
                +"/nsfintf:rules/nsfintf:rule-name";
            }
            mandatory true;
            description
              "The name of the I2NSF Policy Rule being triggered";
          }
          leaf raw-info {
            type string;
            description
              "The information describing the packet
               triggering the event.";
          }
          uses attack-rates;
          uses log-action;
          uses characteristics;
          uses common-monitoring-data;
        }
      }
      case i2nsf-nsf-detection-virus {
        if-feature "i2nsf-nsf-detection-virus";
        container i2nsf-nsf-detection-virus {
          description
            "This notification is sent, when a virus is detected.";
          uses i2nsf-nsf-event-type-content-extend;
          leaf virus {
            type identityref {
              base virus-type;
            }
            description
              "The virus type for nsf-detection-virus notification";
          }
          leaf virus-name {
            type string;
            description
              "The name of the detected virus";
          }
          leaf file-type {
            type string;
            description
              "The type of file the virus code is found in (if
               applicable).";
            reference
              "IANA Website: Media Types";
          }
          leaf file-name {
            type string;
            description
              "The name of the file the virus code is found in (if
               applicable).";
          }
          leaf os {
            type string;
            description
              "The operating system of the device.";
          }
          uses log-action;
          uses characteristics;
          uses common-monitoring-data;
        }
      }
      case i2nsf-nsf-detection-intrusion {
        if-feature "i2nsf-nsf-detection-intrusion";
        container i2nsf-nsf-detection-intrusion {
          description
            "This notification is sent, when an intrusion event
             is detected.";
          uses i2nsf-nsf-event-type-content-extend;
          leaf protocol {
            type identityref {
              base transport-protocol;
            }
            description
              "The transport protocol type for
               nsf-detection-intrusion notification";
          }
          leaf app {
            type identityref {
              base application-protocol;
            }
            description
              "The employed application layer protocol";
          }
          leaf attack-type {
            type identityref {
              base intrusion-attack-type;
            }
            description
              "The sub attack type for intrusion attack";
          }
          uses log-action;
          uses attack-rates;
          uses characteristics;
          uses common-monitoring-data;
        }
      }
      case i2nsf-nsf-detection-web-attack {
        if-feature "i2nsf-nsf-detection-web-attack";
        container i2nsf-nsf-detection-web-attack {
          description
            "This notification is sent, when an attack event is
             detected.";
          uses i2nsf-nsf-event-type-content-extend;
          leaf attack-type {
            type identityref {
              base web-attack-type;
            }
            description
              "Concrete web attack type, e.g., SQL injection,
               command injection, XSS, and CSRF.";
          }
          leaf request-method {
            type identityref {
              base request-method;
            }
            description
              "The HTTP request method, e.g., PUT or GET.";
            reference
              "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
               Semantics and Content - Request Methods";
          }
          leaf req-uri {
            type string;
            description
              "The Requested URI";
          }
          leaf-list filtering-type {
            type identityref {
              base filter-type;
            }
            description
              "URL filtering type, e.g., deny-list, allow-list,
               and Unknown";
          }
          leaf req-user-agent {
            type string;
            description
              "The request user agent";
          }
          leaf req-cookie {
            type string;
            description
              "The HTTP Cookie previously sent by the server with
               Set-Cookie";
          }
          leaf req-host {
            type string;
            description
              "The domain name of the requested host";
          }
          leaf response-code {
            type string;
            description
              "The HTTP Response code";
            reference
              "IANA Website: Hypertext Transfer Protocol (HTTP)
               Status Code Registry";
          }
          uses characteristics;
          uses log-action;
          uses common-monitoring-data;
        }
      }
      case i2nsf-nsf-detection-voip-volte {
        if-feature "i2nsf-nsf-detection-voip-volte";
        container i2nsf-nsf-detection-voip-volte {
          description
            "This notification is sent, when a VoIP/VoLTE violation
             is detected.";
          uses i2nsf-nsf-event-type-content-extend;
          leaf-list source-voice-id {
            type string;
            description
              "The detected source voice ID for VoIP and VoLTE that
               violates the security policy.";
          }
          leaf-list destination-voice-id {
            type string;
            description
              "The detected destination voice ID for VoIP and VoLTE
               that violates the security policy.";
          }
          leaf-list user-agent {
            type string;
            description
              "The detected user-agent for VoIP and VoLTE that
               violates the security policy.";
          }
        }
      }
      case i2nsf-nsf-log-dpi {
        if-feature "i2nsf-nsf-log-dpi";
        container i2nsf-nsf-log-dpi {
          description
            "This notification is sent, if there is a new DPI
             event in the NSF log.";
          leaf attack-type {
            type dpi-type;
            description
              "The type of the DPI";
          }
          uses characteristics;
          uses i2nsf-nsf-counters-type-content;
          uses common-monitoring-data;
        }
      }
    }
  }

  /*
   * Data nodes
   */
  container i2nsf-counters {
    config false;
    description
      "The state data representing continuous value changes of
       information elements that occur very frequently. The value
       should be calculated from the start of the service of the
       NSF.";
    list system-interface {
      key interface-name;
      description
        "Interface counters provide the visibility of traffic into
         and out of an NSF, and bandwidth usage.";
      uses characteristics;
      uses i2nsf-system-counter-type-content;
      uses common-monitoring-data;
      uses timestamp;
    }
    list nsf-firewall {
      key policy-name;
      description
        "Firewall counters provide the visibility of traffic
         signatures, bandwidth usage, and how the configured security
         and bandwidth policies have been applied.";
      uses characteristics;
      uses i2nsf-nsf-counters-type-content;
      uses traffic-rates;
      uses common-monitoring-data;
      uses timestamp;
    }
    list nsf-policy-hits {
      key policy-name;
      description
        "Policy Hit Counters record the number of hits that traffic
         packets match a security policy. It can check if policy
         configurations are correct or not.";
      uses characteristics;
      uses i2nsf-nsf-counters-type-content;
      uses common-monitoring-data;
      leaf discontinuity-time {
        type yang:date-and-time;
        mandatory true;
        description
          "The time on the most recent occasion at which any one or
           more of this policy's counters suffered a discontinuity.
           If no such discontinuities have occurred since the last
           re-initialization of the local management subsystem, then
           this node contains the time the local management subsystem
           re-initialized itself.";
      }
      leaf hit-times {
        type yang:counter32;
        description
          "The number of times a policy is hit";
      }
      uses timestamp;
    }
  }

  container i2nsf-monitoring-configuration {
    description
      "The container for configuring I2NSF monitoring.";
    container i2nsf-system-detection-alarm {
      description
        "The container for configuring I2NSF system-detection-alarm
         notification";
      uses enable-notification;
      list system-alarm {
        key alarm-type;
        description
          "Configuration for system alarm (i.e., CPU, Memory, and
           Disk Usage)";
        leaf alarm-type {
          type enumeration {
            enum cpu {
              description
                "To configure the CPU usage threshold to trigger the
                 cpu-alarm";
            }
            enum memory {
              description
                "To configure the Memory usage threshold to trigger
                 the memory-alarm";
            }
            enum disk {
              description
                "To configure the Disk (storage) usage threshold to
                 trigger the disk-alarm";
            }
          }
          description
            "Type of alarm to be configured. The three alarm-types
             defined here are used to configure the threshold of the
             monitoring notification. The threshold is used to
             determine when the notification should be sent.
             The other two alarms defined in the module (i.e.,
             hardware-alarm and interface-alarm) do not use any
             threshold value to create a notification. These alarms
             detect a failure or a change of state to create a
             notification.";
        }
        leaf threshold {
          type uint8 {
            range "1..100";
          }
          units "percent";
          description
            "The configuration for threshold percentage to trigger
             the alarm. The alarm will be triggered if the usage
             exceeds the threshold.";
        }
        uses dampening;
      }
    }
    container i2nsf-system-detection-event {
      description
        "The container for configuring I2NSF system-detection-event
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-traffic-flows {
      description
        "The container for configuring I2NSF traffic-flows
         notification";
      uses dampening;
      uses enable-notification;
    }
    container i2nsf-nsf-detection-ddos {
      if-feature "i2nsf-nsf-detection-ddos";
      description
        "The container for configuring I2NSF nsf-detection-ddos
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-nsf-detection-session-table-configuration {
      description
        "The container for configuring I2NSF nsf-detection-session-
         table notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-nsf-detection-intrusion {
      if-feature "i2nsf-nsf-detection-intrusion";
      description
        "The container for configuring I2NSF nsf-detection-intrusion
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-nsf-detection-web-attack {
      if-feature "i2nsf-nsf-detection-web-attack";
      description
        "The container for configuring I2NSF nsf-detection-web-attack
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-nsf-system-access-log {
      description
        "The container for configuring I2NSF system-access-log
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-system-res-util-log {
      description
        "The container for configuring I2NSF system-res-util-log
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-system-user-activity-log {
      description
        "The container for configuring I2NSF system-user-activity-log
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-nsf-log-dpi {
      if-feature "i2nsf-nsf-log-dpi";
      description
        "The container for configuring I2NSF nsf-log-dpi
         notification";
      uses enable-notification;
      uses dampening;
    }
    container i2nsf-counter {
      description
        "This is used to configure the counters
         for monitoring an NSF";
      leaf period {
        type uint16;
        units "minutes";
        default 0;
        description
          "The configuration for the period interval of reporting
           the counter. If 0, then the counter period is disabled.
           If the value is not 0, then the counter will be reported
           following the period value.";
      }
    }
  }
}

                    Figure 2: Data Model of Monitoring

10.  I2NSF Event Stream

   This section discusses the NETCONF event stream for I2NSF NSF
   Monitoring subscription.  The YANG module in this document supports
   the "ietf-subscribed-notifications" YANG module [RFC8639] for
   subscription.  The reserved event stream name for this document is
   "I2NSF-Monitoring".  The NETCONF Server (e.g., an NSF) MUST support
   the "I2NSF-Monitoring" event stream for an NSF data collector (e.g.,
   Security Controller).  The "I2NSF-Monitoring" event stream contains
   all I2NSF events described in this document.  The following example
   shows the capabilities of the event streams of an NSF (e.g., the
   "NETCONF" and "I2NSF-Monitoring" event streams) as seen by the
   subscription of an NSF data collector; note that this example XML
   file is delivered by an NSF to an NSF data collector.  The XML
   examples in this document follow the line breaks as per [RFC8792].
   [Figure 3 XML residue: element tags were not preserved in this copy.
    Surviving values: NETCONF, "Default NETCONF Event Stream", false;
    I2NSF-Monitoring, "I2NSF Monitoring Event Stream", true,
    2021-04-29T09:37:39+00:00]

       Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring
                               Event Stream

11.  XML Examples for I2NSF NSF Monitoring

   This section shows XML examples of I2NSF NSF Monitoring data
   delivered via the Monitoring Interface from an NSF.

11.1.  I2NSF System Detection Alarm

   The following example shows an alarm triggered by the memory usage of
   the server; note that this example XML file is delivered by an NSF to
   an NSF data collector:

   [Figure 4 XML residue: element tags were not preserved in this copy.
    Surviving values: 2021-04-29T07:43:52.181088+00:00,
    nsfmi:memory-alarm, nsfmi:subscription, nsfmi:on-change,
    nsfmi:on-repetition, 91, 90, "Memory Usage Exceeded the Threshold",
    time_based_firewall, high]

        Figure 4: Example of I2NSF System Detection Alarm triggered by
                                Memory Usage

   The XML data above shows:

   1.  The NSF that sends the information is named
       "time_based_firewall".

   2.  The memory usage of the NSF triggered the alarm.

   3.  The monitoring information is received by the subscription
       method.

   4.  The monitoring information is emitted "on-change".

   5.  The monitoring information is dampened "on-repetition".

   6.  The memory usage of the NSF is 91 percent.

   7.  The memory threshold to trigger the alarm is 90 percent.

   8.  The severity level of the notification is high.

11.2.  I2NSF Interface Counters

   To get the I2NSF system interface counters information by query, the
   NETCONF Client (e.g., NSF data collector) needs to send a GET request
   to the NETCONF Server (e.g., NSF).  The following XML file can be
   used to get the state data and filter the information.
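   Tying together the threshold configuration in "list system-alarm",
   the dampening-period semantics of the "dampening" grouping, and the
   memory-alarm walkthrough in Section 11.1, here is an added example in
   Python that is not part of this document or of the I2NSF project.
   It parses a constructed i2nsf-system-res-util-log notification
   (element names and namespace are taken from the module above; the
   sample values, the threshold settings and the Dampener class are this
   example's own assumptions) and decides which alarms fire and when
   they are emitted.

```python
"""Added example (not from the draft): check an i2nsf-system-res-util-log
notification against configured system-alarm thresholds and apply the
module's dampening-period semantics.  Sample values are constructed."""
import xml.etree.ElementTree as ET

NSFMI = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"
NETCONF_NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"  # RFC 5277

# Constructed sample: an i2nsf-log carrying an i2nsf-system-res-util-log.
SAMPLE_LOG = f"""<notification xmlns="{NETCONF_NOTIF}">
  <eventTime>2021-04-29T07:43:52.181088+00:00</eventTime>
  <i2nsf-log xmlns="{NSFMI}">
    <i2nsf-system-res-util-log>
      <system-status>running</system-status>
      <cpu-usage>37</cpu-usage>
      <memory-usage>91</memory-usage>
      <disk><disk-id>sda</disk-id><disk-usage>64</disk-usage><disk-left>36</disk-left></disk>
      <disk><disk-id>sdb</disk-id><disk-usage>97</disk-usage><disk-left>3</disk-left></disk>
    </i2nsf-system-res-util-log>
  </i2nsf-log>
</notification>"""


def _pct(elem, name):
    """Read a 'units percent' uint8 leaf and reject out-of-range values."""
    node = elem.find(f"{{{NSFMI}}}{name}")
    if node is None or node.text is None:
        raise ValueError(f"missing leaf {name}")
    value = int(node.text)
    if not 0 <= value <= 100:
        raise ValueError(f"{name} out of range: {value}")
    return value


def parse_res_util_log(xml_text):
    """Return cpu/memory usage and a {disk-id: disk-usage} map."""
    root = ET.fromstring(xml_text)
    log = root.find(f"{{{NSFMI}}}i2nsf-log/{{{NSFMI}}}i2nsf-system-res-util-log")
    if log is None:
        raise ValueError("not an i2nsf-system-res-util-log notification")
    disks = {}
    for disk in log.findall(f"{{{NSFMI}}}disk"):
        disk_id = disk.find(f"{{{NSFMI}}}disk-id").text   # list key
        disks[disk_id] = _pct(disk, "disk-usage")
    return {"cpu": _pct(log, "cpu-usage"),
            "memory": _pct(log, "memory-usage"),
            "disk": disks}


def evaluate_alarms(usage, thresholds):
    """thresholds mirrors 'list system-alarm': {alarm-type: threshold}.
    An alarm fires when usage exceeds the threshold (range 1..100).
    Returns (alarm-category, disk-id or None, usage, threshold) tuples."""
    alarms = []
    for alarm_type, threshold in thresholds.items():
        if not 1 <= threshold <= 100:
            raise ValueError(f"threshold {threshold} outside range 1..100")
        if alarm_type == "disk":
            for disk_id, used in usage["disk"].items():
                if used > threshold:
                    alarms.append(("disk-alarm", disk_id, used, threshold))
        elif usage[alarm_type] > threshold:
            alarms.append((f"{alarm_type}-alarm", None, usage[alarm_type], threshold))
    return alarms


class Dampener:
    """On-change emission with a dampening-period: a change outside an
    active period is sent at once and starts the period; changes inside
    the period only replace the pending record; when the period ends the
    latest pending record is sent and the countdown restarts."""

    def __init__(self, period_s):
        self.period_s = period_s
        self.active_until = None   # end of the current period, or None
        self.pending = None        # latest record held back by dampening

    def tick(self, now):
        """Advance the clock; return records emitted at this instant."""
        if self.active_until is None or now < self.active_until:
            return []
        if self.pending is None:
            self.active_until = None          # quiet period: go idle
            return []
        record, self.pending = self.pending, None
        self.active_until = now + self.period_s   # restart the countdown
        return [record]

    def on_change(self, now, record):
        """Register a change at time 'now'; return records emitted."""
        emitted = self.tick(now)
        if self.active_until is None:
            self.active_until = now + self.period_s
            emitted.append(record)            # first change: send now
        else:
            self.pending = record             # keep only the latest data
        return emitted
```

   With a zero dampening-period every change is emitted immediately,
   which matches the "(which may be zero)" clause in the grouping.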
   [Figure 5 XML residue: no element content survived in this copy.]

     Figure 5: XML Example for NETCONF GET with System Interface Filter

   The following XML file shows the reply from the NETCONF Server (e.g.,
   NSF):

   [Figure 6 XML residue: element tags were not preserved in this copy.
    Surviving values, one interface entry each:
    2021-04-29T08:43:52.181088+00:00, ens3, nsfmi:query, 549050, 814956,
    0, 5078, time_based_firewall;
    2021-04-29T08:43:52.181088+00:00, lo, nsfmi:query, 48487, 48487, 0,
    0, time_based_firewall]

    Figure 6: Example of I2NSF System Interface Counters XML Information

12.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525]:

   name: ietf-i2nsf-nsf-monitoring
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   prefix: nsfmi
   reference: RFC XXXX

   // RFC Ed.: replace XXXX with an actual RFC number and remove
   // this note.

13.  Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].
3888 The NETCONF access control model [RFC8341] provides the means to 3889 restrict access for particular NETCONF or RESTCONF users to a 3890 preconfigured subset of all available NETCONF or RESTCONF protocol 3891 operations and content. 3893 All data nodes defined in the YANG module which can be created, 3894 modified and deleted (i.e., config true, which is the default) are 3895 considered sensitive as they all could potentially impact security 3896 monitoring and mitigation activities. Write operations (e.g., edit- 3897 config) applied to these data nodes without proper protection could 3898 result in missed alarms or incorrect alarms information being 3899 returned to the NSF data collector. There are threats that need to 3900 be considered and mitigated: 3902 Compromised NSF with valid credentials: It can send falsified 3903 information to the NSF data collector to mislead detection or 3904 mitigation activities; and/or to hide activity. Currently, there 3905 is no in-framework mechanism to mitigate this and an issue for all 3906 monitoring infrastructures. It is important to keep the enclosure 3907 of confidential information to unauthorized persons to mitigate 3908 the possibility of compromising the NSF with this information. 3910 Compromised NSF data collector with valid credentials: It has 3911 visibility to all collected security alarms; entire detection and 3912 mitigation infrastructure may be suspect. It is important to keep 3913 the enclosure of confidential information to unauthorized persons 3914 to mitigate the possibility of compromising the NSF with this 3915 information. 3917 Impersonating NSF: It is a system trying to send false information 3918 while imitating an NSF; client authentication would help the NSF 3919 data collector to identify this invalid NSF in the "push" model 3920 (NSF-to-collector), while the "pull" model (collector-to-NSF) 3921 should already be addressed with the authentication. 
3923 Impersonating NSF data collector: It is a rogue NSF data collector 3924 with which a legitimate NSF is tricked into communicating; for 3925 "push" model (NSF-to-collector), it is important to have valid 3926 credentials, without it it should not work; for "pull" model 3927 (collector-to-NSF), mutual authentication should be used to 3928 mitigate the threat. 3930 In addition, to defend against the DDoS attack caused by a lot of 3931 NSFs sending massive notifications to the NSF data collector, the 3932 rate limiting or similar mechanisms should be considered in both an 3933 NSF and NSF data collector, whether in advance or just in the process 3934 of DDoS attack. 3936 All of the readable data nodes in this YANG module may be considered 3937 vulnerable in some network environments. Some data also may contain 3938 private information that is highly sensitive to the user, such as the 3939 IP address of a user in the container "i2nsf-system-user-activity- 3940 log" and the container "i2nsf-system-detection-event". It is 3941 important to control read access (e.g., via get, get-config, or 3942 notification) to the data nodes. If access control is not properly 3943 configured, it can expose system internals to those who should not 3944 have access to this information. 3946 14. Acknowledgments 3948 This work was supported by Institute of Information & Communications 3949 Technology Planning & Evaluation (IITP) grant funded by the Korea 3950 MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based 3951 Security Intelligence Technology Development for the Customized 3952 Security Service Provisioning). This work was supported in part by 3953 the IITP (2020-0-00395, Standard Development of Blockchain based 3954 Network Management Automation Technology). This work was supported 3955 in part by the MSIT under the Information Technology Research Center 3956 (ITRC) support program (IITP-2021-2017-0-01633) supervised by the 3957 IITP. 3959 15. 
Contributors 3961 This document is made by the group effort of I2NSF working group. 3962 Many people actively contributed to this document. The authors 3963 sincerely appreciate their contributions. 3965 The following are co-authors of this document: 3967 Chaehong Chung Department of Electronic, Electrical and Computer 3968 Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, 3969 Gyeonggi-do 16419 Republic of Korea EMail: darkhong@skku.edu 3971 Jinyong (Tim) Kim Department of Electronic, Electrical and Computer 3972 Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, 3973 Gyeonggi-do 16419 Republic of Korea EMail: timkim@skku.edu 3975 Dongjin Hong Department of Electronic, Electrical and Computer 3976 Engineering Sungkyunkwan University 2066 Seo-ro Jangan-gu Suwon, 3977 Gyeonggi-do 16419 Republic of Korea EMail: dong.jin@skku.edu 3979 Dacheng Zhang Huawei EMail: dacheng.zhang@huawei.com 3981 Yi Wu Aliababa Group EMail: anren.wy@alibaba-inc.com 3983 Rakesh Kumar Juniper Networks 1133 Innovation Way Sunnyvale, CA 94089 3984 USA EMail: rkkumar@juniper.net 3986 Anil Lohiya Juniper Networks EMail: alohiya@juniper.net 3988 16. References 3990 16.1. Normative References 3992 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 3993 DOI 10.17487/RFC0768, August 1980, 3994 . 3996 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 3997 DOI 10.17487/RFC0791, September 1981, 3998 . 4000 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 4001 RFC 792, DOI 10.17487/RFC0792, September 1981, 4002 . 4004 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 4005 RFC 793, DOI 10.17487/RFC0793, September 1981, 4006 . 4008 [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol 4009 Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May 4010 1983, . 4012 [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", 4013 STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, 4014 . 4016 [RFC1939] Myers, J. and M. 
Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-data-model-09:

* This version is revised following Tom Petch's, Martin Bjorklund's, and Roman Danyliw's comments.

* This version is revised to synchronize with other I2NSF documents.

Authors' Addresses

Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon
Gyeonggi-Do
16419
Republic of Korea

Phone: +82 31 299 4957
Email: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Patrick Lingga
Department of Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon
Gyeonggi-Do
16419
Republic of Korea

Phone: +82 31 299 4957
Email: patricklink@skku.edu

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
United States of America

Phone: +1-734-604-0332
Email: shares@ndzh.com

Liang (Frank) Xia
Huawei
101 Software Avenue, Yuhuatai District
Nanjing
Jiangsu
China

Email: Frank.xialiang@huawei.com

Henk Birkholz
Fraunhofer Institute for Secure Information Technology
Rheinstrasse 75
64295 Darmstadt
Germany

Email: henk.birkholz@sit.fraunhofer.de