Network Working Group                                     J. Jeong, Ed.
Internet-Draft                                                P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: 21 May 2022                                           S. Hares
                                                                  L. Xia
                                                                 Huawei
                                                            H. Birkholz
                                                         Fraunhofer SIT
                                                       17 November 2021

            I2NSF NSF Monitoring Interface YANG Data Model
             draft-ietf-i2nsf-nsf-monitoring-data-model-12

Abstract

This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework.  If the monitoring of NSFs is performed with the NSF monitoring interface in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a timely manner.  This monitoring functionality is based on the monitoring information that is generated by NSFs.  Thus, this document describes not only an information model for the NSF monitoring interface along with a YANG data diagram, but also the corresponding YANG data model.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 May 2022.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications, Events, and Records
     4.3.  Unsolicited Poll and Solicited Push
   5.  Basic Information Model for Monitoring Data
   6.  Extended Information Model for Monitoring Data
     6.1.  System Alarms
       6.1.1.  Memory Alarm
       6.1.2.  CPU Alarm
       6.1.3.  Disk Alarm
       6.1.4.  Hardware Alarm
       6.1.5.  Interface Alarm
     6.2.  System Events
       6.2.1.  Access Violation
       6.2.2.  Configuration Change
       6.2.3.  Session Table Event
       6.2.4.  Traffic Flows
     6.3.  NSF Events
       6.3.1.  DDoS Detection
       6.3.2.  Virus Event
       6.3.3.  Intrusion Event
       6.3.4.  Web Attack Event
       6.3.5.  VoIP/VoLTE Event
     6.4.  System Logs
       6.4.1.  Access Log
       6.4.2.  Resource Utilization Log
       6.4.3.  User Activity Log
     6.5.  NSF Logs
       6.5.1.  Deep Packet Inspection Log
     6.6.  System Counter
       6.6.1.  Interface Counter
     6.7.  NSF Counters
       6.7.1.  Firewall Counter
       6.7.2.  Policy Hit Counter
   7.  NSF Monitoring Management in I2NSF
   8.  Tree Structure
   9.  YANG Data Model
   10. I2NSF Event Stream
   11. XML Examples for I2NSF NSF Monitoring
     11.1.  I2NSF System Detection Alarm
     11.2.  I2NSF Interface Counters
   12. IANA Considerations
   13. Security Considerations
   14. Acknowledgments
   15. Contributors
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-11
   Authors' Addresses

1.  Introduction

According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF Monitoring Interface.  This interface enables the sharing of vital data from the NSFs (e.g., alarms, records, and counters) to the Security Controller through a variety of mechanisms (e.g., queries, notifications, and events).  The monitoring of an NSF plays an important role in an overall security framework, if it is done in a timely and comprehensive way.  The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial of service (DoS) attacks.

This document defines a comprehensive information model of an NSF monitoring interface that provides visibility into an NSF for the NSF data collector (e.g., Security Controller).  Note that an NSF data collector is defined as an entity that collects NSF monitoring data from an NSF, such as the Security Controller.  It specifies the information and illustrates the methods that enable an NSF to provide the information required in order to be monitored in a scalable and efficient way via the NSF Monitoring Interface.  The information model for the NSF monitoring interface presented in this document is complementary to the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-nsf-facing-interface-dm].

This document also defines a YANG [RFC7950] data model for the NSF monitoring interface, which is derived from the information model for the NSF monitoring interface.

2.  Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terminology described in [RFC8329].

This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

As mentioned earlier, monitoring plays a critical role in an overall security framework.  The monitoring of the NSF provides very valuable information to an NSF data collector (e.g., Security Controller) in maintaining the provisioned security posture.  Besides this, there are various other reasons to monitor the NSF, as listed below:

* The security administrator with I2NSF User can configure a policy that is triggered on a specific event occurring in the NSF or the network [RFC8329] [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If an NSF data collector detects the specified event, it configures additional security functions as defined by policies.

* The events triggered by an NSF as a result of a security policy violation can be used by Security Information and Event Management (SIEM) to detect any suspicious activity in a larger correlation context.

* The information (i.e., events, records, and counters) from an NSF can be used to build advanced analytics, such as behavior and predictive models, to improve security posture in large deployments.

* The NSF data collector can use events from the NSF for achieving high availability.  It can take corrective actions such as restarting a failed NSF and horizontally scaling up the NSF.

* The information (i.e., events, records, and counters) from the NSF can aid in the root cause analysis of an operational issue, so it can improve debugging.

* The records from the NSF can be used to build historical data for operation and business reasons.

4.  Classification of NSF Monitoring Data

In order to maintain a strong security posture, it is not only necessary to configure an NSF's security policies but also to continuously monitor the NSF by consuming acquirable and observable data.  This enables security administrators to assess the state of the networks in a timely fashion.  It is not possible to block all the internal and external threats based on a static security posture.  A more practical approach is supported by enabling dynamic security measures, for which continuous visibility is required.  This document defines a set of monitoring elements and their scopes that can be acquired from an NSF and can be used as NSF monitoring data.  In essence, these types of monitoring data can be leveraged to support constant visibility on multiple levels of granularity and can be consumed by the corresponding functions.

Three basic domains about the monitoring data originating from a system entity [RFC4949], i.e., an NSF, are highlighted in this document.

* Retention and Emission

* Notifications, Events, and Records

* Unsolicited Poll and Solicited Push

As with I2NSF components, every generic system entity can include a set of capabilities that creates information about some context with monitoring data (i.e., monitoring information), composition, configuration, state or behavior of that system entity.  This information is intended to be provided to other consumers of information; in the scope of this document, such information is NSF monitoring data handled in an automated fashion.

4.1.  Retention and Emission

A system entity (e.g., NSF) first retains I2NSF monitoring data inside its own system before emitting the information to another I2NSF component (e.g., NSF Data Collector).
The I2NSF monitoring information consists of I2NSF Event, I2NSF Record, and I2NSF Counter as follows:

I2NSF Event: An I2NSF Event is defined as an important occurrence over time, that is, a change in the system being managed or a change in the environment of the system being managed.  An I2NSF Event requires immediate attention and should be notified as soon as possible.  When used in the context of an (imperative) I2NSF Policy Rule, an I2NSF Event is used to determine whether the Condition clause of that Policy Rule can be evaluated or not.  The Alarm Management Framework in [RFC3877] defines an event as something that happens which may be of interest.  Examples of an event are a fault, a change in status, crossing a threshold, or an external input to the system.  In the I2NSF domain, I2NSF events are created following the definition of an event in the Alarm Management Framework.

I2NSF Record: A record is defined as an item of information that is kept to be looked at and used in the future.  Unlike an I2NSF Event, records do not require immediate attention but may be useful for visibility and retroactive cyber forensics.  Depending on the record format, there are different qualities in regard to structure and detail.  Records are typically stored in log-files or databases on a system entity or NSF.  Records in the form of log-files usually include less structure but potentially more detailed information in regard to the changes of a system entity's characteristics.  In contrast, databases often use stricter schemas or data models, therefore enforcing a better structure.  However, they inhibit storing information that does not match those models ("closed world assumption").  Records can be continuously processed by a system entity as an I2NSF Producer and emitted with a format tailored to a certain type of record.  Typically, records are information generated by a system entity (e.g., NSF) that is based on operational and informational data, that is, various changes in system characteristics.  Examples of records include user activities, network/traffic status, and network activity.  They are important for debugging, auditing and security forensics of a system entity or the network having the system entity.

I2NSF Counter: An I2NSF Counter is defined as a specific representation of continuous value changes of information elements that occur very frequently.  Prominent examples are network interface counters for protocol data unit (PDU) amount, byte amount, drop counters, and error counters.  Counters are useful in debugging and visibility into operational behavior of a system entity (e.g., NSF).  When an NSF data collector asks for the value of a counter to it, a system entity emits

The retention of I2NSF monitoring information listed in Section 9 may be affected by the importance of the data.  The importance of the data could be context-dependent, where it may not just be based on the type of data, but may also depend on where it is deployed, e.g., a test lab and testbed.  The local policy and configuration will dictate the policies and procedures to review, archive, or purge the collected monitoring data.

The I2NSF monitoring information retained on a system entity (e.g., NSF) may be delivered to a corresponding I2NSF User via an NSF data collector.  The information consists of the aggregated records, typically in the form of log-files or databases.  For the NSF Monitoring Interface to deliver the information to the NSF data collector, the NSF needs to accommodate standardized delivery protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040].  The NSF data collector can forward the information to the I2NSF User through one of the standardized delivery protocols.  The interface for this delivery is out of the scope of this document.

4.2.  Notifications, Events, and Records

A specific task of the I2NSF User is to process I2NSF Policy Rules.  The rules of a policy are composed of three clauses: Event, Condition, and Action clauses.  In consequence, an I2NSF Event is specified to trigger an I2NSF Policy Rule.  Such an I2NSF Event is defined as any important occurrence over time in the system being managed, and/or in the environment of the system being managed, which aligns well with the generic definition of Event from [RFC3877].

Another role of the I2NSF Event is to trigger a notification for monitoring the status of an NSF.  A notification is defined in [RFC3877] as an unsolicited transmission of management information.  A system alarm (called alarm) is defined as a warning related to service degradation in system hardware in Section 6.1.  A system event (called alert) is defined as a warning about any changes of configuration, any access violation, or the information of sessions and traffic flows in Section 6.2.  Both an alarm and an alert are I2NSF Events that can be delivered as a notification.  The model illustrated in this document introduces a complementary type of information that can be conveyed in a notification.

In I2NSF monitoring, a notification is used to deliver either an event or a record via the I2NSF Monitoring Interface.  The difference between the event and the record is the timing by which the notifications are emitted.  An event is emitted as soon as it happens in order to notify an NSF Data Collector of the problem that needs immediate attention.  A record is not emitted immediately to the NSF Data Collector; it can be emitted periodically to the NSF Data Collector at a certain time interval.
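As an added illustration of the retention and emission behaviour of Sections 4.1 and 4.2 (example code written for this page, not part of the draft or its YANG module): an NSF retains records and counters, emits an I2NSF Event to the collector as soon as it occurs, emits retained I2NSF Records only when a configurable record interval has elapsed, and returns an I2NSF Counter only when the collector queries it. The record-interval value, the record and counter names, and the timeline are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Notification:
    """A message sent over the NSF Monitoring Interface."""
    kind: str              # "event" (emitted immediately) or "record" (emitted periodically)
    name: str              # constructed names such as "config-change" or "access-log"
    emitted_at: int        # seconds on a constructed clock
    detail: Dict[str, str]


class NsfEmitter:
    """Producer side: retains monitoring data, then emits it to the NSF Data Collector."""

    def __init__(self, record_interval: int) -> None:
        self.record_interval = record_interval          # constructed: seconds between record emissions
        self._records: Deque[Dict[str, str]] = deque()  # retained log entries awaiting emission
        self._counters: Dict[str, int] = {}             # retained values, only read on query
        self._last_record_emission = 0
        self.sent: List[Notification] = []              # everything the collector received

    def raise_event(self, name: str, now: int, **detail: str) -> Notification:
        """An I2NSF Event needs immediate attention: notify the collector right away."""
        notification = Notification("event", name, now, dict(detail))
        self.sent.append(notification)
        return notification

    def log_record(self, name: str, now: int, **detail: str) -> None:
        """An I2NSF Record is kept (log-file/database) and emitted later, not now."""
        self._records.append({"name": name, "created_at": str(now), **detail})

    def count(self, counter: str, increment: int = 1) -> None:
        """An I2NSF Counter changes continuously; nothing is emitted on change."""
        self._counters[counter] = self._counters.get(counter, 0) + increment

    def query_counter(self, counter: str) -> int:
        """Unsolicited poll by the collector: the current value is returned on request."""
        return self._counters.get(counter, 0)

    def tick(self, now: int) -> List[Notification]:
        """Clock tick: once a record interval has elapsed, emit every retained record."""
        if now - self._last_record_emission < self.record_interval:
            return []
        self._last_record_emission = now
        emitted: List[Notification] = []
        while self._records:
            record = self._records.popleft()
            notification = Notification("record", record.pop("name"), now, record)
            self.sent.append(notification)
            emitted.append(notification)
        return emitted


def simulate() -> NsfEmitter:
    """Constructed timeline: records at t=5 and t=30, an event at t=12, ticks every 20 s."""
    nsf = NsfEmitter(record_interval=60)
    nsf.log_record("access-log", now=5, user="alice", ip="192.0.2.10")
    nsf.count("in-pkts", 3)
    nsf.raise_event("config-change", now=12, user="bob", ip="192.0.2.20")
    nsf.log_record("access-log", now=30, user="carol", ip="192.0.2.30")
    for t in (20, 40, 60, 80):
        nsf.tick(t)
    return nsf


if __name__ == "__main__":
    for n in simulate().sent:
        print(n.kind, n.name, "emitted at t=%d" % n.emitted_at, n.detail)
```

The event reaches the collector at t=12, while both records wait until the first tick at or after 60 s; the counter is never pushed at all.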
It is important to note that an NSF Data Collector as a consumer (i.e., observer) of a notification assesses the importance of the notification, rather than an NSF as a producer.  The producer can include metadata in a notification that supports the observer in assessing its importance (e.g., severity).

4.3.  Unsolicited Poll and Solicited Push

The freshness of the monitored information depends on the acquisition method.  Ideally, an I2NSF User is accessing all relevant information about the I2NSF Component and is emitting I2NSF Events to an NSF data collector (e.g., Security Controller) in a timely manner.  Publication of events via a pubsub/broker model, peer-to-peer meshes, or statically defined channels are only a few examples of how a solicited push of I2NSF Events can be facilitated.  The actual mechanism implemented by an I2NSF Component is out of the scope of this document.

Often, the corresponding management interfaces have to be queried at intervals or on demand if required by an I2NSF Policy Rule.  In some cases, the collection of information has to be conducted via a login mechanism provided by a system entity.  Accessing records of information via this kind of unsolicited poll can introduce a significant latency in regard to the freshness of the monitored information.  The actual definition of intervals implemented by an I2NSF Component is also out of the scope of this document.

5.  Basic Information Model for Monitoring Data

As explained in the section above, there is a wealth of data available from the NSF that can be monitored.  Firstly, there must be some general information with each monitoring message sent from an NSF that helps a consumer to identify the meta data of that message, which is listed below:

* message: The extra detail to give the context of the information.

* vendor-name: The name of the NSF vendor.

* nsf-name: The name or IP address of the NSF generating the message.  If the given nsf-name is not an IP address, the name can be an arbitrary string including an FQDN (Fully Qualified Domain Name).  The name MUST be unique in the scope of the management domain so that a different NSF can identify the NSF that generates the message.

* severity: It indicates the severity level.  There are four levels in total, i.e., critical, high, middle, and low.

* timestamp: Indicates the time when the message is generated.  For the notification operations (i.e., System Alarms, System Events, NSF Events, System Logs, and NSF Logs), this is represented by the eventTime of the NETCONF event notification [RFC5277].  For other operations (i.e., System Counter and NSF Counter), the timestamp MUST be provided separately.

6.  Extended Information Model for Monitoring Data

This section covers the additional information associated with the system messages.  The extended information model is only for structured data such as events, records, and counters.  Any unstructured data is specified with the basic information model only.

Each type of information has the following characteristics:

* Acquisition method: The method to obtain the message.  It can be a "query" or a "subscription".  A "query" is a request-based method to acquire the solicited information.  A "subscription" is a subscribe-based method to acquire the unsolicited information.

* Emission type: The cause type for the message to be emitted.  It can be "on-change" or "periodic".  An "on-change" message is emitted when an important event happens in the NSF.  A "periodic" message is emitted at a certain time interval.  The time to periodically emit the message is configurable.

* Dampening type: The type of message dampening to stop the rapid transmission of messages.  The dampening types are "on-repetition" and "no-dampening".
  The "on-repetition" type limits the transmitted "on-change" messages to one message per certain interval.  This interval is defined as the dampening-period in [RFC8641].  The dampening-period is configurable.  The "no-dampening" type does not limit the transmission of messages of the same type.  In short, "on-repetition" means that the dampening is active and "no-dampening" means that it is inactive.  It is recommended to activate the dampening for an "on-change" type of message to reduce the number of messages generated.

6.1.  System Alarms

System alarms have the following characteristics:

* acquisition-method: subscription

* emission-type: on-change

* dampening-type: on-repetition

6.1.1.  Memory Alarm

The memory is the hardware to store information temporarily or for a short period, i.e., Random Access Memory (RAM).  The memory-alarm is emitted when the RAM usage exceeds the threshold.  The following information should be included in a Memory Alarm:

* event-name: memory-alarm.

* usage: Specifies the size of memory used.

* threshold: The threshold triggering the alarm.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The memory usage exceeded the threshold" or with extra information.

6.1.2.  CPU Alarm

The CPU is the Central Processing Unit that executes basic operations of the system.  The cpu-alarm is emitted when the CPU usage exceeds the threshold.  The following information should be included in a CPU Alarm:

* event-name: cpu-alarm.

* usage: Specifies the CPU utilization.

* threshold: The threshold triggering the event.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The CPU usage exceeded the threshold" or with extra information.

6.1.3.  Disk Alarm

The disk is the hardware to store information for a long period, i.e., a Hard Disk or Solid-State Drive.  The disk-alarm is emitted when the disk usage exceeds the threshold.  The following information should be included in a Disk Alarm:

* event-name: disk-alarm.

* usage: Specifies the size of disk space used.

* threshold: The threshold triggering the event.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The disk usage exceeded the threshold" or with extra information.

6.1.4.  Hardware Alarm

The hardware-alarm is emitted when a problem with a hardware component (e.g., CPU, memory, disk, or interface) is detected.  The following information should be included in a Hardware Alarm:

* event-name: hardware-alarm.

* component-name: It indicates the hardware component responsible for generating this alarm.

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The hardware component has failed or degraded" or with extra information.

6.1.5.  Interface Alarm

The interface is the network interface for connecting a device with the network.  The interface-alarm is emitted when the state of the interface is changed.  The following information should be included in an Interface Alarm:

* event-name: interface-alarm.

* interface-name: The name of the interface.

* interface-state: down, up (not congested), congested (up but congested).

* severity: The severity of the alarm such as critical, high, medium, and low.

* message: Simple information such as "The interface is 'interface-state'" or with extra information.

6.2.  System Events

System events (as alerts) have the following characteristics:

* acquisition-method: subscription

* emission-type: on-change

* dampening-type: on-repetition

6.2.1.  Access Violation

The access-violation system event is an event when a user tries to access (read, write, create, or delete) any information or execute commands above their privilege.

* event-name: access-denied.

* user: Name of a user.

* group: Group(s) to which a user belongs.  A user can belong to multiple groups.

* ip-address: The IP address of the user that triggered the event.

* authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.

* message: The message to give the context of the event, such as "Access is denied".

6.2.2.  Configuration Change

A configuration change is a system event when a new configuration is added or an existing configuration is modified.  The following information should be included in this event:

* event-name: config-change.

* user: Name of a user.

* group: Group(s) to which a user belongs.  A user can belong to multiple groups.

* ip-address: The IP address of the user that triggered the event.

* authentication: The method to verify the valid user, i.e., pre-configured-key and certificate-authority.

* message: The message to give the context of the event, such as "Configuration is modified" or "New configuration is added".

6.2.3.  Session Table Event

The following information should be included in a Session Table Event:

* event-name: session-table.

* current-session: The number of concurrent sessions.

* maximum-session: The maximum number of sessions that the session table can support.

* threshold: The threshold triggering the event.

* message: The message to give the context of the event, such as "The number of session table exceeded the threshold".

6.2.4.  Traffic Flows

Traffic flows need to be monitored because they might be used for security attacks on the network.
The following information should be included in this event:

* src-ip: The source IPv4 or IPv6 address of the traffic flow.

* dst-ip: The destination IPv4 or IPv6 address of the traffic flow.

* src-port: The source port of the traffic flow.

* dst-port: The destination port of the traffic flow.

* protocol: The protocol of the traffic flow.

* arrival-rate: Arrival rate of packets of the traffic flow.

6.3.  NSF Events

NSF events have the following characteristics:

* acquisition-method: subscription

* emission-type: on-change

* dampening-type: on-repetition

6.3.1.  DDoS Detection

The following information should be included in a DDoS Event:

* event-name: detection-ddos.

* attack-type: Any one of SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood, SSL flood, and NTP amplification flood.

* attack-src-ip: The IP address of the source of the DDoS attack.

* attack-dst-ip: The network prefix with a network mask (for IPv4) or prefix length (for IPv6) of a victim under DDoS attack.

* dst-port: The port number that the attack traffic aims at.

* start-time: The time stamp indicating when the attack started.

* end-time: The time stamp indicating when the attack ended.  If the attack is still ongoing when the alarm is sent out, this field can be empty.

* attack-rate: The packets per second of attack traffic.

* attack-speed: The bytes per second of attack traffic.

* rule-name: The name of the I2NSF Policy Rule being triggered.  Note that rule-name is used to match a detected NSF event with a policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm].

6.3.2.  Virus Event

The following information should be included in a Virus Event:

* event-name: detection-virus.

* virus: Type of the virus, e.g., trojan, worm, or macro virus type.

* virus-name: Name of the virus.

* dst-ip: The destination IP address of the flow where the virus is found.

* src-ip: The source IP address of the flow where the virus is found.

* src-port: The source port of the flow where the virus is found.

* dst-port: The destination port of the flow where the virus is found.

* src-location: The geographical location (e.g., country and city) of the src-ip field.

* dst-location: The geographical location (e.g., country and city) of the dst-ip field.

* os: The operating system of the host that has the virus.

* file-type: The type of the file where the virus is hidden.

* file-name: The name of the file where the virus is hidden.

* raw-info: The information describing the packet triggering the event.

* rule-name: The name of the rule being triggered.

6.3.3.  Intrusion Event

The following information should be included in an Intrusion Event:

* event-name: The name of the event, e.g., detection-intrusion.

* attack-type: Attack type, e.g., brute force and buffer overflow.

* src-ip: The source IP address of the flow.

* dst-ip: The destination IP address of the flow.

* src-port: The source port number of the flow.

* dst-port: The destination port number of the flow.

* src-location: The source geographical location (e.g., country and city) of the src-ip field.

* dst-location: The destination geographical location (e.g., country and city) of the dst-ip field.

* protocol: The employed transport layer protocol, e.g., TCP and UDP.

* app: The employed application layer protocol, e.g., HTTP and FTP.

* rule-name: The name of the I2NSF Policy Rule being triggered.

* raw-info: The information describing the flow triggering the event.

6.3.4.  Web Attack Event

The following information should be included in a Web Attack Alarm:

* event-name: The name of the event, e.g., detection-web-attack.

* attack-type: Concrete web attack type, e.g., SQL injection, command injection, XSS, CSRF.

* src-ip: The source IP address of the packet.

* dst-ip: The destination IP address of the packet.

* src-port: The source port number of the packet.

* dst-port: The destination port number of the packet.

* src-location: The source geographical location (e.g., country and city) of the src-ip field.

* dst-location: The destination geographical location (e.g., country and city) of the dst-ip field.

* req-method: The HTTP method of the request.  For instance, "PUT" and "GET" in HTTP.

* req-target: The HTTP Request Target.

* response-code: The HTTP Response status code.

* req-user-agent: The HTTP User-Agent header field of the request.

* cookies: The HTTP Set-Cookie header field of the response.

* req-host: The HTTP Host header field of the request.

* filtering-type: URL filtering type, e.g., deny-list, allow-list, and unknown.

* rule-name: The name of the I2NSF Policy Rule being triggered.

6.3.5.  VoIP/VoLTE Event

The following information should be included in a VoIP/VoLTE Event:

* source-voice-id: The detected source voice Call ID for VoIP and VoLTE that violates the policy.

* destination-voice-id: The destination voice Call ID for VoIP and VoLTE that violates the policy.

* user-agent: The user agent for VoIP and VoLTE that violates the policy.

* src-ip: The source IP address of the VoIP/VoLTE.

* dst-ip: The destination IP address of the VoIP/VoLTE.

* src-port: The source port number of the VoIP/VoLTE.

* dst-port: The destination port number of the VoIP/VoLTE.

* src-location: The source geographical location (e.g., country and city) of the src-ip field.

* dst-location: The destination geographical location (e.g., country and city) of the dst-ip field.

* rule-name: The name of the I2NSF Policy Rule being triggered.

6.4.  System Logs
System Logs 800 System log is a record that is used to monitor the activity of the 801 user on the NSF and the status of the NSF. System logs have the 802 following characteristics: 804 * acquisition-method: subscription 806 * emission-type: on-change or periodic 808 * dampening-type: on-repetition 810 6.4.1. Access Log 812 Access logs record administrators' login, logout, and operations on a 813 device. By analyzing them, security vulnerabilities can be 814 identified. The following information should be included in an 815 operation report: 817 * username: The username that operates on the device. 819 * login-ip: IP address used by an administrator to log in. 821 * login-role: The login role to specify the privilege level of the 822 user account, e.g., administrator, user, and guest. 824 * operation-type: The operation type that the administrator execute, 825 e.g., login, logout, configuration, and other. 827 * input: The operation performed by a user after login. The 828 operation is a command given by a user. 830 * output: The result after executing the input. 832 6.4.2. Resource Utilization Log 834 Running reports record the device system's running status, which is 835 useful for device monitoring. The following information should be 836 included in running report: 838 * system-status: The current system's running status. 840 * cpu-usage: Specifies the aggregated CPU usage. 842 * memory-usage: Specifies the memory usage. 844 * disk-id: Specifies the disk ID to identify the storage disk. 846 * disk-usage: Specifies the disk usage of disk-id. 848 * disk-left: Specifies the available disk space left of disk-id. 850 * session-number: Specifies total concurrent sessions. 852 * process-number: Specifies total number of systems processes. 854 * interface-id: Specifies the interface ID to identify the network 855 interface. 857 * in-traffic-rate: The total inbound traffic rate in packets per 858 second. 
860 * out-traffic-rate: The total outbound traffic rate in packets per 861 second. 863 * in-traffic-speed: The total inbound traffic speed in bytes per 864 second. 866 * out-traffic-speed: The total outbound traffic speed in bytes per 867 second. 869 6.4.3. User Activity Log 871 User activity logs provide visibility into users' online records 872 (such as login time, online/lockout duration, and login IP addresses) 873 and the actions that users perform. User activity reports are 874 helpful to identify exceptions during a user's login and network 875 access activities. 877 * user: Name of a user. 879 * group: Group to which a user belongs. 881 * login-ip-addr: Login IP address of a user. 883 * authentication: The method to verify the valid user, i.e., pre- 884 configured-key and certificate-authority. 886 * online-duration: The duration of a user's activeness (stays in 887 login) during a session. 889 * logout-duration: The duration of a user's inactiveness (not in 890 login) from the last session. 892 * additional-info: Additional Information for login: 894 1. type: User activities. e.g., Successful User Login, Failed 895 Login attempts, User Logout, Successful User Password Change, 896 Failed User Password Change, User Lockout, and User Unlocking. 898 2. cause: Cause of a failed user activity. 900 6.5. NSF Logs 902 NSF logs have the folowing characteristics: 904 * acquisition-method: subscription 906 * emission-type: on-change 908 * dampening-type: on-repetition 910 6.5.1. Deep Packet Inspection Log 912 Deep Packet Inspection (DPI) Logs provide statistics on uploaded and 913 downloaded files and data, sent and received emails, and alert and 914 blocking records on websites. It is helpful to learn risky user 915 behaviors and why access to some URLs is blocked or allowed with an 916 alert record. 918 * attack-type: DPI action types. e.g., File Blocking, Data 919 Filtering, and Application Behavior Control. 921 * src-user: User source who generates the policy. 
923 * policy-name: Security policy name that traffic matches. 925 * action: Action defined in the file blocking rule, data filtering 926 rule, or application behavior control rule that traffic matches. 928 6.6. System Counter 930 System counter has the following characteristics: 932 * acquisition-method: subscription or query 934 * emission-type: periodic 936 * dampening-type: none 938 6.6.1. Interface Counter 940 Interface counters provide visibility into traffic into and out of an 941 NSF, and bandwidth usage. The statistics of the interface counters 942 should be computed from the start of the service. When the service 943 is reset, the computation of statistics per counter should restart 944 from 0. 946 * interface-name: Network interface name configured in NSF. 948 * in-total-traffic-pkts: Total inbound packets. 950 * out-total-traffic-pkts: Total outbound packets. 952 * in-total-traffic-bytes: Total inbound bytes. 954 * out-total-traffic-bytes: Total outbound bytes. 956 * in-drop-traffic-pkts: Total inbound drop packets. 958 * out-drop-traffic-pkts: Total outbound drop packets. 960 * in-drop-traffic-bytes: Total inbound drop bytes. 962 * out-drop-traffic-bytes: Total outbound drop bytes. 964 * in-traffic-average-rate: Inbound traffic average rate in packets 965 per second. 967 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 968 second. 970 * in-traffic-average-speed: Inbound traffic average speed in bytes 971 per second. 973 * in-traffic-peak-speed: Inbound traffic peak speed in bytes per 974 second. 976 * out-traffic-average-rate: Outbound traffic average rate in packets 977 per second. 979 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 980 second. 982 * out-traffic-average-speed: Outbound traffic average speed in bytes 983 per second. 985 * out-traffic-peak-speed: Outbound traffic peak speed in bytes per 986 second. 988 6.7. 
NSF Counters 990 NSF counters have the following characteristics: 992 * acquisition-method: subscription or query 994 * emission-type: periodic 996 * dampening-type: none 998 6.7.1. Firewall Counter 1000 Firewall counters provide visibility into traffic signatures, 1001 bandwidth usage, and how the configured security and bandwidth 1002 policies have been applied. 1004 * src-ip: Source IP address of traffic. 1006 * src-user: User who generates the policy. 1008 * dst-ip: Destination IP address of traffic. 1010 * src-port: Source port of traffic. 1012 * dst-port: Destination port of traffic. 1014 * protocol: Protocol type of traffic. 1016 * app: Application type of traffic. 1018 * policy-id: Security policy id that traffic matches. 1020 * policy-name: Security policy name that traffic matches. 1022 * in-interface: Inbound interface of traffic. 1024 * out-interface: Outbound interface of traffic. 1026 * total-traffic: Total traffic volume. 1028 * in-traffic-average-rate: Inbound traffic average rate in packets 1029 per second. 1031 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 1032 second. 1034 * in-traffic-average-speed: Inbound traffic average speed in bytes 1035 per second. 1037 * in-traffic-peak-speed: Inbound traffic peak speed in bytes per 1038 second. 1040 * out-traffic-average-rate: Outbound traffic average rate in packets 1041 per second. 1043 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 1044 second. 1046 * out-traffic-average-speed: Outbound traffic average speed in bytes 1047 per second. 1049 * out-traffic-peak-speed: Outbound traffic peak speed in bytes per 1050 second. 1052 6.7.2. Policy Hit Counter 1054 Policy Hit Counters record the security policy that traffic matches 1055 and its hit count. It can check if policy configurations are 1056 correct. 1058 * src-ip: Source IP address of traffic. 1060 * src-user: User who generates the policy. 1062 * dst-ip: Destination IP address of traffic. 
1064 * src-port: Source port of traffic. 1066 * dst-port: Destination port of traffic. 1068 * protocol: Protocol type of traffic. 1070 * app: Application type of traffic. 1072 * policy-id: Security policy id that traffic matches. 1074 * policy-name: Security policy name that traffic matches. 1076 * hit-times: The hit times that the security policy matches the 1077 specified traffic. 1079 7. NSF Monitoring Management in I2NSF 1081 A standard model for monitoring data is required for an administrator 1082 to check the monitoring data generated by an NSF. The administrator 1083 can check the monitoring data through the following process. When 1084 the NSF monitoring data that is under the standard format is 1085 generated, the NSF forwards it to an NSF data collector via the I2NSF 1086 NSF Monitoring Interface. The NSF data collector delivers it to 1087 I2NSF Consumer or Developer's Management System (DMS) so that the 1088 administrator can know the state of the I2NSF framework. 1090 In order to communicate with other components, an I2NSF framework 1091 [RFC8329] requires the interfaces. The three main interfaces in 1092 I2NSF framework are used for sending monitoring data as follows: 1094 * I2NSF Consumer-Facing Interface 1095 [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User 1096 makes a security policy and forwards it to the Security Controller 1097 via Consumer-Facing Interface, it can specify the threat-feed for 1098 threat prevention, the custom list, the malicious code scan group, 1099 and the event map group. They can be used as an event to be 1100 monitored by an NSF. 1102 * I2NSF Registration Interface 1103 [I-D.ietf-i2nsf-registration-interface-dm]: The Network Functions 1104 Virtualization (NFV) architecture provides the lifecycle 1105 management of a Virtual Network Function (VNF) via the Ve-Vnfm 1106 interface. 
      The role of Ve-Vnfm is to request VNF lifecycle management (e.g.,
      the instantiation and de-instantiation of an NSF, and load
      balancing among NSFs), exchange configuration information, and
      exchange status information for a network service.  In the I2NSF
      framework, the DMS manages data about resource states and network
      traffic for the lifecycle management of an NSF.  Therefore, the
      monitoring data generated by NSFs is delivered from the NSF data
      collector to the DMS via either the Registration Interface or a
      new interface (e.g., the NSF Monitoring Interface).  These data
      are delivered from the DMS to the VNF Manager in the Management
      and Orchestration (MANO) of the NFV system
      [I-D.ietf-i2nsf-applicability].

   *  I2NSF NSF Monitoring Interface [RFC8329]: After a high-level
      security policy from the I2NSF User is translated by the security
      policy translator [I-D.yang-i2nsf-security-policy-translation] in
      the Security Controller, the translated security policy (i.e.,
      low-level policy) is applied to an NSF via the NSF-Facing
      Interface.  The monitoring interface data model for an NSF
      specifies the list of events that can trigger
      Event-Condition-Action (ECA) policies via the NSF Monitoring
      Interface.

8.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-nsf-monitoring
     +--ro i2nsf-counters
     |  +--ro system-interface* [interface-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro interface-name               if:interface-ref
     |  |  +--ro in-total-traffic-pkts?       yang:counter32
     |  |  +--ro out-total-traffic-pkts?      yang:counter32
     |  |  +--ro in-total-traffic-bytes?      uint64
     |  |  +--ro out-total-traffic-bytes?     uint64
     |  |  +--ro in-drop-traffic-pkts?        yang:counter32
     |  |  +--ro out-drop-traffic-pkts?       yang:counter32
     |  |  +--ro in-drop-traffic-bytes?       uint64
     |  |  +--ro out-drop-traffic-bytes?      uint64
     |  |  +--ro discontinuity-time           yang:date-and-time
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint64
     |  |  +--ro in-traffic-peak-speed?       uint64
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint64
     |  |  +--ro out-traffic-peak-speed?      uint64
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    union
     |  |  +--ro severity?                    severity
     |  |  +--ro timestamp?                   yang:date-and-time
     |  +--ro nsf-firewall* [policy-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro policy-name
     |  |  |       -> /nsfintf:i2nsf-security-policy/system-policy-name
     |  |  +--ro src-user?                    string
     |  |  +--ro discontinuity-time           yang:date-and-time
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint64
     |  |  +--ro in-traffic-peak-speed?       uint64
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint64
     |  |  +--ro out-traffic-peak-speed?      uint64
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    union
     |  |  +--ro severity?                    severity
     |  |  +--ro timestamp?                   yang:date-and-time
     |  +--ro nsf-policy-hits* [policy-name]
     |     +--ro acquisition-method?          identityref
     |     +--ro emission-type?               identityref
     |     +--ro dampening-type?              identityref
     |     +--ro policy-name
     |     |       -> /nsfintf:i2nsf-security-policy/system-policy-name
     |     +--ro src-user?                    string
     |     +--ro message?                     string
     |     +--ro vendor-name?                 string
     |     +--ro nsf-name?                    union
     |     +--ro severity?                    severity
     |     +--ro discontinuity-time           yang:date-and-time
     |     +--ro hit-times?                   yang:counter32
     |     +--ro timestamp?                   yang:date-and-time
     +--rw i2nsf-monitoring-configuration
        +--rw i2nsf-system-detection-alarm
        |  +--rw enabled?            boolean
        |  +--rw system-alarm* [alarm-type]
        |     +--rw alarm-type          enumeration
        |     +--rw threshold?          uint8
        |     +--rw dampening-period?   uint32
        +--rw i2nsf-system-detection-event
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-traffic-flows
        |  +--rw dampening-period?   uint32
        |  +--rw enabled?            boolean
        +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-session-table-configuration
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-intrusion
        |       {i2nsf-nsf-detection-intrusion}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-web-attack
        |       {i2nsf-nsf-detection-web-attack}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-system-access-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-system-res-util-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-system-user-activity-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-counter
           +--rw period?             uint16

     notifications:
       +---n i2nsf-event
       |  +--ro (sub-event-type)?
       |     +--:(i2nsf-system-detection-alarm)
       |     |  +--ro i2nsf-system-detection-alarm
       |     |     +--ro alarm-category?       identityref
       |     |     +--ro component-name?       string
       |     |     +--ro interface-name?       if:interface-ref
       |     |     +--ro interface-state?      enumeration
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro usage?                uint8
       |     |     +--ro threshold?            uint8
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             union
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-detection-event)
       |     |  +--ro i2nsf-system-detection-event
       |     |     +--ro event-category?       identityref
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro user                  string
       |     |     +--ro group*                string
       |     |     +--ro ip-address            inet:ip-address-no-zone
       |     |     +--ro authentication?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             union
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-traffic-flows)
       |     |  +--ro i2nsf-traffic-flows
       |     |     +--ro src-ip?               inet:ip-address-no-zone
       |     |     +--ro dst-ip?               inet:ip-address-no-zone
       |     |     +--ro protocol?             identityref
       |     |     +--ro src-port?             inet:port-number
       |     |     +--ro dst-port?             inet:port-number
       |     |     +--ro arrival-rate?         uint32
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             union
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-nsf-detection-session-table)
       |        +--ro i2nsf-nsf-detection-session-table
       |           +--ro current-session?      uint32
       |           +--ro maximum-session?      uint32
       |           +--ro threshold?            uint32
       |           +--ro message?              string
       |           +--ro vendor-name?          string
       |           +--ro nsf-name?             union
       |           +--ro severity?             severity
       +---n i2nsf-log
       |  +--ro (sub-logs-type)?
       |     +--:(i2nsf-nsf-system-access-log)
       |     |  +--ro i2nsf-nsf-system-access-log
       |     |     +--ro login-ip?             inet:ip-address-no-zone
       |     |     +--ro username?             string
       |     |     +--ro login-role?           login-role
       |     |     +--ro operation-type?       operation-type
       |     |     +--ro input?                string
       |     |     +--ro output?               string
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             union
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-res-util-log)
       |     |  +--ro i2nsf-system-res-util-log
       |     |     +--ro system-status?        enumeration
       |     |     +--ro cpu-usage?            uint8
       |     |     +--ro memory-usage?         uint8
       |     |     +--ro disk* [disk-id]
       |     |     |  +--ro disk-id             string
       |     |     |  +--ro disk-usage?         uint8
       |     |     |  +--ro disk-left?          uint8
       |     |     +--ro session-num?          uint32
       |     |     +--ro process-num?          uint32
       |     |     +--ro interface* [interface-id]
       |     |     |  +--ro interface-id        string
       |     |     |  +--ro in-traffic-rate?    uint32
       |     |     |  +--ro out-traffic-rate?   uint32
       |     |     |  +--ro in-traffic-speed?   uint64
       |     |     |  +--ro out-traffic-speed?  uint64
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             union
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-user-activity-log)
       |        +--ro i2nsf-system-user-activity-log
       |           +--ro acquisition-method?   identityref
       |           +--ro emission-type?        identityref
       |           +--ro dampening-type?       identityref
       |           +--ro user                  string
       |           +--ro group*                string
       |           +--ro ip-address            inet:ip-address-no-zone
       |           +--ro authentication?       identityref
       |           +--ro message?              string
       |           +--ro vendor-name?          string
       |           +--ro nsf-name?             union
       |           +--ro severity?             severity
       |           +--ro online-duration?      uint32
       |           +--ro logout-duration?      uint32
       |           +--ro additional-info?      enumeration
       +---n i2nsf-nsf-event
          +--ro (sub-event-type)?
             +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
             |  +--ro i2nsf-nsf-detection-ddos
             |     +--ro attack-type?          identityref
             |     +--ro start-time            yang:date-and-time
             |     +--ro end-time              yang:date-and-time
             |     +--ro attack-src-ip*        inet:ip-address-no-zone
             |     +--ro attack-dst-ip*        inet:ip-address-no-zone
             |     +--ro attack-src-port*      inet:port-number
             |     +--ro attack-dst-port*      inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro attack-rate?          uint32
             |     +--ro attack-speed?         uint64
             |     +--ro action*               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-virus)
             |       {i2nsf-nsf-detection-virus}?
             |  +--ro i2nsf-nsf-detection-virus
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro src-location?         string
             |     +--ro dst-location?         string
             |     +--ro virus?                identityref
             |     +--ro virus-name?           string
             |     +--ro file-type?            string
             |     +--ro file-name?            string
             |     +--ro os?                   string
             |     +--ro action*               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-intrusion)
             |       {i2nsf-nsf-detection-intrusion}?
             |  +--ro i2nsf-nsf-detection-intrusion
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro src-location?         string
             |     +--ro dst-location?         string
             |     +--ro protocol?             identityref
             |     +--ro app?                  identityref
             |     +--ro attack-type?          identityref
             |     +--ro action*               log-action
             |     +--ro attack-rate?          uint32
             |     +--ro attack-speed?         uint64
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-web-attack)
             |       {i2nsf-nsf-detection-web-attack}?
             |  +--ro i2nsf-nsf-detection-web-attack
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro src-location?         string
             |     +--ro dst-location?         string
             |     +--ro attack-type?          identityref
             |     +--ro req-method?           identityref
             |     +--ro req-target?           string
             |     +--ro filtering-type*       identityref
             |     +--ro req-user-agent?       string
             |     +--ro cookies?              string
             |     +--ro req-host?             string
             |     +--ro response-code?        string
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro action*               log-action
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-voip-volte)
             |       {i2nsf-nsf-detection-voip-volte}?
             |  +--ro i2nsf-nsf-detection-voip-volte
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro src-location?         string
             |     +--ro dst-location?         string
             |     +--ro source-voice-id*      string
             |     +--ro destination-voice-id* string
             |     +--ro user-agent*           string
             +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
                +--ro i2nsf-nsf-log-dpi
                   +--ro attack-type?          dpi-type
                   +--ro acquisition-method?   identityref
                   +--ro emission-type?        identityref
                   +--ro dampening-type?       identityref
                   +--ro policy-name
                   |       -> /nsfintf:i2nsf-security-policy/system-policy-name
                   +--ro src-user?             string
                   +--ro message?              string
                   +--ro vendor-name?          string
                   +--ro nsf-name?             union
                   +--ro severity?             severity

                Figure 1: Information Model for NSF Monitoring

9.  YANG Data Model

   This section describes a YANG module of I2NSF NSF Monitoring.  The
   data model provided in this document uses identities to convey
   information about the monitored state of an NSF.  Every identity
   used in the document gives information or status about the current
   situation of an NSF.  This YANG module imports from [RFC6991], and
   makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0793]
   [RFC0854] [RFC1939] [RFC0959] [RFC4340] [RFC4443] [RFC4960]
   [RFC5321] [RFC6242] [RFC6265] [RFC7230] [RFC7231] [RFC8200]
   [RFC8641] [RFC9051] [I-D.ietf-tcpm-rfc793bis]
   [IANA-HTTP-Status-Code] [IANA-Media-Types].
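   The interface counters of Section 6.6.1 restart from 0 when the
   service is reset, and the system-interface list in the tree above
   carries a discontinuity-time leaf next to its yang:counter32 leaves.
   A collector that derives in-traffic-average-rate and
   in-traffic-peak-rate from periodic polls of in-total-traffic-pkts
   therefore has to handle two cases the prose does not spell out: a
   counter32 value wrapping past 2^32, and a reset signalled by a
   changed discontinuity-time.  The following Python is an added example
   written for this page, not code from the draft or the I2NSF working
   group; the Sample class, the constructed poll values and the rounding
   to whole packets per second are assumptions of the example, and the
   same logic applies to the out-* and *-bytes counters.

```python
"""Derive in-traffic-average-rate and in-traffic-peak-rate from periodic
polls of a system-interface counter (added example, not draft code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

COUNTER32_MODULUS = 2 ** 32   # yang:counter32 wraps around at 2^32


def parse_date_and_time(value: str) -> datetime:
    """Parse a yang:date-and-time value such as 2021-11-17T00:00:10Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Sample:
    """One poll of the counter list entry (constructed for the example)."""
    timestamp: datetime            # timestamp leaf: when the poll was taken
    discontinuity_time: datetime   # discontinuity-time leaf: last counter restart
    in_total_traffic_pkts: int     # in-total-traffic-pkts leaf (yang:counter32)


def packet_delta(prev: Sample, cur: Sample) -> Optional[int]:
    """Packets counted between two polls, or None if the interval is unusable.

    A changed discontinuity-time means the counter restarted from 0 (Section
    6.6.1), so the difference across that boundary is meaningless and is
    discarded.  Otherwise a value lower than the previous one is a counter32
    wrap-around and is corrected modulo 2^32."""
    if cur.discontinuity_time != prev.discontinuity_time:
        return None
    raw = cur.in_total_traffic_pkts - prev.in_total_traffic_pkts
    return raw % COUNTER32_MODULUS


def in_traffic_rates(samples: List[Sample]) -> dict:
    """Average and peak inbound packet rates (packets per second) over the
    usable intervals between consecutive polls, rounded to whole packets."""
    total_pkts = 0
    total_secs = 0.0
    peak = 0
    for prev, cur in zip(samples, samples[1:]):
        delta = packet_delta(prev, cur)
        secs = (cur.timestamp - prev.timestamp).total_seconds()
        if delta is None or secs <= 0:
            continue                  # reset or non-monotonic clock: skip
        total_pkts += delta
        total_secs += secs
        peak = max(peak, round(delta / secs))
    average = round(total_pkts / total_secs) if total_secs else 0
    return {"in-traffic-average-rate": average, "in-traffic-peak-rate": peak}


def constructed_samples() -> List[Sample]:
    """Five constructed polls: a normal interval, a counter32 wrap, a reset
    (new discontinuity-time) and a normal interval after the reset."""
    first_start = parse_date_and_time("2021-11-17T00:00:00Z")
    restart = parse_date_and_time("2021-11-17T00:00:35Z")
    return [
        Sample(parse_date_and_time("2021-11-17T00:00:10Z"), first_start, 4294967000),
        Sample(parse_date_and_time("2021-11-17T00:00:20Z"), first_start, 4294967290),
        Sample(parse_date_and_time("2021-11-17T00:00:30Z"), first_start, 10),
        Sample(parse_date_and_time("2021-11-17T00:00:40Z"), restart, 50),
        Sample(parse_date_and_time("2021-11-17T00:00:50Z"), restart, 1050),
    ]


if __name__ == "__main__":
    print(in_traffic_rates(constructed_samples()))
    # {'in-traffic-average-rate': 44, 'in-traffic-peak-rate': 100}
```

   The wrapped interval contributes only 16 packets (6 up to 2^32 and 10
   after it) rather than a huge negative number, and the interval that
   straddles the reset is dropped instead of being counted as a burst;
   both mistakes would otherwise show up as a bogus in-traffic-peak-rate
   in the counter report.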
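   Section 6.2.3 defines the session-table event by a threshold, and the
   i2nsf-nsf-detection-session-table-configuration subtree above adds
   an enabled flag and a dampening-period.  The following Python is an
   added example of how an NSF could combine those with the on-change
   emission and on-repetition dampening that Section 6.3 lists for
   event notifications; it is not code from the draft.  It emits the
   i2nsf-nsf-detection-session-table notification body laid out in the
   tree when the session count first crosses the threshold, suppresses
   repeats of the same event until dampening-period has elapsed, and
   re-arms once the count falls back.  The SessionTableMonitor class,
   the reading of dampening-period as seconds, the hysteresis
   parameter, the severity value "high", the RFC 7951-style JSON
   encoding with the module-name prefix, and the vendor and NSF names
   are assumptions of the example.

```python
"""Threshold check with on-change emission and on-repetition dampening for
the i2nsf-nsf-detection-session-table event (added example, not draft code)."""
from typing import List, Optional

# Message text quoted in Section 6.2.3 of the draft.
SESSION_TABLE_MESSAGE = "The number of session table exceeded the threshold"


class SessionTableMonitor:
    """Tracks the NSF session table against a threshold and decides when an
    i2nsf-event notification should be emitted."""

    def __init__(self, nsf_name: str, vendor_name: str, maximum_session: int,
                 threshold: int, dampening_period: int, enabled: bool = True,
                 hysteresis: int = 0) -> None:
        self.nsf_name = nsf_name                  # nsf-name leaf
        self.vendor_name = vendor_name            # vendor-name leaf
        self.maximum_session = maximum_session    # maximum-session leaf
        self.threshold = threshold                # threshold leaf
        # dampening-period from i2nsf-nsf-detection-session-table-configuration;
        # assumed here to be expressed in seconds.
        self.dampening_period = dampening_period
        self.enabled = enabled                    # enabled leaf of that subtree
        # Assumed hysteresis: the event re-arms only once the count drops below
        # threshold - hysteresis, so a count oscillating around the threshold
        # does not produce a fresh on-change notification on every sample.
        self.hysteresis = hysteresis
        self.above = False                        # last sample was over threshold
        self.last_emitted: Optional[float] = None  # time of the last notification

    def notification(self, current_session: int) -> dict:
        """Build the notification body following the tree structure; the
        top-level key uses the RFC 7951 JSON encoding (module-name prefix)."""
        return {
            "ietf-i2nsf-nsf-monitoring:i2nsf-event": {
                "i2nsf-nsf-detection-session-table": {
                    "current-session": current_session,
                    "maximum-session": self.maximum_session,
                    "threshold": self.threshold,
                    "message": SESSION_TABLE_MESSAGE,
                    "vendor-name": self.vendor_name,
                    "nsf-name": self.nsf_name,
                    "severity": "high",  # assumed severity for this event
                }
            }
        }

    def observe(self, now: float, current_session: int) -> Optional[dict]:
        """Feed one sample (now in seconds); return a notification or None."""
        if not self.enabled:
            return None
        if current_session < self.threshold - self.hysteresis:
            self.above = False                    # condition cleared: re-arm
            return None
        if current_session < self.threshold:
            return None                           # inside the hysteresis band
        crossing = not self.above                 # on-change: first sample over
        self.above = True
        repeat_due = (self.last_emitted is not None
                      and now - self.last_emitted >= self.dampening_period)
        if crossing or repeat_due:                # on-repetition dampening
            self.last_emitted = now
            return self.notification(current_session)
        return None


def run_constructed_scenario() -> List[float]:
    """Replay a constructed series of (time, current-session) samples and
    return the times at which a notification was emitted."""
    mon = SessionTableMonitor(nsf_name="fw-01", vendor_name="ExampleVendor",
                              maximum_session=1000, threshold=80,
                              dampening_period=60, hysteresis=5)
    samples = [(0, 50), (10, 90), (20, 95), (70, 96), (75, 78),
               (80, 70), (85, 85)]
    return [t for t, n in samples if mon.observe(t, n) is not None]


if __name__ == "__main__":
    print(run_constructed_scenario())  # [10, 70, 85]
```

   In the constructed scenario the crossing at t=10 is reported at once,
   the samples at t=20 and t=75 are suppressed as repetitions, the
   report at t=70 is the one repeat allowed after the dampening period,
   and the count dropping to 70 at t=80 re-arms the monitor so the new
   crossing at t=85 is again reported immediately.  Without the
   hysteresis band a count hovering at 79/80 would defeat the dampening
   by producing a fresh crossing on every other sample.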
1501 file "ietf-i2nsf-nsf-monitoring@2021-11-17.yang" 1502 module ietf-i2nsf-nsf-monitoring { 1503 yang-version 1.1; 1504 namespace 1505 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; 1506 prefix 1507 nsfmi; 1508 import ietf-inet-types{ 1509 prefix inet; 1510 reference 1511 "Section 4 of RFC 6991"; 1513 } 1514 import ietf-yang-types { 1515 prefix yang; 1516 reference 1517 "Section 3 of RFC 6991"; 1518 } 1519 import ietf-i2nsf-policy-rule-for-nsf { 1520 prefix nsfintf; 1521 reference 1522 "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14"; 1523 } 1524 import ietf-interfaces { 1525 prefix if; 1526 reference 1527 "Section 5 of RFC 8343"; 1528 } 1529 organization 1530 "IETF I2NSF (Interface to Network Security Functions) 1531 Working Group"; 1532 contact 1533 "WG Web: 1534 WG List: 1536 Editor: Jaehoon Paul Jeong 1537 1539 Editor: Patrick Lingga 1540 "; 1542 description 1543 "This module is a YANG module for I2NSF NSF Monitoring. 1545 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1546 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1547 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 1548 document are to be interpreted as described in BCP 14 1549 (RFC 2119) (RFC 8174) when, and only when, they appear 1550 in all capitals, as shown here. 1552 Copyright (c) 2021 IETF Trust and the persons identified as 1553 authors of the code. All rights reserved. 1555 Redistribution and use in source and binary forms, with or 1556 without modification, is permitted pursuant to, and subject to 1557 the license terms contained in, the Simplified BSD License set 1558 forth in Section 4.c of the IETF Trust's Legal Provisions 1559 Relating to IETF Documents 1560 (https://trustee.ietf.org/license-info). 
1562 This version of this YANG module is part of RFC XXXX 1563 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself 1564 for full legal notices."; 1566 revision "2021-11-17" { 1567 description "Latest revision"; 1568 reference 1569 "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; 1571 // RFC Ed.: replace XXXX with an actual RFC number and remove 1572 // this note. 1573 } 1575 /* 1576 * Typedefs 1577 */ 1579 typedef severity { 1580 type enumeration { 1581 enum critical { 1582 description 1583 "The 'critical' severity level indicates that 1584 an immediate corrective action is required. 1585 A 'critical' severity is reported when a service 1586 becomes totally out of service and must be restored."; 1587 } 1588 enum high { 1589 description 1590 "The 'high' severity level indicates that 1591 an urgent corrective action is required. 1592 A 'high' severity is reported when there is 1593 a severe degradation in the capability of the 1594 service and its full capability must be restored."; 1595 } 1596 enum middle { 1597 description 1598 "The 'middle' severity level indicates the 1599 existence of a non-service-affecting fault 1600 condition and corrective action should be done 1601 to prevent a more serious fault. The 'middle' 1602 severity is reported when the detected problem 1603 is not degrading the capability of the service, but 1604 some service degradation might happen if not 1605 prevented."; 1606 } 1607 enum low { 1608 description 1609 "The 'low' severity level indicates the detection 1610 of a potential fault before any effect is observed. 1611 The 'low' severity is reported when an action should 1612 be done before a fault happen."; 1613 } 1614 } 1615 description 1616 "An indicator representing severity levels. 
       The severity levels starting from the highest are critical,
       high, middle, and low.";
  }

  typedef log-action {
    type enumeration {
      enum allow {
        description
          "The logged action is 'allow'.";
      }
      enum alert {
        description
          "The logged action is 'alert'.";
      }
      enum block {
        description
          "The logged action is 'block'.";
      }
      enum discard {
        description
          "The logged action is 'discard'.";
      }
      enum declare {
        description
          "The logged action is 'declare'.";
      }
      enum block-ip {
        description
          "The logged action is 'block-ip'.";
      }
      enum block-service {
        description
          "The logged action is 'block-service'.";
      }
    }
    description
      "The type representing the action that was logged.";
  }

  typedef dpi-type {
    type enumeration {
      enum file-blocking {
        description
          "DPI for preventing the specified file types from flowing
           in the network.";
      }
      enum data-filtering {
        description
          "DPI for preventing sensitive information (e.g., Credit
           Card Numbers or Social Security Numbers) from leaving a
           protected network.";
      }
      enum application-behavior-control {
        description
          "DPI for filtering packets based on application or
           network behavior analysis to identify malicious or
           unusual activity.";
      }
    }
    description
      "The type of Deep Packet Inspection (DPI).
       The defined types are file-blocking, data-filtering, and
       application-behavior-control.";
  }

  typedef operation-type {
    type enumeration {
      enum login {
        description
          "The operation type is Login.";
      }
      enum logout {
        description
          "The operation type is Logout.";
      }
      enum configuration {
        description
          "The operation type is Configuration.
           The configuration operation includes the commands for
           writing a new configuration and modifying an existing
           configuration.";
      }
      enum other {
        description
          "The operation type is Other. This type covers all
           operations done by a user except login, logout, and
           configuration.";
      }
    }
    description
      "The type of operation done by a user during a session.
       The operation type does not take the user's privileges
       into account.";
  }

  typedef login-role {
    type enumeration {
      enum administrator {
        description
          "Administrator (i.e., Superuser) login role.
           Non-restricted role.";
      }
      enum user {
        description
          "User login role. Semi-restricted role: some data and
           configurations are available, but confidential or
           important data and configurations are restricted.";
      }
      enum guest {
        description
          "Guest login role. Restricted role: only a few read
           operations are available, and write access to the
           configuration is restricted.";
      }
    }
    description
      "The privilege level of the user account.";
  }

  /*
   * Identity
   */

  identity characteristics {
    description
      "Base identity for monitoring information
       characteristics";
  }
  identity acquisition-method {
    base characteristics;
    description
      "The type of acquisition-method.
       It can be multiple types at once.";
  }
  identity subscription {
    base acquisition-method;
    description
      "The acquisition-method type is subscription.";
  }
  identity query {
    base acquisition-method;
    description
      "The acquisition-method type is query.";
  }
  identity emission-type {
    base characteristics;
    description
      "The type of emission-type.";
  }
  identity periodic {
    base emission-type;
    description
      "The emission-type type is periodic.";
  }
  identity on-change {
    base emission-type;
    description
      "The emission-type type is on-change.";
  }
  identity dampening-type {
    base characteristics;
    description
      "The type of message dampening to stop the rapid transmission
       of messages. The dampening types are on-repetition and
       no-dampening.";
  }
  identity no-dampening {
    base dampening-type;
    description
      "The dampening-type is no-dampening. The no-dampening type
       does not limit the transmission of messages of the same
       type.";
  }
  identity on-repetition {
    base dampening-type;
    description
      "The dampening-type is on-repetition.
       The on-repetition type limits the transmitted on-change
       messages to one message per configured interval.";
  }

  identity authentication-mode {
    description
      "The authentication mode for a user to connect to the NSF,
       e.g., pre-configured-key and certificate-authority";
  }
  identity pre-configured-key {
    base authentication-mode;
    description
      "The pre-configured-key mode is authentication using a
       pre-configured key.";
  }
  identity certificate-authority {
    base authentication-mode;
    description
      "The certificate-authority (CA) mode is authentication using
       a digital certificate.";
  }

  identity event {
    description
      "Base identity for I2NSF events.";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
  }

  identity system-alarm {
    base event;
    description
      "Base identity for detectable system alarm types";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "A memory alarm is alerted.";
  }
  identity cpu-alarm {
    base system-alarm;
    description
      "A CPU alarm is alerted.";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "A disk alarm is alerted.";
  }
  identity hardware-alarm {
    base system-alarm;
    description
      "A hardware alarm (i.e., hardware failure) is alerted.";
  }
  identity interface-alarm {
    base system-alarm;
    description
      "An interface alarm is alerted.";
  }

  identity access-violation {
    base system-event;
    description
      "The access-violation system event is an event when a user
       tries to access (read, write, create, or delete) any
       information or execute commands above their privilege.";
  }
  identity configuration-change {
    base system-event;
    description
      "The configuration-change system event is an event when a user
       adds a new
       configuration or modifies an existing configuration
       (write configuration).";
  }

  identity attack-type {
    description
      "The root ID of attack-based notification
       in the notification taxonomy";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This ID is intended to be used
       in the context of NSF event.";
  }

  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. It can be multiple types at once.
       This attack type is associated with a detected
       system-log virus-attack.";
  }
  identity trojan {
    base virus-type;
    description
      "The virus type is a trojan. A trojan disguises the
       intent of files or programs to mislead the user.";
  }
  identity worm {
    base virus-type;
    description
      "The virus type is a worm. A worm can self-replicate and
       spread through the network automatically.";
  }
  identity macro {
    base virus-type;
    description
      "The virus type is a macro virus. A macro virus causes a
       series of threats automatically after the program is
       executed.";
  }
  identity boot-sector {
    base virus-type;
    description
      "The virus type is a boot sector virus. A boot sector virus
       infects the core of the computer, affecting the startup
       process.";
  }
  identity polymorphic {
    base virus-type;
    description
      "The virus type is a polymorphic virus. A polymorphic virus
       can modify its version when it replicates, making it hard
       to detect.";
  }
  identity overwrite {
    base virus-type;
    description
      "The virus type is an overwrite virus. An overwrite virus can
       remove existing software and replace it with malicious code
       by overwriting it.";
  }
  identity resident {
    base virus-type;
    description
      "The virus-type is a resident virus.
       A resident virus saves itself in the computer's memory and
       infects other files and software.";
  }
  identity non-resident {
    base virus-type;
    description
      "The virus-type is a non-resident virus. A non-resident virus
       attaches directly to an executable file and enters the device
       when executed.";
  }
  identity multipartite {
    base virus-type;
    description
      "The virus-type is a multipartite virus. A multipartite virus
       attacks both the boot sector and executable files of a
       computer.";
  }
  identity spacefiller {
    base virus-type;
    description
      "The virus-type is a spacefiller virus. A spacefiller virus
       fills empty spaces of a file or software with malicious
       code.";
  }

  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log intrusion.";
  }
  identity brute-force {
    base intrusion-attack-type;
    description
      "The intrusion type is brute-force.";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description
      "The intrusion type is buffer-overflow.";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log web-attack.";
  }
  identity command-injection {
    base web-attack-type;
    description
      "The detected web attack type is command injection.";
  }
  identity xss {
    base web-attack-type;
    description
      "The detected web attack type is XSS.";
  }
  identity csrf {
    base web-attack-type;
    description
      "The detected web attack type is CSRF.";
  }

  identity ddos-type {
    base nsf-attack-type;
    description
      "Base identity for detectable flood types";
  }
  identity syn-flood {
    base ddos-type;
    description
      "A SYN flood is detected.";
  }
  identity ack-flood {
    base ddos-type;
    description
      "An ACK flood is detected.";
  }
  identity syn-ack-flood {
    base ddos-type;
    description
      "A SYN-ACK flood is detected.";
  }
  identity fin-rst-flood {
    base ddos-type;
    description
      "A FIN-RST flood is detected.";
  }
  identity tcp-con-flood {
    base ddos-type;
    description
      "A TCP connection flood is detected.";
  }
  identity udp-flood {
    base ddos-type;
    description
      "A UDP flood is detected.";
  }
  identity icmpv4-flood {
    base ddos-type;
    description
      "An ICMPv4 flood is detected.";
  }
  identity icmpv6-flood {
    base ddos-type;
    description
      "An ICMPv6 flood is detected.";
  }
  identity http-flood {
    base ddos-type;
    description
      "An HTTP flood is detected.";
  }
  identity https-flood {
    base ddos-type;
    description
      "An HTTPS flood is detected.";
  }
  identity dns-query-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) query flood is detected.";
  }
  identity dns-reply-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) reply flood is detected.";
  }
  identity sip-flood {
    base ddos-type;
    description
      "A Session Initiation Protocol (SIP) flood is detected.";
  }
  identity ssl-flood {
    base ddos-type;
    description
      "A Secure Sockets Layer (SSL) flood is detected.";
  }
  identity ntp-amp-flood {
    base ddos-type;
    description
      "A Network Time Protocol (NTP) amplification flood is
       detected.";
  }

  identity req-method {
    description
      "A set of request types in HTTP (if applicable).";
  }
  identity put {
    base req-method;
    description
      "The detected request type is PUT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method PUT";
  }
  identity post {
    base req-method;
    description
      "The detected request type is POST.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method POST";
  }
  identity get {
    base req-method;
    description
      "The detected request type is GET.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method GET";
  }
  identity head {
    base req-method;
    description
      "The detected request type is HEAD.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method HEAD";
  }
  identity delete {
    base req-method;
    description
      "The detected request type is DELETE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method DELETE";
  }
  identity connect {
    base req-method;
    description
      "The detected request type is CONNECT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method CONNECT";
  }
  identity options {
    base req-method;
    description
      "The detected request type is OPTIONS.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method OPTIONS";
  }
  identity trace {
    base req-method;
    description
      "The detected request type is TRACE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method TRACE";
  }

  identity filter-type {
    description
      "The type of filter used to detect an attack,
       for example, a web-attack. It can be applicable to
       more than web-attacks.";
  }
  identity allow-list {
    base filter-type;
    description
      "The applied filter type is an allow list.
       This filter blocks all connections except those on the
       specified list.";
  }
  identity deny-list {
    base filter-type;
    description
      "The applied filter type is a deny list. This filter permits
       all connections except those on the specified list.";
  }
  identity unknown-filter {
    base filter-type;
    description
      "The applied filter is unknown.";
  }

  identity protocol {
    description
      "An identity used to enable type choices in leaves
       and leaf-lists with respect to protocol metadata. This is used
       to identify the type of protocol that goes through the NSF.";
  }
  identity ip {
    base protocol;
    description
      "General IP protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity ipv4 {
    base ip;
    description
      "IPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol";
  }
  identity ipv6 {
    base ip;
    description
      "IPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity icmp {
    base protocol;
    description
      "Base identity for ICMPv4 and ICMPv6 condition capability";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }
  identity icmpv4 {
    base icmp;
    description
      "ICMPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 792: Internet Control Message Protocol";
  }
  identity icmpv6 {
    base icmp;
    description
      "ICMPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6)
       Specification";
  }
  identity transport-protocol {
    base protocol;
    description
      "Base
       identity for Layer 4 protocol condition capabilities,
       e.g., TCP, UDP, SCTP, and DCCP";
  }
  identity tcp {
    base transport-protocol;
    description
      "TCP protocol type.";
    reference
      "RFC 793: Transmission Control Protocol
       draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification";
  }
  identity udp {
    base transport-protocol;
    description
      "UDP protocol type.";
    reference
      "RFC 768: User Datagram Protocol";
  }
  identity sctp {
    base transport-protocol;
    description
      "Identity for SCTP condition capabilities";
    reference
      "RFC 4960: Stream Control Transmission Protocol";
  }
  identity dccp {
    base transport-protocol;
    description
      "Identity for DCCP condition capabilities";
    reference
      "RFC 4340: Datagram Congestion Control Protocol";
  }
  identity application-protocol {
    base protocol;
    description
      "Base identity for Application protocol, e.g., HTTP, FTP";
  }
  identity http {
    base application-protocol;
    description
      "HTTP protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity https {
    base application-protocol;
    description
      "HTTPS protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity ftp {
    base application-protocol;
    description
      "FTP protocol type.";
    reference
      "RFC 959: File Transfer Protocol";
  }
  identity ssh {
    base application-protocol;
    description
      "SSH protocol type.";
    reference
      "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }
  identity telnet {
    base application-protocol;
    description
      "The identity for Telnet.";
    reference
      "RFC 854: Telnet Protocol";
  }
  identity smtp {
    base application-protocol;
    description
      "The identity for SMTP.";
    reference
      "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
  }
  identity pop3 {
    base application-protocol;
    description
      "The identity for POP3.";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)";
  }
  identity imap {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol.";
    reference
      "RFC 9051: Internet Message Access Protocol (IMAP) - Version
       4rev2";
  }

  /*
   * Grouping
   */

  grouping timestamp {
    description
      "Grouping for identifying the time of the message.";
    leaf timestamp {
      type yang:date-and-time;
      description
        "Specifies the time at which a message is delivered.";
    }
  }

  grouping common-monitoring-data {
    description
      "A set of common monitoring data that is needed
       as the basic information.";
    leaf message {
      type string;
      description
        "This is a freetext annotation for
         monitoring a notification's content.";
    }
    leaf vendor-name {
      type string;
      description
        "The name of the NSF vendor. The string is unrestricted to
         identify the provider or vendor of the NSF.";
    }
    leaf nsf-name {
      type union {
        type string;
        type inet:ip-address-no-zone;
      }
      description
        "The name or IP address of the NSF generating the message.
         If the given nsf-name is not an IP address, the name can be
         an arbitrary string including an FQDN (Fully Qualified
         Domain Name).
         The name MUST be unique in the scope of the management
         domain so that the NSF that generated the message can be
         distinguished from any other NSF.";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm such as critical, high,
         middle, and low.";
    }
  }
  grouping characteristics {
    description
      "A set of characteristics of a notification.";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description
        "The acquisition-method for characteristics";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description
        "The emission-type for characteristics";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description
        "The dampening-type for characteristics";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description
      "A set of contents for alarm type notification.";
    leaf usage {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "Specifies the used percentage of the resource";
    }
    leaf threshold {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "The threshold percentage triggering the alarm or
         the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events
       caused by user activity.";
    leaf user {
      type string;
      mandatory true;
      description
        "The name of a user";
    }
    leaf-list group {
      type string;
      description
        "The group(s) to which a user belongs.";
    }
    leaf ip-address {
      type inet:ip-address-no-zone;
      mandatory true;
      description
        "The IPv4 (or IPv6) address of the user that triggered the
         event.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description
        "The authentication-mode of a user.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4 (or IPv6)-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ip-address-no-zone;
      description
        "The destination IPv4 (IPv6) address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:rules/nsfintf:rule-name";
      }
      mandatory true;
      description
        "The name of the I2NSF Policy Rule being triggered";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of extended common IPv4 (or IPv6)-related NSF
       event content elements";
    uses i2nsf-nsf-event-type-content;
    leaf src-ip {
      type inet:ip-address-no-zone;
      description
        "The source IPv4 (or IPv6) address of the packet or flow";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet or flow";
    }
    leaf src-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The source geographical location (e.g., country and city)
         of the src-ip field.";
    }
    leaf dst-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The destination geographical location (e.g., country and
         city) of the dst-ip field.";
    }
  }
  grouping log-action {
    description
      "A grouping for logging action.";

    leaf-list action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
  }
  grouping attack-rates {
    description
      "A set of traffic rates for monitoring attack traffic
       data";
    leaf attack-rate {
      type uint32;
      units "pps";
      description
        "The average packets per second (pps) rate of attack
         traffic";
    }
    leaf attack-speed {
      type uint64;
      units "Bps";
      description
        "The average bytes per second (Bps) speed of attack traffic";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates for statistics data";
    leaf discontinuity-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time on the most recent occasion at which any one or
         more of this interface's counters suffered a discontinuity.
         If no such discontinuities have occurred since the last
         re-initialization of the local management subsystem, then
         this node contains the time the local management subsystem
         re-initialized itself.";
    }
    leaf total-traffic {
      type yang:counter32;
      units "packets";
      description
        "The total number of traffic packets (in and out) in the
         NSF.";
    }
    leaf in-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic peak rate in packets per second (pps).";
    }
    leaf in-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic peak speed in bytes per second (Bps).";
    }
    leaf out-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic peak rate in packets per second (pps).";
    }
    leaf out-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic peak speed in bytes per second (Bps).";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of counters for an interface traffic data.";
    leaf interface-name {
      type if:interface-ref;
      description
        "Network interface name configured in an NSF";
      reference
        "RFC 8343: A YANG Data Model for Interface Management";
    }
    leaf in-total-traffic-pkts {
      type yang:counter32;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type
        yang:counter32;
      description
        "Total inbound dropped packets";
    }
    leaf out-drop-traffic-pkts {
      type yang:counter32;
      description
        "Total outbound dropped packets";
    }
    leaf in-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound dropped bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound dropped bytes";
    }
    uses traffic-rates;
  }

  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of contents of a policy in an NSF.";
    leaf policy-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:system-policy-name";
      }
      mandatory true;
      description
        "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description
        "The name of the I2NSF User who generated the policy.";
    }
  }

  grouping enable-notification {
    description
      "A grouping for enabling or disabling notification";
    leaf enabled {
      type boolean;
      default "true";
      description
        "Enables or disables the notification.
         If 'true', then the notification is enabled.
         If 'false', then the notification is disabled.";
    }
  }
  grouping dampening {
    description
      "A grouping for the dampening period of a notification.";
    leaf dampening-period {
      type uint32;
      units "centiseconds";
      default "0";
      description
        "Specifies the minimum interval between the assembly of
         successive update records for a single receiver of a
         subscription.
         Whenever subscribed objects change and
         a dampening-period interval (which may be zero) has
         elapsed since the previous update record creation for
         a receiver, any subscribed objects and properties
         that have changed since the previous update record
         will have their current values marshalled and placed
         in a new update record. But if the subscribed objects change
         when the dampening-period is active, it should update the
         record without sending the notification until the dampening-
         period is finished. If multiple changes happen during the
         active dampening-period, it should update the record with
         the latest data. And at the end of the dampening-period, it
         should send the record as a notification with the latest
         updated record and restart the countdown.";
      reference
        "RFC 8641: Subscription to YANG Notifications for
         Datastore Updates - Section 5.";
    }
  }

  /*
   * Feature Nodes
   */

  feature i2nsf-nsf-detection-ddos {
    description
      "This feature means it supports I2NSF nsf-detection-ddos
       notification";
  }
  feature i2nsf-nsf-detection-virus {
    description
      "This feature means it supports I2NSF nsf-detection-virus
       notification";
  }
  feature i2nsf-nsf-detection-intrusion {
    description
      "This feature means it supports I2NSF nsf-detection-intrusion
       notification";
  }
  feature i2nsf-nsf-detection-web-attack {
    description
      "This feature means it supports I2NSF nsf-detection-web-attack
       notification";
  }
  feature i2nsf-nsf-detection-voip-volte {
    description
      "This feature means it supports I2NSF nsf-detection-voip-volte
       notification";
  }
  feature i2nsf-nsf-log-dpi {
    description
      "This feature means it supports I2NSF nsf-log-dpi
       notification";
  }

  /*
   * Notification nodes
   */

  notification i2nsf-event {
    description
      "Notification for I2NSF
       Event.";
    choice sub-event-type {
      description
        "This choice must be augmented with cases for each allowed
         sub-event. Only 1 sub-event will be instantiated in each
         i2nsf-event message. Each case is expected to define one
         container with all the sub-event fields.";
      case i2nsf-system-detection-alarm {
        container i2nsf-system-detection-alarm {
          description
            "This notification is sent when a system alarm
             is detected.";
          leaf alarm-category {
            type identityref {
              base system-alarm;
            }
            description
              "The alarm category for
               system-detection-alarm notification";
          }
          leaf component-name {
            type string;
            description
              "The hardware component responsible for generating
               the message. Applicable for Hardware Failure
               Alarm.";
          }
          leaf interface-name {
            type if:interface-ref;
            description
              "The interface name responsible for generating
               the message. Applicable for Network Interface
               Failure Alarm.";
            reference
              "RFC 8343: A YANG Data Model for Interface Management";
          }
          leaf interface-state {
            type enumeration {
              enum down {
                description
                  "The interface state is down.";
              }
              enum up {
                description
                  "The interface state is up and not congested.";
              }
              enum congested {
                description
                  "The interface state is up but congested.";
              }
            }
            description
              "The state of the interface (i.e., up, down,
               congested).
Applicable for Network Interface Failure 2845 Alarm."; 2846 } 2847 uses characteristics; 2848 uses i2nsf-system-alarm-type-content; 2849 uses common-monitoring-data; 2850 } 2851 } 2853 case i2nsf-system-detection-event { 2854 container i2nsf-system-detection-event { 2855 description 2856 "This notification is sent when a security-sensitive 2857 authentication action fails."; 2858 leaf event-category { 2859 type identityref { 2860 base system-event; 2861 } 2862 description 2863 "The event category for system-detection-event"; 2865 } 2866 uses characteristics; 2867 uses i2nsf-system-event-type-content; 2868 uses common-monitoring-data; 2869 } 2870 } 2872 case i2nsf-traffic-flows { 2873 container i2nsf-traffic-flows { 2874 description 2875 "This notification is sent to inform about the traffic 2876 flows."; 2877 leaf src-ip { 2878 type inet:ip-address-no-zone; 2879 description 2880 "The source IPv4 (or IPv6) address of the flow"; 2881 } 2882 leaf dst-ip { 2883 type inet:ip-address-no-zone; 2884 description 2885 "The destination IPv4 (or IPv6) address of the flow"; 2886 } 2887 leaf protocol { 2888 type identityref { 2889 base protocol; 2890 } 2891 description 2892 "The protocol type for nsf-detection-intrusion 2893 notification"; 2894 } 2895 leaf src-port { 2896 type inet:port-number; 2897 description 2898 "The source port of the flow"; 2899 } 2900 leaf dst-port { 2901 type inet:port-number; 2902 description 2903 "The destination port of the flow"; 2904 } 2905 leaf arrival-rate { 2906 type uint32; 2907 units "pps"; 2908 description 2909 "The average arrival rate of the flow in packets per 2910 second. 
The average is calculated from the start of 2911 the NSF service until the generation of this 2912 record."; 2914 } 2915 uses characteristics; 2916 uses common-monitoring-data; 2917 } 2918 } 2920 case i2nsf-nsf-detection-session-table { 2921 container i2nsf-nsf-detection-session-table { 2922 description 2923 "This notification is sent, when a session table 2924 event is detected."; 2925 leaf current-session { 2926 type uint32; 2927 description 2928 "The number of concurrent sessions"; 2929 } 2930 leaf maximum-session { 2931 type uint32; 2932 description 2933 "The maximum number of sessions that the session 2934 table can support"; 2935 } 2936 leaf threshold { 2937 type uint32; 2938 description 2939 "The threshold triggering the event"; 2940 } 2941 uses common-monitoring-data; 2942 } 2943 } 2944 } 2945 } 2947 notification i2nsf-log { 2948 description 2949 "Notification for I2NSF log. The notification is generated 2950 from the logs of the NSF."; 2951 choice sub-logs-type { 2952 description 2953 "This choice must be augmented with cases for each allowed 2954 sub-logs. Only 1 sub-event will be instantiated in each 2955 i2nsf-logs message. 
Each case is expected to define one 2956 container with all the sub-logs fields."; 2957 case i2nsf-nsf-system-access-log { 2958 container i2nsf-nsf-system-access-log { 2959 description 2960 "The notification is sent, if there is a new system 2961 log entry about a system access event."; 2963 leaf login-ip { 2964 type inet:ip-address-no-zone; 2965 description 2966 "Login IP address of a user"; 2967 } 2968 leaf username { 2969 type string; 2970 description 2971 "The login username that maintains the device"; 2972 } 2973 leaf login-role { 2974 type login-role; 2975 description 2976 "The login role to specify the privilege level of the 2977 user account, e.g., administrator, user, or guest."; 2978 } 2979 leaf operation-type { 2980 type operation-type; 2981 description 2982 "The operation type that the user executes"; 2983 } 2984 leaf input { 2985 type string; 2986 description 2987 "The operation performed by a user after login. The 2988 operation is a command given by a user."; 2989 } 2990 leaf output { 2991 type string; 2992 description 2993 "The result in text format after executing the 2994 input."; 2995 } 2996 uses characteristics; 2997 uses common-monitoring-data; 2998 } 2999 } 3001 case i2nsf-system-res-util-log { 3002 container i2nsf-system-res-util-log { 3003 description 3004 "This notification is sent, if there is a new log 3005 entry representing resource utilization updates."; 3006 leaf system-status { 3007 type enumeration { 3008 enum running { 3009 description 3010 "The system is active and running the security 3011 service."; 3012 } 3013 enum waiting { 3014 description 3015 "The system is active but waiting for an event to 3016 provide the security service."; 3017 } 3018 enum inactive { 3019 description 3020 "The system is inactive and not running the 3021 security service."; 3022 } 3023 } 3024 description 3025 "The current system's running status"; 3026 } 3027 leaf cpu-usage { 3028 type uint8; 3029 units "percent"; 3030 description 3031 "Specifies the 
relative percentage of CPU utilization 3032 with respect to platform resources"; 3033 } 3034 leaf memory-usage { 3035 type uint8; 3036 units "percent"; 3037 description 3038 "Specifies the percentage of memory usage."; 3039 } 3040 list disk { 3041 key disk-id; 3042 description 3043 "Disk is the hardware to store information for a 3044 long period, i.e., Hard Disk or Solid-State Drive."; 3045 leaf disk-id { 3046 type string; 3047 description 3048 "The ID of the storage disk. It is a free form 3049 identifier to identify the storage disk."; 3050 } 3051 leaf disk-usage { 3052 type uint8; 3053 units "percent"; 3054 description 3055 "Specifies the percentage of disk usage"; 3056 } 3057 leaf disk-left { 3058 type uint8; 3059 units "percent"; 3060 description 3061 "Specifies the percentage of disk left"; 3062 } 3063 } 3064 leaf session-num { 3065 type uint32; 3066 description 3067 "The total number of sessions"; 3068 } 3069 leaf process-num { 3070 type uint32; 3071 description 3072 "The total number of processes"; 3073 } 3074 list interface { 3075 key interface-id; 3076 description 3077 "The network interface for connecting a device 3078 with the network."; 3079 leaf interface-id { 3080 type string; 3081 description 3082 "The ID of the network interface. 
It is a free form 3083 identifier to identify the network interface."; 3084 } 3085 leaf in-traffic-rate { 3086 type uint32; 3087 units "pps"; 3088 description 3089 "The total inbound traffic rate in packets per 3090 second"; 3091 } 3092 leaf out-traffic-rate { 3093 type uint32; 3094 units "pps"; 3095 description 3096 "The total outbound traffic rate in packets per 3097 second"; 3098 } 3099 leaf in-traffic-speed { 3100 type uint64; 3101 units "Bps"; 3102 description 3103 "The total inbound traffic speed in bytes per second"; 3104 } 3105 leaf out-traffic-speed { 3106 type uint64; 3107 units "Bps"; 3108 description 3109 "The total outbound traffic speed in bytes per 3110 second"; 3111 } 3112 } 3113 uses characteristics; 3114 uses common-monitoring-data; 3115 } 3116 } 3118 case i2nsf-system-user-activity-log { 3119 container i2nsf-system-user-activity-log { 3120 description 3121 "This notification is sent, if there is a new user 3122 activity log entry."; 3123 uses characteristics; 3124 uses i2nsf-system-event-type-content; 3125 uses common-monitoring-data; 3126 leaf online-duration { 3127 type uint32; 3128 units "seconds"; 3129 description 3130 "The duration of a user's activeness (stays in login) 3131 during a session."; 3133 } 3134 leaf logout-duration { 3135 type uint32; 3136 units "seconds"; 3137 description 3138 "The duration of a user's inactiveness (not in login) 3139 from the last session."; 3140 } 3141 leaf additional-info { 3142 type enumeration { 3143 enum successful-login { 3144 description 3145 "The user has succeeded in login."; 3146 } 3147 enum failed-login { 3148 description 3149 "The user has failed in login (e.g., wrong 3150 password)"; 3151 } 3152 enum logout { 3153 description 3154 "The user has succeeded in logout"; 3156 } 3157 enum successful-password-changed { 3158 description 3159 "The password has been changed successfully"; 3160 } 3161 enum failed-password-changed{ 3162 description 3163 "The attempt to change password has failed"; 3164 } 3165 
               enum lock {
                 description
                   "The user has been locked. A locked user cannot
                    login.";
               }
               enum unlock {
                 description
                   "The user has been unlocked.";
               }
             }
             description
               "User activities, e.g., Successful User Login,
                Failed Login attempts, User Logout, Successful User
                Password Change, Failed User Password Change, User
                Lockout, User Unlocking, and Unknown.";
           }
         }
       }
     }
   }

   notification i2nsf-nsf-event {
     description
       "Notification for I2NSF NSF Event. This notification is
        used for a specific NSF that supported such feature.";
     choice sub-event-type {
       description
         "This choice must be augmented with cases for each allowed
          sub-event. Only 1 sub-event will be instantiated in each
          i2nsf-event message. Each case is expected to define one
          container with all the sub-event fields.";
       case i2nsf-nsf-detection-ddos {
         if-feature "i2nsf-nsf-detection-ddos";
         container i2nsf-nsf-detection-ddos {
           description
             "This notification is sent, when a specific flood type
              is detected.";
           leaf attack-type {
             type identityref {
               base ddos-type;
             }
             description
               "Any one of Syn flood, ACK flood, SYN-ACK flood,
                FIN/RST flood, TCP Connection flood, UDP flood,
                ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood,
                HTTPS flood, DNS query flood, DNS reply flood, SIP
                flood, etc.";
           }
           leaf start-time {
             type yang:date-and-time;
             mandatory true;
             description
               "The time stamp indicating when the attack started";
           }
           leaf end-time {
             type yang:date-and-time;
             mandatory true;
             description
               "The time stamp indicating when the attack ended";
           }
           leaf-list attack-src-ip {
             type inet:ip-address-no-zone;
             description
               "The source IPv4 (or IPv6) addresses of attack
                traffic. It can hold multiple IPv4 (or IPv6)
                addresses.";
           }
           leaf-list attack-dst-ip {
             type inet:ip-address-no-zone;
             description
               "The destination IPv4 (or IPv6) addresses of attack
                traffic. It can hold multiple IPv4 (or IPv6)
                addresses.";
           }
           leaf-list attack-src-port {
             type inet:port-number;
             description
               "The source ports of the DDoS attack";
           }
           leaf-list attack-dst-port {
             type inet:port-number;
             description
               "The destination ports of the DDoS attack";
           }
           leaf rule-name {
             type leafref {
               path
                 "/nsfintf:i2nsf-security-policy"
                 +"/nsfintf:rules/nsfintf:rule-name";
             }
             mandatory true;
             description
               "The name of the I2NSF Policy Rule being triggered";
           }
           leaf raw-info {
             type string;
             description
               "The information describing the packet
                triggering the event.";
           }
           uses attack-rates;
           uses log-action;
           uses characteristics;
           uses common-monitoring-data;
         }
       }
       case i2nsf-nsf-detection-virus {
         if-feature "i2nsf-nsf-detection-virus";
         container i2nsf-nsf-detection-virus {
           description
             "This notification is sent, when a virus is detected.";
           uses i2nsf-nsf-event-type-content-extend;
           leaf virus {
             type identityref {
               base virus-type;
             }
             description
               "The virus type for nsf-detection-virus notification";
           }
           leaf virus-name {
             type string;
             description
               "The name of the detected virus";
           }
           leaf file-type {
             type string;
             description
               "The type of file virus code is found in (if
                applicable).";
             reference
               "IANA Website: Media Types";
           }
           leaf file-name {
             type string;
             description
               "The name of file virus code is found in (if
                applicable).";
           }
           leaf os {
             type string;
             description
               "The operating system of the device.";
           }
           uses log-action;
           uses characteristics;
           uses common-monitoring-data;
         }
       }
       case i2nsf-nsf-detection-intrusion {
         if-feature "i2nsf-nsf-detection-intrusion";
         container i2nsf-nsf-detection-intrusion {
           description
             "This notification is sent, when an intrusion event
              is detected.";
           uses i2nsf-nsf-event-type-content-extend;
           leaf protocol {
             type identityref {
               base transport-protocol;
             }
             description
               "The transport protocol type for
                nsf-detection-intrusion notification";
           }
           leaf app {
             type identityref {
               base application-protocol;
             }
             description
               "The employed application layer protocol";
           }
           leaf attack-type {
             type identityref {
               base intrusion-attack-type;
             }
             description
               "The sub attack type for intrusion attack";
           }
           uses log-action;
           uses attack-rates;
           uses characteristics;
           uses common-monitoring-data;
         }
       }
       case i2nsf-nsf-detection-web-attack {
         if-feature "i2nsf-nsf-detection-web-attack";
         container i2nsf-nsf-detection-web-attack {
           description
             "This notification is sent, when an attack event is
              detected.";
           uses i2nsf-nsf-event-type-content-extend;
           leaf attack-type {
             type identityref {
               base web-attack-type;
             }
             description
               "Concrete web attack type, e.g., SQL injection,
                command injection, XSS, and CSRF.";
           }
           leaf req-method {
             type identityref {
               base req-method;
             }
             description
               "The HTTP method of the request, e.g., PUT or GET.";
             reference
               "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
                Semantics and Content - Request Methods";
           }
           leaf req-target {
             type string;
             description
               "The HTTP Request Target. This field can be filled in
                the format of origin-form, absolute-form,
                authority-form, or asterisk-form";
             reference
               "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1):
                Message Syntax and Routing - Request Target";
           }
           leaf-list filtering-type {
             type identityref {
               base filter-type;
             }
             description
               "URL filtering type, e.g., deny-list, allow-list,
                and Unknown";
           }
           leaf req-user-agent {
             type string;
             description
               "The HTTP User-Agent header field of the request";
             reference
               "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
                Semantics and Content - User Agent";
           }
           leaf cookies {
             type string;
             description
               "The HTTP Set-Cookie header field of the response";
             reference
               "RFC 6265: HTTP State Management Mechanism -
                Set-Cookie";
           }
           leaf req-host {
             type string;
             description
               "The HTTP Host header field of the request";
             reference
               "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1):
                Message Syntax and Routing - Host";
           }
           leaf response-code {
             type string;
             description
               "The HTTP Response status code";
             reference
               "IANA Website: Hypertext Transfer Protocol (HTTP)
                Status Code Registry";
           }
           uses characteristics;
           uses log-action;
           uses common-monitoring-data;
         }
       }
       case i2nsf-nsf-detection-voip-volte {
         if-feature "i2nsf-nsf-detection-voip-volte";
         container i2nsf-nsf-detection-voip-volte {
           description
             "This notification is sent, when a VoIP/VoLTE violation
              is detected.";
           uses i2nsf-nsf-event-type-content-extend;
           leaf-list source-voice-id {
             type string;
             description
               "The detected source voice ID for VoIP and VoLTE that
                violates the security policy.";
           }
           leaf-list destination-voice-id {
             type string;
             description
               "The detected destination voice ID for VoIP and VoLTE
                that violates the security policy.";
           }
           leaf-list user-agent {
             type string;
             description
               "The detected user-agent for VoIP and VoLTE that
                violates the security policy.";
           }
         }
       }
       case i2nsf-nsf-log-dpi {
         if-feature "i2nsf-nsf-log-dpi";
         container i2nsf-nsf-log-dpi {
           description
             "This notification is sent, if there is a new DPI
              event in the NSF log.";
           leaf attack-type {
             type dpi-type;
             description
               "The type of the DPI";
           }
           uses characteristics;
           uses i2nsf-nsf-counters-type-content;
           uses common-monitoring-data;
         }
       }
     }
   }
   /*
    * Data nodes
    */
   container i2nsf-counters {
     config false;
     description
       "The state data representing continuous value changes of
        information elements that occur very frequently. The value
        should be calculated from the start of the service of the
        NSF.";
     list system-interface {
       key interface-name;
       description
         "Interface counters provide the visibility of traffic into
          and out of an NSF, and bandwidth usage.";
       uses characteristics;
       uses i2nsf-system-counter-type-content;
       uses common-monitoring-data;
       uses timestamp;
     }
     list nsf-firewall {
       key policy-name;
       description
         "Firewall counters provide the visibility of traffic
          signatures, bandwidth usage, and how the configured security
          and bandwidth policies have been applied.";
       uses characteristics;
       uses i2nsf-nsf-counters-type-content;
       uses traffic-rates;
       uses common-monitoring-data;
       uses timestamp;
     }
     list nsf-policy-hits {
       key policy-name;
       description
         "Policy Hit Counters record the number of hits that traffic
          packets match a security policy. It can check if policy
          configurations are correct or not.";
       uses characteristics;
       uses i2nsf-nsf-counters-type-content;
       uses common-monitoring-data;
       leaf discontinuity-time {
         type yang:date-and-time;
         mandatory true;
         description
           "The time on the most recent occasion at which any one or
            more of this interface's counters suffered a discontinuity.
            If no such discontinuities have occurred since the last
            re-initialization of the local management subsystem, then
            this node contains the time the local management subsystem
            re-initialized itself.";
       }
       leaf hit-times {
         type yang:counter32;
         description
           "The number of times a policy is hit";
       }
       uses timestamp;
     }
   }

   container i2nsf-monitoring-configuration {
     description
       "The container for configuring I2NSF monitoring.";
     container i2nsf-system-detection-alarm {
       description
         "The container for configuring I2NSF system-detection-alarm
          notification";
       uses enable-notification;
       list system-alarm {
         key alarm-type;
         description
           "Configuration for system alarm (i.e., CPU, Memory, and
            Disk Usage)";
         leaf alarm-type {
           type enumeration {
             enum cpu {
               description
                 "To configure the CPU usage threshold to trigger the
                  cpu-alarm";
             }
             enum memory {
               description
                 "To configure the Memory usage threshold to trigger
                  the memory-alarm";
             }
             enum disk {
               description
                 "To configure the Disk (storage) usage threshold to
                  trigger the disk-alarm";
             }
           }
           description
             "Type of alarm to be configured. The three alarm-types
              defined here are used to configure the threshold of the
              monitoring notification. The threshold is used to
              determine when the notification should be sent.
              The other two alarms defined in the module (i.e.,
              hardware-alarm and interface-alarm) do not use any
              threshold value to create a notification. These alarms
              detect a failure or a change of state to create a
              notification.";
         }
         leaf threshold {
           type uint8 {
             range "1..100";
           }
           units "percent";
           description
             "The configuration for threshold percentage to trigger
              the alarm. The alarm will be triggered if the usage
              exceeds the threshold.";
         }
         uses dampening;
       }
     }
     container i2nsf-system-detection-event {
       description
         "The container for configuring I2NSF system-detection-event
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-traffic-flows {
       description
         "The container for configuring I2NSF traffic-flows
          notification";
       uses dampening;
       uses enable-notification;
     }
     container i2nsf-nsf-detection-ddos {
       if-feature "i2nsf-nsf-detection-ddos";
       description
         "The container for configuring I2NSF nsf-detection-ddos
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-nsf-detection-session-table-configuration {
       description
         "The container for configuring I2NSF nsf-detection-session-
          table notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-nsf-detection-intrusion {
       if-feature "i2nsf-nsf-detection-intrusion";
       description
         "The container for configuring I2NSF nsf-detection-intrusion
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-nsf-detection-web-attack {
       if-feature "i2nsf-nsf-detection-web-attack";
       description
         "The container for configuring I2NSF nsf-detection-web-attack
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-nsf-system-access-log {
       description
         "The container for configuring I2NSF system-access-log
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-system-res-util-log {
       description
         "The container for configuring I2NSF system-res-util-log
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-system-user-activity-log {
       description
         "The container for configuring I2NSF system-user-activity-log
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-nsf-log-dpi {
       if-feature "i2nsf-nsf-log-dpi";
       description
         "The container for configuring I2NSF nsf-log-dpi
          notification";
       uses enable-notification;
       uses dampening;
     }
     container i2nsf-counter {
       description
         "This is used to configure the counters
          for monitoring an NSF";
       leaf period {
         type uint16;
         units "minutes";
         default 0;
         description
           "The configuration for the period interval of reporting
            the counter. If 0, then the counter period is disabled.
            If value is not 0, then the counter will be reported
            following the period value.";
       }
     }
   }
 }

                  Figure 2: Data Model of Monitoring

10. I2NSF Event Stream

This section discusses the NETCONF event stream for I2NSF NSF Monitoring subscription. The YANG module in this document supports the "ietf-subscribed-notifications" YANG module [RFC8639] for subscription. The reserved event stream name for this document is "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support the "I2NSF-Monitoring" event stream for an NSF data collector (e.g., Security Controller). The "I2NSF-Monitoring" event stream contains all I2NSF events described in this document.
The following example shows the capabilities of the event streams of an NSF (e.g., the "NETCONF" and "I2NSF-Monitoring" event streams) as seen by the subscription of an NSF data collector; note that this example XML file is delivered by an NSF to an NSF data collector. The XML examples in this document follow the line breaks as per [RFC8792].

   (The XML markup of this figure was not preserved; only the element
   values survive, in document order.)
   NETCONF
   Default NETCONF Event Stream
   false
   I2NSF-Monitoring
   I2NSF Monitoring Event Stream
   true
   2021-04-29T09:37:39+00:00

   Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring
             Event Stream

11. XML Examples for I2NSF NSF Monitoring

This section shows XML examples of I2NSF NSF Monitoring data delivered via the Monitoring Interface from an NSF.

11.1. I2NSF System Detection Alarm

The following example shows an alarm triggered by the Memory Usage of the server; note that this example XML file is delivered by an NSF to an NSF data collector:

   (The XML markup of this figure was not preserved; only the element
   values survive, in document order.)
   2021-04-29T07:43:52.181088+00:00
   nsfmi:memory-alarm
   nsfmi:subscription
   nsfmi:on-change
   nsfmi:on-repetition
   91
   90
   Memory Usage Exceeded the Threshold
   time_based_firewall
   high

   Figure 4: Example of I2NSF System Detection Alarm triggered by
             Memory Usage

The XML data above shows:

1. The NSF that sends the information is named "time_based_firewall".

2. The memory usage of the NSF triggered the alarm.

3. The monitoring information is received by the subscription method.

4. The monitoring information is emitted "on-change".

5. The monitoring information is dampened "on-repetition".

6. The memory usage of the NSF is 91 percent.

7. The memory threshold to trigger the alarm is 90 percent.

8. The severity level of the notification is high.
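The alarm above is the combined result of two parts of the module: the per-alarm-type threshold in "i2nsf-monitoring-configuration" (memory usage 91 percent against a 90 percent threshold) and the dampening-period rule in the "dampening" grouping (hold the latest record while the period is active, send it when the period ends, restart the countdown). The following Python is an added example written for this page, not code from the draft or from any I2NSF implementation. It models the NSF-side emitter for one system-alarm entry with plain dicts; the dict field names ("alarm-category", "usage", "threshold", "message", "nsf-name", "time"), the memory samples and the 10-second period are constructed assumptions chosen to mirror the XML example, not the module's actual leaf names.

```python
"""Threshold alarm with dampening for one I2NSF system-alarm entry.

Added example; it is not code from the draft or the I2NSF project.
Records are plain dicts whose keys are assumptions, not the YANG leaf names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Notification = Dict[str, object]


@dataclass
class SystemAlarmConfig:
    """One entry of the module's system-alarm list plus its dampening-period."""
    alarm_type: str          # "cpu", "memory" or "disk", as in the enumeration
    threshold: int           # percent; the module restricts it to 1..100
    dampening_period: float  # seconds; 0 means every change is notified at once

    def __post_init__(self) -> None:
        if self.alarm_type not in ("cpu", "memory", "disk"):
            raise ValueError("alarm-type must be cpu, memory or disk")
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be within 1..100 percent")
        if self.dampening_period < 0:
            raise ValueError("dampening-period cannot be negative")


class DampenedAlarmEmitter:
    """Applies the threshold and the dampening-period rules to usage samples."""

    def __init__(self, cfg: SystemAlarmConfig, nsf_name: str) -> None:
        self.cfg = cfg
        self.nsf_name = nsf_name
        self.pending: Optional[Notification] = None  # latest record held back
        self.period_end: Optional[float] = None      # end of the running period

    def _record(self, usage: int, now: float) -> Notification:
        # Field names are assumptions mirroring the draft's XML example values.
        return {
            "alarm-category": f"{self.cfg.alarm_type}-alarm",
            "usage": usage,
            "threshold": self.cfg.threshold,
            "message": f"{self.cfg.alarm_type.capitalize()} Usage Exceeded the Threshold",
            "nsf-name": self.nsf_name,
            "time": now,
        }

    def _close_expired_period(self, now: float) -> List[Notification]:
        """At the end of a dampening period: send the held record and restart."""
        out: List[Notification] = []
        if self.period_end is None or now < self.period_end:
            return out                      # no period running, or still active
        if self.pending is not None:
            out.append(self.pending)        # latest data wins, sent at period end
            self.pending = None
            self.period_end = self.period_end + self.cfg.dampening_period  # restart countdown
            if now < self.period_end:
                return out
        self.period_end = None              # period ended with nothing to send
        return out

    def observe(self, usage: int, now: float) -> List[Notification]:
        """Feed one usage sample (percent) taken at time `now` (seconds)."""
        out = self._close_expired_period(now)
        if usage <= self.cfg.threshold:
            return out                      # threshold not exceeded: no alarm
        rec = self._record(usage, now)
        if self.period_end is None:
            out.append(rec)                 # quiet: notify immediately ...
            if self.cfg.dampening_period > 0:
                self.period_end = now + self.cfg.dampening_period  # ... and start the period
        else:
            self.pending = rec              # active: keep only the latest record
        return out


def run_samples(cfg: SystemAlarmConfig, nsf_name: str,
                samples: List[Tuple[float, int]]) -> List[Notification]:
    """Replay (time, usage) samples through one emitter; return all sent records."""
    emitter = DampenedAlarmEmitter(cfg, nsf_name)
    sent: List[Notification] = []
    for now, usage in samples:
        sent.extend(emitter.observe(usage, now))
    return sent


if __name__ == "__main__":
    # Constructed memory samples: threshold 90 percent, 10-second dampening.
    cfg = SystemAlarmConfig("memory", 90, 10.0)
    samples = [(0, 85), (1, 91), (3, 93), (5, 95), (12, 96), (25, 80), (40, 92)]
    for rec in run_samples(cfg, "time_based_firewall", samples):
        print(rec)
```

With the constructed samples the 91-percent reading goes out at once, the 93 and 95 readings collapse into one record carrying 95 when the first period ends, the 96 reading is held and sent at the end of the restarted period, and the 92 reading after a quiet gap is again sent immediately: four notifications for six above-threshold samples. A collector that sees a record with a "time" well before its arrival is looking at exactly this holding behaviour, not at clock skew.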
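The Security Considerations (Section 13) recommend rate limiting or a similar mechanism at both an NSF and an NSF data collector, so that many NSFs sending massive numbers of notifications cannot overwhelm the collector. The following Python is an added example written for this page, not code from the draft or from any I2NSF implementation: a collector-side token-bucket limiter keyed by NSF, which admits a bounded burst per source and counts what it rejects so the collector has its own signal about the offending source. The "nsf-name" and "time" fields, the NSF names "fw-a" and "fw-b", the 2-per-second rate and burst of 5, and the flood/normal sample stream are all constructed for the example.

```python
"""Per-NSF notification rate limiting at an NSF data collector.

Added example; it is not code from the draft or the I2NSF project.
Incoming notifications are plain dicts with assumed "nsf-name" and "time" keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Notification = Dict[str, object]


@dataclass
class TokenBucket:
    rate: float    # tokens added per second (sustained notifications per second)
    burst: int     # bucket capacity (short burst the collector tolerates)
    tokens: float  # current fill level
    last: float    # time of the last refill

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then consume one token if one is available."""
        elapsed = max(0.0, now - self.last)    # tolerate out-of-order timestamps
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CollectorRateLimiter:
    """Admission control for notifications arriving at the NSF data collector."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.buckets: Dict[str, TokenBucket] = {}
        self.rejected: Dict[str, int] = {}   # per-NSF count of dropped notifications

    def admit(self, nsf_name: str, now: float) -> bool:
        bucket = self.buckets.get(nsf_name)
        if bucket is None:
            # A newly seen NSF starts with a full bucket so normal bursts pass.
            bucket = TokenBucket(self.rate, self.burst, float(self.burst), now)
            self.buckets[nsf_name] = bucket
        if bucket.take(now):
            return True
        self.rejected[nsf_name] = self.rejected.get(nsf_name, 0) + 1
        return False


def filter_notifications(limiter: CollectorRateLimiter,
                         incoming: List[Notification]
                         ) -> Tuple[List[Notification], Dict[str, int]]:
    """Return the admitted notifications and the per-NSF count of rejected ones."""
    kept = [n for n in incoming
            if limiter.admit(str(n["nsf-name"]), float(n["time"]))]
    return kept, dict(limiter.rejected)


def sample_stream() -> List[Notification]:
    """Constructed input: one NSF flooding 20 alarms in 0.2 s, one sending 3 in 3 s."""
    flood = [{"nsf-name": "fw-a", "time": i * 0.01, "alarm-category": "cpu-alarm"}
             for i in range(20)]
    normal = [{"nsf-name": "fw-b", "time": float(i), "alarm-category": "memory-alarm"}
              for i in range(3)]
    return sorted(flood + normal, key=lambda n: n["time"])


if __name__ == "__main__":
    kept, rejected = filter_notifications(CollectorRateLimiter(rate=2.0, burst=5),
                                          sample_stream())
    print(len(kept), "admitted;", rejected)
```

Because the buckets are per NSF, the flooding "fw-a" loses 15 of its 20 notifications while "fw-b" is untouched; a rejected count that grows for one source only is the symptom that separates a misbehaving or compromised NSF from a collector that is simply overloaded. The same bucket placed in front of the NSF's own notification sender gives the NSF-side half of the recommendation, and the dampening-period in the module already bounds the rate of on-change notifications per subscription.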
11.2. I2NSF Interface Counters

To get the I2NSF system interface counters information by query, a NETCONF Client (e.g., NSF data collector) needs to send a GET request to the NETCONF Server (e.g., NSF). The following XML file can be used to get the state data and filter the information.

   (The XML markup of this figure was not preserved; the filter
   carried no literal values.)

   Figure 5: XML Example for NETCONF GET with System Interface Filter

The following XML file shows the reply from the NETCONF Server (e.g., NSF):

   (The XML markup of this figure was not preserved; only the element
   values survive, in document order, one system-interface entry per
   group.)
   2021-04-29T08:43:52.181088+00:00
   ens3
   nsfmi:query
   549050
   814956
   0
   5078
   time_based_firewall

   2021-04-29T08:43:52.181088+00:00
   lo
   nsfmi:query
   48487
   48487
   0
   0
   time_based_firewall

   Figure 6: Example of I2NSF System Interface Counters XML Information

12. IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950][RFC8525]:

   name: ietf-i2nsf-nsf-monitoring
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
   prefix: nsfmi
   reference: RFC XXXX

   // RFC Ed.: replace XXXX with an actual RFC number and remove
   // this note.

13. Security Considerations

The YANG module described in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].

The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

All data nodes defined in the YANG module which can be created, modified and deleted (i.e., config true, which is the default) are considered sensitive, as they all could potentially impact security monitoring and mitigation activities. Write operations (e.g., edit-config) applied to these data nodes without proper protection could result in missed alarms or incorrect alarm information being returned to the NSF data collector. There are threats that need to be considered and mitigated:

Compromised NSF with valid credentials: It can send falsified information to the NSF data collector to mislead detection or mitigation activities, and/or to hide activity. Currently, there is no in-framework mechanism to mitigate this, and it is an issue for all monitoring infrastructures. It is important to prevent the disclosure of confidential information to unauthorized persons, to reduce the possibility of an NSF being compromised with this information.

Compromised NSF data collector with valid credentials: It has visibility of all collected security alarms; the entire detection and mitigation infrastructure may be suspect. It is important to prevent the disclosure of confidential information to unauthorized persons, to reduce the possibility of an NSF being compromised with this information.
Impersonating NSF: It is a system trying to send false information while imitating an NSF; client authentication would help the NSF data collector to identify this invalid NSF in the "push" model (NSF-to-collector), while the "pull" model (collector-to-NSF) should already be addressed by the authentication.

Impersonating NSF data collector: It is a rogue NSF data collector with which a legitimate NSF is tricked into communicating; for the "push" model (NSF-to-collector), it is important to have valid credentials, without which it should not work; for the "pull" model (collector-to-NSF), mutual authentication should be used to mitigate the threat.

In addition, to defend against a DDoS attack caused by a lot of NSFs sending massive numbers of notifications to the NSF data collector, rate limiting or similar mechanisms should be considered in both an NSF and an NSF data collector, whether in advance or during a DDoS attack.

All of the readable data nodes in this YANG module may be considered sensitive in some network environments. These data nodes represent information consistent with the logging commonly performed in network and security operations. They may reveal the specific configuration of a network; vulnerabilities in specific systems; and the deployed security controls and their relative efficacy in detecting or mitigating an attack. To an attacker, this information could inform how to (further) compromise the network, evade detection, or confirm whether they have been observed by the network operator.

Additionally, many of the data nodes in this YANG module, such as the containers "i2nsf-system-user-activity-log", "i2nsf-system-detection-event", and "i2nsf-nsf-detection-voip-volte", are privacy sensitive. They may describe specific or aggregate user activity, including associating user names with specific IP addresses, or users with specific network usage.

14. Acknowledgments

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the IITP (2020-0-00395, Standard Development of Blockchain based Network Management Automation Technology). This work was supported in part by the MSIT under the Information Technology Research Center (ITRC) support program (IITP-2021-2017-0-01633) supervised by the IITP.

15. Contributors

This document is made by the group effort of the I2NSF working group. Many people actively contributed to this document. The authors sincerely appreciate their contributions.
   The following are co-authors of this document:

   Chaehong Chung
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: darkhong@skku.edu

   Jinyong (Tim) Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: timkim@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dong.jin@skku.edu

   Dacheng Zhang
   Huawei
   EMail: dacheng.zhang@huawei.com

   Yi Wu
   Alibaba Group
   EMail: anren.wy@alibaba-inc.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA
   EMail: rkkumar@juniper.net

   Anil Lohiya
   Juniper Networks
   EMail: alohiya@juniper.net

Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-11

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-11:

   *  This version is revised following Roman Danyliw's comments.
Authors' Addresses

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Patrick Lingga
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: patricklink@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   United States of America

   Phone: +1-734-604-0332
   Email: shares@ndzh.com

   Liang (Frank) Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing
   Jiangsu
   China

   Email: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   64295 Darmstadt
   Germany

   Email: henk.birkholz@sit.fraunhofer.de